2014.01.30 expert session sap grc access control @ expertum - looking for a way to make user...
DESCRIPTION
We will show you how GRC Access Control automates User Management, User Access Management, Emergency Access Management, reporting, reviews, preventive analyses, … Automating the assignment of access rights to users saves a lot of time, resources and thus money, while at the same time reducing risk and increasing compliance. By automating the User Access Management processes you can ensure the right people are involved and can make informed decisions. Automating the process decision flow, execution and logging ensures people’s involvement is concentrated on value-adding actions.
TRANSCRIPT
Looking for a way to make User Access Management easier?
Why not automate it?
Melissa Dielman
Why do companies choose GRC?
REDUCTION OF IT COSTS
STANDARDIZATION
IDENTIFICATION
ROOT CAUSE ANALYSIS
PREVENTION
AUTOMATION
REDUCED RESPONSE TIMES
COMPLIANCE
REDUCED COST
Why automate
Reduce cost
Reduce workload
Reduce response times
Increase compliance
Continuous information
Tracking
Optimization of resources’ intellectual value
Facilitate ownership
Core Processes
New user
User requests (more) access
User changes position
User termination
Password reset
Role creation
Role maintenance
Next level processes
HR triggers
User Access Reviews
Control Reviews
Emergency/Backup access
New implementations (roll-ins, roll-outs)
People Involved
IT – user administrator
IT – role administrator
Business Process/Data Owners
Risk Controllers/Internal Audit
End users
Example: emergency access
Risks
Uninformed/outdated information -> wrong decisions
Manual errors
Non-compliance
Data loss, data theft, data corruption
Lead times impact business
SAP GRC Access Control Components
Emergency Access Management (EAM)
Provision & Manage Users (PMU)
Business Role Management (BRM)
Analyze & Manage Risks (AMR)
Example: automated emergency access
What can be automated?
Reporting = key: are we facing any risk today? Issue identification is automated
Issue reporting & resolution: root cause analysis
User Access Requests – from user request to provisioning
User Creation/Termination/Access Assignment triggered by HR
Emergency access from ‘need’ to ‘solution’ with detailed logging
Password reset
Gartner: a password reset costs approx. 10-15£/reset.
Gartner: Using automated password reset, a large U.S. beverage producer reduced its IT service desk costs by more than $600,000 in only one year
User access review
Risk & mitigating control review
Role certification
Role Governance process
GRC Access Control: overview
Emergency Access Management (EAM)
Provision & Manage Users (PMU)
Business Role Management (BRM)
Analyze & Manage Risks (AMR)
Issue identification & reporting
Emergency/backup rights
Role Governance
Automated user access request flow
Self service password reset
User Creation
Integration with HR
User Access/Control Review
More advantages of SAP GRC AC
Centralization
Standardization
Real-time Information
Prevention
Root Cause analysis
Documentation
Reduced analysis time
Reduced response times
Resource optimization – cost reduction
GRC Access Control: overview
Emergency Access Management (EAM)
Provision & Manage Users (PMU)
Business Role Management (BRM)
Analyze & Manage Risks (AMR)

Accurately identify and analyze access risk violations in real time
Remediate and mitigate conflicts for users and roles
Continuously monitor access risks and user assignments across the enterprise

Self service emergency access activation
Centrally approve and manage emergency access for all SAP systems
Detailed usage logs for comprehensive emergency access reviews

Centralized business role management
Enforced compliance with format & SOD rules
Automated role governance process involving business & technical owners

Self service user access request process
Preventive risk analysis in user provisioning
Automated workflow for efficiently approving requests
Streamline and automate reviews of user access
The value
IT costs are reduced through
Self service password reset
Automated user access requests
Automated periodic certification reviews
Preventive impact simulation of planned actions & access requests
Automated root cause analysis of issues
Integration with IDM solutions to ensure consistency and compliance across the enterprise

Operational costs are reduced through
Improved response times for access requests
Reduced response time to business emergencies through Emergency Access
Reduced penalties for risk & compliance violations

Audit costs are reduced through
Automated audit trail of changes to rules, access approval & risk mitigation
Automated reporting & centralized location reducing analysis time for internal & external auditors
Value Testimonials
“Finally we have just one place to look for all our compliance rule sets, violations, mitigating controls, … and so forth. That winds up saving us quite a bit of money”
Diana Dayal, Newell Rubbermaid Inc

“SAP BO Access Control and SAP NW Identity Management have helped us save vast amounts of money by automating almost the entire authorization process from access request to approval and documentation”
R. Falke, Vibracoustic GmbH & co

“Using automated password reset, a large U.S. beverage producer reduced its IT service desk costs by more than $600,000 in only one year.”
Gartner

“Although Identity and Access Management has traditionally played the role of gatekeeper, it is now also helping to improve business agility and reduce IT complexity by enabling organizations to quickly control user access”
Deloitte, 2010 TMT Global Security Survey
Thanks for listening!
Any questions?
Expertum: Contact details
Chris Walravens
GRC Competence Lead
T. +32 474 47 59 83
E. [email protected]
www.expertum.net

Melissa Dielman
Account Manager
Sr GRC Consultant
T. +32 470 56 20 63
E. [email protected]
www.expertum.net

Johan Wouters
Sr GRC Consultant
T. +32 493 21 23 03
E. [email protected]
www.expertum.net