grc session notes
TRANSCRIPT
GRC ComponentsGRC Components
FireFighterFireFighter Complaince CalibratorComplaince Calibrator Role ExpertRole Expert Access EnforcerAccess Enforcer Process ControlProcess Control
Firefighter
Firefighter StrategyFirefighter Strategy The Firefighter™ application allows personnel to take The Firefighter™ application allows personnel to take
responsibility for tasks outsideresponsibility for tasks outside
their normal job function. Firefighting is a term describing their normal job function. Firefighting is a term describing the ability to perform tasks in emergency situations.the ability to perform tasks in emergency situations.
Firefighter enables users to perform duties not included in Firefighter enables users to perform duties not included in the roles or profiles assigned to their userIDs. Firefighter the roles or profiles assigned to their userIDs. Firefighter provides this extended capability to users while creating an provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.auditing layer to monitor and record Firefighter usage.
Firefighter is an ABAP‐based and web‐based application that Firefighter is an ABAP‐based and web‐based application that automates all activitiesautomates all activities
related to firefighting, including defining of Firefighter IDs related to firefighting, including defining of Firefighter IDs and Firefighters, assignment of Firefighter ID Owners and and Firefighters, assignment of Firefighter ID Owners and Controllers, and the logging of all transactions executed Controllers, and the logging of all transactions executed during firefighting.during firefighting.
Firefighter
Contd …Contd …
Firefighter temporarily redefines the IDs of users when Firefighter temporarily redefines the IDs of users when assigned with solving a problem, giving them provisionally assigned with solving a problem, giving them provisionally broad, but regulated access. There is complete visibility and broad, but regulated access. There is complete visibility and transparency to everything done during the period.transparency to everything done during the period.
Firefighter provides a solution for systematic handling of Firefighter provides a solution for systematic handling of emergency situations and at the same time managing the risk emergency situations and at the same time managing the risk for the special access necessary to resolve the issue. The for the special access necessary to resolve the issue. The logging of transactions during the process provides the logging of transactions during the process provides the capability to review activities used during an emergency capability to review activities used during an emergency situation.situation.
Firefighter is designed for the use of Firefighting Firefighter is designed for the use of Firefighting Administrators, Owners of Firefighter IDs and FirefightersAdministrators, Owners of Firefighter IDs and Firefighters
FirefighterLogging InformationFirefighter gathers logging information from various sources including the
following:
• Statistical Records/User Activities (STAT) ‐ The SAP Systems also log activitiescategorized by transaction and user in statistical records.• Change Documents (CDHDR) ‐ The SAP Systems capture changes with changedocuments, i.e. entries into the CDHDR table.• Transactions ‐ All transactions which are successfully entered are reported
(whetherany updates were made or not).• Programs Executed ‐ If transactions SA38 or SE38 are executed and a program is
run,the program name will be reported.• Table Updates ‐ If table updates are made, the transaction used to update a table(SE16, SM30) is reported (table name and table entries changed are reported if
tablelogging is enabled).
Log Files:ZVIRFFLOGZFFTNSLOG
FirefighterFirefighter Roles
Before a user can access Firefighter they must be assigned a Firefighter role.
There are three types of Firefighter roles: Administrator, Owner, and Firefighter.
FirefighterFirefighter IDs
A Firefighter ID is a userID with specific roles allowing the Firefighter to perform the required tasks. Each Firefighter is assigned specific Firefighter IDs for a designated period of time.
Once a Firefighter initiates the Firefighter application, only Firefighter IDs assigned to them are displayed and available for use. Each time a Firefighter logs in using a Firefighter ID the login event and any subsequent transaction usage are recorded.
Any existing userID can be designated as a Firefighter ID. However, once specified as a Firefighter ID it can not be used for normal login purposes. In order to avoid this issue for existing userIDs and to make sure the Firefighter ID has only the roles needed to perform the necessary firefighting use SU01 to create new userIDs.
FirefighterFirefighter Users
Firefighter users have specific roles assigned to them.
Firefighter roles determine what features are accessible within the Firefighter program. Three roles are: Administrator, Owner, and Firefighter.
There is a one other type of user, Controller, who are assigned the Owner role.
FirefighterFirefighter Users
Administrators
Firefighter Administrators have complete access to the Firefighter program.
Administrators are the only Firefighter user that can create Firefighter ID passwords. All other Firefighter users receive an error when attempting to open the Firefighter Security table.
Administrators have the responsibility for assigning Firefighter IDs to Owners and can also assign Firefighter IDs to Firefighters.
Administrators are also the only Firefighter users with the ability to access the Firefighter Tool Box and generate reports. The exception is the Log report, which is accessible from the Administration menu and the toolbar in the Firefighter Cockpit.
FirefighterFirefighter Users
Owners
Owners can assign Firefighter IDs to Firefighters and Controllers.
When accessing the Firefighter program Owners only see Firefighter IDs assigned to them by the Firefighter Administrator.
Owners can be Controllers by assigning Firefighter IDs to themselves in the Controllers table.
Owners can also assign Firefighter IDs to themselves in the Firefighters table to perform firefighting tasks.
Firefighter Version 5.2
Firefighters Firefighters have access to the Firefighter IDs assigned to
them and can use the Firefighter IDs to perform any tasks permissible by the Firefighter ID roles.
Controllers Controllers are responsible for auditing the usage of
Firefighter IDs by viewing the Firefighter Log report and receiving email notification of Firefighter ID logins.
Email notification is enabled through the Controllers table and the Firefighter Configuration table.
Controllers can view the Log report within Firefighter or have the Log report emailed as a text file attachment.
ReportsReports Log Report This report displays information about
Firefighter ID logins and transaction usage. Log Summary Report This report lists Firefighters using
each Firefighter ID. Reason/Activity Report This report lists the reason and
activity for each login event. Transaction Usage Report This report can be generated
in summary or detail form and lists a count of transactions executed and the transaction codes used by each Firefighter.
Invalid User Report This report lists any users who are not authorized.
SOD Conflicts Report This report lists any separation of duties conflicts.
Role Based Log Report This report lists information pertaining to Firefighter usage by roles.
Creating Firefighter Users
Roles:Dialog User - Administrator Role -
/VIRSA/Z_VFAT_ADMINISTRATORService User –2a. Firefighter Role -
/VIRSA/Z_VFAT_Firefighter2b. Owner Role - /VIRSA/Z_VFAT_ID_Owner2c. Controller Role (Same)-/VIRSA/Z_FAT_ID_Owner
Creating Firefighter Users
/N / Virsa/VFAT :Click New Entries:
Initial Configuration
These following procedures must be completed before using the Firefighter program.
Define Remote Function Call (RFC) Destination
Firefighter requires an RFC destination to call a specific RFC‐enabled function module.Each time a Firefighter ID logs in and creates a new session the RFC is used. The RFCdestination must be basic with no access or users attached to it. Firefighter can beconfigured to use an existing RFC. To define an RFC destination, use transaction SM59 or work with your Basis Administrator.
The following screenshot displays the default settings for creating the Remote FunctionCall. The RFC can have any name. Once you create the RFC, use the FirefighterConfiguration table to specify the RFC to be used by Firefighter.
Initial Configuration
Compliance Calibrator
Web Based Tool designed to identify all SOD & Security Audit Reporting and End to End Accesibility for Particular Functions.
Types of Risks: SOD Risk Critical Action Risk Critical Permission Risk.
Risk can be defined as two (or) more Actions when available to a single user (or) Role which creates the Possibility of error.
Rule Architect:To import or Export Ruleset data, into GRT System, we have done the Rule set data import/ export using Utilities Option .
Compliance Calibrator
Rule Library
Business Process
Rule Sets
Functions
Risks
RisksRisks
RisksRisks
If You want prioritise the Risk Id, search by clicking the Risk If You want prioritise the Risk Id, search by clicking the Risk id Button:id Button:
RisksRisks
Risk Level can be selected by clicking the Button as shownRisk Level can be selected by clicking the Button as shown
Action RulesAction Rules
Action RulesAction Rules
Action RulesAction Rules
Action RulesAction Rules
No SOD Conflicts
Permission RulesPermission RulesNo SOD ConflictsCritical Permissions:
Permission RulesPermission Rules
Mitigation Overview
Mitigate the Risk
The risk “F00500M: Maintain bank account and post a payment from it” already has Mitigate SelectedClick ContinueNOTE: Choose an appropriate mitigating control, from approved mitigation list. It is important to have “control” around mitigations to make sure they are meaningful.This is a very important step and not available in other solutions. When your auditor arrives 6 months down the road and sees that Brent Bailo has SoD risk in his authorizations, they will noticethat you have assigned a mitigating control – in addition they will see that you have evendocumented that control – GREAT, better than most companies. Now the mitigating control suggests that the Corporate Accountant will run a report on a weekly basis – the auditor will ask, “Can you prove to me that this report was actually run and reviewed?” The “mitigation monitor” is an individual who will get an e-mail if the payment detail report is not run on a weekly basis and they will follow-up with the Corporate Accountant to help ensure control effectiveness.Search for Mitigation ControlSelect Mitigation Control: FI_002790
Risk MitigationRisk Mitigation
Risk MitigationRisk MitigationEnter Control Valid to: (current date)Enter Control Valid to: (current date)
Select a Monitor ID: HASSELT and Save.Select a Monitor ID: HASSELT and Save.
Remediation through “Access Removal’Remediation through “Access Removal’
Select ‘Remove Access from the User’ (vs Mitigate the Risk which was the default)Select ‘Remove Access from the User’ (vs Mitigate the Risk which was the default)
Risk ResolutionRisk Resolution
Click ‘Continue’Click ‘Continue’NOTE: If this user had been running transactions, from here you can NOTE: If this user had been running transactions, from here you can see exactly how many times the user has performed the transaction see exactly how many times the user has performed the transaction since the time the user got access to the system.since the time the user got access to the system.Many users do not even know they have access. SAP GRC Access Many users do not even know they have access. SAP GRC Access Control allows business users to collaborate with technical users on Control allows business users to collaborate with technical users on risk resolution. The business user is the correct person to make the risk resolution. The business user is the correct person to make the risk tradeoff of whether BBAILO should have this access or not, BUT risk tradeoff of whether BBAILO should have this access or not, BUT they are probably not the right person to decide to I remove this they are probably not the right person to decide to I remove this transaction from the role (which will affect other users), this is a transaction from the role (which will affect other users), this is a technical tradeoff. SAP GRC Access Control sends a workflow ticket technical tradeoff. SAP GRC Access Control sends a workflow ticket off to a technical user to implement the remediation.off to a technical user to implement the remediation.Click ‘Cancel’Click ‘Cancel’Delimit access for the userDelimit access for the userDelimit will allow you to specify a certain time period where the Delimit will allow you to specify a certain time period where the user’s access will remain before the workflow ticket is sent off for user’s access will remain before the workflow ticket is sent off for resolution.resolution.Select “delimit access for the user”Select “delimit access for the user”
Risk ResolutionRisk Resolution
Risk ResolutionRisk ResolutionClick ContinueClick ContinueEnter a comment: “Please investigate removing role from Brent or transaction from the Enter a comment: “Please investigate removing role from Brent or transaction from the
role”role”Click CancelClick CancelClick “User Level’ (Left hand table)Click “User Level’ (Left hand table)As you Know , for Prevention through Simulation:As you Know , for Prevention through Simulation:
Simulation – User LevelSimulation – User Level
Simulation – User LevelSimulation – User Level
While Simulating the Roles , we have to consider the Ignore Mitigation as Yes
Mitigation ControlsMitigation Controls
Overview Mitigation ControlsOverview Mitigation Controls
1. Use the Pie Chart and review the Mitigation controls defined1. Use the Pie Chart and review the Mitigation controls defined
2. Use the Graph and review the mitigation controls for each of the controls 2. Use the Graph and review the mitigation controls for each of the controls by process.by process.
3. Logoff .3. Logoff .
Create ControlsCreate Controls
Previously we had shown how Fox had assigned mitigating control “XXX” with Previously we had shown how Fox had assigned mitigating control “XXX” with control monitorcontrol monitor
JMurphy to mitigate a high risk that Brent Bailo has had. In order for Fox to JMurphy to mitigate a high risk that Brent Bailo has had. In order for Fox to select a mitigatingselect a mitigating
control previously had to create appropriate controls for his area of control previously had to create appropriate controls for his area of responsibility.responsibility.
Mitigation ControlsMitigation Controls
Let’s take a quick look at how Fox has created the mitigating control.Let’s take a quick look at how Fox has created the mitigating control.1. Log into the Compliance Calibrator demo server:1. Log into the Compliance Calibrator demo server:http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/
ComplianceCalibratorComplianceCalibratorUSER PASSWORDUSER PASSWORDFwilson sarbanes1Fwilson sarbanes12. Select ‘Mitigation’ Tab2. Select ‘Mitigation’ Tab3. Click ‘Mitigation Controls’3. Click ‘Mitigation Controls’4. Click “Create”4. Click “Create”5. Set Mitigation Control ID: FI_00095. Set Mitigation Control ID: FI_00096. Enter the Description:6. Enter the Description:Reports “Display Critical Vendor Changes” (S_ALR_87010040) and “Vendor List”Reports “Display Critical Vendor Changes” (S_ALR_87010040) and “Vendor List”(S_ALR_87010036) are reviewed by the Master Data Manager.(S_ALR_87010036) are reviewed by the Master Data Manager.7. Set Business Unit: CORP FINANCE7. Set Business Unit: CORP FINANCE8. Set Management Approval: MBOND8. Set Management Approval: MBOND9. Click the Plus sign to add a risk9. Click the Plus sign to add a risk10. Select the10. Select the11. Search for P00111. Search for P00112. Select P00112. Select P001
Mitigation ControlsMitigation Controls
Mitigation ControlsMitigation Controls
13. Select the “Monitors Tab”14. Select the plus sign to add a monitor ID15. Set Monitor ID: “APPROCESS”16. Click the plus sign to add another monitor ID17. Set Monitor ID: “JMURPHY”
Mitigation ControlsMitigation Controls
18. Select the “Reports Tab’18. Select the “Reports Tab’19. Click the Plus sign to add a report19. Click the Plus sign to add a report20. Set System: ERP - Discovery20. Set System: ERP - Discovery21. Set Action: S_ALR_8701004021. Set Action: S_ALR_8701004022. Set Monitor: JMURPHY22. Set Monitor: JMURPHY23. Set Frequency to “1”23. Set Frequency to “1”24. Click the plus sign to add another report24. Click the plus sign to add another report25. Set System: : ERP - Discovery25. Set System: : ERP - Discovery26. Set Action: S_ALR_8701003626. Set Action: S_ALR_8701003627. Set Monitor: JMURPHY27. Set Monitor: JMURPHY28. Set Frequency to “1”28. Set Frequency to “1”
Mitigating ID SearchMitigating ID Search
Mitigation ControlsMitigation Controls
Mitigation ControlsMitigation Controls
29. Click “Save”29. Click “Save”30. Logoff Fox Wilson30. Logoff Fox WilsonLet’s take a quick look at the Mitigation Control that Fox had created.Let’s take a quick look at the Mitigation Control that Fox had created.31. Log into the Compliance Calibrator demo server:31. Log into the Compliance Calibrator demo server:http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/
ComplianceCalibratorComplianceCalibratorUSER PASSWORDUSER PASSWORDFwilson sarbanes1Fwilson sarbanes132. Select ‘Mitigation’ Tab32. Select ‘Mitigation’ Tab33. Click ‘Mitigation Controls”33. Click ‘Mitigation Controls”34. Click “Search”34. Click “Search”35. Set Mitigation Control ID: FI_000935. Set Mitigation Control ID: FI_0009Fox can now verify that the mitigation control was created.Fox can now verify that the mitigation control was created.Executive-Level ViewExecutive-Level ViewExecutive Progress Tracking – Interaction with management.Executive Progress Tracking – Interaction with management.If not already logged on, log onto Fox WilsonIf not already logged on, log onto Fox Wilson36. Log into the Compliance Calibrator demo server:36. Log into the Compliance Calibrator demo server:http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/
ComplianceCalibratorComplianceCalibratorUSER PASSWORDUSER PASSWORDFwilson sarbanes1Fwilson sarbanes137. Select ‘Informer’ Tab37. Select ‘Informer’ Tab38. Click ‘Management View.’38. Click ‘Management View.’
SOD Summary ReportsSOD Summary Reports
GRT Background Job AdministrationGRT Background Job Administration
Risk ViolationsRisk Violations
Informer Date Status
Pictorial Representation of SOD Violations
ConfigurationConfiguration
ConfigurationConfiguration
Background JobsBackground Jobs
Background JobsBackground JobsSelect Job Type as Daily and click Search:
Background JobsBackground Jobs
Background JobsBackground JobsSelect Job Type as Monthly and click Search:
Scheduling Background JobScheduling Background Job - User Analysis,Like the same way, for Risk and Profile Analysis are Scheduled.
Scheduling Background JobScheduling Background Job - User Analysis,Like the same way, for Risk and Profile Analysis are Scheduled.
Scheduling Background Job
Scheduling User Analysis based Batch Jobs
Scheduling Role Analysis based Batch Jobs
Scheduling Profile Analysis based Batch Jobs
Audit ReportsAudit Reports
Audit Reports – Mitigating ControlsAudit Reports – Mitigating Controls
User Management EngineUser Management Engine
User Management EngineUser Management Engine
Roles assignedGroups assigned
ThankyouThankyou