grc session notes

GRC ComponentsGRC Components

FireFighterFireFighter Complaince CalibratorComplaince Calibrator Role ExpertRole Expert Access EnforcerAccess Enforcer Process ControlProcess Control

Firefighter

Firefighter StrategyFirefighter Strategy The Firefighter™ application allows personnel to take The Firefighter™ application allows personnel to take

responsibility for tasks outsideresponsibility for tasks outside

their normal job function. Firefighting is a term describing their normal job function. Firefighting is a term describing the ability to perform tasks in emergency situations.the ability to perform tasks in emergency situations.

Firefighter enables users to perform duties not included in Firefighter enables users to perform duties not included in the roles or profiles assigned to their userIDs. Firefighter the roles or profiles assigned to their userIDs. Firefighter provides this extended capability to users while creating an provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.auditing layer to monitor and record Firefighter usage.

Firefighter is an ABAP‐based and web‐based application that Firefighter is an ABAP‐based and web‐based application that automates all activitiesautomates all activities

related to firefighting, including defining of Firefighter IDs related to firefighting, including defining of Firefighter IDs and Firefighters, assignment of Firefighter ID Owners and and Firefighters, assignment of Firefighter ID Owners and Controllers, and the logging of all transactions executed Controllers, and the logging of all transactions executed during firefighting.during firefighting.

Firefighter

Contd …Contd …

Firefighter temporarily redefines the IDs of users when Firefighter temporarily redefines the IDs of users when assigned with solving a problem, giving them provisionally assigned with solving a problem, giving them provisionally broad, but regulated access. There is complete visibility and broad, but regulated access. There is complete visibility and transparency to everything done during the period.transparency to everything done during the period.

Firefighter provides a solution for systematic handling of Firefighter provides a solution for systematic handling of emergency situations and at the same time managing the risk emergency situations and at the same time managing the risk for the special access necessary to resolve the issue. The for the special access necessary to resolve the issue. The logging of transactions during the process provides the logging of transactions during the process provides the capability to review activities used during an emergency capability to review activities used during an emergency situation.situation.

Firefighter is designed for the use of Firefighting Firefighter is designed for the use of Firefighting Administrators, Owners of Firefighter IDs and FirefightersAdministrators, Owners of Firefighter IDs and Firefighters

FirefighterLogging InformationFirefighter gathers logging information from various sources including the

following:

• Statistical Records/User Activities (STAT) ‐ The SAP Systems also log activitiescategorized by transaction and user in statistical records.• Change Documents (CDHDR) ‐ The SAP Systems capture changes with changedocuments, i.e. entries into the CDHDR table.• Transactions ‐ All transactions which are successfully entered are reported

(whetherany updates were made or not).• Programs Executed ‐ If transactions SA38 or SE38 are executed and a program is

run,the program name will be reported.• Table Updates ‐ If table updates are made, the transaction used to update a table(SE16, SM30) is reported (table name and table entries changed are reported if

tablelogging is enabled).

Log Files:ZVIRFFLOGZFFTNSLOG

FirefighterFirefighter Roles

Before a user can access Firefighter they must be assigned a Firefighter role.

There are three types of Firefighter roles: Administrator, Owner, and Firefighter.

FirefighterFirefighter IDs

A Firefighter ID is a userID with specific roles allowing the Firefighter to perform the required tasks. Each Firefighter is assigned specific Firefighter IDs for a designated period of time.

Once a Firefighter initiates the Firefighter application, only Firefighter IDs assigned to them are displayed and available for use. Each time a Firefighter logs in using a Firefighter ID the login event and any subsequent transaction usage are recorded.

Any existing userID can be designated as a Firefighter ID. However, once specified as a Firefighter ID it can not be used for normal login purposes. In order to avoid this issue for existing userIDs and to make sure the Firefighter ID has only the roles needed to perform the necessary firefighting use SU01 to create new userIDs.

FirefighterFirefighter Users

Firefighter users have specific roles assigned to them.

Firefighter roles determine what features are accessible within the Firefighter program. Three roles are: Administrator, Owner, and Firefighter.

There is a one other type of user, Controller, who are assigned the Owner role.


Administrators

Firefighter Administrators have complete access to the Firefighter program.

Administrators are the only Firefighter user that can create Firefighter ID passwords. All other Firefighter users receive an error when attempting to open the Firefighter Security table.

Administrators have the responsibility for assigning Firefighter IDs to Owners and can also assign Firefighter IDs to Firefighters.

Administrators are also the only Firefighter users with the ability to access the Firefighter Tool Box and generate reports. The exception is the Log report, which is accessible from the Administration menu and the toolbar in the Firefighter Cockpit.


Owners

Owners can assign Firefighter IDs to Firefighters and Controllers.

When accessing the Firefighter program Owners only see Firefighter IDs assigned to them by the Firefighter Administrator.

Owners can be Controllers by assigning Firefighter IDs to themselves in the Controllers table.

Owners can also assign Firefighter IDs to themselves in the Firefighters table to perform firefighting tasks.

Firefighter Version 5.2

Firefighters Firefighters have access to the Firefighter IDs assigned to

them and can use the Firefighter IDs to perform any tasks permissible by the Firefighter ID roles.

Controllers Controllers are responsible for auditing the usage of

Firefighter IDs by viewing the Firefighter Log report and receiving email notification of Firefighter ID logins.

Email notification is enabled through the Controllers table and the Firefighter Configuration table.

Controllers can view the Log report within Firefighter or have the Log report emailed as a text file attachment.

ReportsReports Log Report This report displays information about

Firefighter ID logins and transaction usage. Log Summary Report This report lists Firefighters using

each Firefighter ID. Reason/Activity Report This report lists the reason and

activity for each login event. Transaction Usage Report This report can be generated

in summary or detail form and lists a count of transactions executed and the transaction codes used by each Firefighter.

Invalid User Report This report lists any users who are not authorized.

SOD Conflicts Report This report lists any separation of duties conflicts.

Role Based Log Report This report lists information pertaining to Firefighter usage by roles.

Creating Firefighter Users

Roles:Dialog User - Administrator Role -

/VIRSA/Z_VFAT_ADMINISTRATORService User –2a. Firefighter Role -

/VIRSA/Z_VFAT_Firefighter2b. Owner Role - /VIRSA/Z_VFAT_ID_Owner2c. Controller Role (Same)-/VIRSA/Z_FAT_ID_Owner

Creating Firefighter Users

/N / Virsa/VFAT :Click New Entries:

Initial Configuration

These following procedures must be completed before using the Firefighter program.

Define Remote Function Call (RFC) Destination

Firefighter requires an RFC destination to call a specific RFC‐enabled function module.Each time a Firefighter ID logs in and creates a new session the RFC is used. The RFCdestination must be basic with no access or users attached to it. Firefighter can beconfigured to use an existing RFC. To define an RFC destination, use transaction SM59 or work with your Basis Administrator.

The following screenshot displays the default settings for creating the Remote FunctionCall. The RFC can have any name. Once you create the RFC, use the FirefighterConfiguration table to specify the RFC to be used by Firefighter.

Initial Configuration

Compliance Calibrator

Web Based Tool designed to identify all SOD & Security Audit Reporting and End to End Accesibility for Particular Functions.

Types of Risks: SOD Risk Critical Action Risk Critical Permission Risk.

Risk can be defined as two (or) more Actions when available to a single user (or) Role which creates the Possibility of error.

Rule Architect:To import or Export Ruleset data, into GRT System, we have done the Rule set data import/ export using Utilities Option .

Compliance Calibrator

Rule Library

Business Process

Rule Sets

Functions

RisksRisks

RisksRisks

If You want prioritise the Risk Id, search by clicking the Risk If You want prioritise the Risk Id, search by clicking the Risk id Button:id Button:

RisksRisks

Risk Level can be selected by clicking the Button as shownRisk Level can be selected by clicking the Button as shown

Action RulesAction Rules

Action RulesAction Rules

No SOD Conflicts

Permission RulesPermission RulesNo SOD ConflictsCritical Permissions:

Permission RulesPermission Rules

Mitigation Overview

Mitigate the Risk

The risk “F00500M: Maintain bank account and post a payment from it” already has Mitigate SelectedClick ContinueNOTE: Choose an appropriate mitigating control, from approved mitigation list. It is important to have “control” around mitigations to make sure they are meaningful.This is a very important step and not available in other solutions. When your auditor arrives 6 months down the road and sees that Brent Bailo has SoD risk in his authorizations, they will noticethat you have assigned a mitigating control – in addition they will see that you have evendocumented that control – GREAT, better than most companies. Now the mitigating control suggests that the Corporate Accountant will run a report on a weekly basis – the auditor will ask, “Can you prove to me that this report was actually run and reviewed?” The “mitigation monitor” is an individual who will get an e-mail if the payment detail report is not run on a weekly basis and they will follow-up with the Corporate Accountant to help ensure control effectiveness.Search for Mitigation ControlSelect Mitigation Control: FI_002790

Risk MitigationRisk Mitigation

Risk MitigationRisk MitigationEnter Control Valid to: (current date)Enter Control Valid to: (current date)

Select a Monitor ID: HASSELT and Save.Select a Monitor ID: HASSELT and Save.

Remediation through “Access Removal’Remediation through “Access Removal’

Select ‘Remove Access from the User’ (vs Mitigate the Risk which was the default)Select ‘Remove Access from the User’ (vs Mitigate the Risk which was the default)

Risk ResolutionRisk Resolution

Click ‘Continue’Click ‘Continue’NOTE: If this user had been running transactions, from here you can NOTE: If this user had been running transactions, from here you can see exactly how many times the user has performed the transaction see exactly how many times the user has performed the transaction since the time the user got access to the system.since the time the user got access to the system.Many users do not even know they have access. SAP GRC Access Many users do not even know they have access. SAP GRC Access Control allows business users to collaborate with technical users on Control allows business users to collaborate with technical users on risk resolution. The business user is the correct person to make the risk resolution. The business user is the correct person to make the risk tradeoff of whether BBAILO should have this access or not, BUT risk tradeoff of whether BBAILO should have this access or not, BUT they are probably not the right person to decide to I remove this they are probably not the right person to decide to I remove this transaction from the role (which will affect other users), this is a transaction from the role (which will affect other users), this is a technical tradeoff. SAP GRC Access Control sends a workflow ticket technical tradeoff. SAP GRC Access Control sends a workflow ticket off to a technical user to implement the remediation.off to a technical user to implement the remediation.Click ‘Cancel’Click ‘Cancel’Delimit access for the userDelimit access for the userDelimit will allow you to specify a certain time period where the Delimit will allow you to specify a certain time period where the user’s access will remain before the workflow ticket is sent off for user’s access will remain before the workflow ticket is sent off for resolution.resolution.Select “delimit access for the user”Select “delimit access for the user”

Risk ResolutionRisk Resolution

Risk ResolutionRisk ResolutionClick ContinueClick ContinueEnter a comment: “Please investigate removing role from Brent or transaction from the Enter a comment: “Please investigate removing role from Brent or transaction from the

role”role”Click CancelClick CancelClick “User Level’ (Left hand table)Click “User Level’ (Left hand table)As you Know , for Prevention through Simulation:As you Know , for Prevention through Simulation:

Simulation – User LevelSimulation – User Level

Simulation – User LevelSimulation – User Level

While Simulating the Roles , we have to consider the Ignore Mitigation as Yes

Mitigation ControlsMitigation Controls

Overview Mitigation ControlsOverview Mitigation Controls

1. Use the Pie Chart and review the Mitigation controls defined1. Use the Pie Chart and review the Mitigation controls defined

2. Use the Graph and review the mitigation controls for each of the controls 2. Use the Graph and review the mitigation controls for each of the controls by process.by process.

3. Logoff .3. Logoff .

Create ControlsCreate Controls

Previously we had shown how Fox had assigned mitigating control “XXX” with Previously we had shown how Fox had assigned mitigating control “XXX” with control monitorcontrol monitor

JMurphy to mitigate a high risk that Brent Bailo has had. In order for Fox to JMurphy to mitigate a high risk that Brent Bailo has had. In order for Fox to select a mitigatingselect a mitigating

control previously had to create appropriate controls for his area of control previously had to create appropriate controls for his area of responsibility.responsibility.


Let’s take a quick look at how Fox has created the mitigating control.Let’s take a quick look at how Fox has created the mitigating control.1. Log into the Compliance Calibrator demo server:1. Log into the Compliance Calibrator demo server:http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/

ComplianceCalibratorComplianceCalibratorUSER PASSWORDUSER PASSWORDFwilson sarbanes1Fwilson sarbanes12. Select ‘Mitigation’ Tab2. Select ‘Mitigation’ Tab3. Click ‘Mitigation Controls’3. Click ‘Mitigation Controls’4. Click “Create”4. Click “Create”5. Set Mitigation Control ID: FI_00095. Set Mitigation Control ID: FI_00096. Enter the Description:6. Enter the Description:Reports “Display Critical Vendor Changes” (S_ALR_87010040) and “Vendor List”Reports “Display Critical Vendor Changes” (S_ALR_87010040) and “Vendor List”(S_ALR_87010036) are reviewed by the Master Data Manager.(S_ALR_87010036) are reviewed by the Master Data Manager.7. Set Business Unit: CORP FINANCE7. Set Business Unit: CORP FINANCE8. Set Management Approval: MBOND8. Set Management Approval: MBOND9. Click the Plus sign to add a risk9. Click the Plus sign to add a risk10. Select the10. Select the11. Search for P00111. Search for P00112. Select P00112. Select P001


13. Select the “Monitors Tab”14. Select the plus sign to add a monitor ID15. Set Monitor ID: “APPROCESS”16. Click the plus sign to add another monitor ID17. Set Monitor ID: “JMURPHY”


18. Select the “Reports Tab’18. Select the “Reports Tab’19. Click the Plus sign to add a report19. Click the Plus sign to add a report20. Set System: ERP - Discovery20. Set System: ERP - Discovery21. Set Action: S_ALR_8701004021. Set Action: S_ALR_8701004022. Set Monitor: JMURPHY22. Set Monitor: JMURPHY23. Set Frequency to “1”23. Set Frequency to “1”24. Click the plus sign to add another report24. Click the plus sign to add another report25. Set System: : ERP - Discovery25. Set System: : ERP - Discovery26. Set Action: S_ALR_8701003626. Set Action: S_ALR_8701003627. Set Monitor: JMURPHY27. Set Monitor: JMURPHY28. Set Frequency to “1”28. Set Frequency to “1”

Mitigating ID SearchMitigating ID Search


29. Click “Save”29. Click “Save”30. Logoff Fox Wilson30. Logoff Fox WilsonLet’s take a quick look at the Mitigation Control that Fox had created.Let’s take a quick look at the Mitigation Control that Fox had created.31. Log into the Compliance Calibrator demo server:31. Log into the Compliance Calibrator demo server:http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/

ComplianceCalibratorComplianceCalibratorUSER PASSWORDUSER PASSWORDFwilson sarbanes1Fwilson sarbanes132. Select ‘Mitigation’ Tab32. Select ‘Mitigation’ Tab33. Click ‘Mitigation Controls”33. Click ‘Mitigation Controls”34. Click “Search”34. Click “Search”35. Set Mitigation Control ID: FI_000935. Set Mitigation Control ID: FI_0009Fox can now verify that the mitigation control was created.Fox can now verify that the mitigation control was created.Executive-Level ViewExecutive-Level ViewExecutive Progress Tracking – Interaction with management.Executive Progress Tracking – Interaction with management.If not already logged on, log onto Fox WilsonIf not already logged on, log onto Fox Wilson36. Log into the Compliance Calibrator demo server:36. Log into the Compliance Calibrator demo server:http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/http://SAPDiscoverySystem:51000/webdynpro/dispatcher/virsa/ccappcomp/

ComplianceCalibratorComplianceCalibratorUSER PASSWORDUSER PASSWORDFwilson sarbanes1Fwilson sarbanes137. Select ‘Informer’ Tab37. Select ‘Informer’ Tab38. Click ‘Management View.’38. Click ‘Management View.’

SOD Summary ReportsSOD Summary Reports

GRT Background Job AdministrationGRT Background Job Administration

Risk ViolationsRisk Violations

Informer Date Status

Pictorial Representation of SOD Violations

ConfigurationConfiguration

Background JobsBackground Jobs

Background JobsBackground JobsSelect Job Type as Daily and click Search:

Background JobsBackground Jobs

Background JobsBackground JobsSelect Job Type as Monthly and click Search:

Scheduling Background JobScheduling Background Job - User Analysis,Like the same way, for Risk and Profile Analysis are Scheduled.

Scheduling Background Job

Scheduling User Analysis based Batch Jobs

Scheduling Role Analysis based Batch Jobs

Scheduling Profile Analysis based Batch Jobs