grcsg2014_kumar_lessons for ensuring_f2e [compatibility mode]
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2014 Wellesley Information Services. All rights reserved.
Lessons and Strategies for Ensuring Your SAP Systems Remain Compliant
Barun Kumar, Turnkey Consulting Malaysia
In This Session
• Understand the key challenges to maintaining compliance over time
• Consider ways to integrate compliance into good practice on projects and as part of BAU
• Learn how to develop a sustainable approach to compliance that includes not just technology but also organization and process
• Provide tips on extending the reach of GRC to optimize your compliance environment
• Understand the standard SAP tools available to help you remain compliant
What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up
Lack of Governance and Control
• There is often a gap between those setting the objectives and those responsible for administering the controls
  ◦ Not always aligned
  ◦ Do not communicate – not aware of gaps or changes in the environment
• Decision-making authority does not reside at the right level
  ◦ Lack of clarity over who can make decisions
• Owners and approvers are not identified
  ◦ May have changed over time
  ◦ Documentation not maintained
Understanding Compliance Objectives and Solution
• Finance organization is usually responsible for setting objectives
  ◦ Do not always have detailed knowledge of the SAP solution
  ◦ Are the objectives really aligned with the business perception of risk?
    ▪ Too many/too few
    ▪ Do not reflect risk profile
• Business finds it difficult to manage the volume of process controls
  ◦ Testing, monitoring
  ◦ Unable to prioritize
• Administrators do not understand the risks being mitigated
  ◦ Controls may not be implemented correctly or at all
Unwieldy Processes That Are Overly Complex
• Processes often have unnecessary steps and checks built in
  ◦ Inefficient processes that take too long
  ◦ No value add
• Increased risk to the organization
  ◦ Users bypass the process just to “get things done”
    ▪ No controls
    ▪ E.g., users sharing powerful IDs
    ▪ E.g., changes made directly in production
• Increased cost
  ◦ Support costs increase along with the cost of non-compliance
    ▪ Investigate and resolve issues
    ▪ Financial loss incurred
Gaps in the Supporting Technology
• Difficult to maintain compliance without some degree of automation …
• … but it needs to be configured correctly to avoid the pitfalls of process complexity
• Workflow approvals
  ◦ Delegation of authority set up?
• Alert monitoring
  ◦ Are you notified when suspicious activity or a compliance breach occurs?
• SoD matrix
  ◦ How easy is it to identify and mitigate potential conflicts?
Establish Your Control Framework
• Develop a framework that supports business goals
  ◦ Ensures IT goals are aligned
  ◦ Across the organization
• Identify the core control objectives and prioritize
  ◦ Business risk
  ◦ Complexity
  ◦ Known areas of weakness
• Define and design controls
• Test the effectiveness of the controls
• Document testing for continuous use
Build the Right Controls into Your Business Processes
• Business process controls should be identified and applied
  ◦ During an implementation
  ◦ As part of any redesign or enhancement activity
  ◦ May be manual or automated
  ◦ Detective or preventative
• Controls should be commensurate with the associated risk
  ◦ E.g., do not add verification steps if no one will review the output and take action accordingly
• Use control mechanisms to simplify the process wherever possible
  ◦ Workflow tools, e.g., to manage PO approvals, set tolerances
Ensure Appropriate IT Controls Are in Place
• Environment build standards are in place and are followed
  ◦ System parameters
  ◦ Security components and audit logging
• Technical change and release management processes are followed
  ◦ Impact assessment completed by appropriately skilled staff
  ◦ Changes are tested
  ◦ Approvers are defined
  ◦ Changes are documented
  ◦ Alignment between production stack and project stack
    ▪ QA and Prod in sync
    ▪ Regression testing
Develop Relevant Access Controls Across the Landscape
• Role design concept is documented and maintained
  ◦ End user and support team roles
  ◦ Concept is easy to understand and administer
• Role owners/approvers identified within the business
  ◦ Understand role content and control objectives
• Role documentation is maintained
  ◦ Changes
  ◦ Restrictions and org. levels
• SoD reviews are conducted as part of role build or role change
  ◦ Reviews of single roles and sensitive access checks
  ◦ Conflicts are mitigated
• Changes are tested and approved
Access Controls Apply Not Only in Production
• Specific roles defined for non-Production access
• SoD checks should still be applied
  ◦ Particular focus on sensitive access
• Data restrictions should be considered
  ◦ Production data available in QA systems for testing?
  ◦ HR, customer, vendor details widely available?
  ◦ Data privacy constraints
Implement Efficient User Management Processes
• Ensure processes are aligned with agreed standards
• Determine approvers and document these for support teams
  ◦ Make sure documentation is kept up to date
• Simplify the request form
  ◦ Easy to complete
  ◦ Easy to identify the access required
• Use of identity management tools
  ◦ Joiners and leavers
  ◦ Follow up on users that have not logged on for an extended period or have never logged on
  ◦ Contractors/third parties
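The follow-up on leavers, dormant IDs and contractors described above is a routine check that can be run against a user-master extract. The Python below is an added example, not part of the original deck and not Turnkey Consulting's code: the record layout is modelled on USR02 column names (BNAME, USTYP, ERDAT, TRDAT, GLTGB, UFLAG), the user-group column with the value "EXTERNAL" for contractors, the 90-day and 30-day thresholds, and all sample IDs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed records in the shape of a flattened user-master extract. Column names
# are modelled on USR02 (BNAME user name, USTYP user type, ERDAT created on,
# TRDAT last logon, GLTGB valid to, UFLAG lock flag); the user-group column and the
# value "EXTERNAL" for contractors are an assumed local convention.
@dataclass
class UserRecord:
    bname: str
    ustyp: str              # "A" dialog, "S" service, "B" system, "C" communication
    erdat: date             # date the ID was created
    trdat: Optional[date]   # last logon date; None = never logged on
    gltgb: Optional[date]   # validity end date; None = unlimited
    uflag: int              # 0 = not locked; non-zero = locked (64 = admin lock, assumed)
    user_group: str

INACTIVE_DAYS = 90          # assumed review threshold; align with the agreed standard
NEVER_USED_GRACE_DAYS = 30  # assumed grace period before an unused new ID is chased


def review_user(u: UserRecord, today: date) -> List[str]:
    """Findings for one ID that the user-management team should follow up."""
    findings: List[str] = []
    # Only unlocked dialog and service IDs are in scope here; system and
    # communication IDs (RFC, background) are reviewed separately.
    if u.ustyp not in ("A", "S") or u.uflag != 0:
        return findings
    if u.gltgb is not None and u.gltgb < today:
        # Validity has ended but the ID is still unlocked: the leaver step did not complete.
        findings.append("EXPIRED_NOT_LOCKED")
    if u.trdat is None:
        if (today - u.erdat).days > NEVER_USED_GRACE_DAYS:
            findings.append("NEVER_LOGGED_ON")
    elif (today - u.trdat).days > INACTIVE_DAYS:
        findings.append("INACTIVE")
    if u.user_group == "EXTERNAL" and u.gltgb is None:
        # Contractor / third-party ID with no end date: nothing switches it off when
        # the engagement ends, so a validity period should be set.
        findings.append("CONTRACTOR_NO_END_DATE")
    return findings


def review_users(users: List[UserRecord], today: date) -> Dict[str, List[str]]:
    """User name -> findings, for every ID that needs follow-up."""
    report: Dict[str, List[str]] = {}
    for u in users:
        f = review_user(u, today)
        if f:
            report[u.bname] = f
    return report


# Constructed sample extract and reporting date.
TODAY = date(2014, 6, 30)
SAMPLE_USERS = [
    UserRecord("JSMITH",    "A", date(2012, 3, 1),  date(2014, 6, 27), None,              0,  "FINANCE"),
    UserRecord("AKUMAR",    "A", date(2013, 1, 15), date(2014, 2, 10), None,              0,  "SALES"),
    UserRecord("TTEMP01",   "A", date(2014, 5, 1),  None,              None,              0,  "FINANCE"),
    UserRecord("NEWUSER",   "A", date(2014, 6, 20), None,              None,              0,  "FINANCE"),
    UserRecord("CONTR01",   "A", date(2013, 9, 1),  date(2014, 6, 20), None,              0,  "EXTERNAL"),
    UserRecord("LEAVER01",  "A", date(2011, 5, 5),  date(2014, 5, 30), date(2014, 5, 31), 0,  "HR"),
    UserRecord("RFC_BATCH", "B", date(2010, 1, 1),  None,              None,              0,  "TECHNICAL"),
    UserRecord("OLDLOCK",   "A", date(2010, 1, 1),  date(2012, 1, 1),  None,              64, "SALES"),
]

if __name__ == "__main__":
    for name, findings in review_users(SAMPLE_USERS, TODAY).items():
        print(f"{name:10} {', '.join(findings)}")
```

Each finding maps to a concrete action for the support team (lock, set an end date, confirm with the approver), which is what turns a listing into a maintained process.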
Verify User Management Processes Are Maintained
• Are there well-defined SLAs in place, and are they met?
  ◦ Failures are usually due to:
    ▪ Incomplete request – user does not know what to ask for
    ▪ Lack of “informed” approver
    ▪ Difficult to identify roles to be assigned
• Regular monitoring and audits
  ◦ Access validation by approvers
  ◦ SoD reviews
    ▪ Violations managed down
  ◦ Non-dialog IDs
    ▪ Specific roles
    ▪ Approvals
Don’t Forget Patching!
• Process established for managing patches
  ◦ Security patching should be one element in the overall patching approach
  ◦ Where support is outsourced, the contract may be “patch on fail”
  ◦ Assess potential vulnerabilities
• Use EarlyWatch alerts to flag when security-critical notes have not been applied
• Assess and test security notes in a timely manner
  ◦ Use the monthly SAP Security Patch Day to drive the review process
• Apply patches following standard change and release management processes
Monitoring Practices Are Implemented
• Identify key risk areas to be monitored
  ◦ Existing weakness
  ◦ High impact
• Develop KPIs based on good practice and the reality of the environment
  ◦ Audit/Compliance input
  ◦ Only measure what you intend to action
• Agree on owners for KPIs
  ◦ Who will investigate and take action over variances?
  ◦ How do you prioritize activities?
Examples of KPIs
• Number of dialog or service users with SAP_ALL
• Number of times Firefighter access has been invoked
• Number of end-user roles with direct table access
• Number of security incidents logged in a reporting period
• KPIs will vary by organization
  ◦ Do the KPIs provide useful information to your organization?
  ◦ Can you measure them?
  ◦ Do you plan to resolve the issues that are identified?
Be prepared to change your KPIs as new areas of risk are identified
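The four KPIs listed above only become measurable once each one is pinned to a data source and a precise definition. The Python below is an added example (not from the deck or from Turnkey Consulting) that computes all four over constructed extracts. Assumptions: the profile list per user is modelled on a UST04-style extract, role authorization data on AGR_1251 tuples of (object, field, value), the Z_EU_/Z_SUP_ role-naming convention, the list of transactions counted as "direct table access" (SE16, SE16N, SM30, SM31, plus S_TABU_DIS with activity 02), and every user, role, session and incident shown.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

@dataclass
class User:
    bname: str
    ustyp: str            # "A" dialog, "S" service, "B" system, "C" communication
    profiles: Set[str]    # directly assigned profiles, as in a UST04-style extract

# role -> set of (authorization object, field, value), modelled on AGR_1251
RoleAuths = Dict[str, Set[Tuple[str, str, str]]]

@dataclass
class FirefighterSession:
    ff_id: str
    used_by: str
    started: date

@dataclass
class Incident:
    ticket: str
    logged: date
    severity: str

# Assumed definition of "direct table access" for KPI 3; tune to your own standard.
TABLE_ACCESS_TCODES = {"SE16", "SE16N", "SM30", "SM31"}


def users_with_sap_all(users: List[User]) -> List[str]:
    """KPI 1: dialog or service users holding the SAP_ALL profile (system IDs excluded)."""
    return sorted(u.bname for u in users if u.ustyp in ("A", "S") and "SAP_ALL" in u.profiles)


def firefighter_invocations(sessions: List[FirefighterSession], start: date, end: date) -> int:
    """KPI 2: Firefighter sessions started within the reporting period."""
    return sum(1 for s in sessions if start <= s.started <= end)


def is_end_user_role(role: str) -> bool:
    # Assumed naming convention: end-user roles Z_EU_*, support roles Z_SUP_*
    return role.startswith("Z_EU_")


def roles_with_table_access(role_auths: RoleAuths) -> List[str]:
    """KPI 3: end-user roles that grant direct table access, by tcode or by S_TABU_DIS change."""
    hits = []
    for role, auths in role_auths.items():
        if not is_end_user_role(role):
            continue
        tcodes = {val for obj, fld, val in auths if obj == "S_TCODE" and fld == "TCD"}
        can_change_tables = any(obj == "S_TABU_DIS" and fld == "ACTVT" and val == "02"
                                for obj, fld, val in auths)
        if tcodes & TABLE_ACCESS_TCODES or can_change_tables:
            hits.append(role)
    return sorted(hits)


def incidents_in_period(incidents: List[Incident], start: date, end: date) -> int:
    """KPI 4: security incidents logged within the reporting period."""
    return sum(1 for i in incidents if start <= i.logged <= end)


def kpi_report(users, sessions, role_auths, incidents, start, end) -> Dict[str, int]:
    return {
        "dialog_or_service_users_with_SAP_ALL": len(users_with_sap_all(users)),
        "firefighter_invocations": firefighter_invocations(sessions, start, end),
        "end_user_roles_with_table_access": len(roles_with_table_access(role_auths)),
        "security_incidents": incidents_in_period(incidents, start, end),
    }


# --- Constructed sample data for a May 2014 reporting period ---
PERIOD_START, PERIOD_END = date(2014, 5, 1), date(2014, 5, 31)
SAMPLE_USERS = [
    User("ADMIN01", "A", {"SAP_ALL", "SAP_NEW"}),
    User("BATCHSVC", "B", {"SAP_ALL"}),        # system user: not counted by KPI 1
    User("JDOE", "A", set()),
    User("SVC_PORTAL", "S", {"SAP_ALL"}),
]
SAMPLE_SESSIONS = [
    FirefighterSession("FF_FIN01", "JDOE", date(2014, 5, 3)),
    FirefighterSession("FF_FIN01", "AKUMAR", date(2014, 5, 20)),
    FirefighterSession("FF_BASIS", "ADMIN01", date(2014, 4, 28)),   # outside the period
    FirefighterSession("FF_FIN02", "JDOE", date(2014, 5, 31)),
]
SAMPLE_ROLES: RoleAuths = {
    "Z_EU_AP_CLERK":     {("S_TCODE", "TCD", "FB60"), ("S_TCODE", "TCD", "MIRO")},
    "Z_EU_REPORTING":    {("S_TCODE", "TCD", "SE16N"), ("S_TABU_DIS", "ACTVT", "03"),
                          ("S_TABU_DIS", "DICBERCLS", "FC01")},
    "Z_EU_MASTER_DATA":  {("S_TCODE", "TCD", "XK01"), ("S_TABU_DIS", "ACTVT", "02"),
                          ("S_TABU_DIS", "DICBERCLS", "*")},
    "Z_SUP_BASIS":       {("S_TCODE", "TCD", "SE16"), ("S_TABU_DIS", "ACTVT", "02")},
}
SAMPLE_INCIDENTS = [
    Incident("INC-1001", date(2014, 5, 2), "high"),
    Incident("INC-1002", date(2014, 5, 15), "medium"),
    Incident("INC-1003", date(2014, 6, 1), "low"),
]


def sample_report() -> Dict[str, int]:
    return kpi_report(SAMPLE_USERS, SAMPLE_SESSIONS, SAMPLE_ROLES, SAMPLE_INCIDENTS,
                      PERIOD_START, PERIOD_END)
```

The functions return the offending names, not just counts, so the KPI owner can act on variances rather than only report them, which is the "only measure what you intend to action" point from the previous slide.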
Develop the Supporting Organizational Structure
• The existing organization structure may not support ongoing compliance
• Establish a RACI
  ◦ What are the key compliance-related activities?
  ◦ Which roles are accountable, responsible, etc.?
  ◦ Where are the gaps?
• Publish the RACI and implement
  ◦ May need to restructure to ensure gaps are closed
  ◦ Will provide clarity on roles and responsibilities to all parties
  ◦ Integration points may require attention
• Governance model will highlight decision-making and ownership
Ensure Ongoing Business Stakeholder Engagement
• Responsibility for SAP compliance does not only sit with IT
  ◦ Business must take ownership
    ▪ Identify potential new risks/changes in existing risks
    ▪ Risk and control owners
    ▪ Approver roles
• Partnership between Business – Controls – SAP Security Support
  ◦ Regular conversation and reviews
  ◦ Develop mutual understanding of roles and responsibilities
Increased collaboration will ultimately result in a more secure and compliant environment
Establish a Training and Education Programme
• Training and education are important, not as a one-off but ongoing
  ◦ SAP Security
  ◦ IT Support
  ◦ Business and Controls
  ◦ End users
• Link all aspects of the controls environment together
  ◦ How does each area impact the others?
  ◦ Hand-off points
• Regular updates on changes to:
  ◦ Process
  ◦ Risks/Mitigations
  ◦ Approvers
Keep Outsource Providers Involved
• Ultimate accountability for risk management and compliance sits with the organization, not the outsource provider
• Partnership with outsource providers (win-win approach)
  ◦ Support function
    ▪ Implement/administer based on organization “rules”
  ◦ Auditors
    ▪ Provide input on compliance requirements
    ▪ Can help the support organization develop a response to requirements
Third parties can bring experience and an alternative perspective to help achieve compliance goals
![Page 24: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/24.jpg)
23
What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to
remain compliant
• Wrap-up
![Page 25: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/25.jpg)
24
ARA Enables Greater Transparency Over Access Conflicts
• As a rule, audit findings focus on Segregation of Duty conflicts
• Implementing ARA will enable the organization to:
� Document a wide range of business rules plus sensitive access
restrictions
� Identify potential risks at a granular level and mitigate them
� Avoid SoD issues at all through simulations during role build
and user assignment
� Promote ownership of SoD management within the business
� Risk owners
� Real-time reporting directly into the business
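The SoD-matrix question raised earlier (how easy is it to identify and mitigate conflicts?) and the simulation-before-assignment idea on this slide come down to the same mechanics: functions defined by transactions, risks defined as pairs of functions, and a check run against a proposed role set before it goes live. The Python below is an added illustration of those mechanics, not SAP GRC code and not from the deck; the function names, transaction lists, risk IDs, roles, users and the mitigating-control ID are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed rule set: a business function is the set of transactions that
# perform it; a risk is a pair of functions one person should not hold together.
FUNCTIONS: Dict[str, Set[str]] = {
    "AP01_MAINTAIN_VENDOR":      {"XK01", "XK02", "FK01", "FK02"},
    "AP02_POST_VENDOR_INVOICE":  {"FB60", "MIRO"},
    "AP03_RUN_PAYMENTS":         {"F110"},
    "BC01_MAINTAIN_USERS":       {"SU01", "PFCG"},
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    function_a: str
    function_b: str
    level: str   # "High" / "Medium"

RISKS = [
    Risk("P001", "AP01_MAINTAIN_VENDOR", "AP02_POST_VENDOR_INVOICE", "High"),
    Risk("P002", "AP01_MAINTAIN_VENDOR", "AP03_RUN_PAYMENTS", "High"),
    Risk("P003", "AP02_POST_VENDOR_INVOICE", "AP03_RUN_PAYMENTS", "Medium"),
]

# Constructed single roles -> transactions they grant (display-only XK03 is not a function).
ROLES: Dict[str, Set[str]] = {
    "Z_EU_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_EU_AP_CLERK":      {"FB60", "MIRO", "FBL1N"},
    "Z_EU_PAYMENT_RUN":   {"F110", "FBL1N"},
    "Z_EU_AP_DISPLAY":    {"FBL1N", "XK03"},
}

# (user, risk_id) -> mitigating control assigned to that user (constructed).
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("AKUMAR", "P003"): "MC_AP_PAYMENT_REVIEW",
}

@dataclass
class Conflict:
    risk_id: str
    level: str
    functions: Tuple[str, str]
    via_roles: Tuple[str, ...]   # roles contributing either side of the conflict
    mitigation: str = ""         # empty = unmitigated, must be resolved before go-live


def functions_for(tcodes: Set[str]) -> Set[str]:
    """Functions a transaction set enables (any one transaction of the function suffices)."""
    return {f for f, t in FUNCTIONS.items() if t & tcodes}


def analyse(user: str, roles: List[str], mitigations=MITIGATIONS) -> List[Conflict]:
    """Risk analysis of a concrete role set, with contributing roles and mitigation status."""
    tcodes_by_role = {r: ROLES[r] for r in roles}
    held = functions_for(set().union(*tcodes_by_role.values()))
    conflicts = []
    for risk in RISKS:
        if risk.function_a in held and risk.function_b in held:
            pair = {risk.function_a, risk.function_b}
            via = tuple(sorted(r for r, t in tcodes_by_role.items() if functions_for(t) & pair))
            conflicts.append(Conflict(risk.risk_id, risk.level,
                                      (risk.function_a, risk.function_b), via,
                                      mitigations.get((user, risk.risk_id), "")))
    return conflicts


def simulate_assignment(user: str, current_roles: List[str], new_role: str) -> List[Conflict]:
    """Simulation before assignment: only the conflicts the new role would ADD."""
    already = {c.risk_id for c in analyse(user, current_roles)}
    return [c for c in analyse(user, current_roles + [new_role]) if c.risk_id not in already]


def check_role_build(tcodes: Set[str]) -> List[str]:
    """Role-build check: a single role must not contain both sides of any risk."""
    held = functions_for(tcodes)
    return [r.risk_id for r in RISKS if r.function_a in held and r.function_b in held]
```

Separating `simulate_assignment` (new conflicts only) from `analyse` (all conflicts) matters in practice: an approver deciding on one request needs to see what that request changes, while the risk owner's periodic review needs the full picture including which conflicts are already covered by a mitigating control.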
![Page 26: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/26.jpg)
25
Opportunity to Manage and Control Privileged Access Usage
• Extend use of Firefighter to cover broader privileged access
requirements
� Emergency access
� Sensitive, one-time access, e.g., year-end scenarios
� Cutover, project support access
• Good time to review and revise privileged access roles and re-
validate usage criteria
� Who can use in what scenarios
� Firefighter owners and approvers
• Automated audit logs provide usage details, but reliant on
reviewers with the requisite knowledge
� Training needs
![Page 27: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/27.jpg)
26
Enhanced, Automated Access Request Management Process
• Online request form that makes it easier for the user to select the
most appropriate access
• Ability to introduce multiple approvers for specific access
requests
� Workflow is key to speeding up the approval process whilst
ensuring the right controls are in place
• Ability to provision access directly based on approval
� Reduces risk of human error
� Potential to reduce cost of compliance over time
![Page 28: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/28.jpg)
27
Enhanced Control Monitoring
• Ability to enhance existing process controls
� Workflow alerts
� IT General Controls as well as business controls
� Real-time view of compliance breaches
• Continuous control monitoring (CCM) to determine whether
controls are effective
• Automated testing to reduce audit and compliance footprint
• Potential to integrate with broader transaction monitoring tools in
order to identify suspicious transactions
• Trend reporting
![Page 29: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/29.jpg)
28
Simplified Business Role Management Tools
• Role mapping database to facilitate role assignment
� Translates technical security roles into “business speak”
� Simplifies the role design and build process
� Requesters can more easily identify and define new
requirements
• Simplified role maintenance and administration
� Central design repository
� Easier to control build process in a larger organization
� Role derivation is easier to manage with prepopulated org
levels
� Option to store role owner information
![Page 30: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/30.jpg)
29
What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to
remain compliant
• Wrap-up
![Page 31: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/31.jpg)
30
Standard SAP Tools
• Use Solution Manager central monitoring and reporting
� Earlywatch Alerts
� Security related SAP Notes (High Level)
� Users with critical authorizations
� Default passwords of standard users
� Report through SAP BW (SM 7.10 SP3)
• RSECNOTE
� Detailed information on security related notes and
implementation status
� Requires configuration. SAP Note 888889.
![Page 32: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/32.jpg)
31
Security Optimization Self-Service
• Perform detailed security analysis
� Recommend to run quarterly as part of security housekeeping
� Wider coverage than just using ARA
� Access to sensitive functionality
� Security related parameter settings
� External authentication
� SAP Router
� JAVA configuration and administration
� SOS-S checks are regularly updated
� Audit firms are waking up to external threats
![Page 33: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/33.jpg)
32
What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to
remain compliant
• Wrap-up
![Page 34: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/34.jpg)
33
Where to Find More Information
• www.isaca.org
� Contains useful information regarding risk management,
compliance, governance including COBIT
• http://scn.sap.com/community/grc
� SCN Resource Area for GRC
• https://websmp207.sap-ag.de/securitynotes
� SAP security patch day information
• https://support.sap.com/content/dam/library/support/support-
programs-services/support-services/SIS262_presentation.pdf
� Cross-system reporting on security notes
![Page 35: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/35.jpg)
34
7 Key Points to Take Home
• Projects (new implementations, upgrades) are a good opportunity
to improve compliance
• Ownership and decision-making authority is the foundation for
getting and remaining compliant
• KPIs are essential for baselining and maintaining compliance
initiatives
• Effective business engagement is needed to ensure that
compliance is not “something IT does”
• Training and education are key tools for developing appropriate
skills and behaviors
• Use GRC to automate compliance activities where possible
• SAP provides useful tools to monitor and report on areas that are
key focus areas for internal and external auditors
![Page 36: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/36.jpg)
35
Your Turn!
How to contact me:
Barun Kumar
@TwitterUserName
Please remember to complete your session evaluation
![Page 37: GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]](https://reader031.vdocuments.mx/reader031/viewer/2022030310/58f09aea1a28abea6a8b45ed/html5/thumbnails/37.jpg)
36
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.