Reduce Access Risks While Decreasing Costs Charlie Singh Sr. Manager, Compliance American Water


Post on 18-Mar-2018




We are American Water

• Treat and deliver more than 1 billion gallons of water a day
• 46,000 miles of pipeline
• Invest approximately $900 million annually in our systems
• Serve 1,100 communities in 30 states
• Serve over 15 million people
• Manage and maintain more than 100 wastewater treatment plants
• Approx 7,000 employees
• Approximately 89 percent of our operations are regulated utilities
• Greater than 99 percent compliance rate meeting state and federal drinking water and wastewater standards
• First U.S. water utility named to the Dow Jones Sustainability North America Index


American Water Footprint – HQ in Voorhees, NJ


American Water’s Business - The Integrated Water Cycle

Our goal is to consistently provide customers with safe, high quality drinking water and reliable water and wastewater services


AW Business Transformation Project – SAP SCOPE

CIS

ERP

Record to Report (RTR)

Hire to Retire (HTR)

Procure to Pay (PTP)

EAM

Request to Complete (RTC)

Plan to Build (PTB)

Order to Cash (OTC)

• Organization Management
• Talent Management
• HR Service & Administration
• HR Operations & Support
• Develop Plan & Budget
• Develop & File Rates
• Close Subsidiary General Ledgers
• Consolidate Financial Statements
• Report to Internal Parties
• Report to External Parties
• Support Close
• Identify needs (Goods & Services)
• Source Supplier
• Purchase Goods & Services
• Receive Goods & Services
• Pay Supplier
• Manage Items
• Classify Items
• Move Material
• Manage Inventory Accuracy
• Manage Supplier Returns
• Vendor Managed Inventory
• Develop Asset Strategy & Plan
• Optimize Investments & Budgets
• Manage Resources
• Manage Work
• Execute Work
• Plan Work
• Receive Inquiry
• Initiate Work
• Design/Estimate/Final Approval
• Schedule Work
• Assign Work
• Execute Work
• Close Work
• Manage Complaints & Issues
• Establish Customer Account
• Collect Meter Reads
• Edit and Pull Data for Billing
• Billing
• Post Charges
• Monitor Receivables
• Credits & Collections

ECC, BI/BW, SRM, SAP Portal, Nakisa, SuccessFactors

CRM, KRONOS

GIS, Click Mobile/Scheduling

Release 1 Go-live August 1st, 2012

Release 2 – EAM/CIS Go-live in Q2 and Q3, 2013


Business Transformation (BT) Project: Questions that had to be answered

• How to embed proper security controls during the project

• How to utilize existing infrastructure and resources

• How and where should the SOD rule set and mitigating controls reside… considering desire to avoid duplicate control repositories, documentation, and responses

• How do we manage emergency access management (FireFighters)

• How do we manage enterprise role management

• How do we standardize and automate the user provisioning process

• How do we ensure compliance and provide automated tools to evaluate security risk and mitigate exceptions

• Future integration with IdM / IAM


SAP Access Control and SAP Process Control 10.0: A Clear Choice for BT Implementation

SAP Access Control and SAP Process Control aligned with American Water’s Business Transformation strategic objectives by increasing cross-function accountability and standardization, increasing visibility across risk and compliance initiatives, along with reducing total cost of ownership. The result is an expanded ability to monitor strategic, financial, compliance, and operational risks and controls.

[Figure panels: Current, Future]


SAP Access Control benefits to American Water

• Reduce access risk across SAP application modules
  • Robust database of validated segregation of duties (SoD) rules
  • Risk analysis of user access request and role definition
• Streamline compliance process
  • Automated user access review and collaboration; conduct user access and role recertification
  • Ability to provide automated self-service user access request and approval
• Obtain real-time oversight
  • Real-time access risk analysis and reporting dashboards
  • Emergency access privileges with integrated monitoring

SAP Process Control benefits to American Water

• Repository of SOX and non-SOX controls to support compliance and other regulatory activities
• Dynamic electronic catalog of controls
• Continuous monitoring of key controls
• Efficient audit process for external and internal audits
• Management and assignment of testing and mitigating controls
• Evaluate and manage organizational process and control changes through questionnaires and remediation plans
• Increase sustainability of processes and controls through policy life-cycle management


Benefits: SAP Access Control and existing IAM integration was easy


Benefits: Tie-in of SAP Access Control to existing IT Processes

[Diagram: IT Access Management Process]

Policies and Procedures; Control Frameworks

Password Management

Application Access Management

User Provisioning: New User Access; Modify Existing Access; Terminate Existing Access

Access Approval; Preventative SoD Check

Emergency and Privileged Access: Emergency Access Provisioning; Emergency Access Monitoring and Review

Role Management: Create New Role; Modify Existing Role; Disable Existing Role

Periodic User Recertification; Periodic Role Recertification

Compliance and Monitoring: Periodic Segregation of Duties Review; Periodic Sensitive Access Review

Remediation; Mitigating Controls

User Access Provisioning; Business Role Management; Access Risk Analysis; Emergency Access Management


Benefits - SAP Access Control and SAP Process Control integration with SAP was straightforward

[Diagram: project timeline; labels in the order extracted]

Phases: Go-Live; Design; Deployment; Plan / Analyze; Build; Test

Dates: 04/01/2011; 09/30/11; 12/31/11; 04/15/12; 08/01/12

• GRC AC Team
• BT Change Management
• BT SMEs
• Internal Controls - PC focus
• ITS
• Transaction to Role Mapping
• GRC Maintenance Strategy
• SoD & SA Risk Definition
• Design SOD & SA Rules
• Build SOD Rules
• Build GRC (Risk Analysis, Role Management, Emergency Access Mgmt, User Provisioning)
• Provide Technical Support (GRC installation, Other key linkages)
• Role-User Mapping
• Internal Controls – SOD focus
• BT Security
• Input to Role Definition, Controls Design, Job Design, SOD Remediation
• User Training
• Role SOD Check
• Business Role SOD Check
• User SOD Check
• User SOD Remediation & Mitigation
• Business Role Definition
• GRC Reqs.
• Controls Definition
• Controls Design
• Controls Build
• SAP Process Control Deployment, ARIS & Mitigation SoD Linkage, SOX Reporting
• GRC AC Support
• GRC Install
• Role Design Methodology
• Build Master Roles
• Build Business Roles
• Assign Users To Roles
• Business Role Mapping

Legend: GRC Activity; Controls Activity; BT Activity


Benefits of having implemented SAP Access Control and SAP Process Control in conjunction with BT Project

• Utilized same resources from SAP ERP go-live to gain efficiencies
  • System Implementer; AW Subject Matter Experts; AW Security and Compliance teams
• SAP Access Control and SAP Process Control run on same platform as SAP ECC
  • Netweaver Platform
  • Standard and ABAP Reports
• AW reduced costs as workshops, meetings and compliance activity discussions included GRC topics along with the ERP scope.
  • Requirements workshops
  • Compliance meetings
• Unified Master Data (SAP Access Control / SAP Process Control integration benefits)
  • Common and shared organization hierarchy, process and sub-process definition
  • Provides consistent data to enable analysis & reporting for access/controls management
• Mitigation Control library hosted and shared from SAP Process Control
  • Common controls repository and shared with SAP Access Control for SOD mitigation controls
• External Audit’s review of GRC solutions occurred along with SAP pre-imp audit
  • SOD rule set engine and SAP Configuration/Workflow review


Charlie Singh

Sr. Manager - Compliance

Email: [email protected]