Reduce Access Risks While Decreasing Costs
Charlie Singh
Sr. Manager, Compliance
American Water
We are American Water
• Treat and deliver more than 1 billion gallons of water a day
• 46,000 miles of pipeline
• Invest approximately $900 million annually in our systems
• Serve 1,100 communities in 30 states
• Serve over 15 million people
• Manage and maintain more than 100 wastewater treatment plants
• Approximately 7,000 employees
• Approximately 89 percent of our operations are regulated utilities
• Greater than 99 percent compliance rate meeting state and federal drinking water and wastewater standards
• First U.S. water utility named to the Dow Jones Sustainability North America Index
American Water Footprint – HQ in Voorhees, NJ
American Water’s Business - The Integrated Water Cycle
Our goal is to consistently provide customers with safe, high quality drinking water and reliable water and wastewater services.
AW Business Transformation Project – SAP Scope

ERP
• Hire to Retire (HTR): Organization Management; Talent Management; HR Service & Administration; HR Operations & Support
• Record to Report (RTR): Develop Plan & Budget; Develop & File Rates; Close Subsidiary General Ledgers; Consolidate Financial Statements; Report to Internal Parties; Report to External Parties; Support Close
• Procure to Pay (PTP): Identify Needs (Goods & Services); Source Supplier; Purchase Goods & Services; Receive Goods & Services; Pay Supplier; Manage Items; Classify Items; Move Material; Manage Inventory Accuracy; Manage Supplier Returns; Vendor Managed Inventory

EAM
• Plan to Build (PTB): Develop Asset Strategy & Plan; Optimize Investments & Budgets; Manage Resources; Manage Work; Execute Work; Plan Work
• Request to Complete (RTC): Receive Inquiry; Initiate Work; Design/Estimate/Final Approval; Schedule Work; Assign Work; Execute Work; Close Work; Manage Complaints & Issues

CIS
• Order to Cash (OTC): Establish Customer Account; Collect Meter Reads; Edit and Pull Data for Billing; Billing; Post Charges; Monitor Receivables; Credits & Collections

Systems in scope: ECC, BI/BW, SRM, SAP Portal, Nakisa, SuccessFactors; CRM, KRONOS; GIS, Click Mobile/Scheduling

Release 1 go-live: August 1st, 2012. Release 2 (EAM/CIS) go-live: Q2 and Q3, 2013.
Business Transformation (BT) Project: questions that had to be answered
• How to embed proper security controls during the project
• How to utilize existing infrastructure and resources
• How and where should the SOD rule set and mitigating controls reside… considering desire to avoid duplicate control repositories, documentation, and responses
• How do we manage emergency access (FireFighter IDs)
• How do we manage enterprise role management
• How do we standardize and automate the user provisioning process
• How do we ensure compliance and provide automated tools to evaluate security risk and mitigate exceptions
• Future integration with IdM / IAM
SAP Access Control and SAP Process Control 10.0: A Clear Choice for BT Implementation
SAP Access Control and SAP Process Control aligned with American Water's Business Transformation strategic objectives by increasing cross-function accountability and standardization, increasing visibility across risk and compliance initiatives, and reducing total cost of ownership. The result is an expanded ability to monitor strategic, financial, compliance, and operational risks and controls.
(Diagram: current state versus future state)

SAP Access Control benefits to American Water
• Reduce access risk across SAP application modules
  • Robust database of validated segregation of duties (SoD) rules
  • Risk analysis of user access requests and role definitions
• Streamline the compliance process
  • Automated user access review and collaboration; conduct user access and role recertification
  • Ability to provide automated self-service user access request and approval
• Obtain real-time oversight
  • Real-time access risk analysis and reporting dashboards
  • Emergency access privileges with integrated monitoring

SAP Process Control benefits to American Water
• Repository of SOX and non-SOX controls to support compliance and other regulatory activities
  • Dynamic electronic catalog of controls
  • Continuous monitoring of key controls
• Efficient audit process for external and internal audits
  • Management and assignment of testing and mitigating controls
  • Evaluate and manage organizational process and control changes through questionnaires and remediation plans
  • Increase sustainability of processes and controls through policy life-cycle management
Benefits: SAP Access Control and existing IAM integration was easy
Benefits: tie-in of SAP Access Control to existing IT processes

IT Access Management Process, underpinned by policies and procedures, control frameworks, password management and application access management:

User Provisioning
• New user access
• Modify existing access
• Terminate existing access
• Access approval with a preventative SoD check

Emergency and Privileged Access
• Emergency access provisioning
• Emergency access monitoring and review

Role Management
• Create new role
• Modify existing role
• Disable existing role

Compliance and Monitoring
• Periodic user recertification
• Periodic role recertification
• Periodic segregation of duties review
• Periodic sensitive access review
• Remediation and mitigating controls

SAP Access Control components mapped onto these processes: User Access Provisioning, Business Role Management, Access Risk Analysis, Emergency Access Management
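The role SoD check, user SoD check, mitigating-control assignment and preventative SoD check on an access request that the slide ties together are easier to reason about as a small rule engine. The following is an added example, not American Water's configuration or SAP Access Control code: a Python model in which business functions from the Procure-to-Pay process resolve to transaction codes, SoD rules name pairs of conflicting functions, and users inherit transactions through roles. The rule ids, role names, users, transaction codes and control ids are constructed for the illustration.

```python
"""Rule-based SoD (segregation of duties) analysis over transaction-to-role
and role-to-user mappings: role SoD check, user SoD check with mitigating
controls, and a preventative check on a pending access request.

Added illustration, not SAP Access Control code. All rule ids, role names,
users, transaction codes and controls below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Business functions of the Procure-to-Pay process, each resolved to the
# transaction codes that perform it (codes assumed for illustration).
FUNCTIONS: dict[str, set[str]] = {
    "Source Supplier": {"XK01", "XK02"},             # maintain vendor master
    "Purchase Goods & Services": {"ME21N", "ME22N"}, # create/change purchase order
    "Receive Goods & Services": {"MIGO"},            # post goods receipt
    "Pay Supplier": {"MIRO", "F110"},                # enter invoice, run payments
}


@dataclass(frozen=True)
class Rule:
    """One SoD risk: two functions a single person must not hold together."""
    risk_id: str
    func_a: str
    func_b: str
    severity: str


RULES = [
    Rule("P001", "Source Supplier", "Pay Supplier", "High"),
    Rule("P002", "Purchase Goods & Services", "Receive Goods & Services", "Medium"),
    Rule("P003", "Purchase Goods & Services", "Pay Supplier", "High"),
]

# Transaction-to-role mapping (master roles) and role-to-user mapping.
ROLES: dict[str, set[str]] = {
    "Z_AP_CLERK": {"MIRO", "F110"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_P2P_SUPER": {"XK01", "ME21N", "MIGO", "MIRO"},  # conflicts inside one role
}
USERS: dict[str, set[str]] = {
    "jdoe": {"Z_BUYER", "Z_WAREHOUSE"},
    "asmith": {"Z_AP_CLERK"},
    "admin2": {"Z_P2P_SUPER"},
}
# Mitigating controls from the shared controls repository, keyed by (user, risk).
MITIGATIONS: dict[tuple[str, str], str] = {
    ("jdoe", "P002"): "CTRL-017 monthly three-way-match exception review",
}


def functions_for(tcodes: set[str]) -> set[str]:
    """Functions a set of transaction codes enables (any one code suffices)."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def violations(tcodes: set[str]) -> list[Rule]:
    """Rules violated by holding this set of transaction codes, in rule-set order."""
    held = functions_for(tcodes)
    return [r for r in RULES if r.func_a in held and r.func_b in held]


def role_sod_check(role: str) -> list[str]:
    """Role-level check: risks built into a single role (fix in the role itself)."""
    return [r.risk_id for r in violations(ROLES[role])]


def user_tcodes(user: str) -> set[str]:
    """Effective transaction codes of a user across all assigned roles."""
    return set().union(*(ROLES[r] for r in USERS[user]))


def user_sod_check(user: str) -> dict[str, str]:
    """User-level check: risk id -> 'open' or 'mitigated: <control>'."""
    result: dict[str, str] = {}
    for r in violations(user_tcodes(user)):
        control = MITIGATIONS.get((user, r.risk_id))
        result[r.risk_id] = f"mitigated: {control}" if control else "open"
    return result


def preventive_check(user: str, requested_role: str) -> list[str]:
    """Preventative check on an access request: simulate the grant and return
    the new, unmitigated risks it would introduce. An empty list means the
    request can be approved without assigning a mitigating control."""
    before = {r.risk_id for r in violations(user_tcodes(user))}
    after = {r.risk_id for r in violations(user_tcodes(user) | ROLES[requested_role])}
    return sorted(rid for rid in after - before if (user, rid) not in MITIGATIONS)


if __name__ == "__main__":
    for role in ROLES:
        print(f"role {role}: {role_sod_check(role) or 'clean'}")
    for user in USERS:
        print(f"user {user}: {user_sod_check(user) or 'clean'}")
    print("request asmith -> Z_BUYER would add:", preventive_check("asmith", "Z_BUYER"))
```

Two points the model makes visible. A role that fails the role-level check (Z_P2P_SUPER here) cannot be fixed by a mitigating control on each user; it has to be recut, which is why role SoD checks precede business role and user checks on the project plan. And the preventative check only reports risks the request would newly introduce, so an already mitigated risk does not block a request while an unmitigated new conflict (asmith gaining purchasing on top of payment) does, forcing either a rejection or a control assignment before approval.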
Benefits: SAP Access Control and SAP Process Control integration with SAP was straightforward

(Project timeline diagram; text recovered from the slide)

Phases: Plan / Analyze, Design, Build, Test, Deployment, Go-Live
Milestone dates: 04/01/2011, 09/30/11, 12/31/11, 04/15/12, 08/01/12
Workstreams: GRC AC Team, BT Change Management, BT SMEs, Internal Controls (PC focus), Internal Controls (SOD focus), ITS, BT Security
Legend: GRC activity, Controls activity, BT activity

GRC activities: GRC requirements; GRC install; SoD & SA (sensitive access) risk definition; design SOD & SA rules; build SOD rules; build GRC (Risk Analysis, Role Management, Emergency Access Mgmt, User Provisioning); role SOD check; business role SOD check; user SOD check; user SOD remediation & mitigation; GRC maintenance strategy; GRC AC support

Controls activities: controls definition; controls design; controls build; SAP Process Control deployment, ARIS & mitigation SoD linkage, SOX reporting

BT activities: role design methodology; transaction-to-role mapping; build master roles; business role definition; build business roles; business role mapping; role-user mapping; assign users to roles; input to role definition, controls design, job design and SOD remediation; user training; technical support (GRC installation, other key linkages)
Benefits of having implemented SAP Access Control and SAP Process Control in conjunction with the BT project

• Utilized the same resources as the SAP ERP go-live to gain efficiencies: system implementer; AW subject matter experts; AW security and compliance teams
• SAP Access Control and SAP Process Control run on the same platform as SAP ECC: NetWeaver platform; standard and ABAP reports
• AW reduced costs because workshops, meetings and compliance activity discussions covered GRC topics along with the ERP scope: requirements workshops; compliance meetings
• Unified master data (SAP Access Control / SAP Process Control integration benefit): common, shared organization hierarchy and process/sub-process definitions; consistent data to enable analysis and reporting for access and controls management
• Mitigating control library hosted in and shared from SAP Process Control: a common controls repository shared with SAP Access Control for SoD mitigating controls
• External audit's review of the GRC solutions occurred alongside the SAP pre-implementation audit: SoD rule set engine and SAP configuration/workflow review