Implementing Process Controls and Risk Management with Novell Compliance Management Platform extension for SAP environments

Managing processes, automatically testing controls within processes, and proactively managing risk through key performance/risk indicators are significant challenges to establishing GRC/IT-GRC practices and an effective compliance framework. This session will focus on the current and future capabilities of Novell Compliance Management Platform that can assist organizations with implementing process controls and risk management throughout the enterprise. We will provide specific examples with SAP GRC Access Control, Process Control and Risk Management.

Presentation Transcript

  • Implementing Process Controls and Risk Management with Novell Compliance Management Platform® extension for SAP Environments
    Mark Worwetz, Senior Engineering Manager, Novell Inc./mworwetz@novell.com
    Volker Scheuber, Consulting Engineer, Novell Inc./vscheuber@novell.com
  • Novell Compliance Management Platform®
    • Integrated Identity and Security Management Platform
      – Software Components
        > Identity Vault
        > Novell Identity Manager® with Roles Based Provisioning Module (RBPM)
        > Novell® Sentinel™
        > Novell® Access Manager™
      – Tools
        > Designer for Novell Identity Manager
        > Analyzer for Novell Identity Manager
      – Solution Content
        > Integrated Provisioning and Access Control Policies and Workflows
        > Identity Tracking
        > Identity and Security Monitoring and Reporting
    2 © Novell, Inc. All rights reserved.
  • Extension for SAP Environments
    • Role Mapping Administrator
      – Tool for mapping SAP-specific authorizations to RBPM Business Roles
    • SAP Drivers – New or Enhanced
      – SAP User Management Fanout Driver
      – SAP Business Logic Driver
      – SAP Portal (UME) Driver
      – SAP BusinessObjects Access Control Driver
    • SAP Solution Pack
      – SAP-specific Sentinel Content
    • SAP-specific Identity Manager Content
      – Driver Configurations, Policies, Workflows
  • Technical Integration Goals
    • Develop SAP-Oriented Solution Synergies
      – Allow Identity Manager customers to utilize the advanced Segregation of Duties and Risk Analysis/Remediation capabilities of SAP BusinessObjects Access Control
      – Extend the reach of SAP BusinessObjects Access Control to other Enterprise Systems via Identity Manager
      – Integrate Sentinel with the SAP Computing Center Management System™ (CCMS)
      – Provide an SAP Solution Pack for Sentinel
    • Extend Existing Integrations with SAP Products
      – SAP ERP Human Capital Management (HCM)
      – SAP User Management
      – SAP User Management Engine (UME)
    • Provide a Roles-based Entitlement Content Framework
  • Scenario 1: SAP User Provisioning
  • IDM Provisioning of SAP Users (diagram: SAP HCM (ABAP), SAP Portal, SAP CRM (ABAP), Monitoring and Reporting; example user Abby Spencer, Sales Rep)
  • IDM Provisioning of SAP Users (diagram, continued: Abby Spencer now shown with the Mtn Region Sales Rep and Sales Rep roles)
  • IDM Provisioning of SAP Users (diagram, continued: SAP HCM (Self-Service), SAP Portal, SAP CRM (Sales Rep), Monitoring and Reporting; Abby Spencer with the Mtn Region Sales Rep and Sales Rep roles)
  • Role to Authorization Mapping: Role “IT Specialist”
    • SAP System N4S (CRM) Client 100
      – Single Role: SAP_ALM_ADMINISTRATOR
      – Single Role: SAP_BC_BASIS_ADMIN
      – Single Role: SAP_BC_DB_ADMIN
      – Composite Role: SAP_BC_MID_ALE_ADMIN
    • SAP System S7H (HR - SAPABAP) Client 300
      – Profile: SAP_ALL
    • SAP Portal (CRM Portal)
      – Group: /VIRSA/VFAT_ADMINISTRATOR
      – Role: Administrator
  • Role Mapping Administrator
  • Scenario 2: SAP User Provisioning using SAP BusinessObjects Access Control
  • IDM Provisioning to Access Control (diagram: Monitoring and Reporting)
  • Additional Security Benefits
    • Roles for all SAP systems are aggregated in Access Control
    • Risk Analysis can be run for all SAP role assignment requests
    • Risk Mitigation can be performed prior to approval of role assignments
    • IDM exposes the results of SAP Risk Analysis in Provisioning Workflow
      – Provides critical risk information to Role Approver
      – Provides information to guide tuning of Enterprise Role Model and Process Controls
    • Leaves the ultimate decision on SAP Provisioning Security in the domain of the SAP System and Business Owners
  • SAP Risk Analysis Results
  • IDM Provisioning Request Results
  • Scenario 3: IDM User Provisioning using SAP BusinessObjects Access Control
  • Access Control Provisioning to IDM (diagram: Monitoring and Reporting)
  • Scenario Characteristics
    • Roles for non-SAP systems are imported to Access Control
    • Risk Analysis Rules can be implemented for non-SAP systems
    • Risk Mitigation can be performed prior to requesting provisioning of role assignments to non-SAP systems
    • IDM can act as a Provisioning Agent to non-SAP systems
  • Where Are We Going From Here?
  • Value Proposition: Provide the Platform for a Comprehensive IT Compliance Lifecycle!
  • IT Compliance Lifecycle
    – Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
    – Evaluate processes and business objectives to identify and qualify risks
    – Monitor and detect real-time risk
    – Analyze risk versus thresholds
    – Risk response: allow the business to determine the best long-term response
  • Typical IT Concerns Never Stop
    for(;;) {
      Are the Business Service Level Agreements being met?
      Are my Employees as Productive as Possible?
      Is My Infrastructure Compliant?
      Are my IT System and Application Administrators following established processes?
      Are my Controls Adequate and Efficient?
      Are my Control Policies Protected?
      Can I Verify all of this?
    }
  • Data Gathering...
    • Novell Compliance Management Platform® ability to deliver a great deal of data related to IT Systems, Users, Provisioning, Access, etc.
  • Plus Risk Management...
    • Novell Compliance Management Platform® ability to deliver a great deal of data related to IT Systems, Users, Provisioning, Access, etc.
    • SAP BusinessObjects Risk Management ability to Identify and Calculate Risk based on data from Key Risk Indicator (KRI) data providers
  • SAP BusinessObjects Risk Management Integration
    • Novell Compliance Management Platform® ability to deliver a great deal of data related to IT Systems, Users, Provisioning, Access, etc.
    • SAP BusinessObjects Risk Management ability to Identify and Calculate Risk based on data from Key Risk Indicator (KRI) data providers
    Enterprise IT Risk Management Solutions!
  • Novell® IT Key Risk Indicators (KRI)
    • Gather Information about Risky Behaviors
      – Bad Login Attempts
      – Password Changes
      – Authorization Changes
    • Gather IT Performance Values
      – Metrics for System Availability
      – Workflow Run-Times
      – Provisioning / Deprovisioning Statistics
    • Monitor the Need for, and Effectiveness of, Controls
      – Identify Out-of-Policy Administration Activity
      – Verification of Performance of Control Tasks
  • Risk Management Integration
    • Development of Key Risk Indicator Components
      – CMP KRI Gateway Driver
      – IT-related KRIs
      – KRI Dashboards
      – KRI Reports
    • Integration with SAP BusinessObjects Risk Management
      – Implementation of Event-Based KRI Interfaces
      – Scenario Development and Documentation
  • IT Risk Management Integration
  • IT Risk Management Integration (cont.)
  • Process Control Integration
    • Integration with SAP BusinessObjects Process Control
      – Development of Process Control Alert Adapters
        > Occurrence of High-Risk Activities
        > Occurrence of Process Violations
        > Occurrence of Critical System Outages
      – Development of Automated Mitigation Controls
        > Restart Identity Services
        > Roll-back of Improper Data Changes
        > Account Locking
      – Scenario Development and Documentation
  • Use Case Scenarios
  • Scenario 1: Workflow Efficiency
    • Process Policies:
      – All Access Approvals are granted via IDM Workflows
      – All Access Workflows must be completed within 24 hours
    • Business Problems:
      – How long do Workflows really take to complete?
      – Are there any Bottlenecks in Approval Chains?
      – What is the current state of my Workflows?
      – Are my current Policies optimal for the Business?
      – Are my current Policies meeting my Security Needs?
  • Scenario 1: Current View (chart: System Assets, Accounts, and Authorizations; Role Provisioning split 80% / 15% / 5%; Average Time = 36 Hours)
  • Scenario 1: Workflow Efficiency
    • Process Policies:
      – All Access Approvals are Processed via IDM Workflows
      – All Access Workflows must be completed within 24 hours
      – All Low Threat Access will have Automated Approval
      – All Medium Threat Access must have 1 Approval
      – All High Threat Access must have 2 Approvals
  • Scenario 1: Revised Policies
    – Multiple Approvals based on Role Level
    – System Asset Values and Authorization Threats Valued by Asset Owner
    – Automated Approvals based on Role Level
    (chart: 80% = 12 mins, 15% = 8 hours, 5% = 24 hours; Average Time = 2.56 Hours)
  • Scenario 1: Workflow Efficiency
    • Process Policies:
      – All Access Approvals are Processed via IDM Workflows
      – All Access Workflows must be completed within 24 hours
      – All Low Threat Access will have Automated Approval
      – All Medium Threat Access must have 1 Approval
      – All High Threat Access must have 2 Approvals
    • Process Improvements:
      – All Access Approvals are completed faster!
      – Security Posture Improved!
      – Bottlenecks Removed!
  • Scenario 2: Rogue Administration
    • Process Policies:
      – All Access Approvals are granted via IDM Workflows
      – All Access Rights changes are performed via IDM Drivers after approval
    • Business Problems:
      – Can I detect if these policies are violated?
      – Can I remediate violations at an IT level?
      – Can Process Owners receive notification of violations?
  • Scenario 2: Process Control (flow diagram)
    – Jim requests IT to temporarily give him access rights to perform a task
    – Violating policy, Natasha grants Jim SAP_ALL rights in the SAP CRM system
    – Novell® CMP receives the event and begins IT and Process remediation
    – Jim's access is reset in the SAP CRM system
    – The “Rogue Administration” workflow is started to remediate IT security
    – GRC Process Control forwards the item to Glen to review the effect on SAP applications
    – A notification is sent to Process administrators to remediate the controls violation
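Added example (not from the Novell deck or its products): a reconciliation check for the two Scenario 2 process policies, which treats every SAP authorization change as a violation unless the IDM driver pushed it after a workflow approval carrying the approval count its threat tier requires (the Scenario 1 tiering). The event and approval record shapes, the SAP_ALL-is-high-threat classification and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Approval counts per threat tier, as stated in the revised Scenario 1 policies.
APPROVALS_REQUIRED = {"low": 0, "medium": 1, "high": 2}
# Assumed for this example: SAP_ALL is high threat, everything else medium
# (the deck leaves the actual tiering to the asset owners).
HIGH_THREAT = {"SAP_ALL"}

@dataclass(frozen=True)
class AuthChange:            # an authorization change observed in an SAP system
    system: str
    user: str                # account that received the authorization
    authorization: str       # role, profile or group name
    actor: str               # who performed the change in SAP
    via_idm_driver: bool     # True when the IDM driver pushed the change

@dataclass(frozen=True)
class Approval:              # a completed IDM workflow approval
    system: str
    user: str
    authorization: str
    approvers: tuple         # approvers who signed off in the workflow

def threat_level(authorization):
    return "high" if authorization in HIGH_THREAT else "medium"

def find_violations(changes, approvals):
    """(change, reason) pairs for changes that break the process policies: every
    change must be pushed by the IDM driver after a sufficiently approved workflow."""
    approved = {(a.system, a.user, a.authorization): a for a in approvals}
    violations = []
    for c in changes:
        if not c.via_idm_driver:
            violations.append((c, "change made outside IDM driver"))
            continue
        a = approved.get((c.system, c.user, c.authorization))
        if a is None:
            violations.append((c, "no matching workflow approval"))
        elif len(a.approvers) < APPROVALS_REQUIRED[threat_level(c.authorization)]:
            violations.append((c, "insufficient approvals for threat level"))
    return violations
# Constructed sample: Natasha grants Jim SAP_ALL directly in SAP CRM (no workflow);
# Abby's role came through the driver with one approver; her SAP_ALL had only one.
SAMPLE_CHANGES = [
    AuthChange("SAP CRM", "jim", "SAP_ALL", "natasha", via_idm_driver=False),
    AuthChange("SAP CRM", "abby", "SAP_BC_DB_ADMIN", "idm-driver", via_idm_driver=True),
    AuthChange("SAP HCM", "abby", "SAP_ALL", "idm-driver", via_idm_driver=True),
]
SAMPLE_APPROVALS = [Approval("SAP CRM", "abby", "SAP_BC_DB_ADMIN", ("glen",)),
                    Approval("SAP HCM", "abby", "SAP_ALL", ("glen",))]
```

Each returned pair is what a CMP alert adapter would hand to Process Control: the Natasha/Jim grant is flagged because it bypassed the driver entirely, the SAP HCM SAP_ALL grant because a high-threat authorization had one approver instead of two.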
  • Questions and Answers
  • Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.