Transcript of "1.3. sa pience be tech day 2012 nationale-loterij presentation - cwagdp"

  1. How to implement SAP GRC Access Control 10.0 successfully
     The National Lottery Belgium case
     Gert De Pauw, The National Lottery
     Chris Walravens, Expertum
     SAPience.be Tech Day 2012
  2. Agenda
     • Key Facts about the National Lottery
     • Project challenges / major reasons
     • Key Facts about Delaware / Expertum
     • Project Approach / solutions
     • Benefits for business & IT
     • Success Factors
     • Lessons learned / pitfalls
     • Next steps
  3. The National Lottery
     Law of 19 April 2002 + the management contract between the Belgian State and the National Lottery: “socially responsible and professional provider of gaming enjoyment”
     Channelling, with two essential objectives:
       • channel gambling behaviour and so offer an alternative to private and/or illegal games
       • attract the existing users of lotteries and games of chance with a modern and attractive offering, without however expanding the size of the market
     Belgium's largest patron: financial support for organisations and events of public interest:
       • 225.3 million euro in subsidies around the themes social, sport, culture, family, science and national prestige are approved by the Council of Ministers. Since 2002 the National Lottery has paid 27.44% of the overall annual subsidy amount directly to the three (Flemish, French and German-speaking) Communities.
       • Social or name sponsoring of initiatives benefiting the integration and well-being of underprivileged population groups (e.g. Restos du Coeur, end-of-year dinners, visits to events and exhibitions at a reduced rate)
     In a responsible way:
       • Contribute actively and autonomously to the prevention and treatment of gambling addiction through support for initiatives in that direction
  4. The National Lottery
     Some key figures

     | RK | FTE ops/log | FTE sales |
     |---|---|---|
     | RK Brussel (Jette) | 3 | 6 |
     | RK Antwerpen | 4 | 8 |
     | RK Brugge | 3 | 6 |
     | RK Tienen | 3 | 7 |
     | RK Gent | 5 | 7 |
     | RK Namen | 3 | 7 |
     | RK Mons | 4 | 6 |
     | RK Liège | 4 | 6 |
     | Total decentralised | 29 | 53 |

     • One of the largest retail networks in Belgium
     • 5240 points of sale: independent retailers work on commission and sell our products
  5. The Project Challenges
     Business
       • Access too broad with impact on performance / fraud / errors
       • No transparency regarding content of authorizations
     IT
       • Mainly manual processes
       • No prevention of access risk possible
     SOD (Segregation of Duties)
       • Hardly any segregation of duties enforced
       • No clear responsibilities defined
       • Difficult overview for Internal and External Audit
  6. The Project Challenges
     Business
       • Reduce the accesses on a need to have basis
       • Enhance transparency to enhance understanding
       • Introduce role / risk ownership to allow a clear approval process
     IT
       • Automate user provisioning processes
       • Enforce preventive SOD checks
     Audit
       • Enforce segregation of duties
       • Obtain audit trail for user provisioning processes
       • Monitoring & Reporting tool for Internal and External Audit
  7. Delaware
     History
       • Founded in 1981; has been part of Bekaert, Andersen and Deloitte
       • Independent partnership since 2003
     Today
       • 750 professionals
       • Belgium, China, Singapore, France, Luxembourg, The Netherlands & US
     Recipe
       • Aligning business and technology
       • Combining strengths, delivering solutions
     Philosophy
       • Entrepreneurship, Care, Respect, Team spirit, Commitment
  8. Expertum
     History
       • Founded in April 2006 by 2 ex-SAP Belux employees
       • Partnerships
     Today
       • Team of 50+ SAP Experts and Project Managers
     Mission
       • Exceed client expectations by providing top-quality expertise
       • Provide our people a safe environment for personal and professional growth
     Strength
       • Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains
  9. The Project Approach
     Transition plan
       • SAP GRC Access Control 10.0
       • AMR (Analyse & Manage Risk)
       • EAM (Emergency Access Management)
       • PMU (Provision & Manage Users)
     [Timeline figure. Labels: SAP GRC Access Control 10.0; Monitoring / Reporting; Business Roles; TO BE. Dates: 01/11/2011, 01/05/2012, 08/11/2012, 01/05/2013]
  10. The Project Approach
     Phases
       • Minimal Time To Compliance (Get Clean)
       • Continuous Access Management (Stay Clean)
       • Effective Management Oversight and Audit (Stay in Control)
     Analyze & Manage Risk (AMR)
       • Customizing
       • Master Data
       • Rule set vs used functionality
     Business Role Management (BRM)
       • “PFCG” (existing authorization concept remains)
     Provision & Manage Users (PMU)
       • Provisioning
       • Approval Procedures
       • Workflow
     Emergency Access Management (EAM)
       • Fire fighters: who?
       • Approval: who?
       • Access: what?
     Periodic Access Review and Audit
       • Focus on remaining challenges during periodic audits
     GRC AC 10.0 authorizations
  11. The Project Approach - AMR
     Create understanding & ownership of the rule set
     Validation workshops for the rule set:
       • Business processes (department / ECC module / owners)
       • Risks (classification / owners)
       • Segregation of Duties conflicts
       • Critical functionality
       • Integration of own developed transaction codes
     Input from key users was crucial
     Validation of the rule set from internal audit
  12. The Project Approach - AMR
     Results workshops:
       • Review user lists with rule set violations
       • Indicate remove / keep
       • Parts of the Segregation of Duties conflicts
       • Critical functionality
       • Detailed testing of the rule set
       • Preparation for the remediation activities
     Remediation activities
       • Remove / update roles
       • Assign a mitigating control (« access accepted »)
       • Split roles → postponed until the business roles setup
  13. The Project Approach - EAM
     Workshops for identifying:
       • What Firefighter IDs are needed
       • What specific authorizations are needed per firefighter
       • Which users can use which firefighter
       • What the Firefighter owners & controllers are
       • What the allowed Reason Codes are
     Input from key users was crucial
  14. The Project Approach - EAM
     [Diagram. Labels: Central GRC; Logging & dashboard; Firefighter; ECC; Reporting; End user; Owner; Approval; FF user-ID 1 to 3; FF session 1 to 3; Report 1 to 3]
  15. The Project Approach - PMU
     Automatic workflow provisioning
       • New user triggered by HR department
       • Role assignments / removals approved by role owner(s)
       • Requests / approvals / changes automatically logged
     Preventive risk analysis
       • Role assignment requests include risk analysis
       • Risk violations approved / mitigated / rejected by risk owner(s)
  16. Benefits
     Business
       • Understanding
       • Transparency
       • Ownership
       • Approvals with (more) knowledge
     IT
       • Automation
       • Process is business driven
       • Ownership lies with business
  17. Success Factors
     • Key user / business involvement from the start
     • Technical knowledge of the software
     • Knowledge of user and role administration processes
     • Combining technical and process knowledge into optimal solution and application setup
  18. Lessons Learned / Pitfalls
     Usually existing authorization concepts are not fully suited to allow:
       • Advanced remediation activities
       • Full transparency to fully allow ownership and understanding
     Don’t overestimate the possibilities
       • Firefighter log only logs what is in CDHDR & CDPOS tables
       • Web Dynpros are customizable, but only to a point
       • Portal integration (UWL) not fully possible
  19. The Next Steps
     Business Roles
       • Redesign technical roles
       • Define business roles corresponding to positions
       • Set up BRM module
     Automate HR trigger
       • Currently user creation triggered by manual request
       • Automated request will be implemented
     Approval Delegation
  20. Contact Details
     Chris Walravens, GRC Competence Lead
       T. +32 474 47 59 83
       E. Chris.Walravens@expertum.net
       www.expertum.net
     Gert De Pauw, Senior SAP Manager
       T. +32 475 22 49 56
       E. Gert.depauw@nationale-loterij.be
       www.nationale-loterij.be
  21. Thank you!