Learn how to reduce financial fraud and improve risk management. What are the most common risks for activities and business processes? How is a SoD repository commonly set up? Learn the top 3 SoD conflict types and how to implement a methodology to leverage your SAP governance.
Main points covered:
• How to reduce financial fraud and improve risk management
• What are the most common risks for activities and business processes?
• How is a SoD repository commonly set up?
• Learn the top 3 SoD conflict types
Presenter:
The webinar was presented by M. Roseau, director of business development for In Fidem, a Canadian company based in Montreal, Quebec.
Link to the recorded session published on YouTube: https://youtu.be/bRsiWx2NodA
Governance Risk and Compliance for SAP
1. GOVERNANCE, RISK AND COMPLIANCE FOR SAP: REDUCE COSTS AND RISKS WITH GOVERNANCE ACROSS YOUR INFORMATION SYSTEM – WEBINAR 2016
2. Mathieu Roseau – Job Positions
Mathieu Roseau is a director of business development for In Fidem, a Canadian company based in Montreal, Quebec. He's been working in the IT sector for more than 8 years as a security solution specialist. As a security consultant, M. Roseau has been working on numerous projects for several types of industries.
514 699-6834 – mathieu.roseau@infidem.biz – www.infidem.biz – https://www.linkedin.com/in/mathieuroseau/en
3. In Fidem in a nutshell
GOVERNANCE, RISKS & COMPLIANCE (GRC): Experts to help you manage your security governance, risks & compliance framework (GRC) around the globe – PCI-DSS – SOX – ISO 27001 – NIST compliance – NERC CIP – and many others.
CYBER-MONITORING: To implement the right mechanisms for detecting security issues before it's too late. Experts to help you implement the right incident management processes.
ERP & WEB APPLICATIONS SECURITY: To implement the right security measures into your business application services & software development life cycle (SDLC) – Training – Code Review – application security software.
IDENTITY ANALYTICS & INTELLIGENCE: To ensure that the people having access to your critical IT systems are the right persons & have the right access level – Automation of regular access reviews for applications & IT systems.
FRAUD MANAGEMENT & FORENSIC INVESTIGATION: Fraud management systems & investigation methods designed to detect computer fraud and preserve the integrity of the evidence collected.
4. Security is a business problem
FINANCIAL RISKS
REPUTATION RISKS
COMPLIANCE RISKS
5. Failure to adequately manage Access Rights is at the root of most security incidents and compliance issues
55% of companies have been victims of a security incident over the last 24 months
56% of fraudsters are internal workers and cause the most impact
Sources: PwC, Global Economic Crime Survey; PwC, Global Information Security Survey; Deloitte, DTTL Global Financial Services Industry Security Study
Top 3 Audit Findings: excessive access rights; removal of access rights; segregation of duties
Typical Fraudster: internal employee, executive, man, aged between 31 and 40, employed for more than 3 years
(Charts on the slide: Types of Security Incidents; Security issues behind incidents)
6. Definition – wording
Risk definition: An opportunity for a physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a weakness.
A risk is a combination of two functions. Inside a domain, it is not authorized:
• To handle the 2 following responsibility levels: the operational level, « the one who executes », and the supervision level, « the one who controls »
• To cumulate 2 risky functions in the same process
It's not authorized for the manager to cumulate the functions of his team.
Display functions and reports are not risky.
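An added example (not from the slides or from Brainwave) that evaluates the rule types above for one user: roles are resolved to activities (transactions), display-only activities are dropped, and the remaining functions are checked for an operational/supervision pair inside one domain and for pairs listed in a risk matrix. The users, roles, transaction codes and matrix entries are constructed sample values.

```python
# Constructed example of the SoD rules on the slide: a risk is two conflicting
# functions that one user reaches through roles and activities (transactions).
# Users, roles, transaction codes and the risk matrix are made-up sample values.
from itertools import combinations

# transaction -> (business function, domain, responsibility level)
ACTIVITIES = {
    "ME21N": ("create_po", "purchasing", "operational"),
    "ME29N": ("release_po", "purchasing", "supervision"),
    "ME23N": ("display_po", "purchasing", "display"),
    "MIRO": ("post_invoice", "accounts_payable", "operational"),
    "F110": ("run_payment", "accounts_payable", "operational"),
}
ROLE_ACTIVITIES = {
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_PURCH_MANAGER": {"ME29N", "ME23N"},
    "Z_AP_CLERK": {"MIRO"},
    "Z_TREASURY": {"F110", "ME23N"},
}
USER_ROLES = {
    "alice": {"Z_BUYER", "Z_PURCH_MANAGER"},   # executes and controls in one domain
    "bob": {"Z_AP_CLERK", "Z_TREASURY"},       # two risky functions in one process
    "carol": {"Z_BUYER"},                      # no conflict
    "dave": {"Z_TREASURY", "Z_PURCH_MANAGER"}, # overlap is display-only: no conflict
}
# Risk matrix: pairs of functions the company refuses to cumulate in one process.
RISK_MATRIX = {
    frozenset({"create_po", "release_po"}): "purchase order creation vs release",
    frozenset({"post_invoice", "run_payment"}): "invoice posting vs payment run",
}

def user_functions(user):
    """Resolve user -> roles -> transactions -> functions; drop display-only ones."""
    funcs = {}
    for role in USER_ROLES.get(user, ()):
        for tcode in ROLE_ACTIVITIES.get(role, ()):
            func, domain, level = ACTIVITIES[tcode]
            if level != "display":  # display functions and reports are not risky
                funcs[func] = (domain, level)
    return funcs

def find_conflicts(user):
    """Return sorted (rule, function_a, function_b) triples for one user."""
    funcs = user_functions(user)
    hits = set()
    for a, b in combinations(sorted(funcs), 2):
        (dom_a, lvl_a), (dom_b, lvl_b) = funcs[a], funcs[b]
        # Rule 1: "executes" and "controls" in the same domain (the manager case too)
        if dom_a == dom_b and {lvl_a, lvl_b} == {"operational", "supervision"}:
            hits.add(("operational+supervision:" + dom_a, a, b))
        # Rule 2: two risky functions of the same process, as listed in the matrix
        label = RISK_MATRIX.get(frozenset({a, b}))
        if label:
            hits.add(("risk matrix:" + label, a, b))
    return sorted(hits)
```

Running find_conflicts over every user in USER_ROLES flags alice under both rules and bob under the risk matrix only; carol and dave are clean because dave's only overlap is a display transaction.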
7. Risks Management concerns
Address risks in a comprehensive and consolidated approach
Increase the visibility of the impact of risks on performance
Have the ability to automatically monitor key risks
Meet the requirements of your regulation
8. Key customer risk issues
• Risk events become loss events
• Risk management activities are too costly
• Limited ability to prioritize and manage the most critical risks
9. Establishing SoD rules is specific to each company
• Segregation of duties is obviously based on the establishment of a repository of best practices and common audit rules
• Indeed, in practice, the implementation of the segregation of duties repository does not solve all incompatibilities:
• The segregation of duties repository reflects the risks arising from conflicts of activities against which the company wants to protect itself
10. What SoD issues are most SAP customers facing?
Top 3 conflict types in SoD risks:
• Core Model misconception
• User rights assignments generate incompatibility
• Rights assignment process weaknesses
11. Risk mitigation and remediation
Process Principles in 5 Steps
Risk matrix life cycle:
• Appreciate whether SoD discrepancies generate real risk in the business context, and adapt the risk matrix accordingly
Role model update life cycle:
• Check conformity between SoD rules
• Add / delete transactions and authorization objects in roles
• Cut existing roles into multiple roles
Role combination – user assignment life cycle:
• Check conformity in user role assignment
• Check that role combination assignment conforms with SoD rules
Organization life cycle:
• Be sure that roles are assigned according to organization rules
• Be sure that functions are defined according to SoD rules
Compensatory controls:
• Set up complementary controls to mitigate the risk
12. Our proposition, Brainwave IGRC
• Periodic User Access Review
• iMDM for Data Quality & Identity Correlation
• Continuous Monitoring, Alerting & Remediation
• Behavioral and Data Analytics
• Risk Scoring and Evaluation
• Audit, Compliance, Forensic
13. Gartner Terminology (layers from Business down to IT)
• IAI – Identity Analytics and Intelligence: Audit, Controls, Analyses and Dashboards
• IAG – Identity and Access Governance: Roles and Recertification
• IAM – Identity and Access Management: Account and password management
14. Main Features (layers from Business down to IT)
IAI – Identity Analytics and Intelligence:
• Entitlements and granular permission analysis
• Audit controls (including SoD)
• Tracking of changes over time
• KPI and reporting dashboards
IAG – Identity and Access Governance:
• Access rights recertification workflows
• Access request workflows
• Role modelling
• Role provisioning
IAM – Identity and Access Management:
• Joiner/leaver workflows
• Account provisioning
• Directory synchronization
• Password reset
15. Added value on your project by Brainwave
• A unified approach to GRC, integrated into your landscape
• Automated monitoring for risks and controls across very different and heterogeneous technologies
• An interface designed to deliver the best user-centred experience
• Software that meets all the features necessary for the establishment of a global risk management system
16. What benefits can iGRC provide to stakeholders?
Fine-grained SoD implementation – Users <=> Roles <=> Activities <=> Authorization Objects…
Core model analysis & cleanup
User role analysis & cleanup
360° dynamic browsing of users, roles, permissions, discrepancies…
SoD across SAP modules, and between SAP and other business-critical applications
17. Classic Timeline for a project Pilot (months M0 to M6)
Phase A: SoD Matrix review and upload
Phase B: Core Model Clean-up
Phase C: Entity clean-up
Workstreams: SoD risks matrix definition, design and challenge; technical load of the matrix in Brainwave; technical set-up; remediation plan for the core model; remediation plan for the entity users; testing; project management; support post-go-live.
Hypothesis:
- SoD Matrix based on a standard matrix, or an existing business customer matrix
- Core model cleaned, and not fully redesigned
- Entity pilot deployed having fewer than 100 users
18. Web portal: the home page
Fully web-based; nothing to install
One unique place for: browsing data within your organization; generating reports; analyzing SoD; getting dashboards
22. What can I do with it?
Build a 360° cartography about Who-Does-What
Use standard controls to improve the quality of the SAP security model
Identify Segregation of Duties (SoD) issues
Make cross analysis with other applications and data repositories like HR, Active Directory and shared files
Investigate suspicious activities by following up on:
- Business transaction activities
- Rights administration activities
Follow up on issues and improve your situation
23. Why Brainwave for SAP? How does it work? What does it need to work? What kind of data does Brainwave need?
Collect and Consolidate – automated data discovery, data mapping and loading into the Brainwave data model:
- Security policies: SoD Matrix, …
- People: job title, organization, …
- Accounts, groups, …
- SAP® ECC, SAP® SRM …: authorization model, acts of administration, logs
Analyse and report:
- User authorization cartography
- Risk analysis and trends
- Control reporting
- Dashboards
Review & Remediate:
- Risk mitigation and remediation
- …
Hi everyone, thank you for being here today to see this webinar about best practices for access reviews.
Let me introduce myself: I'm Mathieu Roseau, director of business development for In Fidem.
In Fidem has been working in the area of governance, risk management and compliance since it was founded 10 years ago.
In Fidem's mission is to support organizations and their businesses through the protection of one of their most valuable assets: information.
We keep track of the latest developments and analyze current trends in the field.
We create content, methodologies, approaches, analysis models and tools specific to each customer.
We have established 5 areas of expertise that enable us to innovate:
GOVERNANCE, RISKS & COMPLIANCE (GRC) – helping you with your security regulation, whatever it is
IDENTITY ANALYTICS & INTELLIGENCE, as Gartner named it – we are going to look at that together today
ERP & WEB APPLICATIONS SECURITY
CYBER-MONITORING – incident management / incident response
FRAUD MANAGEMENT & FORENSIC INVESTIGATION – e-discovery – legal proof of an electronic felony
We have all that is required to provide 360° security.
Even if not all C-level management is aware of it, security is a business problem.
Reports of data breaches, data loss and cyber criminality are multiplying these days and are increasingly becoming front-page news:
LuxLeaks 2014 data leak
JP Morgan cyber-criminal hacking
Morgan Stanley hacking / data theft scandal
Each time, several pillars of the company are impacted: the financial, reputation and compliance sides.
The cost of cyber-criminally stolen data continues to rise, year after year.
Companies continue to focus most of their investment dollars and attention on external fraud applications, despite the fact that internal fraud is the larger problem. Reportedly, 6% of frauds were internal frauds caused by employees who took advantage of user access issues to commit their crimes.
Actually, in that respect, the figures are very telling:
A Deloitte report found that the biggest audit challenges and issues were the monitoring of user accounts and access privileges.
It is important to realize what is going on here:
- that these frauds are committed by employees and internal staff (usually an executive, 3 to 5 years in, college educated)
- and that frauds committed by employees are the most pernicious because these people know the house and where to look!
Employees, former employees, contractors, former contractors.
And a big part of the problem is the ability to keep a history of access requests or movements, in order to deactivate them.
Let's see now how to handle the risk challenge in SAP, on the governance side!
FIRST A DEFINITION OF RISK IN THE SAP CONTEXT
Risk definition : An opportunity for a physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a weakness.
A risk is a combination of two functions that can lead to a fraud
It’s not authorized for the manager to cumulate the functions of his team
But Display functions and reports are not risky
Management of risks has some concerns:
How to identify, evaluate and compensate for risks across departments operating in silos?
How to access and manage all data that will impact my risk?
How to assess the impact of risk qualitatively and quantitatively?
How to model different compensation plans for my risk to make sure to put in place the best response plan?
How can continuous monitoring reduce my risk of events?
How to compensate my key risks before they impact my performance?
How to ensure the effectiveness of internal controls and risk management?
OPERATING THE RISK HAS MANY ISSUES
Inability to identify and mitigate risks proactively before events become risk losses and events that negatively impact performance
No integration of risk management into corporate strategy and operational business processes
Risk management solutions based on MS Office are inefficient, inadequate, based on manual processes and not auditable
Manual activities for risk management across multiple entities lead to limited visibility and ROI
Inability to identify and prioritize critical risk management leads to action plans that are not aligned with strategy
Limited ability to analyze the impact of risks on business processes and how the risks interfere with each other
Dealing with risks leads to having a SoD (segregation of duties) control plan
SoD IS BASED ON a repository of best practices and common audit rules
* usually the Big Four like BDO, Deloitte and others can help on that
But it MUST BE ADAPTED to the relevant activities of the company
and its stakes through the risk assessment of the identified conflicts.
IN PRACTICE
In information systems, dealing with the entire conflict by defining profiles would lead to defining a large number of particularly complex profiles, which the user management process
In entities of limited size, the combination of responsibilities is inevitable
First one / Core Model misconception
SAP core models for authorization are often designed before SoD projects and before SoD awareness
SoD best-practice building rules not followed during the build phase
No real SoD challenge during the maintenance phase
Second / User rights assignments generate incompatibility
No real « Process Owner » to challenge user rights
No challenge on the organizational perimeter
No frequent global review of user assignments
Third / Rights assignment process weaknesses
Active accounts assigned to people who left the company or people who changed their responsibility
Over-allocated rights vs job title and responsibilities
Rights not updated after reorganization
No organizational perimeter assignment approval
First step: check the adequacy between theory and real life on your SoD discrepancies and update your risk matrix
Second: adapt your role model accordingly
Third: validate your user role assignment and role combination regarding SoD rules
Fourth: ensure roles are aligned with organization rules
Fifth: implement complementary controls to mitigate the risk
Brainwave's mission is to help you identify and mitigate all the risks related to users and their permissions on the IT systems.
We do this by consolidating information from the IT system in order to be able to know:
Who is working for you: employees, contractors, trainees, as well as the organisation they belong to, their job title, …
What they can do on the information systems, whatever the application and the permission level (on-premise, cloud application, mainframe, file shares, …)
What they have been allowed to do through the security policies and the access granting workflow
And we mix all this information to ensure that everything is consistent, thereby ensuring the least privilege principle and enforcing segregation of duties.
European company, French-based with offices in Canada too, more than 60 customers since its creation 5 years ago, named in the Gartner IAM Magic Quadrant 3 years ago, Cool Vendor and Vendor to Watch since then.
The way Gartner sees identity is by identity and access administration: the first level is management (account creation, modification, deletion); after that you have governance (reports and indicators evolving through time); and at the end, intelligence (BI dashboards, SoD controls and fine-grained analyses).
Having a way to implement a SoD control plan across applications, and having reviews on identity data, is an identity analytics and intelligence approach.
BUT ALSO
Dashboards (global overview, trends, problem metrics, insights…)
Review processes…
Methodological approach:
Review of your existing SoD matrix
Clean-up of the core model
Implementation of the remediation plan
You have a whole set of reports where you can navigate freely through the data, without complexity, and you can easily add reports too.
You can split the view by organisation, dispatching the risks by families and by percentage of users having the risks.
Get an overview dashboard of your risks as security controls and discrepancies.
See the top three risks by role, organisation, job, etc.
You can also see the number of accesses to critical transactions granted per organization: how many times have those persons used those transactions over time?
Build a 360° cartography about Who-Does-What:
From permissions* to identities**
From identities** to permissions*
Use standard controls to improve the quality of the SAP security model:
Dormant accounts, privilege accounts …
Critical profiles and transactions …
Identify Segregation of Duties (SoD) issues:
Statistics on SoD
Investigation and root cause analysis
Proposal for remediation scenario
Brainwave needs HR information, crossed with Active Directory and of course SAP ECC, with the authorization model and logs. We can provide ABAP scripts to perform those extractions.
Brainwave uses a Business Intelligence approach to secure the assets.
We are not focused only on permissions and user rights, but also on organisation, job titles and commitments.
Well, how does it work?
Import information into an identity model – no connectors, no agents on servers.
The identity model allows you to link this information to the IT commitments, such as account details, access permissions and, when available, access logs.
Access logs allow behavior analysis to be performed.
You can also import the law, the security policy, which is a top-down authority.