Governance Risk and Compliance for SAP
•Download as PPTX, PDF•
1 like•1,476 views
Learn how to reduce financial fraud and improve risks management. What are the most common risks for activities and business processes? How a SoD repository is commonly set up? Learn the top 3 SoD conflict types and how to implement a methodology in order to leverage your SAP governance. Main points covered: • How to reduce financial fraud and improve risks management • What are the most common risks for activities and business processes? • How a SoD repository is commonly set up? • Learn the top 3 SoD conflict types Presenter: The webinar was presented by M. Roseau, director of business development for In Fidem, a Canadian company based in Montreal, Quebec. Link of the recorded session published on YouTube: https://youtu.be/bRsiWx2NodA
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (9)
Similar to Governance Risk and Compliance for SAP
Similar to Governance Risk and Compliance for SAP (20)
More from PECB
More from PECB (20)
Recently uploaded
Recently uploaded (20)
Governance Risk and Compliance for SAP
- 1. GOVERNANCE, RISK AND COMPLIANCE FOR SAP, REDUCE COSTS AND RISKS WITH GOVERNANCE ACROSS YOUR INFORMATION SYSTEM WEBINAR 2016
- 2. 2 Mathieu Roseau Job Positions Mathieu Roseau is a director of business development for In Fidem, a Canadian company based in Montreal, Quebec. He's been working in the IT sector for more than 8 years, as a security solution specialist. As a security consultant, M.Roseau has been working on numerous projects for several types of industries. 514 699-6834 mathieu.roseau@infidem.biz www.infidem.biz https://www.linkedin.com/in/mathieuroseau/en
- 3. In Fidem in an nutshell 3 GOVERNANCE, RISKS & COMPLIANCE (GRC) Experts to help you manage your security governance, risks & compliance framework (GRC) around the globe – PCI-DSS – SOX - ISO 27001 – NIST compliance – NERC CIP - and many others. CYBER-MONITORING To implement the right detection mechanisms of security issues before it’s too late. Experts to help you to implement right incident management processes. ERP & WEB APPLICATIONS SECURITY To implement the right security measures into your business applications services & software development life cycle (SDLC) – Training – Code Review – application security software's. IDENTITY ANALYTICS & INTELLIGENCE To ensure that people having access to your critical IT systems are the right persons & have the right access level - Automation of regular accesses review for application & IT systems review. FRAUD MANAGEMENT & FORENSIC INVESTIGATION Fraud management systems & investigation methods designed to detect computer fraud and preserve the integrity of the evidence collected.
- 4. Security is a business problem FINANCIAL RISKS REPUTATION RISKS COMPLIANCE RISKS
- 5. Failure to adequately manage Access Rights is at the root of most security incidents and compliance issues 55% of companies have been victims of a security incident over the last 24 months 56% of fraudsters are internal workers and cause the most impact Types of Security Incidents PwC, Global Economic Crime Survey PwC, Global Information Security Survey Top 3 Audit Findings Deloitte, DTTL Global Financial Services Industry Security Study Excessive access rights Removal of access rights Segregation of Duties Internal Employee Excecutive Man Age between 31 and 40 Employed for more than 3 years Typical Fraudster Security issues behind incidents
- 6. Definition - wording Risk definition : An opportunity for a physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a weakness. A risk is a combination of two functions. Inside a domain, it is not authorized : To handle the 2 following responsibility levels : Operational level, « the one who executes », Supervision level, « the one who controls ». To cumulate 2 risky functions in the same process It’s not authorized for the manager to cumulate the functions of his team Display functions and reports are not risky
- 7. Risks Management concerns Address risks in a comprehensive and consolidated approach Increase the visibility of the impact of risks on performance Having the ability to automatically monitor key risks Meet the requirements of your regulation
- 8. Key Customers risk issues • Risks events become loss events • Risk management activities are too costly • Limited ability to prioritize and manage the most critical risks
- 9. Establishing SoD rules is specific to each company • Segregation of duties is obviously based on the establishment of a repository of best practices and common audit rules • Indeed, in practice, the implementation of the segregation of duties repository does not solve all incompatibilities: • The segregation of duties repository reflects the risks arising from conflicts of activities against which the company wants to protect itself
- 10. What most SoD issues in SAP customers are facing ? Top 3 conflict types in SOD risks Core Model misconception User Rights assignments generates incompatibility Rights assignment process weaknesses
- 11. Risk mitigation and remediation Process Principles in 5 Steps •Appreciate if SOD discrepancies generate real risk in business context, and adapt accordingly Risk matrix Risk matrix life cycle •Check conformity between SOD rules •Add / delete transactions and authorization objects in roles •Cut existing roles in multiple roles Role model update life cycle •Check conformity in user role assignment •Check that role combination assignment is conform with SOD rules Role combination - User assignment life cycle •Be sure that roles are assigned accordingly with organization rules •Be sure that functions are defined accordingly with SOD rules Organization life cycle •Set up complementary controls to mitigate the risk Compensatory controls
- 12. Periodic User Access Review iMDM for Data Quality & Identity Correlation Continuous Monitoring, Alerting & Remediation Behavioral and Data Analytics Risk Scoring and Evaluation Audit, Compliance Forensic Our proposition, Brainwave IGRC
- 13. Gartner Terminology •Audit, Controls, Analyses and DashboardsIAI Identity Analytics and Intelligence •Roles and RecertificationIAG Identity and Access Governance •Account and password managementIAM Identity and Access Management Business IT
- 14. Main Features •Entitlements and granular permission analysis •Audit controls (including SoD) •Tracking of changes over time •KPI and reporting Dashboards IAI Identity Analytics and Intelligence •Access Rights Recertification Workflows •Access Request Workflows •Role Modelling •Role provisioning IAG Identity and Access Governance •Joiner/Leaver workflows •Account provisioning •Directory synchronization •Password reset IAM Identity and Access Management Business IT
- 15. • A unified approach to GRC, integrated to your landscape • Automated monitoring for risks and controls in very different and heterogeneous technologies • An interface thought to deliver best user centred experience • A soft to meet all the necessary features for the establishment of a global risk management system Added value on your project by Brainwave
- 16. Fine grained SoD implementation – Users <=> Roles <=> Activities <=> Authorization Objects… Core model analysis & cleanup User Role analysis & cleanup 360° Dynamic browsing of users, roles, permissions, discrepancies… SoD across SAP modules and with SAP and other business critical applications What benefits iGRC can Provide to Stakeholders?
- 17. Classic Timeline for a project Pilot M2.M1.M0. M5. Phase A Sod Matrix review and upload Phase B Core Model Clean-up Phase C Entity clean-up M3. M4. M6 Hypothesis : - SoD Matrix based on standard matrix, or existing business customer matrix - Core model cleaned, and not fully redesigned - Entity pilot deployed having less than 100 Users Testings Support Post-Golive Remediation plan for the entity Users Technical SET UP Remediation plan for CORE MODEL Technical load of the Matix in Brainwave Project Management Sod Risks matrix definition, design and challenge Support Post- Golive
- 18. 18 Fully Web-based; nothing to install One unique place for: Browsing data within your organization Generating reports Analyzing SoD Getting dashboards Web portal: the home page
- 19. 19 Organization Risk families % of users with risks in the organization Showing the risks by organizational unit
- 20. 20 Supplying the global risk dashboard with the latest trends
- 21. 21 All users in Sales Division Transaction Usage counter Get the global risk dashboard with the last trends Critical transaction monitoring (4/4)
- 22. Build a 360°cartography about Who-Does-What: Use standard controls to improve the quality of the SAP security model: Identify Segregation of Duties (SoD) issues: Make cross analysis with other applications and data repository like HR, Active Directory and Shared Files Investigate on suspicious activities by following-up: - Business transaction activities - Right administration activities Follow-up on issues and improve your situation What can I do with it?
- 23. Security policies - SOD Matrix - … - People - Job title - Organization - … - Accounts - Groups - … SAP® ECC SAP® SRM … - Authorization model - Acts of administration - Logs Analyse and report Review & Remediate Collect and Consolidate - User authorization cartography - Risk analysis and trends - Control reporting - Dashboards Automated data discovery, data mapping and loading into Brainwave data model Risk mitigation and remediation … Why Brainwave for SAP ? How does it work? What does it need to work ? What kind of data do Brainwave need ?
- 24. Data Reconciliation Cloud Business applications ERP, HR, etc. Security systems IAM, SIEM, etc. User access controls (SoD, policies, rules, etc.) Brainwave uses BI analytics to correlate data Report + Analysis : • Who can access what? • User privileges • User access risks • Which control is deficient? • Am I compliant ?
- 25. ? QUESTIONS THANK YOU 514 699-6834 mathieu.roseau@infidem.biz www.infidem.biz https://www.linkedin.com/in/mathieuroseau/en
Editor's Notes
- Hi everyone, thank you for being here today, to see this webinar about best practices for access reviews. im introducing myself, im Mathieu Roseau, director of business development for In fidem
- In Fidem has been working in the area of governance, risk management and compliance since it was founded 10 years ago. , In Fidem’s mission is to support organizations and theirs businesses through the protection of one of their most valuable assets: information. We keep tracks of the latest developments and analyze current trends in the field We create content, methodologies, approaches, analysis models and tools specific to customer We have established 5 expertise that enable us to innovate: GOVERNANCE, RISKS & COMPLIANCE (GRC) – helping you over your security reglementation whatever it is IDENTITY ANALYTICS & INTELLIGENCE, as gartner named it – we are going to see that today together ERP & WEB APPLICATIONS SECURITY CYBER-MONITORING – incident management / incident response FRAUD MANAGEMENT & FORENSIC INVESTIGATION – e-discovery – legal proof of an electronic felony we have all that is required to provide 360 security
- even if not all c-level management is aware of that, security is a bunisess problem Reports of data breaches, data loss and cyber criminality are multiplying these days and are more and more becoming front line news. Luxleaks 2014 data leaks JP Morgan cyber- criminal hacking Morgan Stanley hacking/ data theft scandal each time its several pilars of the compagny who are impacted, financial, reputation and compliance side The cost of cyber criminally stolen data continues to rise, year after years
- Companies continue to focus most of their investment dollars and attention on external fraud applications, despite the fact that internal fraud is the larger problem. Reportedly, 6% of frauds were internal frauds caused by employees who took advantage of user access issues to commit their forfeits. Actually, in that respect, the figures are very telling: A Deloitte report the biggest audit challenges and issues were founded monitoring of user accounts and access privileges It is important to realize what is going on here: -that these are committed by employees and internal staff (usually an executive, 3 to 5 years n, college educated) -and that fraud committed by employees are the most pernicious because these guys know the house and where to look! Employees, former employees, contractors, former contractors and a big part of the problem is the ability to keep history of access demands or movements, in order to deactivate them Lets see know how to handle risks challenge in SAP, in the governance side!
- FIRST A DEFINITION OF RISK IN THE SAP CONTEXT Risk definition : An opportunity for a physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a weakness. A risk is a combination of two functions that can lead to a fraud It’s not authorized for the manager to cumulate the functions of his team But Display functions and reports are not risky
- Managament of risks have some concerns : How to identify, evaluate and compensate for risks across departments operating in silos? How to access and manage all data that will impact my risk? How to assess the impact of risk qualitatively and quantitatively? How to model different compensation plans of my risk to make sure to put in place the best response plan How continuous monitoring can reduce my risk of events? How to compensate my keys risks before they impact my performance? How to ensure the effectiveness of internal controls and risk management?
- OPERATE THE RISK HAVE MANY ISSUES Inability to identify and mitigate risks proactively before events become risk losses and events that negatively impact performance No integration of risk management in corporate strategy and operational business processes Risk management solutions based on MS Office are inefficient , inadequate, and based on manual processes and not auditable Manual activities for risk management across multiple entities lead to a limited visibility and ROI Inability to identify and prioritize critical risk management led to incur non-aligned action plans with strategy Limited ability to analyze the impact of risks on business processes and how the risks interfere with each other
- Dealing with risks leads to have a SoD (or seggregation of duties) control plan SOD IS BASED ON a repository of best practices and commun audit rules * usually the big four like BDO, Deloitte and othes can help on that But MUST BE ADAPTED in relevant activities for the company its stakes through the risk assessment of the identified conflicts.. IN PRACTICE In information systemsdealing with the entire conflict by defining profiles would lead to define a large number of particularly complex profile which the user management process In entities of limited size combination of responsibilities is inevitable
- First one /Core Model misconception SAP Core Models for authorization often designed before SoD projects, and SoD awareness SoD best Practice building rules not followed during the build phase No real SoD challenge during the maintenance phase Second/User Rights assignments generates incompatibility No real « Process Owner » for user rights challenge No challenge on the organizational perimeter No frequent global user assignments review Third/Rights assignment process weaknesses Active account assigned to people who left the company or people who changed their responsibility Over allocated rights vs job title and responsibilities Right not updated after reorganization No Organizational perimeter assignment approval
- First step: check adequation between theory and real life on your sod dispreencies and update your risk matrix Second: adap your role model accordingly Third: valid your user role assigment and role combinaison regarding sod rule Forth : ensure role are align with organization rules Firth : implement complementary controls to mitigate the risk
- Brainwave mission is to help you to identify and mitigate all the risks related to the users and their permissions on the IT systems We do this by consolidating information from the IT system in order to be able to know : Who is working for you, employees, contractors, trainees, as well as their belonging organisation, their job title, … What they can do on the information systems, whatever the application and the permission level (on premise, cloud application, mainframe, fileshares, …) What they have been allowed to do through the security policies and the access granting workflow And we mix all this information to ensure that all is consistent, therefore ensuring least privilege principles and enforcing seggregation of duties European compagny, french based and offices in Canada too, more than 60 customers since the creation 5 years ago, named in gartner iam magic quadrant 3 years ago, cool vendor and vendor to watch since then
- the way Gartner see the identity is by identity and access administration, first level is management, account creation modification delete. you have after the governance,, reports and indicator evolving through time and at the end, intelligencem BI dashboard, sod controls and fine grained analyses
- Having a way to implement sod control plan, cross applications and having reviews on identity data is a identityy analytics and intelligence approach
- BUT ALSO Dashboards (global overview, trends, problem metrics, insights…) Review processes…
- Methodological approach: Review of your existing sod matrix Clean up of the core model Implementation of remediation plan
- You have a whole set of reports where you can navigate freely into the data, without complexity and you can add some reports easily too
- You can split the view by the organisional side, dispaching the risks by families and percentage of users having the risks
- Get a overview dashboard of your risk as security controls and disprepancies See the top three risks by roles, organisation, job, etc
- You can also see the number of accecess to critical transactions granted per organization. So how many times those persons have been using those transactions over the time?
- Build a 360°cartography about Who-Does-What: From permissions* to identities** From identities** to permissions* Use standard controls to improve the quality of the SAP security model: Dormant accounts, privilege accounts … Critical profiles and transactions … Identify Segregation of Duties (SoD) issues: Statistics on SoD Investigation and root cause analysis Proposal for remediation scenario
- Brainwave needs HR information, crossed with active directory and of course sap ecc, with authorization model and logs. We can provide abap scrips to perform those extractions
- Brainwave use a Business Intelligence approach to secure the assets. we are not focus only on permissions and user rights, but also on organisation, job titles, and commitments Well, how does it work? Import information into an Identity model - no connectors no agents on server The Identity model allows you to link this information to the IT commitments, such as account details, access permissions and when available access logs. Access logs allows to perform behavior analysis. You can also import the law, the security policy which is a top down authority.