ap system security

1.
Case Study
Major motion picture studios employ a tried and true formula to manage the risk
associated with a new film release: Start with a great screenplay, sign a
bankable star, and entrust the project to a director with a résumé of hits and a
track record of staying on budget. A studio holding steady with this strategy will
have its share of successes, such as Universal Pictures’ Jurassic Park, Jaws,
ET: The Extra­Terrestrial, and the Bourne series.
For NBCUniversal, which owns and operates television and cable networks such
as NBC, Bravo, and USA, and theme parks like Universal Studios Hollywood in
addition to its Universal Pictures film business — the formula it adheres to in
churning out both big­screen and small­screen hits is akin to its corporate
governance, risk, and compliance (GRC) strategy: Have a vision, stay within
budget, and keep surprises to a minimum.
At a Glance
Goal: Meet auditor requirements for critical access, achieve Sarbanes­Oxley (SOX)
compliance, minimize segregation of duties (SoD) conflicts, and establish SAP user
access process and guidelines
Strategy: Integrated Security Weaver Secure Provisioning, Emergency Repair, and
Separations Enforcer with existing SAP systems
Outcome: Eliminated SoD conflicts, provided business unit ownership of access
provisioning through self­service model, lowered the cost of compliance, and reduced
access provisioning process from seven to three business days
This strategy was especially important for NBCUniversal in solving its user
provisioning challenge of approximately 5,400 users across a complex SAP
landscape running globally in more than a dozen countries across about 120
businesses. An SAP customer since 2002, the organization now runs SAP
Business Suite across nearly every component of its vast news and
entertainment operations. To protect this investment, the business needed to
ensure SAP users stay “on­script.” For instance, an employee responsible for set
construction shouldn’t have free rein over creating, approving, and paying
invoices. While protecting against segregation of duties (SoD) risks has always
been a concern, the organization’s approach toward mitigating this risk had to
change when Comcast Corporation completed its acquisition of NBCUniversal
from GE in 2011. The new owners made a new GRC strategy and an investment
Lights, Camera, Action: NBCUniversal Puts SAP
System Security in the Spotlight
by Ken Murphy, Features Editor | insiderPROFILES, Volume­4, Issue 4
October 1, 2013
This article explores NBCUniversal's journey to solve a user provisioning challenge for roughly 5,400
SAP users across a complex global landscape in more than a dozen countries and across roughly 120
businesses. Learn how NBCUniversal met auditor requirements for critical access, achieved Sarbanes­
Oxley (SOX) compliance, and minimized segregation of duties (SoD) conflicts, while establishing SAP
user access guidelines.
YOU MAY ALSO LIKE THESE
ARTICLES FROM
Best Practices for Setting Up Authorization in
Process Control 10.0
Portal and SAP System Provisioning in One
Step
Harness Risk Threshold Definition to Drive Ad
Hoc Risk Escalation
Q&As | Case Studies | Blogs | White Papers | Webinars | Videos | Podcasts | Books | Events | Magazines | Why Subscribe?
Search
FINANCIALS HR BI HANA SCM CRM ADMIN/DEV GRC PROJECT MANAGEMENT ROADMAP
ShareShareShareShareMore
A Blockbuster
Partnership
SAP partner Security
Weaver was instrumental
in helping NBCUniversal
solve its user
provisioning challenge of
around 5,400 users
across more than 12
countries and 120
businesses. To find out
more about Security
Weaver’s integral role in
the project and download
a PDF version of this
article click here.
TRENDING TOPICS

2. in more stringent security controls a priority and established an oversight
committee to supervise how IT would monitor the SAP landscape, instituting a
system of checks and balances. It was also made clear that the IT organization
would adopt a proactive approach to risk, as opposed to auditing costs and
addressing problems after detection.
“When the acquisition completed, we had a new parent company, a new board of
directors, and new governance and risk policies. Change at that level
unavoidably results in change cascading down. It was a daunting challenge to
meet the new mandates while at the same time increasing the speed of our
operations and even taking costs out of the system, but we did it by having an
excellent IT and business team, an effective oversight committee, and solid
technology partners,” says David Meyers, Vice President and Assistant
Corporate Controller at NBCUniversal.
“It was never a question of whether we would meet the governance and security
requirements for our SAP platform, but we had to be wise,” says Bruno Singh,
Head of SAP Programs at NBCUniversal. “When it comes to SAP security, it is
easy to save money and then fail your audit — and it is even easier to create a
GRC program that lets you pass your audits while sacrificing the funds needed
for other important initiatives. We were looking for the right balance of enterprise­
grade security with a low cost of ownership.”
Pulling Back the Curtain
For the project to be a success, it would require a true partnership with a
technology provider. The business carefully evaluated several GRC solutions
from different software vendors. “When I shared my vision with the Security
Weaver team, they said that they could help implement my vision and provide
the technical layer to achieve it all,” said Goel. “Because they were able to do a
quick prototype in their systems that mirrored what we were planning, it gave us
confidence that this project would be successful.”
For automated monitoring and provisioning of NBCUniversal’s SAP landscape,
once the target use cases were satisfied, the main selection criteria were overall

3. cost effectiveness and ease of implementation. Consequently, the business
chose to implement the SAP­certified Security Weaver suite of GRC applications
to address its SoD risks, tighten access controls, and become Sarbanes­Oxley
(SOX) compliant. (For more information about the Security Weaver suite of
applications, refer to the sidebar to the left.)
“Failing an audit or failing to meet board­level mandates are never options for us,
so it was nice to find that Security Weaver’s solutions addressed our security and
governance needs for user provisioning without breaking our budget either with
licenses or services,” says Chris Berry, Senior Director of the SAP Center of
Excellence at NBCUniversal.
Early in the project, with Security Weaver’s Separations Enforcer in place,
NBCUniversal set out to determine its immediate level of risk exposure.
According to Goel, roughly 75% of the employees with direct access to SAP
applications were found to have at least one SoD conflict. However, with
Separations Enforcer in place, analytics and support were provided to the
business leads as SAP roles and positions were reviewed, and the right SAP
system access was determined for each particular role. This made the
subsequent and significant role redesign at NBCUniversal work much more
efficiently, and easy for business leaders to validate.
Rethinking the role design was a concern of even the most senior leaders of the
organization. “The CFO challenged us, and that led our thinking about predefined
access,” said Goel. The team wanted everyone comfortable that the role design
project would mean no predefined risk would occur at the operational business
unit level. If there was an exception allowed, it would be controlled at the
corporate level.
To make the role redesign and predefined access both effective and efficient,
NBCUniversal knew even the best technology needed empowered people driving
it. “We established a business liaison for every operation with SAP users and
asked each of them to provide a list of each position’s requirements,” says Goel.
“With Separations Enforcer, we could look at those requirements to determine
SoD risks, and by changing some of our business processes or shifting
responsibilities, we could eliminate them.”
Having addressed SoD risks, a key objective for the company was to ensure
continual compliance by establishing access rules and integrating this rule set
with the Secure Provisioning solution. By automating the process, IT would no
longer be the gatekeeper or on the critical path for granting SAP system access
on a daily basis. “Predefining access policies saves time and helps us ensure
additional risks aren’t introduced into the business. We are now able to skip daily
conversations with an internal auditor over access requests or business
changes,” Goel says.
While the IT organization is still occasionally consulted over access issues, by
transferring ownership of user provisioning to operational teams and making
them aware of its overall importance, the business was able to change its
security mindset from a reactive guardian to a more proactive one where IT
automates business policies. As Goel says, “There is no more
miscommunication, and the IT team is doing more productive work versus
predominantly focusing on granting access. Overall, security is much more
aligned with the business changes, and business is proactive when it reaches
out to IT. They understand that security is part of the process, not an
afterthought.”
The challenge to IT, then, was how to meet the new mandates, which required
overhauling the existing system without adding significant costs. For
NBCUniversal, this meant ensuring a comprehensive security system that could
both enable changes to business operations and, just as importantly, adapt to
changing business practices. The solution was definitely not to simply plug in a
tool to monitor the existing setup.
“We needed a technical blueprint for correcting and sustaining the business
processes,” says Vikas Goel, Global Production Support, Finance at
NBCUniversal, and GRC Leader for the SAP Center of Excellence. “The first
step was to identify the SoD risks, the various roles or job positions, and
establish business ownership within each particular business unit for the users
with SAP access.”
“When it comes to SAP
security, it is easy to save
money and then fail your
audit — and it is even
easier to create a GRC
program that lets you
pass your audits while
sacrificing the funds
needed for other
important initiatives. We
were looking for the right
balance of enterprise­
grade security with a low
cost of ownership.”
— Bruno Singh, Head of
SAP Programs,
NBCUniversal

4. Following the Script
To ensure effective communication between IT and business users during the
implementation — the project began in February 2012, and completed the
following November — NBCUniversal created a functional resources team as a
liaison between the affected groups. During the requirements gathering phase of
the project, the team members were responsible for articulating the needs of
their business units. They validated test cases during the project and led any
process redesign work required of their business units in order to meet security
requirements. The team proved additional value by eliminating disruptions to
business users and helping them adjust on the fly to the new access controls.
“The functional team acted as a layer to translate technical language into terms
the business could understand and vice versa,” Goel says. “So a business user
busy doing a daily or month­end close could lean on this team, and it helped us
complete a lot of unit testing.”
The built­in layer of support empowered operational teams to take ownership of
the testing process, viewing themselves as vested partners rather than
disinterested observers. These teams then didn’t have to be hounded when it
came time to sign off on changes after final testing.
An unexpected technical hurdle presented the project team with one of its
biggest challenges. According to Goel, a technical upgrade in the SAP Supplier
Relationship Management (SAP SRM) environment during implementation
necessitated supporting both the old and the new systems, essentially doubling
the work for user provisioning across an array of affected roles. “Fortunately,
Security Weaver’s applications were flexible enough to handle the multi­system
challenge, but as with any organizational­level effort, it’s important to make sure
that other projects that impact user security are aligned accordingly,” he says.
And with approximately 120 businesses around the world using SAP solutions,
the implementation certainly qualified as an organizational­level project. To
handle the scope, Goel’s project team grouped the various organizations into 44
geographies and gradually moved them into production over the course of eight
weeks immediately preceding the November 2012 global rollout. The team
ensured the various business units across the globe would go live and avoid
issues during the weekly releases affecting each business.
That’s a Wrap
To complete the scope of change demanded and achieve the GRC vision,
NBCUniversal required a top­tier technology partnership. According to Goel,
“Security Weaver’s solution did operate very well, but just as importantly to us, as
the project developed, they were quick to customize their solution to
NBCUniversal’s unique requirements. They adjusted the functionality and even
added features for us.”
Even prior to the project’s completion, NBCUniversal’s legwork and collaboration
with Security Weaver’s professional services in redesigning roles and changing
the business mindset concerning the GRC strategy helped eliminate SoD
conflicts. Other tangible benefits came post­implementation. Chief among them
was cutting the user provisioning process from seven business days down to
three, despite receiving more than 400 new user access requests each month —
all primarily without the IT organization’s involvement.
“Our CIO, CFO, and
COO all feel safer with
predefined access as a
vehicle for increasing
overall security.”
— Vikas Goel, Global
Production Support,
Finance, and GRC
Leader for the SAP
Center of Excellence,
NBCUniversal

5. Not only have the new GRC controls ensured compliance, but the transparency
provided through automated reporting has preempted the need for a constant
revolving internal audit, thereby lowering the costs and inconvenience of proving
compliance. “It is hard to calculate exact savings, but my expectation is that we
lowered our audits costs in half so far,” says Goel. “Of course, because audits
are recurring, the total savings keeps growing each year.”
Another benefit achieved is the ability to better manage SAP licenses now that
position­based roles are more clearly defined. Improved licenses management
not only means a better negotiating position during support renewal discussions,
but it affords each business unit with better understanding of current and
expected user costs.
“Like many complex enterprises, our SAP environment is in a constant state of
flux, so our security and compliance requirements are demanding,” Singh says.
“However, thanks to a great project team and to Security Weaver, we’ve been
able to meet our access management challenges while simultaneously improving
our operational cost structure.”
Company Snapshot
NBCUniversal
Headquarters: New York, New York
Industry: Media and entertainment
Employees: Approximately 37,000
Company details:
• NBC was the first major broadcast network in the US, founded in 1926 by the Radio
Corporation of America
• First released in 1982, ET: The Extra Terrestrial is the most successful Universal
Studios picture of all time, grossing roughly $360 million
• Universal Studios Japan opened in Osaka in 2001 and hosted 11 million guests in its
first year
• In 2003, Universal Pictures became the first studio to have five movies surpass $100
million in domestic box office draw and achieve blockbuster status: American Wedding,
Bruce Almighty, 2 Fast 2 Furious, The Hulk, and Seabiscuit
• Comcast Corporation acquired NBCUniversal from GE in January 2011
• The NBC Sports Group has aired the most­watched event and program in US television
history: the 2012 London Olympic Games drew more than 217 million viewers, while as a
single event more than 111 million people watched Super Bowl XLVI in 2012
• NBC Sports Group’s Sunday Night Football was the No. 1 show in the Nielson ratings
for the 2012­2013 season ending May 2013, averaging 21.5 million viewers per week
SAP solutions:
• SAP ERP (functionality for financials and HR) (x2)
• SAP NetWeaver BW (x2)
• SAP SCM
• SAP SRM
• SAP NetWeaver Portal (multiple)
• SAP Solution Manager
• SAP NetWeaver PI
SAP partner solutions highlighted:

6. High-Security Support for
SAP Solutions
Many companies contain vital
assets that, if compromised,
could have devastating effects.
This article takes a look at how
SAP National Security Services
(SAP NS2), a subsidiary of SAP
based ...
From Reactive to Proactive
Changes in an organization, like
new solutions or acquisitions
and reorganizations, can cause
negative affects like increased
workload and confusion. As a
result, important tasks can be
swept aside and ...
A Top Concern for CFOs:
Effectively Managing Risk
to Drive Performance
CFOs have to consider many
different elements that affect a
company’s bottom line, including
governance, risk, and
compliance management
(GRC). While every organization
has a different approach
to GRC, a comprehensive
strategy ...
• Security Weaver Separations Enforcer
• Security Weaver Secure Provisioning
• Security Weaver Emergency Repair
At NBCUniversal, automated emails regarding access requests are now more
intuitive for the business user, the request for access interfaces are more user­
friendly, and operations are faster and less costly, but NBCUniversal is not done.
The large­scale SAP user turnover inherent with its roughly 5,400 users means
more work is still to come. Increasing self­service capabilities with Security
Weaver for managers to set up or deactivate team members is next in the queue.
Goel’s early confidence in a successful project has been justified.
NBCUniversal’s alignment of its business around a common GRC strategy with
stricter controls has been as satisfying to the teams involved as coming out of a
feel­good movie. “Now, we’re SOX compliant, the auditors aren’t escalating
access risks to the audit committee, and our CIO, CFO, and COO all feel safer
with predefined access as a vehicle for increasing overall security,” Goel says.
COMMENTS
Please log in to post a comment.
More from SAPinsider
SAPinsider is published by WIS Publishing, a
division of Wellesley Information Services.
20 Carematrix Drive, Dedham, MA 02026 USA
Sales and Customer Service: 1(781)751­8799;
customer@wispubs.com
© 2014 Wellesley Information Services. All rights
reserved.
Online ISSN #2155­2444, Print ISSN #1537­145X
SAPinsider
SAPinsider Conferences & Seminars
SAPinsider Seminars on Demand
SAPinsider Store
insiderPROFILES
insiderRESEARCH
SAPexperts
ABOUT US CONTACT US PRESS ROOM MEDIA KIT FAQ PRIVACY POLICY SITEMAP

7. SAP and the SAP logo are trademarks or
registered trademarks of SAP SE in Germany and
other countries.