White Paper
EMC Solutions
Abstract
This White Paper details the integration between the RSA Archer® and SAP
products by prototyping integration processes that help a customer understand
how the two products can work together to provide a unified eGRC solution.
This solution satisfies business and management priorities across IT, finance,
operations, and legal domains, and helps achieve automated compliance with
regulatory requirements.
August 2014
EMC HYBRID CLOUD FOR SAP
Enhanced Security and Compliance
• Centralize compliance information into a single repository
• Automate application control verification
• Integrate RSA Archer with SAP
Copyright © 2014 EMC Corporation. All Rights Reserved.
EMC believes the information in this publication is accurate as of its
publication date. The information is subject to change without notice.
The information in this publication is provided as is. EMC Corporation makes no
representations or warranties of any kind with respect to the information in this
publication, and specifically disclaims implied warranties of merchantability or
fitness for a particular purpose.
Use, copying, and distribution of any EMC software described in this
publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation
Trademarks on EMC.com.
All trademarks used herein are the property of their respective owners.
Part Number H13328
Table of contents
Executive summary
  Business case
  Solution overview
  Key results/recommendations
Introduction
  Purpose
  Scope
  Audience
  Terminology
Solution overview
  Current situation
  Our solution
    Solution architecture
  Key components
    SAP Business Suite
    SAP GRC
    RSA Archer
  EHC overview
Use cases and verifications
  Overview
  Using an automated application to control verification
    Process
    Summary
  Monitoring client opening and closing for configuration
    Process
    Summary
  Assigning high-risk profiles
    Process
    Summary
  Identifying and deleting inactive SAP user accounts
    Process
    Summary
  Monitoring SoD user violation rates
    Process
    Summary
  Monitoring SoD role violation rates
    Process
    Summary
  Monitoring of opening/closing of financial and material periods for posting
    Process
    Summary
Conclusion
  Summary
  Findings
  Professional Services
References
  White papers
  Product documentation
Executive summary

Business case
Organizations recognize that their ability to compete in a global marketplace is
increasingly tied to the efficiency and agility of their IT solutions and their ability to
remain flexible as the business environment evolves. Enterprise Governance, Risk,
and Compliance (eGRC) strategy is a key component to this evolution as it ensures
effective risk management and organizational compliance, which are critical to the
organization’s mission. The impact of unmanaged risk to this mission is highly visible
and detrimental to the organization’s bottom line.

For the Chief Information Security Officer (CISO), and other executives performing
similar duties, the increased focus on an organization’s compliance posture has led
to increased focus on financial risks, operational risks, strategic risks and the close
management of operationalizing security initiatives. For IT professionals, this requires
translating IT risks into digestible terms for the business so that they can prioritize
the risks appropriately at the enterprise level. Compliance should be embedded in
core processes, not the afterthought following a significant event.

This compliance revolution is taking place as businesses are moving core
applications into the cloud and facing the challenges of big data, explosive
information growth, data mobility, and social media. The ability to manage risks and
effectively meet compliance requirements in this networked and mobile world
enables the enterprise to meet these challenges head on.

Alternatively, in some cases, the compliance landscape is fragmented with multiple
applications housing GRC-related data. This GRC landscape has many disadvantages
including the delayed processing of manual tasks, complex management of IT
architecture, data inefficiency, and overburdened resources. This lack of consolidated
data hinders the organization from achieving timely compliance and managing risk
effectively.

Solution overview
As part of the EMC Hybrid Cloud for SAP solution, the EMC Solutions team in
collaboration with the RSA Archer® team and EMC/RSA partner, S3, has created a
solution that directly integrates the RSA Archer and SAP products. This will assist
customers in addressing the challenges of centralizing and consolidating
governance, risk, and controls information from SAP and non-SAP applications into a
single repository to support ongoing compliance activities. Figure 1 represents the
basic elements of this solution.

Figure 1. Unified eGRC solution

This solution builds and tests the integration between RSA Archer and SAP products
by prototyping the processes that aid customers in understanding how the two
products can work together. This combined, unified eGRC solution satisfies business
and management priorities and facilitates the automated compliance with regulatory
requirements.

Key results/recommendations
Organizations using both SAP and RSA Archer GRC will be able to:
• Assess their current eGRC operations and identify processes that are resource
  intensive, time consuming, manual and repetitive.
• Automate control and compliance data collection.
• Receive direct data feeds from SAP into Archer to consolidate compliance
  results.
• Use Archer’s advanced user interface, dashboard, analytics and reports to
  improve eGRC maturity.
• Reduce manual effort spent on data collection, research, and analysis of GRC
  results from multiple sources.
• Increase resource efficiency and the ability to evolve towards a predictive risk
  posture.
• Eliminate manual action plan task assignment for compliance failures.
• Immediately respond to both internal and external compliance inquiries with
  automated verification of detailed results.

Introduction

Purpose
The purpose of this document is to provide information about integration between
RSA Archer GRC and SAP, which is provided as a service by RSA.

Scope
This White Paper focuses on the integration between RSA Archer GRC and SAP. The
solution design, architecture and a sample of seven use cases are discussed in
detail. The paper does not cover step-by-step configuration, infrastructure, or
non-SAP application compliance management.

Audience
This document is intended for information security, risk, and controls (ISRC)
leadership, Chief Information Security Officers, governance officers, internal audit,
and SAP security managers. Readers should be familiar with Enterprise Compliance
regulations and requirements, the RSA Archer GRC platform and its applications, SAP
Business Suite, SAP GRC, and general IT functions requirements. Knowledge of EMC
Hybrid Cloud is recommended but not mandatory.

Terminology
Table 1 lists terminology included in this white paper.

Table 1. Terminology
Term   Definition
CISO   Chief Information Security Officer
eGRC   Enterprise Governance, Risk, and Compliance
GRC    Governance, Risk, and Compliance
SoD    Segregation of Duties
SOX    Sarbanes-Oxley Act

Solution overview

Current situation
SAP Business Suite is the pre-eminent business software suite used by enterprises all
over the world. All major business processes are covered by its components such as
ERP, CRM, and SRM. SAP GRC or similar third-party tools are widely used by
organizations to provide governance, risk and control to their SAP systems. The RSA
Archer GRC solution is not only widely recognized as the eGRC market leader by
Gartner and Forrester IT, but is in use in over 25 of the Fortune 100. This results in
many of these organizations using both the SAP GRC (or similar third-party tools) and
RSA Archer GRC. It also may result in the use of two separate GRC systems in many of
these enterprises. Typically, SAP GRC manages compliance efforts within the SAP
applications while Archer eGRC manages enterprise-wide non-SAP applications as
well as infrastructure requirements.

Figure 2 shows how SAP applications communicate together but are separate from
the Archer platform. The Archer application needs manual input for validation from
non-SAP applications.

Figure 2. Current Archer/SAP environment

This scenario has several major disadvantages, including the effort required, the
manual documentation needed, and the use of two separate but similar tools.

Significant effort required
Regulatory compliance within SAP is a resource-intensive activity that requires large
amounts of time and distracts the focus of security team members who would be
more productive focusing on more strategic preventative and predictive risk
management activities.

Manual documentation
The current method of reporting compliance consists of manual testing followed by
manually recording the results into Archer. This generates a huge amount of data to
satisfy regulatory requirements. Furthermore, External Audit is far less comfortable
with manually created documents than it is with trusted system-to-system interfaces
or data transfers.

Separate tools
Having two separate GRC tools (Archer and SAP) both addressing “Compliance” and
“Risk” objectives creates confusion about the purpose of each system. This
confusion often leads to duplication of effort and overlapping resource
responsibilities. In fact, these applications have quite different business objectives.
The SAP GRC tool supports activities such as access management or compliant user
provisioning (including segregation-of-duties reviews and mitigating controls),
emergency access management, role management, and process controls. The Archer
eGRC tool takes an enterprise focus that allows you to manage the complete lifecycle
of corporate policies and report compliance with controls and regulatory
requirements across the organization.

Our solution
The Archer/SAP integration approach eliminates the manual intervention required to
report results and generate action plans. It addresses GRC from both a business and
an IT perspective simultaneously. This enterprise-wide GRC strategy reduces risk with
measurable and consistent metrics. It assists the company in becoming more
cost-efficient in addressing risk and allows greater flexibility in adjusting its business
model as the market demands without significantly increasing risk.

Figure 3 shows how SAP applications, non-SAP applications, and infrastructure
integrate and feed into the Archer enterprise platform.

Figure 3. Archer/SAP integration

Compliance management and incident management
In this solution, the compliance management application directly communicates the
adherence to or failure of the SAP applications to comply with client-specific settings
and SOX regulations as identified within policy management. This results in tailored
compliance solutions automatically distributing email notification of results related
to your compliance levels. Compliance status is immediately visible within the
dashboard reporting metrics and action can be taken based on automated workflow
notification. This further advances the maturity of the organization and its ability to
take action based on ongoing automated monitoring efforts rather than audit
findings.
When Archer's incident management application identifies a non-compliant policy, it
generates an incident which, in turn, creates a work task for the responsible party.
In this solution, not only will the Compliance Management dashboards display
current compliance levels, but Incident Management will also track open items to
achieve resolution for any temporary failures.
Each solution includes automated workflow notification functionality to communicate
status. This is available to distribute updates to any interested or responsible parties.
Figure 4 illustrates an example of integrated compliance management, incident
management and email notification.
Figure 4. Integrated compliance/incident management and email notification
Solution architecture
This solution consists of an SAP GRC system and an RSA Archer GRC system. To
demonstrate the use cases of this solution, an SAP ERP IDES system was prepared as
a source system to the SAP GRC system. A shared file repository is required and
should be accessible from both the SAP GRC system and Archer GRC.
Note: While a standalone SAP GRC system was used in this solution, it is not mandatory.
The tools can be integrated with an SAP system or an SAP GRC system.
Figure 5 shows the architecture of this solution.
Figure 5. Archer/SAP integration architecture
Table 2 lists the software components and their versions used in the solution lab.
Table 2. Solution software
Software         Version               Purpose
SAP GRC          10 SP13/NW 7.0 EhP2   SAP GRC system
SAP ERP          ECC 6.0 EhP6          SAP ERP IDES system
RSA Archer GRC   5.4 SP1 P2            RSA Archer GRC system

Key components

SAP Business Suite
SAP Business Suite is a collection of business applications that integrates
enterprise-wide information and processes, collaboration, and functionality for specific
industries. It consists of the following applications:
• SAP ERP (Enterprise Resource Planning)
• SAP CRM (Customer Relationship Management)
• SAP SRM (Supplier Relationship Management)
• SAP SCM (Supply Chain Management)
• SAP PLM (Product Lifecycle Management)
The SAP ERP application provides the core of the SAP Business Suite. Augmented
with the CRM, SRM, SCM, and PLM applications, it is used to manage all the key
business processes involved in the daily business of companies all over the world.
Manufacturing, inventory, sales, marketing, human resources, and accounting—there
is hardly any aspect of modern business that SAP Business Suite does not handle.

SAP GRC
The SAP Business Suite includes multiple modules and products that cover all
aspects of business operations (supply chain, finance, asset management,
procurement, and so on). Each of these areas carries inherent compliance and risk
components that need to be monitored by a centralized tool.
SAP-GRC is the tool used to ensure that SAP-related application, access, and process
controls comply with standard regulatory statutes.
SAP GRC reviews access controls, process controls, and role management activities
within the SAP applications to provide detailed feedback on internal control
violations based on configured Segregation-of-Duties (SoD) matrices or process
control violations based on defined policies. It is particularly effective in the
monitoring of segregation-of-duties and process control capabilities within SAP
applications, which are critical to assessing the overall GRC risk posture for the
organization.
SAP GRC also supports firefighter or emergency access to SAP applications with
tracking for audit purposes. These activities carry a compliance requirement to ensure
that this special access is managed appropriately, reviewed in a timely manner, and
is not used excessively.
RSA Archer
RSA Archer provides a technology architecture that integrates with EMC/VMware
systems to provide a cohesive view into the organization’s eGRC operations. The
integrated solution not only provides compliance data for configuration violations
and vulnerabilities but also blends with risk analytics, loss events, logs, document
and records retention data, and accounting information. This data is often scattered
across multiple tools and systems. RSA Archer aggregates the data, putting risks,
threats, incidents and compliance deficiencies into a business context and enabling
managers to prioritize the response based on what is most significant to the
organization.
Key characteristics
The key characteristics of the RSA Archer platform include:
• Centralized views—A central view of risk and compliance activities provides a
  single lens through which stakeholders can identify threats early and prioritize
  issues, as well as improve efficiencies by applying a single process to multiple
  regulations. Archer’s dashboards provide easy-to-read information at executive
  and administrative levels. They include metrics on risk, compliance, incidents,
  and threat management, giving the organization valuable insight to drive its
  risk management processes. Figure 6 shows an example Archer dashboard.

  Figure 6. Archer dashboard

• Automation—Through automation, organizations achieve continuous risk and
  controls monitoring as opposed to the point-in-time spot checks of the past.
  Technological capabilities required include advanced risk analytics and
  modeling, automated controls tied to business rules engines, advanced
  content and process management capabilities, and embedded GRC control
  points.
• Integration—Multiple point solutions that span different areas of the
  infrastructure are costly to manage, fail to deliver a holistic view of the
  enterprise, and cannot correlate analysis to provide reliable conclusions.
  Archer’s level of integration enables management and reporting across the
  enterprise.
• Flexibility—The Archer platform is adaptable and can evolve as the business
  evolves. Furthermore, business is able to make changes and build out
  applications to solve business programs without relying on costly,
  time-intensive custom development.

EHC overview
The EMC Hybrid Cloud solution empowers IT organizations to accelerate
implementation and adoption of an on-premises hybrid cloud that delivers
infrastructure as a service (IaaS) to their business, while still enabling customer
choice for the compute and networking infrastructure within the data center. It
integrates the best of EMC and VMware products and services, and enables
customers to build an enterprise-class, scalable, multitenant infrastructure that
provides features and functionalities including:
• Self-service and automation
• Multitenancy and secure separation
• Security and compliance
• Monitoring and service assurance
• Data protection, continuous availability, and disaster recovery
• Metering
Particularly regarding security and compliance, this solution addresses the
challenges of securing authentication and configuration management to aid in
compliance with industry and regulatory standards through:
• Securing the infrastructure by integrating with a public key infrastructure (PKI)
  to provide authenticity, nonrepudiation, and encryption
• Converging the various authentication sources into a single directory to enable
  a centralized point of administration and policy enforcement
• Using configuration management tools to audit the infrastructure and
  demonstrate compliance.
This solution seamlessly integrates with EMC Hybrid Cloud to provide enhanced
security compliance on top of the previously mentioned security and compliance
measures. In addition, it can be implemented as a standalone solution for those who
would like to enjoy the benefit before transforming their existing IT infrastructure to
EMC Hybrid Cloud.

Use cases and verifications

Overview
The following use cases provide a glimpse into the extensive automation possibilities
between the SAP and Archer GRC applications. Each of the following SAP-related
procedures has been created and tested. They can be implemented with the basic
configuration framework to customize the solution based on the specific needs of an
individual customer’s SAP landscape.
Note: These use cases are only a small representative sample of the many that are possible
with SAP and Archer GRC integration.

Using an automated application to control verification
Automating the detailed confirmation of RSPARAM or IT application control settings
enables customers to monitor specific application controls within SAP for regulatory
compliance purposes. The existing parameters are identified and reported to Archer
to note current settings (passed tests) and/or deviations from the configured
requirements (failed tests).
Process
The following table describes the process of this use case.
Table 3. Using an automated application to control verification
Step  Description
1     Each test is executed based on scheduled batch job execution within the SAP
      system.
2     Results are written to a text file on a shared file server.
3     Archer selects the file and creates a Scan ID or Automated Configuration Check to
      provide evidence of the current settings for each target application.
4     Each parameter reviewed within every SAP client is reported as text within the
      automated configuration check or test execution and emailed to procedure owners
      for investigation based on any failures.
Summary
This automation eliminates the manual verification process that typically can take
hundreds of hours of review (annually) across the SAP landscape. This results in a
reduction in manual verification procedures and investigation time for internal
resources.

Monitoring client opening and closing for configuration
Integration between Archer and SAP target systems documents the opening and
closing of the SAP client for configuration. Each target system is monitored based on
scheduled batch job execution within the SAP system, creating a text file on a shared
file server. Archer selects the file and then creates a Scan ID or Automated
Configuration Check to provide evidence of the current client configuration settings
for each target application. These settings should be monitored to confirm that
production and validated environments are set correctly. When a ticket is submitted
to change the settings, opening the client for configuration should be extremely brief
and monitored by system administrators. Automating this process to integrate into
Archer for visibility, continuous monitoring, and awareness to confirm correctness will
facilitate the communication of this high-risk activity.
Process
The following table describes the process of this use case.
Table 4. Monitor client opening and closing for configuration
Step  Description
1     Data from each SAP client is reported as text within the automated configuration
      check or test execution.
2     The data is emailed to procedure owners for investigation of any failures.
3     Based on standard internal control reviews for SAP, production systems and
      validated environments are monitored to confirm adherence to general control
      settings.
Summary
This automation eliminates the manual client setting monitoring and verification
process that typically occurs reactively after the identification of an incident. Our
automated monitoring results in a reduction of manual verification procedures and
investigation time for internal resources as well as providing more accurate and
timely information on a high-risk SAP setting.
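
The file hand-off used by the two use cases above (parameter verification and client open/close monitoring) can be sketched as a pass/fail evaluation of the exported text file. This is an added example, not code from the white paper, RSA, or SAP; the pipe-delimited layout, the `config_changes` field, the role labels, and the thresholds are assumptions, and the sample data is constructed.

```python
"""Evaluate a constructed SAP control export against an assumed baseline."""
import operator
from dataclasses import dataclass

# Assumed baseline thresholds (illustrative, not from the white paper).
# The names are standard SAP profile parameters as listed by RSPARAM.
PARAM_BASELINE = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("<=", 5),
    "login/no_automatic_user_sapstar": ("==", 1),
}
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}
# Assumed role labels for clients that must stay closed for configuration.
LOCKED_ROLES = {"PROD", "VALIDATED"}

# Constructed sample of the batch job's text file. Assumed layout:
# SID|CLIENT|ROLE|KIND|NAME|VALUE, where KIND is PARAM or CLIENT.
SAMPLE_EXPORT = """\
# constructed sample, not real system output
PRD|100|PROD|PARAM|login/min_password_lng|8
PRD|100|PROD|PARAM|login/fails_to_user_lock|12
PRD|100|PROD|PARAM|login/no_automatic_user_sapstar|1
PRD|100|PROD|CLIENT|config_changes|OPEN
QAS|200|VALIDATED|PARAM|login/min_password_lng|six
QAS|200|VALIDATED|PARAM|login/fails_to_user_lock|5
QAS|200|VALIDATED|CLIENT|config_changes|LOCKED
DEV|300|DEV|CLIENT|config_changes|OPEN
DEV|300|DEV|PARAM|login/min_password_lng
"""


@dataclass(frozen=True)
class Finding:
    sid: str
    client: str
    check: str
    expected: str
    actual: str
    status: str  # PASS, FAIL or ERROR


def _check_param(sid, client, name, value):
    """Compare one reported parameter with its baseline rule."""
    op, required = PARAM_BASELINE[name]
    expected = f"{op} {required}"
    try:
        ok = OPS[op](int(value), required)
    except ValueError:
        # A non-numeric value cannot prove compliance, so it fails.
        return Finding(sid, client, name, expected, value, "FAIL")
    return Finding(sid, client, name, expected, value, "PASS" if ok else "FAIL")


def _check_client(sid, client, role, value):
    """Production and validated clients must be closed for configuration."""
    if role not in LOCKED_ROLES:
        return Finding(sid, client, "config_changes", "any", value, "PASS")
    status = "PASS" if value.upper() == "LOCKED" else "FAIL"
    return Finding(sid, client, "config_changes", "LOCKED", value, status)


def evaluate(export_text):
    """Return one Finding per evaluated line, plus missing-evidence failures."""
    findings, seen = [], {}
    for lineno, raw in enumerate(export_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 6:
            # Malformed evidence is surfaced, never silently dropped.
            findings.append(Finding("?", "?", f"line {lineno}", "6 fields", raw, "ERROR"))
            continue
        sid, client, role, kind, name, value = (p.strip() for p in parts)
        seen.setdefault((sid, client), set()).add(name)
        if kind == "PARAM" and name in PARAM_BASELINE:
            findings.append(_check_param(sid, client, name, value))
        elif kind == "CLIENT" and name == "config_changes":
            findings.append(_check_client(sid, client, role, value))
        # Names outside the baseline are ignored in this sketch.
    # A baseline parameter that was never reported for a client is a failure.
    for (sid, client), names in sorted(seen.items()):
        for name in sorted(set(PARAM_BASELINE) - names):
            findings.append(Finding(sid, client, name, "reported", "<missing>", "FAIL"))
    return findings


def failures(findings):
    """Findings that would be routed to procedure owners for investigation."""
    return [f for f in findings if f.status != "PASS"]


if __name__ == "__main__":
    for f in failures(evaluate(SAMPLE_EXPORT)):
        print(f"{f.status:5} {f.sid}/{f.client} {f.check}: "
              f"expected {f.expected}, got {f.actual}")
```

Treating unparseable lines and unreported parameters as findings keeps a truncated or tampered export from reading as a clean result.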

Assigning high-risk profiles
Integration between Archer and SAP target systems monitors the assignment of
standard delivered SAP profiles to ensure that users are not assigned high-risk
profiles directly. Each target system is monitored based on scheduled batch job
execution within the SAP system creating a text file on a shared file server to identify
any direct profile assignments. Archer will select the file and then create a Scan ID or
Automated Configuration Check to provide evidence of the current profile assignment
occurrences for each target application.
Process
The following table describes the process of this use case.
Table 5. Standard delivered SAP profiles
Step  Description
1     Data from each SAP client is reported as text within the automated user to profile
      assignment report or test execution.
2     The data is emailed to procedure owners for investigation based on any user
      assignments.
3     Standard SAP security reporting programs are executed to identify any
      profile-related user assignments to relay to Archer.
Summary
Generating and automating reports eliminates the manual verification process across
the SAP landscape and reduces investigation time for internal resources.
Integration between Archer and SAP target systems monitors inactive user accounts
to identify those that can be stripped of transactional access and eliminated. This use
case is customized for each client based on internal Information Protection Protocols
to migrate inactive user accounts into a retired user group or to dispose of them, as
required. De-provision inactive accounts to remove any current access assignments,
and modify user groups when necessary.
Each target system is monitored based on a scheduled batch job execution within the
SAP system creating a text file on a shared file server to identify the inactive user
accounts. Archer selects the file and then creates a Scan ID or Automated
Configuration Check to provide evidence of the current profile assignment
occurrences for each target application. Standard SAP security reporting and
programs identify inactive user accounts based on last logon dates and the
customer’s inactive account parameters; these accounts are then relayed to Archer.
Process
The following table describes the process of this use case.
Table 6. Identifying and deleting inactive SAP user accounts
Step  Description
1     Data from each SAP client is reported as text within the automated last logon report or test execution.
2     Data is emailed to procedure owners for investigation of any accounts that should be retired.
3     Based on each client’s workflow needs, automatic GRC-Access Controls provisioning requests are created to eliminate role assignments identified during the review of stale user accounts.
4     Once accounts are identified based on the standard Last Logon report, an automatic deprovisioning request is submitted to retire the account.
Summary
Generating automated reports eliminates the manual verification process across the
SAP landscape, reducing investigation time for internal resources.
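The check behind this use case can be sketched as follows. This is an added example, not code from the white paper or from RSA Archer or SAP: the pipe-delimited file layout, the column names, the 90-day threshold, the RETIRED group name, and the result fields are all assumptions standing in for the customer's own report format and inactive account parameters.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Assumed layout of the last-logon export written to the shared file server.
EXPECTED_COLUMNS = ["CLIENT", "USER", "USER_GROUP", "LAST_LOGON", "CREATED"]

# Constructed sample data (not real accounts). The last row is truncated on purpose.
SAMPLE_REPORT = """\
CLIENT|USER|USER_GROUP|LAST_LOGON|CREATED
100|JSMITH|FINANCE|2014-07-28|2011-03-01
100|MBROWN|FINANCE|2014-01-15|2010-06-12
100|TEMP_AUDIT|AUDIT||2013-11-02
100|NEWHIRE|SALES||2014-07-20
100|OLDUSER|RETIRED|2012-05-09|2009-01-01
200|KLEE|SALES|2014-04-30|2012-09-17
200|BROKEN_ROW|SALES
"""


@dataclass(frozen=True)
class Finding:
    client: str
    user: str
    reason: str      # "INACTIVE" or "NEVER_LOGGED_ON"
    idle_days: int   # days since last logon, or since creation if never used


def _parse_date(text):
    """Parse YYYY-MM-DD; an empty field means the date is not recorded."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def evaluate_last_logon_report(text, as_of, max_idle_days=90, retired_group="RETIRED"):
    """Return (findings, rejected_rows) for one export file."""
    reader = csv.DictReader(io.StringIO(text), delimiter="|")
    if reader.fieldnames != EXPECTED_COLUMNS:
        # Wrong or empty file: refuse to produce evidence from it.
        raise ValueError("unexpected header: %r" % (reader.fieldnames,))
    findings, rejected = [], []
    for row in reader:
        line_no = reader.line_num
        # DictReader pads short rows with None and files surplus fields under
        # the key None; either way the line does not match the header.
        if None in row or any(value is None for value in row.values()):
            rejected.append((line_no, "wrong field count"))
            continue
        if row["USER_GROUP"] == retired_group:
            continue  # already migrated to the retired user group
        try:
            last_logon = _parse_date(row["LAST_LOGON"])
            created = _parse_date(row["CREATED"])
        except ValueError:
            rejected.append((line_no, "unparseable date"))
            continue
        # Accounts that never logged on are aged from their creation date, so a
        # newly created account is not reported as stale.
        reference = last_logon or created
        if reference is None or reference > as_of:
            rejected.append((line_no, "missing or future date"))
            continue
        idle_days = (as_of - reference).days
        if idle_days > max_idle_days:
            reason = "INACTIVE" if last_logon else "NEVER_LOGGED_ON"
            findings.append(Finding(row["CLIENT"], row["USER"], reason, idle_days))
    return findings, rejected


def build_check_result(findings, rejected):
    """Summarise one run as a record for the procedure owners (hypothetical shape)."""
    by_client = {}
    for finding in findings:
        by_client.setdefault(finding.client, []).append(finding.user)
    if rejected:
        status = "INCOMPLETE"  # a damaged file must not read as a clean result
    elif findings:
        status = "FAIL"
    else:
        status = "PASS"
    return {
        "status": status,
        "inactive_by_client": by_client,
        "rejected_rows": len(rejected),
    }


if __name__ == "__main__":
    found, bad = evaluate_last_logon_report(SAMPLE_REPORT, as_of=date(2014, 8, 1))
    for finding in found:
        print(finding)
    print(build_check_result(found, bad))
```

A truncated or malformed file yields INCOMPLETE rather than PASS, so a failed batch export cannot be mistaken for evidence that no inactive accounts exist.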
Monitoring SoD user violation rates
Integration between Archer and SAP target systems monitors users with unmitigated
SoD violations to identify those that require further remediation. Outstanding user
SoD violation rates should be below customer-defined tolerances and automatically
monitored or remediated on an ongoing basis. When user violations occur, it is likely
that role provisioning has occurred that is outside of the mitigation process. This
increases the risks related to provisioning and potential misuse of the applications.
When users are identified after execution of the standard batch jobs within SAP-GRC,
the scheduled batch job creates an aggregated SAP target system text file on a
shared file server to identify users for mitigation. Archer selects the file and creates a
Scan ID or Automated Configuration Check to provide evidence of the current open
user SoD violations. This use case is supported based on standard SAP security
reporting and programs to identify user accounts with unmitigated SoD violations to
relay to Archer.
Process
The following table describes the process of this use case.
Table 7. Monitoring SoD user violation rates
Step  Description
1     Data from each SAP client is reported as text within the GRC reports for unmitigated users.
2     Data is emailed to procedure owners for investigation and mitigation.
3     Standard SAP security reporting and programs identify users with unmitigated SoD violations.
4     These users are relayed to Archer for distribution.
5     Based on each client’s mitigation needs, automatic GRC-Access Controls provisioning requests can be created to request user mitigation during the review of SoD occurrences within existing active user accounts.
6     Once the accounts are identified, an automatic deprovisioning request can be submitted to retire the account.
Summary
Automating this process facilitates the visibility of the recertification process and
aligns continuous monitoring to the overall organization risk profile. This results in a
reduction in manual verification procedures and investigation time for internal
resources while increasing the automation of the mitigation and evidence-gathering
processes.
Monitoring SoD role violation rates
Integration between Archer and SAP target systems monitors open SoD role violation
rates to identify single or composite roles that maintain unmitigated SoD violations.
Outstanding role SoD violation rates should be zero and need to be automatically
monitored or remediated on an ongoing basis. This information is aggregated in GRC
for all target applications and provided in an attachment to Archer for notification and
distribution on a periodic basis. This automation reduces the risk that violations exist
but are not monitored by the appropriate business personnel. By integrating the
remediation and continuous monitoring process into the Archer platform, the results
are visible to management to ensure compliance and role recertification.
Process
The following table describes the process of this use case.
Table 8. Monitoring SoD role violation rates
Step  Description
1     When roles with open SoD violations are identified after execution of the standard batch jobs within SAP-GRC, the scheduled batch job aggregating data from each SAP target system creates a text file on a shared file server to identify roles for mitigation.
2     Archer selects the file and creates a Scan ID or Automated Configuration Check with an attachment (or link) with supporting evidence of the current open SoD role violations for each target application.
3     Standard SAP security reporting and programs identify roles with unmitigated SoD violations and relay them to Archer for distribution.
Summary
Automating this process improves the visibility of the recertification process and
aligns continuous monitoring to the overall organization risk profile. This reduces
manual verification procedures and investigation time for internal resources, while
increasingly automating the mitigation and evidence gathering process.
Monitoring of opening/closing of financial and material periods for posting
Integration between Archer and SAP target systems identifies the current setting
based on scheduled batch job execution to report the status of the opening and
closing of the SAP financial and material posting periods for configuration. The risk to
an organization is that the posting period for a prior (or future) period is open and
posting is allowed into the wrong period, affecting revenue recognition.
Each target system is reported on by a scheduled batch job that runs within the
SAP target system and creates a text file on a shared file server. Archer selects the
file and creates a Scan ID or Automated Configuration Check to provide
documentation of the current posting period settings for each target application.
Process
The following table describes the process of this use case.
Table 9. Monitoring of opening/closing of financial and material periods for posting
Step  Description
1     Data from each SAP client is reported as text within the automated configuration check or test execution.
2     The data is emailed to procedure owners for confirmation.
3     Based on standard internal control reviews for SAP, production systems and validated environments are monitored to confirm adherence to general control settings, and to confirm that the financial and material posting periods are aligned with the desired settings.
Summary
This automation eliminates the manual verification process and avoids uncertainty
about the status of the application while reducing investigation time for internal
resources.
Conclusion
Summary
The integration of RSA Archer and SAP provides a solution that enables customers to
address the challenges posed by the disjointed nature of GRC as it currently exists in
the SAP landscape. This solution centralizes and consolidates audit information from
SAP and non-SAP applications in a single repository. This unified eGRC solution
satisfies both business and IT priorities and enables automated compliance with
regulatory requirements.
Archer’s Professional Services personnel can transform the fragmented and largely
manual governance programs into automated analysis solutions. Their services can
apply sophisticated dashboard reporting, integrated data connections, and real-time
analysis to what is (in many cases) the biggest and most important business
application used in the enterprise. The complete visibility afforded by this solution
facilitates executive decision-making, supports current regulatory compliance needs,
and meets the predictive risk and eGRC needs of tomorrow.
Findings
Customers who employ both RSA Archer and SAP should:
• Assess their current eGRC practice and identify processes that are time-consuming, manual, and repetitive.
• Automate to the greatest extent possible the collection of control and compliance data.
• Implement direct data feeds from SAP to Archer to consolidate compliance results.
• Use Archer’s advanced user interface, dashboard, analytics, and reports to improve eGRC maturity.
Professional Services
These highly integrated solutions enable Professional Services personnel to
transform your existing manual governance programs into fully automated predictive
analysis solutions. Service experts inject technology efficiency and automation into
your processes to drive immediate results.
With enhanced dashboard reporting, integrated data connections, and immediately
available analysis of your largest and key applications, we provide a 360° glimpse
into your risk environment. This complete visibility facilitates executive decision-making
and immediate risk management results, and is the foundation for evolving your IT
department to enable business operations.
A Professional Services team provides solutions that can immediately reduce your IT
spend in the areas of regulatory compliance and support by:
• Identifying client-specific SAP configuration for core Archer integration and automation
• Providing recommendations and a roadmap for further automation and overall program enhancements
• Providing a detailed assessment of your Archer, SAP, and eGRC landscape
Professional Services can transform your organization to meet the predictive risk and
eGRC needs of tomorrow while smoothly supporting the regulatory compliance needs
of today.
Additional services
A sample of additional professional services and technology solutions related to
SAP/Security/IAM/eGRC includes:
• Complete SAP security deployments
• Role redesign and/or remediation
• GRC deployments, upgrades, assessments
• IAM/IdM integration and deployment
• Full life cycle identity, authorization, and authentication solutions
• Further customizations of Archer, SAP, and IdM solutions
• Automation of SAP continuous monitoring tasks, including:
  - Identification of incomplete, manual, or changed authorizations
  - Identification and analysis of out-of-synch roles (mismatched parent-to-child or incorrect child role values)
  - Identification of roles with non-compliant technical names
  - Identification of non-compliant user group elements

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING  TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

EMC Hybrid Cloud for SAP - Enhanced Security and Compliance

  • 5. Executive summary

Business case

Organizations recognize that their ability to compete in a global marketplace is increasingly tied to the efficiency and agility of their IT solutions and their ability to remain flexible as the business environment evolves. Enterprise Governance, Risk, and Compliance (eGRC) strategy is a key component to this evolution as it ensures effective risk management and organizational compliance, which are critical to the organization's mission. The impact of unmanaged risk to this mission is highly visible and detrimental to the organization's bottom line.

For the Chief Information Security Officer (CISO), and other executives performing similar duties, the increased focus on an organization's compliance posture has led to increased focus on financial risks, operational risks, strategic risks and the close management of operationalizing security initiatives. For IT professionals, this requires translating IT risks into digestible terms for the business so that they can prioritize the risks appropriately at the enterprise level. Compliance should be embedded in core processes, not the afterthought following a significant event.

This compliance revolution is taking place as businesses are moving core applications into the cloud and facing the challenges of big data, explosive information growth, data mobility, and social media. The ability to manage risks and effectively meet compliance requirements in this networked and mobile world enables the enterprise to meet these challenges head on.

Alternatively, in some cases, the compliance landscape is fragmented with multiple applications housing GRC-related data. This GRC landscape has many disadvantages including the delayed processing of manual tasks, complex management of IT architecture, data inefficiency, and overburdened resources. This lack of consolidated data hinders the organization from achieving timely compliance and managing risk effectively.

Solution overview

As part of the EMC Hybrid Cloud for SAP solution, the EMC Solutions team in collaboration with the RSA Archer® team and EMC/RSA partner, S3, has created a solution that directly integrates the RSA Archer and SAP products. This will assist customers in addressing the challenges of centralizing and consolidating governance, risk, and controls information from SAP and non-SAP applications into a single repository to support ongoing compliance activities. Figure 1 represents the basic elements of this solution.

Figure 1. Unified eGRC solution
  • 6. This solution builds and tests the integration between RSA Archer and SAP products by prototyping the processes that aid customers in understanding how the two products can work together. This combined, unified eGRC solution satisfies business and management priorities and facilitates the automated compliance with regulatory requirements.

Key results/recommendations

Organizations using both SAP and RSA Archer GRC will be able to:

    - Assess their current eGRC operations and identify processes that are resource intensive, time consuming, manual and repetitive.
    - Automate control and compliance data collection.
    - Receive direct data feeds from SAP into Archer to consolidate compliance results.
    - Use Archer's advanced user interface, dashboard, analytics and reports to improve eGRC maturity.
    - Reduce manual effort spent on data collection, research, and analysis of GRC results from multiple sources.
    - Increase resource efficiency and the ability to evolve towards a predictive risk posture.
    - Eliminate manual action plan task assignment for compliance failures.
    - Immediately respond to both internal and external compliance inquiries with automated verification of detailed results.
  • 7. Introduction

Purpose

The purpose of this document is to provide information about integration between RSA Archer GRC and SAP, which is provided as a service by RSA.

Scope

This White Paper focuses on the integration between RSA Archer GRC and SAP. The solution design, architecture and a sample of seven use cases are discussed in detail. The paper does not cover step-by-step configuration, infrastructure, or non-SAP application compliance management.

Audience

This document is intended for information security, risk, and controls (ISRC) leadership, Chief Information Security Officers, governance officers, internal audit, and SAP security managers. Readers should be familiar with Enterprise Compliance regulations and requirements, the RSA Archer GRC platform and its applications, SAP Business Suite, SAP GRC, and general IT functions requirements. Knowledge of EMC Hybrid Cloud is recommended but not mandatory.

Terminology

Table 1 lists terminology included in this white paper.

Table 1. Terminology

    Term    Definition
    CISO    Chief Information Security Officer
    eGRC    Enterprise Governance, Risk, and Compliance
    GRC     Governance, Risk, and Compliance
    SoD     Segregation of Duties
    SOX     Sarbanes-Oxley Act
  • 8. Solution overview

Current situation

SAP Business Suite is the pre-eminent business software suite used by enterprises all over the world. All major business processes are covered by its components such as ERP, CRM, and SRM. SAP GRC or similar third-party tools are widely used by organizations to provide governance, risk and control to their SAP systems.

The RSA Archer GRC solution is not only widely recognized as the eGRC market leader by Gartner and Forrester IT, but is in use in over 25 of the Fortune 100. This results in many of these organizations using both the SAP GRC (or similar third-party tools) and RSA Archer GRC. It also may result in the use of two separate GRC systems in many of these enterprises. Typically, SAP GRC manages compliance efforts within the SAP applications while Archer eGRC manages enterprise-wide non-SAP applications as well as infrastructure requirements.

Figure 2 shows how SAP applications communicate together but are separate from the Archer platform. The Archer application needs manual input for validation from non-SAP applications.

Figure 2. Current Archer/SAP environment

This scenario has several major disadvantages, including the effort required, the manual documentation needed, and the use of two separate but similar tools.

Significant effort required

Regulatory compliance within SAP is a resource-intensive activity that requires large amounts of time and distracts the focus of security team members who would be more productive focusing on more strategic preventative and predictive risk management activities.

Manual documentation

The current method of reporting compliance consists of manual testing followed by manually recording the results into Archer. This generates a huge amount of data to satisfy regulatory requirements. Furthermore, External Audit is far less comfortable with manually created documents than it is with trusted system-to-system interfaces or data transfers.
  • 9. Separate tools
Having two separate GRC tools (Archer and SAP) both addressing “Compliance” and “Risk” objectives creates confusion about the purpose of each system. This confusion often leads to duplication of effort and overlapping resource responsibilities. In fact, these applications have quite different business objectives.

The SAP GRC tool supports activities such as access management or compliant user provisioning (including segregation-of-duties reviews and mitigating controls), emergency access management, role management, and process controls. The Archer eGRC tool takes an enterprise focus that allows you to manage the complete lifecycle of corporate policies and report compliance with controls and regulatory requirements across the organization.

Our solution
The Archer/SAP integration approach eliminates the manual intervention required to report results and generate action plans. It addresses GRC from both a business and an IT perspective simultaneously. This enterprise-wide GRC strategy reduces risk with measurable and consistent metrics. It assists the company in becoming more cost-efficient in addressing risk and allows greater flexibility in adjusting its business model as the market demands without significantly increasing risk.

Figure 3 shows how SAP applications, non-SAP applications, and infrastructure integrate and feed into the Archer enterprise platform.

Figure 3. Archer/SAP integration

Compliance management and incident management
In this solution, the compliance management application directly communicates the adherence to or failure of the SAP applications to comply with client-specific settings and SOX regulations as identified within policy management. This results in tailored compliance solutions automatically distributing email notification of results related to your compliance levels.

Compliance status is immediately visible within the dashboard reporting metrics and action can be taken based on automated workflow notification. This further advances the maturity of the organization and its ability to take action based on ongoing automated monitoring efforts rather than audit findings.
  • 10. When Archer's incident management application identifies a non-compliant policy, it generates an incident which, in turn, creates a work task for the responsible party. In this solution, not only will the Compliance Management dashboards display current compliance levels, but Incident Management will also track open items to achieve resolution for any temporary failures.

Each solution includes automated workflow notification functionality to communicate status. This is available to distribute updates to any interested or responsible parties. Figure 4 illustrates an example of integrated compliance management, incident management and email notification.

Figure 4. Integrated compliance/incident management and email notification

Solution architecture
This solution consists of an SAP GRC system and an RSA Archer GRC system. To demonstrate the use cases of this solution, an SAP ERP IDES system was prepared as a source system to the SAP GRC system. A shared file repository is required and should be accessible from both the SAP GRC system and Archer GRC.

Note: While a standalone SAP GRC system was used in this solution, it is not mandatory. The tools can be integrated with an SAP system or an SAP GRC system.

Figure 5 shows the architecture of this solution.
  • 11. Figure 5. Archer/SAP integration architecture

Table 2 lists the software components and their versions used in the solution lab.

Table 2. Solution software
Software         Version                 Purpose
SAP GRC          10 SP13/NW 7.0 EhP2     SAP GRC system
SAP ERP          ECC 6.0 EhP6            SAP ERP IDES system
RSA Archer GRC   5.4 SP1 P2              RSA Archer GRC system

Key components

SAP Business Suite
SAP Business Suite is a collection of business applications that integrates enterprise-wide information and processes, collaboration, and functionality for specific industries. It consists of the following applications:
- SAP ERP (Enterprise Resource Planning)
- SAP CRM (Customer Relationship Management)
- SAP SRM (Supplier Relationship Management)
- SAP SCM (Supply Chain Management)
- SAP PLM (Product Lifecycle Management)

The SAP ERP application provides the core of the SAP Business Suite. Augmented with the CRM, SRM, SCM, and PLM applications, it is used to manage all the key business processes involved in the daily business of companies all over the world. Manufacturing, inventory, sales, marketing, human resources, and accounting—there is hardly any aspect of modern business that SAP Business Suite does not handle.

SAP GRC
The SAP Business Suite includes multiple modules and products that cover all aspects of business operations (supply chain, finance, asset management, procurement, and so on). Each of these areas carries inherent compliance and risk components that need to be monitored by a centralized tool.
  • 12. SAP-GRC is the tool used to ensure that SAP-related application, access, and process controls comply with standard regulatory statutes. SAP GRC reviews access controls, process controls, and role management activities within the SAP applications to provide detailed feedback on internal control violations based on configured Segregation-of-Duties (SoD) matrices or process control violations based on defined policies. It is particularly effective in the monitoring of segregation-of-duties and process control capabilities within SAP applications, which are critical to assessing the overall GRC risk posture for the organization.

SAP GRC also supports firefighter or emergency access to SAP applications with tracking for audit purposes. These activities carry a compliance requirement to ensure that this special access is managed appropriately, reviewed in a timely manner, and is not used excessively.

RSA Archer
RSA Archer provides a technology architecture that integrates with EMC/VMware systems to provide a cohesive view into the organization’s eGRC operations. The integrated solution not only provides compliance data for configuration violations and vulnerabilities but also blends with risk analytics, loss events, logs, document and records retention data, and accounting information. This data is often scattered across multiple tools and systems. RSA Archer aggregates the data, putting risks, threats, incidents and compliance deficiencies into a business context and enabling managers to prioritize the response based on what is most significant to the organization.

Key characteristics
The key characteristics of the RSA Archer platform include:
- Centralized views—A central view of risk and compliance activities provides a single lens through which stakeholders can identify threats early and prioritize issues, as well as improve efficiencies by applying a single process to multiple regulations. Archer’s dashboards provide easy-to-read information at executive and administrative levels. They include metrics on risk, compliance, incidents, and threat management, giving the organization valuable insight to drive its risk management processes. Figure 6 shows an example Archer dashboard.
  • 13. Figure 6. Archer dashboard

- Automation—Through automation, organizations achieve continuous risk and controls monitoring as opposed to the point-in-time spot checks of the past. Technological capabilities required include advanced risk analytics and modeling, automated controls tied to business rules engines, advanced content and process management capabilities, and embedded GRC control points.
- Integration—Multiple point solutions that span different areas of the infrastructure are costly to manage, fail to deliver a holistic view of the enterprise, and cannot correlate analysis to provide reliable conclusions. Archer’s level of integration enables management and reporting across the enterprise.
- Flexibility—The Archer platform is adaptable and can evolve as the business evolves. Furthermore, business is able to make changes and build out applications to solve business programs without relying on costly, time-intensive custom development.

EHC overview
The EMC Hybrid Cloud solution empowers IT organizations to accelerate implementation and adoption of an on-premises hybrid cloud that delivers infrastructure as a service (IaaS) to their business, while still enabling customer choice for the compute and networking infrastructure within the data center. It integrates the best of EMC and VMware products and services, and enables customers to build an enterprise-class, scalable, multitenant infrastructure that provides features and functionalities including:
- Self-service and automation
- Multitenancy and secure separation
- Security and compliance
- Monitoring and service assurance
- Data protection, continuous availability, and disaster recovery
  • 14. - Metering

Particularly regarding security and compliance, this solution addresses the challenges of securing authentication and configuration management to aid in compliance with industry and regulatory standards through:
- Securing the infrastructure by integrating with a public key infrastructure (PKI) to provide authenticity, nonrepudiation, and encryption
- Converging the various authentication sources into a single directory to enable a centralized point of administration and policy enforcement
- Using configuration management tools to audit the infrastructure and demonstrate compliance.

This solution seamlessly integrates with EMC Hybrid Cloud to provide enhanced security compliance on top of the previously mentioned security and compliance measures. In addition, it can be implemented as a standalone solution for those who would like to enjoy the benefit before transforming their existing IT infrastructure to EMC Hybrid Cloud.
  • 15. Use cases and verifications

Overview
The following use cases provide a glimpse into the extensive automation possibilities between the SAP and Archer GRC applications. Each of the following SAP-related procedures has been created and tested. They can be implemented with the basic configuration framework to customize the solution based on the specific needs of an individual customer’s SAP landscape.

Note: These use cases are only a small representative sample of the many that are possible with SAP and Archer GRC integration.

Using an automated application to control verification
Automating the detailed confirmation of RSPARAM or IT application control settings enables customers to monitor specific application controls within SAP for regulatory compliance purposes. The existing parameters are identified and reported to Archer to note current settings (passed tests) and/or deviations from the configured requirements (failed tests).

Process
The following table describes the process of this use case.

Table 3. Using an automated application to control verification
Step  Description
1     Each test is executed based on scheduled batch job execution within the SAP system.
2     Results are written to a text file on a shared file server.
3     Archer selects the file and creates a Scan ID or Automated Configuration Check to provide evidence of the current settings for each target application.
4     Each parameter reviewed within every SAP client is reported as text within the automated configuration check or test execution and emailed to procedure owners for investigation based on any failures.

Summary
This automation eliminates the manual verification process that typically can take hundreds of hours of review (annually) across the SAP landscape. This results in a reduction in manual verification procedures and investigation time for internal resources.

Monitoring client opening and closing for configuration
Integration between Archer and SAP target systems documents the opening and closing of the SAP client for configuration. Each target system is monitored based on scheduled batch job execution within the SAP system, creating a text file on a shared file server. Archer selects the file and then creates a Scan ID or Automated Configuration Check to provide evidence of the current client configuration settings for each target application.

These settings should be monitored to confirm that production and validated environments are set correctly. When a ticket is submitted to change the settings, opening the client for configuration should be extremely brief and monitored by system administrators. Automating this process to integrate into Archer for visibility, continuous monitoring, and awareness to confirm correctness will facilitate the communication of this high-risk activity.

  • 16. Process
The following table describes the process of this use case.

Table 4. Monitor client opening and closing for configuration
Step  Description
1     Data from each SAP client is reported as text within the automated configuration check or test execution.
2     The data is emailed to procedure owners for investigation of any failures.
3     Based on standard internal control reviews for SAP, production systems and validated environments are monitored to confirm adherence to general control settings.

Summary
This automation eliminates the manual client setting monitoring and verification process that typically occurs reactively after the identification of an incident. Our automated monitoring results in a reduction of manual verification procedures and investigation time for internal resources as well as providing more accurate and timely information on a high-risk SAP setting.

Assigning high-risk profiles
Integration between Archer and SAP target systems monitors the assignment of standard delivered SAP profiles to ensure that users are not assigned high-risk profiles directly. Each target system is monitored based on scheduled batch job execution within the SAP system creating a text file on a shared file server to identify any direct profile assignments. Archer will select the file and then create a Scan ID or Automated Configuration Check to provide evidence of the current profile assignment occurrences for each target application.

Process
The following table describes the process of this use case.

Table 5. Standard delivered SAP profiles
Step  Description
1     Data from each SAP client is reported as text within the automated user to profile assignment report or test execution.
2     The data is emailed to procedure owners for investigation based on any user assignments.
3     Standard SAP security reporting programs are executed to identify any profile-related user assignments to relay to Archer.

Summary
Generating and automating reports eliminates the manual verification process across the SAP landscape and reduces investigation time for internal resources.
  • 17. Identifying and deleting inactive SAP user accounts
Integration between Archer and SAP target systems monitors inactive user accounts to identify those that can be stripped of transactional access and eliminated. This use case is customized for each client based on internal Information Protection Protocols to migrate inactive user accounts into a retired user group or to dispose of them, as required. De-provision inactive accounts to remove any current access assignments, and modify user groups when necessary.

Each target system is monitored based on a scheduled batch job execution within the SAP system creating a text file on a shared file server to identify the inactive user accounts. Archer selects the file and then creates a Scan ID or Automated Configuration Check to provide evidence of the current profile assignment occurrences for each target application. Standard SAP security reporting and programs identify inactive user accounts based on last logon dates and the customer’s inactive account parameters; these accounts are then relayed to Archer.

Process
The following table describes the process of this use case.

Table 6. Identifying and deleting inactive SAP user accounts
Step  Description
1     Data from each SAP client is reported as text within the automated last logon report or test execution.
2     Data is emailed to procedure owners for investigation of any accounts that should be retired.
3     Based on each client’s workflow needs, automatic GRC-Access Controls provisioning requests are created to eliminate role assignments identified during the review of stale user accounts.
4     Once accounts are identified based on the standard Last Logon report, an automatic deprovisioning request is submitted to retire the account.

Summary
Generating automated reports eliminates the manual verification process across the SAP landscape, reducing investigation time for internal resources.

Monitoring SoD user violation rates
Integration between Archer and SAP target systems monitors users with unmitigated SoD violations to identify those that require further remediation. Outstanding user SoD violation rates should be below customer-defined tolerances and automatically monitored or remediated on an ongoing basis. When user violations occur, it is likely that role provisioning has occurred that is outside of the mitigation process. This increases the risks related to provisioning and potential misuse of the applications.

When users are identified after execution of the standard batch jobs within SAP-GRC, the scheduled batch job creates an aggregated SAP target system text file on a shared file server to identify users for mitigation. Archer selects the file and creates a Scan ID or Automated Configuration Check to provide evidence of the current open user SoD violations. This use case is supported based on standard SAP security reporting and programs to identify user accounts with unmitigated SoD violations to relay to Archer.

  • 18. Process
The following table describes the process of this use case.

Table 7. Monitoring SoD user violation rates
Step  Description
1     Data from each SAP client is reported as text within the GRC reports for unmitigated users.
2     Data is emailed to procedure owners for investigation and mitigation.
3     Standard SAP security reporting and programs identify users with unmitigated SoD violations.
4     These users are relayed to Archer for distribution.
5     Based on each client’s mitigation needs, automatic GRC-Access Controls provisioning requests can be created to request user mitigation during the review of SoD occurrences within existing active user accounts.
6     Once the accounts are identified, an automatic deprovisioning request can be submitted to retire the account.

Summary
Automating this process facilitates the visibility of the recertification process and aligns continuous monitoring to the overall organization risk profile. This results in a reduction in manual verification procedures and investigation time for internal resources while increasing the automation of the mitigation and evidence-gathering processes.

Monitoring SoD role violation rates
Integration between Archer and SAP target systems monitors open SoD role violation rates to identify single or composite roles that maintain unmitigated SoD violations. Outstanding role SoD violation rates should be zero and need to be automatically monitored or remediated on an ongoing basis. This information is aggregated in GRC for all target applications and provided in an attachment to Archer for notification and distribution on a periodic basis.

This automation reduces the risk that violations exist but are not monitored by the appropriate business personnel. By integrating the remediation and continuous monitoring process into the Archer platform, the results are visible to management to ensure compliance and role recertification.

Process
The following table describes the process of this use case.
  • 19. Table 8. Monitoring SoD role violation rates
Step  Description
1     When roles with open SoD violations are identified after execution of the standard batch jobs within SAP-GRC, the scheduled batch job aggregating data from each SAP target system creates a text file on a shared file server to identify roles for mitigation.
2     Archer selects the file and creates a Scan ID or Automated Configuration Check with an attachment (or link) with supporting evidence of the current open SoD role violations for each target application.
3     Standard SAP security reporting and programs identify roles with unmitigated SoD violations and relay them to Archer for distribution.

Summary
Automating this process improves the visibility of the recertification process and aligns continuous monitoring to the overall organization risk profile. This reduces manual verification procedures and investigation time for internal resources, while increasingly automating the mitigation and evidence gathering process.

Monitoring of opening/closing of financial and material periods for posting
Integration between Archer and SAP target systems identifies the current setting based on scheduled batch job execution to report the status of the opening and closing of the SAP financial and material posting periods for configuration. The risk to an organization is that the posting period for a prior (or future) period is open and posting is allowed into the wrong period, affecting revenue recognition.

Each target system is reported based on scheduled batch job execution within the SAP target systems and creating a text file on a shared file server. Archer selects the file and creates a Scan ID or Automated Configuration Check to provide documentation of the current posting period settings for each target application.

Process
The following table describes the process of this use case.

Table 9. Monitoring of opening/closing of financial and material periods for posting
Step  Description
1     Data from each SAP client is reported as text within the automated configuration check or test execution.
2     The data is emailed to procedure owners for confirmation.
3     Based on standard internal control reviews for SAP, production systems and validated environments are monitored to confirm adherence to general control settings, and to confirm that the financial and material posting periods are aligned with the desired settings.

Summary
This automation eliminates the manual verification process and avoids uncertainty about the status of the application while reducing investigation time for internal resources.
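The use cases above share one hand-off: a scheduled SAP batch job writes results to a text file on the shared file server, and the consumer records each setting as a passed or failed test against the configured requirements. The following Python is an added example, not code from the white paper, RSA Archer or SAP; the SYSTEM|CLIENT|PARAMETER|VALUE file layout, the requirement values, and every function and class name are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed sample of the text file a scheduled SAP batch job writes to the
# shared file server. The SYSTEM|CLIENT|PARAMETER|VALUE layout is an assumption;
# the white paper does not define the file format.
SAMPLE_EXPORT = """\
# constructed sample data
PRD|100|login/min_password_lng|8
PRD|100|login/fails_to_user_lock|5
PRD|100|login/no_automatic_user_sapstar|1
QAS|200|login/min_password_lng|6
QAS|200|login/fails_to_user_lock|abc
QAS|200 login/no_automatic_user_sapstar 1
"""

# Hypothetical configured requirements: parameter -> (operator, required value).
# Real values come from the customer's own policy, not from this example.
REQUIREMENTS = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/no_automatic_user_sapstar": ("eq", 1),
}


@dataclass(frozen=True)
class Finding:
    system: str
    client: str
    parameter: str
    observed: str
    status: str  # "PASS" or "FAIL"
    reason: str


def parse_export(text):
    """Return ({(system, client): {parameter: value}}, [(line number, raw line)])."""
    observed, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [field.strip() for field in line.split("|")]
        if len(fields) != 4 or not all(fields):
            malformed.append((lineno, raw))
            continue
        system, client, parameter, value = fields
        observed.setdefault((system, client), {})[parameter] = value
    return observed, malformed


def check(operator, required, value):
    """Compare one observed value with its requirement; return (ok, reason)."""
    try:
        number = int(value)
    except ValueError:
        return False, f"non-numeric value {value!r}"
    ok = {"min": number >= required,
          "max": number <= required,
          "eq": number == required}[operator]
    return ok, f"required {operator} {required}, observed {number}"


def evaluate(text, requirements=REQUIREMENTS):
    """Produce one Finding per required parameter per system/client."""
    observed, malformed = parse_export(text)
    findings = []
    for (system, client), params in sorted(observed.items()):
        for parameter, (operator, required) in sorted(requirements.items()):
            if parameter not in params:
                # Absent evidence is a failed test, never a silent pass.
                findings.append(Finding(system, client, parameter, "",
                                        "FAIL", "parameter missing from export"))
                continue
            ok, reason = check(operator, required, params[parameter])
            findings.append(Finding(system, client, parameter, params[parameter],
                                    "PASS" if ok else "FAIL", reason))
    for lineno, raw in malformed:
        findings.append(Finding("?", "?", "?", raw, "FAIL",
                                f"malformed line {lineno}"))
    if not observed and not malformed:
        # An empty file means the batch job produced no evidence at all.
        findings.append(Finding("?", "?", "?", "", "FAIL",
                                "export contains no records"))
    return findings


def failures(findings):
    """Findings that would be routed to procedure owners for investigation."""
    return [finding for finding in findings if finding.status == "FAIL"]


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EXPORT):
        print(finding.status, finding.system, finding.client,
              finding.parameter, "-", finding.reason)
```

Missing parameters, malformed lines and an empty file are all reported as failed tests, so a broken or truncated export cannot be read as a compliant system.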
  • 20. Conclusion

Summary
The integration of RSA Archer and SAP provides a solution that enables customers to address the challenges posed by the disjointed nature of GRC as it currently exists in the SAP landscape. This solution centralizes and consolidates audit information from SAP and non-SAP applications in a single repository. This unified eGRC solution satisfies both business and IT priorities and enables automated compliance with regulatory requirements.

Archer’s Professional Services personnel can transform the fragmented and largely manual governance programs into automated analysis solutions. Their services can apply sophisticated dashboard reporting, integrated data connections, and real-time analysis to what is (in many cases) the biggest and most important business application used in the enterprise. The complete visibility afforded by this solution facilitates executive decision-making, supports current regulatory compliance needs, and meets the predictive risk and eGRC needs of tomorrow.

Findings
Customers who employ both RSA Archer and SAP should:
- Assess their current eGRC practice and identify processes that are time-consuming, manual, and repetitive.
- Automate to the greatest extent possible the collection of control and compliance data.
- Implement direct data feeds from SAP to Archer to consolidate compliance results.
- Use Archer’s advanced user interface, dashboard, analytics and reports to improve eGRC maturity.

Professional Services
These highly integrated solutions enable Professional Services personnel to transform your existing manual governance programs into fully automated predictive analysis solutions. Service experts inject technology efficiency and automation into your processes to drive immediate results. With enhanced dashboard reporting, integrated data connections, and immediately available analysis to your largest and key applications we provide a 360° glimpse into your risk environment. This complete visibility facilitates executive decision-making, immediate risk management results, and is the foundation to evolve your IT department to enable business operations.

A Professional Services team provides solutions that can immediately reduce your IT spend in the areas of regulatory compliance and support by:
- Identifying client-specific SAP configuration for core Archer integration and automation
- Providing recommendations and a roadmap for further automation and overall program enhancements
- Providing a detailed assessment of your Archer, SAP, and eGRC landscape
  • 21. Professional Services can transform your organization to meet the predictive risk and eGRC needs of tomorrow while smoothly supporting the regulatory compliance needs of today.

Additional services
A sample of additional professional services and technology solutions related to SAP/Security/IAM/eGRC include:
- Complete SAP security deployments
- Role redesign and/or remediation
- GRC deployments, upgrades, assessments
- IAM/IdM integration and deployment
- Full life cycle identity, authorization, and authentication solutions
- Further customizations of Archer, SAP, and IdM solutions
- Automation of SAP continuous monitoring tasks, including
  - Identification of incomplete, manual, or changed authorizations
  - Identification and analysis of out-of-synch roles (mismatched parent-to-child or incorrect child role values)
  - Identification of roles with non-compliant technical names
  - Identification of non-compliant user group elements
  • 22. References

White papers
For additional information, see the white papers listed below.
- EMC Hybrid Cloud Solution with VMware: Foundation Infrastructure Reference Architecture 2.5
- EMC Hybrid Cloud Solution with VMware: Foundation Infrastructure Solution Guide 2.5
- EMC Hybrid Cloud Solution with VMware: Security Solution Guide 2.5
- EMC Hybrid Cloud for SAP: VMware vCloud Automation Center, VMware vCloud Application Director, EMC ViPR, EMC ViPR SRM

Product documentation
For additional information, see the product documents listed below.
- RSA Archer GRC Platform Administration Guide
- RSA Archer GRC Platform 5.4 Solutions User Guide