Building a GRC System for SAP
Alexey Yudin
Head of the Databases and Business Applications Security Department
Positive Technologies
PHDays III
Plan
― Another three-letter acronym: GRC
― GRC market
― Access Control
― Fraud Management
― SAP authorization concept
― How to build an access control mechanism in SAP
― How to build an SoD check mechanism in SAP
― Fraud schemes in SAP MM
― Conclusions: to buy, to build or …?
GRC intro
GRC
― Governance: top management sets the company's goals and wants to control them
― Risk Management: a company identifies risks to its business and wants to avoid them
― Compliance: internal and external controls, regulations and laws that a company must obey
An integrated approach used by corporations to act in accordance with the
guidelines set for each category. Governance, risk management and
compliance (GRC) is not a single activity, but rather a firm-wide approach
to achieving high standards in all three overlapping categories.
What does business really want?
― Governance: to make money
― Risk management: to save money
― Compliance: to save money
Russian companies are interested in
― Detecting unauthorized access to critical business actions
― Detecting segregation of duties violations
― Detecting fraudulent actions
― IdM integration and automated access control
GRC market leaders
― ERP vendors solutions
• SAP
• Oracle
― GRC vendors solutions
• EMC-RSA
• Protiviti
• MetricStream
• SAS
• Software AG
• …..
SAP GRC components
― Risk Management
― Access Control
― Process Control
― Fraud Management
The most demanded part of SAP GRC: Access Control
Possible approaches
1. Deploy one of the existing solutions (SAP GRC for SAP ERP)
• High price
• Long implementation
• High IT operations cost
• Too complicated
• Needs a lot of customization
2. Build your own solution
• Needs development from scratch
GRC implementation process
― Analyze critical business processes
― Assess business actions
― Develop SoD matrix with possible violations
― Create and redesign roles (remove unnecessary roles)
― Map business actions to roles
― Check current usage of roles
― Find users with SoD violations
― Minimize number of SoD violations
― Control role modifications
― Develop and automate user access process
SAP terminology
― An SAP transaction is the execution of a program. The normal
way of executing ABAP code in the SAP system is by entering a
transaction code (for instance, PA30 is the transaction code for
"Maintain HR Master Data").
― An authorization object is a group of fields that are combined
with AND: a check against the object passes only if every field of
the object matches. The field values are what the authorization
check tests. For example, authorization object S_TCODE has one
field, TCD (transaction code).
― An authorization is an instance of an authorization object: a
combination of permissible values for each field of the object.
For example, the authorization S_TCODE: TCD=SE16 allows the user
to start transaction SE16 (Data Browser).
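The following is an added example written for this page, not SAP code and not the author's tool: a small model of how an SAP authorization check evaluates the terms just defined, and why the AND between the fields matters once business actions are mapped to authorizations. Assumed simplifications: only the '*' wildcard and prefix patterns such as ME2* are modelled (SAP's value ranges are not), the buyer user and all authorization values are constructed, and ME21N is reduced to the two checks shown (S_TCODE plus M_BEST_EKO, the purchasing-organization object checked on purchase orders) although the real transaction checks further objects.

```python
# Added example: how an SAP authorization check evaluates the terms defined
# above. Illustration written for this page, not SAP code and not the
# author's tool. Assumed simplification: an authorization object is a name
# plus a tuple of fields; an authorization is one object plus permitted value
# patterns per field; a user holds a list of authorizations. Only '*' and
# trailing-'*' prefix patterns are modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthObject:
    name: str
    fields: tuple          # every field must match: the fields are ANDed


@dataclass
class Authorization:
    obj: AuthObject
    values: dict           # field name -> tuple of permitted value patterns


def value_matches(pattern: str, value: str) -> bool:
    """SAP-style wildcard: '*' matches anything, 'ME2*' matches any value with that prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authorization_grants(auth: Authorization, obj: AuthObject, requested: dict) -> bool:
    """One authorization grants the request only if ALL fields of the object match."""
    if auth.obj != obj:
        return False
    return all(
        any(value_matches(p, requested[f]) for p in auth.values.get(f, ()))
        for f in obj.fields
    )


def authority_check(user_auths, obj: AuthObject, **requested) -> bool:
    """Passes if ANY of the user's authorizations for the object grants the request.
    Field values are never pooled across separate authorizations."""
    return any(authorization_grants(a, obj, requested) for a in user_auths)


# Two real authorization objects (S_TCODE is the one defined on the page):
S_TCODE = AuthObject("S_TCODE", ("TCD",))                   # may this transaction be started?
M_BEST_EKO = AuthObject("M_BEST_EKO", ("ACTVT", "EKORG"))   # activity x purchasing org on a PO


def buyer_auths():
    """Constructed sample user: may start ME2* and ME51N; may CREATE (ACTVT 01)
    purchase orders in purchasing org 2000 but only DISPLAY (ACTVT 03) in org 1000."""
    return [
        Authorization(S_TCODE, {"TCD": ("ME2*", "ME51N")}),
        Authorization(M_BEST_EKO, {"ACTVT": ("01",), "EKORG": ("2000",)}),
        Authorization(M_BEST_EKO, {"ACTVT": ("03",), "EKORG": ("1000",)}),
    ]


def can_create_po(user_auths, ekorg: str) -> bool:
    """Simplified ME21N: the transaction must be startable AND the user must hold
    activity 01 for that purchasing organization (the real transaction checks more)."""
    return (authority_check(user_auths, S_TCODE, TCD="ME21N")
            and authority_check(user_auths, M_BEST_EKO, ACTVT="01", EKORG=ekorg))


if __name__ == "__main__":
    u = buyer_auths()
    print("start ME21N:", authority_check(u, S_TCODE, TCD="ME21N"))
    print("start MIRO:", authority_check(u, S_TCODE, TCD="MIRO"))
    print("create PO in org 2000:", can_create_po(u, "2000"))
    print("create PO in org 1000:", can_create_po(u, "1000"))  # 01 and 1000 sit in different authorizations
```

The last call is the point of the example: the user holds ACTVT 01 and EKORG 1000, but in separate authorizations, so no single authorization matches on all fields and the check fails. A critical-action check that looks only at transaction codes (as the Excel tables on the following slides do) would list this user as able to create purchase orders everywhere; the transaction-code view is a superset of the truth, which is the right direction for an alert but needs the object values to confirm a finding.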
Business Processes in SAP (diagram)
A business process is a chain of business actions (Business Action 1,
Business Action 2, ...); each business action is enabled by one or more
authorizations (Authorization 1, Authorization 2).
SOD in SAP (diagram)
Two business actions that must be segregated are each backed by their own
authorizations (Authorizations 1 to 4 in the diagram); an SoD violation is
a single user holding the authorizations for both actions.
Where to find SoD matrix
― ISACA - Security, Audit and Control Features SAP ERP, 3rd
Edition
― Australian National Audit Office - SAP ECC 6.0 Security and Control
― http://scn.sap.com
― Google :)
SAP MM (Materials Management) covers:
― purchasing,
― goods receiving,
― material storage,
― consumption-based planning,
― inventory.
Procurement cycle overview (diagram)
Purchasing activities (diagram)
Critical actions in purchasing
― MM01 – Create Material
― MK01 – Create Vendor
― ME01 – Maintain Source List
― MD11 – Create Planned Order
― ME51N – Create Purchase Requisition
― ME41 – Create RFQ
― ME21N – Create PO
― MIRO – Enter Invoice
How to build a control mechanism
― Create an Excel table of critical actions, one row per action, listing
the transactions that implement it and the roles, profiles or users that
hold them:

  Module | Action                | Transaction | Role 1 / Profile 1 / User 1 | Role N / Profile N / User 1
  MM     | Create Purchase Order | ME21, ME21N | Z_Role_1                    | Z_Role_N

― Run the check on a regular basis
• Report RSUSR070 (roles by complex selection criteria: which roles contain the transaction)
• Transaction SUIM (User Information System)
― Compare the results in Excel
Excel example (screenshot)
SOD in purchasing
Create the SoD matrix for the particular business process:

                                | Purchasing Document Creator | Purchasing Document Approver
  Purchasing Document Creator   |                             | X
  Purchasing Document Approver  | X                           |
How to build an SoD check mechanism
― Create an Excel table based on the SoD matrix, one row per conflict,
listing every transaction that performs each of the two actions and the
roles, profiles or users holding them:

  SOD Name: CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD
  Action 1: Create Purchase Order
  Transaction (Action 1): ME21, ME21N, ME25, ME27, ME31
  Action 2: Create Vendor Master Record
  Transaction (Action 2): FK01, MK01, XK01
  Role/Profile/User: (filled in from the check results)
― Run the roles check on a regular basis
• Report RSUSR070 (roles by complex selection criteria)
• Transaction SUIM
― Compare the results in Excel
― Run the users check on a regular basis
• Report RSUSR002 (users by complex selection criteria)
• Transaction SUIM
― Compare the results in Excel
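The critical-action control of the "How to build a control mechanism" slide and the SoD check of the slides that follow it both operate on the same two data sets, so here is one added example serving both. It is written for this page and is neither MaxPatrol code nor an SAP report; the role and user names, their transaction assignments and the SoD matrix rows are constructed, and the two input dicts stand in for what RSUSR070 (transactions per role) and RSUSR002 (roles per user) export. Matching is by transaction code only, exactly as the Excel tables on the slides do it.

```python
# Added example for this page (not the author's MaxPatrol code and not an
# SAP report): the critical-action check and the SoD check from the slides,
# run over the data those checks consume. ROLE_TCODES stands in for the
# RSUSR070 output (transactions per role), USER_ROLES for the RSUSR002 output
# (roles per user). All role names, user names and assignments are constructed.

ROLE_TCODES = {                                     # role -> transactions it contains
    "Z_MM_BUYER":          {"ME21N", "ME22N", "ME23N", "ME51N"},
    "Z_MM_VENDOR_MASTER":  {"XK01", "XK02", "XK03"},
    "Z_MM_DISPLAY":        {"ME23N", "XK03", "MM03"},
    "Z_MM_PURCHASING_ALL": {"ME21N", "MK01", "MIRO"},   # one role holding both sides of a conflict
}

USER_ROLES = {                                      # user -> roles assigned
    "BUYER01": {"Z_MM_BUYER", "Z_MM_DISPLAY"},
    "BUYER02": {"Z_MM_BUYER", "Z_MM_VENDOR_MASTER"},  # conflict assembled from two clean roles
    "AUDITOR": {"Z_MM_DISPLAY"},
    "SUPER":   {"Z_MM_PURCHASING_ALL"},
}

# The "critical actions" table: action -> every transaction that performs it.
CRITICAL_ACTIONS = {
    "Create Purchase Order":       {"ME21", "ME21N", "ME25", "ME27", "ME31"},
    "Create Vendor Master Record": {"FK01", "MK01", "XK01"},
    "Enter Invoice":               {"MIRO"},
}

# The SoD matrix as rows of (SoD name, action 1, action 2).
SOD_MATRIX = [
    ("CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD",
     "Create Purchase Order", "Create Vendor Master Record"),
    ("CREATE PURCHASE ORDER & ENTER INVOICE",
     "Create Purchase Order", "Enter Invoice"),
]


def role_actions(role, role_tcodes=ROLE_TCODES, actions=CRITICAL_ACTIONS):
    """Critical actions a role enables -> sorted transactions that enable each."""
    tcodes = role_tcodes.get(role, set())
    return {a: sorted(tcodes & t) for a, t in actions.items() if tcodes & t}


def user_actions(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, actions=CRITICAL_ACTIONS):
    """Critical-action check: actions a user can perform -> [(role, transactions)] granting each."""
    result = {}
    for role in sorted(user_roles.get(user, ())):
        for action, tcodes in role_actions(role, role_tcodes, actions).items():
            result.setdefault(action, []).append((role, tcodes))
    return result


def sod_violations_by_role(role_tcodes=ROLE_TCODES, actions=CRITICAL_ACTIONS, matrix=SOD_MATRIX):
    """Roles check: single roles containing both sides of a conflict -> [(role, SoD name)]."""
    hits = []
    for role in sorted(role_tcodes):
        acts = role_actions(role, role_tcodes, actions)
        hits += [(role, name) for name, a, b in matrix if a in acts and b in acts]
    return hits


def sod_violations_by_user(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                           actions=CRITICAL_ACTIONS, matrix=SOD_MATRIX):
    """Users check: users whose combined roles cover both sides of a conflict
    -> [(user, SoD name, roles granting action 1, roles granting action 2)]."""
    hits = []
    for user in sorted(user_roles):
        acts = user_actions(user, user_roles, role_tcodes, actions)
        for name, a, b in matrix:
            if a in acts and b in acts:
                hits.append((user, name,
                             sorted(r for r, _ in acts[a]),
                             sorted(r for r, _ in acts[b])))
    return hits


if __name__ == "__main__":
    for action, grants in user_actions("BUYER02").items():
        print("BUYER02 can", action, "via", grants)
    for hit in sod_violations_by_role():
        print("role violation:", hit)
    for hit in sod_violations_by_user():
        print("user violation:", hit)
```

The roles check catches Z_MM_PURCHASING_ALL, which violates both matrix rows on its own; the users check additionally catches BUYER02, whose two roles are each clean but together cover both sides of the first conflict, which is why the slides run RSUSR070 and RSUSR002 as separate steps. The action table must list every transaction that performs an action (ME21 and ME21N, XK01 and MK01 and FK01), otherwise a user who reaches the same function through another transaction code slips through.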
MaxPatrol
Now
― Helps to analyze roles and authorization profiles
― Monitors users with critical administrative privileges
― Regular control of the roles assigned to users
― Regular control of role modifications (creation, update and removal)
MaxPatrol
Near future
― Create custom business actions
― Map roles to business actions
― Automatically find roles that match business action rules
― Automated detection and control of users and roles that violate the
SoD matrix
― Check the usage of roles and transactions
MaxPatrol – Role control (screenshot)
MaxPatrol – Authorization profile control (screenshot)
MaxPatrol – Control of administrative privileges (screenshot)
Fraudulent activity in purchasing
― Purchasing without a purchase requisition
― Abuse of one-time vendor accounts
How to build a fraud check mechanism
― Build a possible fraud scheme
― Divide the scheme into separate actions
― Describe each action in SAP terms (transactions and authorizations, as
defined above)
― Go to the logs and get all users who performed those actions
― Find the users whose sequence of actions fits the fraud scheme
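An added example of the procedure above (not from the slides and not the author's tool): a scheme built from the page's own critical actions, one user creating a vendor, ordering from it and entering its invoice, matched as an ordered sequence over transaction-start log records. Assumptions: the log records are constructed "timestamp;user;tcode" lines standing in for what STAD or the Security Audit Log would give you, and the 30-day window is an arbitrary choice for the example.

```python
# Added example for this page (not from the slides, not the author's tool):
# the fraud check procedure, run over transaction-start log records. The
# scheme is the fictitious-vendor pattern built from the page's critical
# actions. Assumptions: records are "timestamp;user;tcode" lines (a
# constructed simplification of STAD / Security Audit Log output) and a
# scheme is an ordered list of steps that must all occur, in order, within
# a time window measured from the first step.
from collections import defaultdict
from datetime import datetime, timedelta

FRAUD_SCHEME = {
    "name": "fictitious vendor: create vendor -> create PO -> enter invoice",
    "steps": [  # (action in SAP terms, transactions that perform it)
        ("Create Vendor Master Record", {"FK01", "MK01", "XK01"}),
        ("Create Purchase Order", {"ME21", "ME21N", "ME25", "ME27", "ME31"}),
        ("Enter Invoice", {"MIRO"}),
    ],
    "window": timedelta(days=30),
}

# Constructed sample log. BUYER02 runs the whole chain in two days; SUPER
# created a vendor months before ordering (outside the window); BUYER03 runs
# the transactions in the wrong order; the others never create a vendor.
SAMPLE_LOG = """\
2013-05-20 09:12:03;BUYER02;XK01
2013-05-20 09:40:11;BUYER02;ME21N
2013-05-21 15:02:47;BUYER02;MIRO
2013-05-20 10:00:00;BUYER01;ME51N
2013-05-20 10:05:00;BUYER01;ME21N
2013-05-22 08:00:00;AP01;MIRO
2013-01-05 08:00:00;SUPER;XK01
2013-05-23 08:00:00;SUPER;ME21N
2013-05-23 09:00:00;SUPER;MIRO
2013-05-24 11:00:00;BUYER03;MIRO
2013-05-24 11:30:00;BUYER03;ME21N
2013-05-24 12:00:00;BUYER03;XK01
"""


def parse_log(text):
    """'timestamp;user;tcode' lines -> {user: [(datetime, tcode), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tcode = line.split(";")
        events[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tcode))
    for user_events in events.values():
        user_events.sort()
    return dict(events)


def find_scheme_matches(events_by_user, scheme):
    """Return [(user, [(time, tcode) per step])] for every user whose log contains
    the scheme's steps in order, all within scheme['window'] of the first step.
    For each step the earliest qualifying event is taken (greedy), which is
    optimal when the window is anchored at the first step."""
    steps = scheme["steps"]
    matches = []
    for user, events in sorted(events_by_user.items()):
        i = 0
        while i < len(events):
            start_ts, start_tc = events[i]
            if start_tc not in steps[0][1]:
                i += 1
                continue
            chain, j = [events[i]], i + 1
            for _, tcodes in steps[1:]:
                while j < len(events) and events[j][1] not in tcodes:
                    j += 1
                if j == len(events) or events[j][0] - start_ts > scheme["window"]:
                    chain = None
                    break
                chain.append(events[j])
                j += 1
            if chain is None:
                i += 1
            else:
                matches.append((user, chain))
                i = j  # resume after the matched chain
    return matches


if __name__ == "__main__":
    for user, chain in find_scheme_matches(parse_log(SAMPLE_LOG), FRAUD_SCHEME):
        print(user, "matches", FRAUD_SCHEME["name"])
        for ts, tcode in chain:
            print("   ", ts, tcode)
```

Two caveats a reviewer will want. The Security Audit Log records transaction starts only when that audit class is switched on, so confirm the log source before trusting an empty result. And the first fraud pattern on the slide, purchasing without a purchase requisition, is not visible in a sequence of transaction codes at all: the requisition reference is a field of the purchase order item, so that one needs a check of the purchase order data rather than of the log.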
One-time vendor (OTV) payments
― SAP provides one-time vendor functionality to reduce
administration over the vendor master file by paying
infrequent vendors through a one-time vendor account.
― The use of the one-time vendor function overcomes typical
vendor master file authorization and review controls and
may be used to process unauthorized payments.
How to control OTV payments?
― Periodically review one-time vendor payments.
• The vendor line item report RFKEPL00 (transaction code
S_ALR_87012103) is the best report for viewing one-time vendor
payments.
• Payments can also be viewed through the Purchasing Overview by
Vendor report.
Best Practices
― Focus on prevention
― Automate as many controls as possible
― Automate the flow of manual controls
― Identify business actions that produce risks when executed
by one person
― Perform risk analysis before committing and approving
changes to access controls
― SoD risk identification and remediation should be
performed automatically across multiple ERP environments
and instances
― Automate user provisioning and changes
― Control real transaction and role usage
Conclusions
― GRC is an information security trend
― The most demanded GRC-features:
• Critical actions control
• SOD violation control
• Fraud control
― It’s possible to build a GRC system that satisfies top
management without large-scale deployments.
Thank you for your attention!
Q&A
Grc eng

More Related Content

Viewers also liked

V defense veniamin levtsov-kl_24 may 2013
V defense veniamin levtsov-kl_24 may 2013V defense veniamin levtsov-kl_24 may 2013
V defense veniamin levtsov-kl_24 may 2013Positive Hack Days
 
Comp tia a+ (2009 edition) certificate (1)
Comp tia a+ (2009 edition) certificate (1)Comp tia a+ (2009 edition) certificate (1)
Comp tia a+ (2009 edition) certificate (1)Riaz Safir
 
Desarrollos tecnologicos
Desarrollos tecnologicosDesarrollos tecnologicos
Desarrollos tecnologicosmafecruzdrdd
 
Marketing of a new App Tour-o-pedia
Marketing of a new App Tour-o-pediaMarketing of a new App Tour-o-pedia
Marketing of a new App Tour-o-pediaaditya ghuge
 
ออกแบบเสาเข็ม
ออกแบบเสาเข็มออกแบบเสาเข็ม
ออกแบบเสาเข็มnsumato
 
Poka-Yoke in Software Testing
Poka-Yoke in Software TestingPoka-Yoke in Software Testing
Poka-Yoke in Software TestingAbhinandan Shekar
 
La nasa ‘’exculpa’’ a un asteroid ekk
La nasa ‘’exculpa’’ a un asteroid ekkLa nasa ‘’exculpa’’ a un asteroid ekk
La nasa ‘’exculpa’’ a un asteroid ekkanavalverdebio
 
Disney Consumer Products: Marketing Nutrition to Children
Disney Consumer Products: Marketing Nutrition to ChildrenDisney Consumer Products: Marketing Nutrition to Children
Disney Consumer Products: Marketing Nutrition to Childrenaditya ghuge
 
Pointers to Consider in Teaching Spelling in Elementary Grades
Pointers to Consider in Teaching Spelling in Elementary GradesPointers to Consider in Teaching Spelling in Elementary Grades
Pointers to Consider in Teaching Spelling in Elementary GradesJessica Ilene Capinig
 
Trends in Classroom Practices and Techniques
Trends in Classroom Practices and TechniquesTrends in Classroom Practices and Techniques
Trends in Classroom Practices and TechniquesJessica Ilene Capinig
 

Viewers also liked (14)

V defense veniamin levtsov-kl_24 may 2013
V defense veniamin levtsov-kl_24 may 2013V defense veniamin levtsov-kl_24 may 2013
V defense veniamin levtsov-kl_24 may 2013
 
Comp tia a+ (2009 edition) certificate (1)
Comp tia a+ (2009 edition) certificate (1)Comp tia a+ (2009 edition) certificate (1)
Comp tia a+ (2009 edition) certificate (1)
 
Desarrollos tecnologicos
Desarrollos tecnologicosDesarrollos tecnologicos
Desarrollos tecnologicos
 
Marketing of a new App Tour-o-pedia
Marketing of a new App Tour-o-pediaMarketing of a new App Tour-o-pedia
Marketing of a new App Tour-o-pedia
 
Ch03 4
Ch03 4Ch03 4
Ch03 4
 
ออกแบบเสาเข็ม
ออกแบบเสาเข็มออกแบบเสาเข็ม
ออกแบบเสาเข็ม
 
Dadabhainaoroji
DadabhainaorojiDadabhainaoroji
Dadabhainaoroji
 
E potseluevskaya ru
E potseluevskaya ruE potseluevskaya ru
E potseluevskaya ru
 
Poka-Yoke in Software Testing
Poka-Yoke in Software TestingPoka-Yoke in Software Testing
Poka-Yoke in Software Testing
 
La nasa ‘’exculpa’’ a un asteroid ekk
La nasa ‘’exculpa’’ a un asteroid ekkLa nasa ‘’exculpa’’ a un asteroid ekk
La nasa ‘’exculpa’’ a un asteroid ekk
 
Disney Consumer Products: Marketing Nutrition to Children
Disney Consumer Products: Marketing Nutrition to ChildrenDisney Consumer Products: Marketing Nutrition to Children
Disney Consumer Products: Marketing Nutrition to Children
 
Python GUI Course Summary - 7 Modules
Python GUI Course Summary - 7 ModulesPython GUI Course Summary - 7 Modules
Python GUI Course Summary - 7 Modules
 
Pointers to Consider in Teaching Spelling in Elementary Grades
Pointers to Consider in Teaching Spelling in Elementary GradesPointers to Consider in Teaching Spelling in Elementary Grades
Pointers to Consider in Teaching Spelling in Elementary Grades
 
Trends in Classroom Practices and Techniques
Trends in Classroom Practices and TechniquesTrends in Classroom Practices and Techniques
Trends in Classroom Practices and Techniques
 

Similar to Grc eng

Alexey Yudin. Building a GRC System for SAP
Alexey Yudin. Building a GRC System for SAPAlexey Yudin. Building a GRC System for SAP
Alexey Yudin. Building a GRC System for SAPPositive Hack Days
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...akquinet enterprise solutions GmbH
 
Computer chp 10 on books of Nickerson
Computer chp 10 on books of NickersonComputer chp 10 on books of Nickerson
Computer chp 10 on books of NickersonMaha Islam
 
SAP SRM Interview questions
SAP SRM Interview questionsSAP SRM Interview questions
SAP SRM Interview questionsIT LearnMore
 
Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology SoHo Dragon
 
Overview of Dynaflow Solution
Overview of Dynaflow Solution Overview of Dynaflow Solution
Overview of Dynaflow Solution bpmgeek09
 
Oracle eBS Overview.pptx
Oracle eBS Overview.pptxOracle eBS Overview.pptx
Oracle eBS Overview.pptxssuser9dce1e1
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015Frank Castelluccio
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.Rex-Solutions
 
Transaction Watchdog by Controls Force
Transaction Watchdog by Controls ForceTransaction Watchdog by Controls Force
Transaction Watchdog by Controls ForceSGB Media Group
 

Similar to Grc eng (20)

Grc eng
Grc engGrc eng
Grc eng
 
Alexey Yudin. Building a GRC System for SAP
Alexey Yudin. Building a GRC System for SAPAlexey Yudin. Building a GRC System for SAP
Alexey Yudin. Building a GRC System for SAP
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with Automation
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
 
Computer chp 10 on books of Nickerson
Computer chp 10 on books of NickersonComputer chp 10 on books of Nickerson
Computer chp 10 on books of Nickerson
 
SAP SRM Interview questions
SAP SRM Interview questionsSAP SRM Interview questions
SAP SRM Interview questions
 
Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
 
Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology
 
Overview of Dynaflow Solution
Overview of Dynaflow Solution Overview of Dynaflow Solution
Overview of Dynaflow Solution
 
Oracle eBS Overview.pptx
Oracle eBS Overview.pptxOracle eBS Overview.pptx
Oracle eBS Overview.pptx
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC Framework
 
eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015
 
Auxis Webinar: Diving into RPA
Auxis Webinar: Diving into RPAAuxis Webinar: Diving into RPA
Auxis Webinar: Diving into RPA
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
Just in Time (JiT) Business Rules Mining
Just in Time (JiT) Business Rules MiningJust in Time (JiT) Business Rules Mining
Just in Time (JiT) Business Rules Mining
 
Dora ppt1
Dora ppt1Dora ppt1
Dora ppt1
 
dheeraj
dheerajdheeraj
dheeraj
 
Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.
 
Transaction Watchdog by Controls Force
Transaction Watchdog by Controls ForceTransaction Watchdog by Controls Force
Transaction Watchdog by Controls Force
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
GRC implementation process
― Analyze critical business processes
― Assess business actions
― Develop an SoD matrix with possible violations
― Create and redesign roles (remove unnecessary roles)
― Map business actions to roles
― Check current usage of roles
― Find users with SoD violations
― Minimize the number of SoD violations
― Control role modifications
― Develop and automate the user access process
SAP terminology
― An SAP transaction is the execution of a program. The normal way to run ABAP code in an SAP system is to enter a transaction code (for instance, PA30 is the transaction code for "Maintain HR Master Data").
― An authorization object is a group of fields that are combined with AND; the values of these fields are what the authorization check tests. For example, the authorization object S_TCODE has a single field, TCD (transaction code).
― An authorization is an instance of an authorization object: a combination of permissible values for each field of that object. For example, the authorization S_TCODE: TCD=SE16 allows running transaction SE16.
Business Processes in SAP
(diagram: a business process is made up of business actions, and each business action is granted by one or more authorizations; Business Action 1 and Business Action 2 are backed by Authorization 1 and Authorization 2)

SOD in SAP
(diagram: Business Action 1 is granted by Authorization 1 and Authorization 2, Business Action 2 by Authorization 3 and Authorization 4; a user who holds the authorizations for both actions has an SOD conflict)
Where to find an SoD matrix
― ISACA, Security, Audit and Control Features SAP ERP, 3rd Edition
― Australian National Audit Office, SAP ECC 6.0 Security and Control
― http://scn.sap.com
― Google :)
SAP MM
― purchasing,
― goods receiving,
― material storage,
― consumption-based planning,
― inventory.
Critical actions in purchasing
― MM01 – Create Material
― MK01 – Create Vendor
― ME01 – Maintain Source List
― MD11 – Create Planned Order
― ME51N – Create Purchase Requisition
― ME41 – Create RFQ
― ME21N – Create PO
― MIRO – Enter Invoice
How to build a control mechanism

Module | Action | Transaction | Role 1/Profile 1/User 1 | Role N/Profile N/User 1
MM | Create Purchase Order | ME21, ME21N | Z_Role_1 | Z_Role_N

― Create an XL table with the critical actions
― Run the check on a regular basis
• Report RSUSR070
• Transaction SUIM
― Compare the results in XL
SOD in purchasing
Create the SOD matrix based on the particular business processes:

                              | Purchasing Document Creator | Purchasing Document Approver
Purchasing Document Creator   |                             | X
Purchasing Document Approver  | X                           |
How to build a SOD check mechanism
― Create an XL table based on the SOD matrix:

SOD Name | Action 1 | Transaction (Action 1) | Action 2 | Transaction (Action 2) | Role/Profile/User
CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD | Create Purchase Order | ME21, ME21N, ME25, ME27, ME31 | Create Vendor Master Record | FK01, MK01, XK01 |
How to build a SOD check mechanism
― Run the roles check on a regular basis
• Report RSUSR070
• Transaction SUIM
― Compare the results in XL

How to build a SOD check mechanism
― Run the users check on a regular basis
• Report RSUSR002
• Transaction SUIM
― Compare the results in XL
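The critical-action check (slide 21) and the role and user SoD checks (slides 24 to 26) are the same computation over two exports: role to transaction codes and role to users. The script below is an added example, not code from the talk or from MaxPatrol, that does the "compare in XL" step programmatically. The role and user rows are constructed in the shape of what RSUSR070/RSUSR002 (transaction SUIM) give you; the action-to-transaction mapping comes from the deck's tables, except the "Approve Purchasing Document" transactions and the vendor/invoice SoD pair, which are assumptions added for illustration.

```python
"""Critical-action and SoD check over SAP role/user assignments.

Added example; not the speaker's or MaxPatrol's code. Inputs are constructed in
the shape of SUIM (RSUSR070 / RSUSR002) exports: role -> transactions and
role -> users. In a real system, paste the export into these two dicts.
"""
from collections import defaultdict

# Business action -> transaction codes that perform it (any one of them suffices).
# PO and vendor tcodes are from the deck's SoD table; release tcodes are an assumption.
ACTIONS = {
    "Create Purchase Order": {"ME21", "ME21N", "ME25", "ME27", "ME31"},
    "Create Vendor Master Record": {"FK01", "MK01", "XK01"},
    "Approve Purchasing Document": {"ME28", "ME29N"},   # assumption, not from the deck
    "Enter Invoice": {"MIRO"},
}

# SoD matrix as conflicting action pairs. The vendor/invoice pair is an added assumption.
SOD_MATRIX = [
    ("Create Purchase Order", "Create Vendor Master Record"),
    ("Create Purchase Order", "Approve Purchasing Document"),
    ("Create Vendor Master Record", "Enter Invoice"),
]
CRITICAL_ACTIONS = {"Create Vendor Master Record", "Enter Invoice"}

# Constructed sample data (shape of RSUSR070 output: role -> tcodes).
ROLE_TCODES = {
    "Z_MM_BUYER": {"ME21N", "ME51N", "ME41"},
    "Z_MM_VENDOR_MAINT": {"XK01", "MK01"},
    "Z_MM_RELEASE": {"ME29N"},
    "Z_FI_AP": {"MIRO", "FK01"},
    "Z_DISPLAY_ONLY": {"ME23N", "MK03"},
}
# Constructed sample data (shape of RSUSR002 output: role -> users).
ROLE_USERS = {
    "Z_MM_BUYER": {"IVANOV", "PETROV"},
    "Z_MM_VENDOR_MAINT": {"IVANOV"},
    "Z_MM_RELEASE": {"SIDOROV"},
    "Z_FI_AP": {"PETROV"},
    "Z_DISPLAY_ONLY": {"AUDITOR"},
}


def user_tcodes(role_tcodes, role_users):
    """Flatten assignments to user -> {(tcode, role)} so findings name the granting role."""
    out = defaultdict(set)
    for role, users in role_users.items():
        for user in users:
            for tcode in role_tcodes.get(role, ()):
                out[user].add((tcode, role))
    return out


def user_actions(tcodes_with_roles, actions=ACTIONS):
    """Map (tcode, role) pairs to business actions: action -> set of roles granting it."""
    granted = defaultdict(set)
    for tcode, role in tcodes_with_roles:
        for action, tset in actions.items():
            if tcode in tset:
                granted[action].add(role)
    return granted


def critical_action_findings(role_tcodes, role_users, critical=CRITICAL_ACTIONS):
    """Slide 21: who can perform each critical action, and through which roles."""
    findings = {}
    for user, tcr in user_tcodes(role_tcodes, role_users).items():
        hits = {a: sorted(r) for a, r in user_actions(tcr).items() if a in critical}
        if hits:
            findings[user] = hits
    return findings


def sod_roles(role_tcodes, matrix=SOD_MATRIX):
    """Slide 25: single roles that violate the matrix on their own."""
    bad = []
    for role, tcodes in role_tcodes.items():
        acts = user_actions({(t, role) for t in tcodes})
        bad += [(role, a, b) for a, b in matrix if a in acts and b in acts]
    return sorted(bad)


def sod_violations(role_tcodes, role_users, matrix=SOD_MATRIX):
    """Slide 26: users holding both sides of a conflicting pair across all their roles."""
    violations = []
    for user, tcr in user_tcodes(role_tcodes, role_users).items():
        acts = user_actions(tcr)
        for a, b in matrix:
            if a in acts and b in acts:
                violations.append((user, a, sorted(acts[a]), b, sorted(acts[b])))
    return sorted(violations)


if __name__ == "__main__":
    for user, hits in critical_action_findings(ROLE_TCODES, ROLE_USERS).items():
        print("critical access:", user, hits)
    for role, a, b in sod_roles(ROLE_TCODES):
        print("role-level SoD conflict:", role, "->", a, "&", b)
    for user, a, ra, b, rb in sod_violations(ROLE_TCODES, ROLE_USERS):
        print("user SoD violation:", user, "->", a, ra, "&", b, rb)
```

Two caveats a practitioner would keep in mind: a user-level check is needed even when every single role is clean, because the conflict usually comes from the combination of roles (IVANOV above gets it from two separate roles), and matching on transaction codes alone is a first approximation, since the same action is reachable through several transactions and, strictly, is gated by the authorization objects behind them (slide 13), so the transaction lists have to be maintained as the system changes.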
MaxPatrol now
― Helps to analyze roles and authorization profiles
― Monitors users with critical administrative privileges
― Regular control of roles assigned to users
― Regular control of role modifications (creation, update and removal)

MaxPatrol in the near future
― Create custom business actions
― Map roles to business actions
― Automatically find roles that match business action rules
― Automatically detect and control users and roles that violate the SoD matrix
― Check usage of roles and transactions

MaxPatrol – Authorization profile control (screenshot)
Fraudulent activity in purchasing
― Purchasing without a purchase requisition
― Abuse of one-time vendor accounts

How to build a fraud check mechanism
― Build a possible fraud scheme
― Divide the scheme into separate actions
― Describe each action in SAP terms (transactions and authorization objects)
― Go to the logs and get all users who performed those actions
― Find the users whose sequence of performed actions fits the fraud scheme
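The five steps above, as an added example that is not part of the talk: a fraud scheme is written down as an ordered list of actions in SAP terms (transaction codes plus the document keys that tie the steps together), and the log is replayed per user to find anyone whose actions walk through the whole scheme. The log records are constructed; their field names (user, tcode, vendor, po, pr) are an assumption standing in for whatever your real source (change documents, audit log, application tables) provides. The "self-created vendor paid via own PO" scheme is an added illustration; the "purchasing without purchase requisition" scheme is the one named on slide 32.

```python
"""Sequence-based fraud check over a per-user action log.

Added example; not the speaker's or MaxPatrol's code. LOG is constructed and its
field names are an assumption. A scheme is a list of steps; each step names the
transactions that perform the action, the document fields that must match values
captured by earlier steps ("link"), the fields to capture ("bind"), and an optional
extra condition ("where").
"""
from collections import defaultdict

# Constructed sample log: same user creates a vendor, a PO to it, and its invoice.
LOG = [
    {"ts": "2013-05-20 09:01", "user": "IVANOV", "tcode": "XK01", "vendor": "100234", "po": None, "pr": None},
    {"ts": "2013-05-20 09:40", "user": "IVANOV", "tcode": "ME21N", "vendor": "100234", "po": "4500001", "pr": None},
    {"ts": "2013-05-21 10:15", "user": "IVANOV", "tcode": "MIRO", "vendor": "100234", "po": "4500001", "pr": None},
    # PETROV creates a vendor but orders from a different one, with a requisition: no match.
    {"ts": "2013-05-20 10:50", "user": "PETROV", "tcode": "XK01", "vendor": "100999", "po": None, "pr": None},
    {"ts": "2013-05-20 11:00", "user": "PETROV", "tcode": "ME51N", "vendor": None, "po": None, "pr": "1000007"},
    {"ts": "2013-05-20 11:30", "user": "PETROV", "tcode": "ME21N", "vendor": "100111", "po": "4500002", "pr": "1000007"},
    {"ts": "2013-05-22 08:05", "user": "SIDOROV", "tcode": "MIRO", "vendor": "100111", "po": "4500002", "pr": None},
    {"ts": "2013-05-23 14:00", "user": "SMIRNOV", "tcode": "ME21N", "vendor": "100555", "po": "4500003", "pr": None},
]

FRAUD_SCHEMES = {
    # Added illustration: the vendor is created, ordered from and invoiced by one person.
    "Self-created vendor paid via own PO": [
        {"action": "Create vendor", "tcodes": {"XK01", "MK01", "FK01"}, "bind": ["vendor"]},
        {"action": "Create PO to that vendor", "tcodes": {"ME21", "ME21N", "ME25"},
         "link": ["vendor"], "bind": ["po"]},
        {"action": "Enter invoice for that PO", "tcodes": {"MIRO"}, "link": ["po"]},
    ],
    # From slide 32: a PO with no purchase requisition behind it.
    "Purchasing without purchase requisition": [
        {"action": "Create PO without PR reference", "tcodes": {"ME21", "ME21N", "ME25"},
         "where": lambda rec: rec["pr"] is None},
    ],
}


def _step_matches(step, rec, bound):
    """True if rec performs this step and its linked document keys equal the captured ones."""
    if rec["tcode"] not in step["tcodes"]:
        return False
    for field in step.get("link", ()):
        if field not in bound or rec.get(field) != bound[field]:
            return False
    return step.get("where", lambda r: True)(rec)


def find_scheme_matches(log, steps):
    """Return [(user, [records])] for every user whose actions, in time order,
    pass through all steps of the scheme with consistent vendor/PO keys."""
    by_user = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["ts"]):   # "YYYY-MM-DD HH:MM" sorts as text
        by_user[rec["user"]].append(rec)
    matches = []
    for user, recs in by_user.items():
        partial = []   # (next step index, captured keys, records matched so far)
        for rec in recs:
            advanced = []
            # every record may extend a partial match or start a new one from step 0
            for idx, bound, trail in partial + [(0, {}, [])]:
                step = steps[idx]
                if _step_matches(step, rec, bound):
                    bound = dict(bound, **{f: rec[f] for f in step.get("bind", ())})
                    trail = trail + [rec]
                    idx += 1
                    if idx == len(steps):
                        matches.append((user, trail))
                        continue
                advanced.append((idx, bound, trail))
            partial = [p for p in advanced if p[2]]   # drop the unused fresh start
    return matches


def run_all(log, schemes=FRAUD_SCHEMES):
    """Scheme name -> sorted list of users matching it."""
    return {name: sorted({u for u, _ in find_scheme_matches(log, steps)})
            for name, steps in schemes.items()}


if __name__ == "__main__":
    for name, users in run_all(LOG).items():
        print(name, "->", users)
```

The matcher only looks at one user at a time, so a scheme split between two colluding users is not caught by it; catching that means linking on document keys across users rather than grouping by user. A "PO without PR" hit is also only a lead, since some document types legitimately have no requisition, so the scheme needs the exceptions the business actually allows before it becomes a control.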
One-time vendor (OTV) payments
― SAP provides one-time vendor functionality to reduce administration of the vendor master file: infrequent vendors are paid through a one-time vendor account instead of getting their own master record.
― Because the one-time vendor function bypasses the usual vendor master file authorization and review controls, it may be used to process unauthorized payments.

How to control OTV payments?
― Periodically review one-time vendor payments.
• The vendor line item report RFKEPL00 (transaction code S_ALR_87012103) is the best report for viewing one-time vendor payments.
• Payments can also be viewed through the Purchasing Overview by Vendor report.
Best Practices
― Focus on prevention
― Automate as many controls as possible
― Automate the flow of manual controls
― Identify business actions that produce risks when executed by one person
― Perform risk analysis before committing and approving changes to access controls
― SoD risk identification and remediation should be performed automatically across multiple ERP environments and instances
― Automate user provisioning and changes
― Control real transaction and role usage
Conclusions
― GRC is an information security trend
― The most demanded GRC features:
• Critical actions control
• SOD violation control
• Fraud control
― It is possible to build a GRC system that satisfies top management without large-scale deployments.

Thank you for your attention! Q&A