SAP GRC by OJAYO.com
SAP GRC access control
OJAYO
Agenda
An all-round university
- 17,000 students
- 3,800 foreign students
- 80 nationalities
- 3,200 graduates a year
- Budget: 269 million euros, of which 50% is allocated to research
- 3,400 employees, of which 2,200 are teachers and researchers
- 3,000 employed at the University Hospital Centre (CHU)
- Around 1,500 jobs at the Liège Science Park (60 businesses)
- 900 jobs in spin-offs resulting from scientific research
OJAYO – SAP Implementation
- SAP for Finance & Logistics: MM, SD, EP, CATS, PS, RRB, PCA, BI, PI, GRC
- 600 users, 1,000 roles
- HR and SLCM are not on SAP
Context
- Trends in the OJAYO ecosystem: growing pressure to control the exposure to fraud and data tampering
  - External: more and more controls from public grantors, with concerns about the access procedure; this has resulted in audits driven by some of them and focused on segregation of duties
  - Internal concern as well
Solution selection: SAP GRC Access Control
- GRC: Governance, Risk & Compliance
  - Governance: manages the strategic directives a company wants to follow
  - Risk: management assesses the areas of exposure and their potential impacts
  - Compliance: tactical actions to mitigate risk
- SAP GRC Access Control monitors, tests and enforces access and authorization controls across the enterprise.
Scope of the project: Access Control
Scope of the project: Phase 1
- GRC installation
  - Version 5.2
  - Connected to the ECC instance
- Proof of concept: first risk assessment
  - About 300,000 violations
  - First action: drastically reduce the use of SAP_ALL and SAP_NEW
- Scoping of phase 1
  - Risks have been grouped by BPO:
    - FLC (Financial & Closing)
    - OTC (Order to Cash)
    - P2P (Procure to Pay)
    - I2P (Idea to Project)
  - Basis component: out of scope
Risks per Business Process
✓ Finance & PS: 32 SoD risks
✓ Material Management: 14 SoD risks
✓ Purchasing: 67 SoD risks
✓ Customer (& grantors) invoicing: 29 SoD risks
✓ Basis – technical: 19 SoD risks
✗ EC-CS Consolidation: 14 SoD risks
✗ HR & payroll: 21 SoD risks
✗ APO: 16 SoD risks
✗ CRM: 20 SoD risks
✗ EBP & SRM: 24 SoD risks
Step 2: Risk Assessment
Workshops: adapt the standard SoD matrix
- Are the risks proposed in the standard matrix relevant?
- Do we have to add some risks?
- Do we have to consider additional transactions (custom Z* transactions)?
- Adapt the GRC standard risk ratings: Critical, High, Medium and Low
Design (update) the SoD matrix in the SAP GRC system
Run the risk assessment
Perform the analysis
GRC – CC screens
Risk assessment
- Results
  - 98% (516 out of 525) of the SAP users have SoD risks
  - SoD violations even on "display" roles!
- Recommendations on naming convention
  - The role name should indicate the underlying business process
  - Use simple roles
  - Aggregate simple roles into composite roles
  - Make the different kinds of roles quick to identify:
    - Simple roles: "Z:xxx"; composite roles: "ZC:xxx"
    - Display roles: "Z:xxx_V"
    - Create one dedicated role per critical risk
- Remark on traceability: the system keeps the history of the violations found by each risk assessment, so perform the first analysis in the acceptance system
Step 3: in progress
- Remediation: no role may contain an SoD violation
- Mitigation: accept the risk for some users and enforce the control on them
- Use Firefighter to track actions performed by super users during a given period of time (the closing period, for example)
- Integration with SAP EP
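An added example, not taken from the OJAYO slides or from SAP GRC itself: a small Python model of the risk assessment and of the step 3 rules (per-user assessment over the union of role transactions, the remediation rule that no single simple or composite role may contain an SoD violation, and mitigation by accepting a risk for a named user). All function codes, transactions, roles, users and the mitigation are constructed for the illustration.

```python
from itertools import chain

# Constructed toy data: codes are illustrative, not the standard or OJAYO SoD matrix.
FUNCTIONS = {                          # business function -> enabling transactions
    "PR01": {"ME21N", "ME22N"},        # create / change purchase order
    "PR02": {"MIRO"},                  # post vendor invoice
    "FI01": {"F110"},                  # run payment programme
    "PR03": {"ME23N"},                 # display purchase order
}
RISKS = {"P001": ("High", "PR01", "PR02"),       # risk id -> (rating, function A, function B)
         "P002": ("Critical", "PR02", "FI01")}
SIMPLE_ROLES = {                       # slide naming convention: Z:xxx, display roles Z:xxx_V
    "Z:PO_CREATE": {"ME21N", "ME22N"},
    "Z:INVOICE": {"MIRO"},
    "Z:PAYMENT": {"F110"},
    "Z:PO_V": {"ME23N"},
    "Z:P2P_ALL": {"ME21N", "MIRO"},    # badly cut role: the conflict sits inside one role
}
COMPOSITE_ROLES = {"ZC:BUYER": ["Z:PO_CREATE", "Z:PO_V"]}   # ZC:xxx aggregates simple roles
USERS = {"ALICE": ["ZC:BUYER", "Z:INVOICE"], "BOB": ["Z:PO_V"], "CAROL": ["Z:P2P_ALL"]}
MITIGATIONS = {("ALICE", "P001"): "monthly PO-vs-invoice review by the controller"}

def role_tcodes(role):
    """Transactions granted by a simple role, or by every member of a composite role."""
    if role in COMPOSITE_ROLES:
        return set(chain.from_iterable(SIMPLE_ROLES[r] for r in COMPOSITE_ROLES[role]))
    return set(SIMPLE_ROLES[role])

def violations(tcodes):
    """Risks whose two conflicting functions are both enabled by this transaction set."""
    enabled = {f for f, tx in FUNCTIONS.items() if tx & tcodes}
    return {rid: rating for rid, (rating, a, b) in RISKS.items() if {a, b} <= enabled}

def role_violations():
    """Remediation check: no single role, simple or composite, may contain an SoD violation."""
    found = {r: violations(role_tcodes(r)) for r in chain(SIMPLE_ROLES, COMPOSITE_ROLES)}
    return {r: v for r, v in found.items() if v}

def user_violations(user):
    """Risk assessment per user over the union of all their roles' transactions."""
    return violations(set(chain.from_iterable(role_tcodes(r) for r in USERS[user])))

def residual_violations(user):
    """Mitigation: a risk accepted for this user, with a control enforced, leaves the residual list."""
    return {rid: rating for rid, rating in user_violations(user).items()
            if (user, rid) not in MITIGATIONS}

def assessment_summary():
    """Count of users with at least one SoD risk, the headline figure of the results slide."""
    return sum(1 for u in USERS if user_violations(u)), len(USERS)
```

Running `role_violations()` flags only `Z:P2P_ALL`, the role that must be split under the remediation rule, while `ALICE` keeps a violation at user level until it is mitigated.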
Questions?
OJAYO.com@gmail.com