Archer and SAP - community.rsa.com
1 © Copyright 2012 EMC Corporation. All rights reserved.
Archer and SAP
Working Together for Enterprise Compliance
Presented by LyondellBasell and KPMG LLP
Agenda …what you’re going to get
Speakers and Companies
GRC Technology Landscape
Background and Case
Integrating SAP GRC and Archer
LyondellBasell’s Roadmap to Integration
Questions
Speakers
Scott von Fischer – Chief Information Security Officer, LyondellBasell Industries, NV; CISSP, CIPP/IT
Scott von Fischer is the CISO for LyondellBasell and manages IT compliance and the protection of corporate electronic data assets. In Scott’s 25-plus years of IT experience, he has led several Archer deployments and built large global event management solutions, secure e-commerce sites, and the security architecture that protects customer information for the world’s largest financial institutions.
Scott is a frequent speaker on best practices for information privacy for young adults. As a classically trained chef from Johnson and Wales University in Rhode Island, Scott also has experience opening and managing restaurants.
Gavin Mead – Director, Advisory, KPMG
Gavin Mead is a director in KPMG’s Atlanta office with over 14 years of information security management experience. Gavin leads KPMG Information Protection’s innovation program, spanning Identity and Access Management, Security and Technology Assessment, Business and Technology Resiliency, Information Privacy, Security Strategy and Governance, and Security and IT GRC.
Gavin has led projects including IT transformation, access governance and identity management strategy, virtualization strategy, vulnerability assessment, penetration testing, governance framework alignment, GRC deployment, and compliance management program development.
Gavin previously led the Security and Technology Assessment and IT-GRC Centers of Enablement, and has delivered services across many industries.
Company Profiles
LyondellBasell participates in the entire petrochemical value chain, from refining to specialized petrochemical product end uses. We are the largest producer of polypropylene and polypropylene compounds; a leading producer of propylene oxide, polyethylene, ethylene and propylene; a global leader in polyolefins technology; and a producer of refined products, including biofuels. Additionally, LyondellBasell is a leading provider of technology licenses and a supplier of catalysts for polyolefin production.
We are geographically diverse with an extensive global manufacturing, supply, technical and commercial infrastructure. We market and sell our products in more than 100 countries. As economies around the globe develop, the demand for our products continues to grow.
KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative ("KPMG International"). KPMG International’s member firms have 145,000 professionals, including more than 8,000 partners, in 152 countries.
KPMG’s Information Protection and Business Resiliency (IPBR) consists of over 800 dedicated professionals from network member firms around the world, focused on security, privacy, and continuity. IPBR’s service network has over 200 trained and certified Archer resources and has completed over 100 Archer projects for some of the largest companies in the world.
Materials presented remain the intellectual property of the company presenting them.
GRC Technology Landscape …more than one GRC?
[Figure: three-layer GRC pyramid (Strategic / Tactical / Operational); the text recovered from the figure follows.]
Strategic – Supports enterprise assurance by providing executive monitoring capabilities in the form of dashboards and macro-level analysis.
Tactical – Supports GRC management by providing a repository for documenting business processes, policies, risks and control objectives. Control assessments and remediation management are automated through workflows and approvals. Reports provide information on risk and compliance management.
Operational – Supports the GRC operational model by providing capabilities in the areas of:
– Configurable controls monitoring
– Access controls / SOD analysis
– Automation of access authorization
– Periodic attestation of system privileges
– Transaction analysis
Archer integration features shown in the figure: Archer Data Feed Manager, Archer API, Archer Data Publication Manager.
Operational-layer products shown in the figure: SAP, BlackLine, Oversight Systems, Approva, Trintech.
Integrating SAP GRC and Archer …complementary technologies
Why SAP GRC? SAP GRC provides clear benefit to organizations leveraging the SAP ERP package, specifically:
– Firefighter access management
– Segregation of duties analysis
– Real-time access monitoring and enforcement
How does this fit the GRC Technology Model? These functions exist at the “Operational” layer of the GRC pyramid: enforcing and analyzing risk in business processes through the enabling applications.
Why Archer? Archer enables broader enterprise GRC via a unified library of risks and controls and, through its customization capabilities, aligns process automation closely with business processes for risk assessment and compliance management throughout a global enterprise.
Bringing together SAP GRC’s ability to analyze the activities and access models inside SAP ERP with Archer’s ability to gather multiple enterprise data sets and unify them under a common library of controls means:
– Reduced cost of compliance
– Increased risk transparency
Integrating SAP GRC and Archer Continued
Integration Objectives
– Assimilate SAP GRC findings/issues into Archer and link them to risks, to move the needle on the risk profile
– Integrate Automated Controls Monitoring results from SAP GRC and report on overall compliance
Achieving Integration: Archer’s integration features make it possible to bring SAP GRC data into Archer
– Utilize Data Imports for a one-time upload of SAP GRC data such as processes, sub-processes, controls and risks
– Utilize Data Feed Manager for periodic updates of SAP GRC findings and automated test results into Archer
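The two steps above imply a small transformation job between the two products: findings exported from SAP GRC Process Control have to arrive in Archer carrying a stable key (so each periodic feed run updates the existing finding rather than creating a duplicate) and a reference to a control that the one-time import already created (so the finding can be linked to its risk). The script below is an added example, not code from the presentation or from LyondellBasell, KPMG or RSA. The SAP export columns, the Archer-side field names, the status and priority mappings, the control index and the sample export are all assumptions made for illustration; the real names come from each application’s configuration.

```python
"""Build a periodic Archer data-feed file from an SAP GRC Process Control issue export.

Added example. Every column name on both sides, the STATUS/PRIORITY mappings,
the control index and the sample export are assumptions, not the real
SAP GRC or Archer schemas.
"""
import csv
import io

# Constructed SAP GRC PC issue export (not real data). One row per issue.
SAP_ISSUE_EXPORT = """\
ISSUE_ID,CONTROL_ID,SUBPROCESS,STATUS,PRIORITY,DESCRIPTION,LAST_CHANGED
ISS-1001,CTRL-OTC-04,Order to Cash,OPEN,HIGH,SoD conflict: create vendor and post payment,2012-06-01
ISS-1002,CTRL-P2P-11,Procure to Pay,IN_REMEDIATION,MEDIUM,Firefighter log review overdue,2012-06-02
ISS-1003,CTRL-P2P-11,Procure to Pay,CLOSED,LOW,Duplicate invoice check disabled,2012-05-20
ISS-1004,CTRL-R2R-99,Record to Report,OPEN,HIGH,Automated test failed: period lock,2012-06-03
"""

# Controls already loaded into Archer by the one-time Data Import.
# Maps the SAP control ID to the Archer record it became (assumed keys/IDs).
ARCHER_CONTROL_INDEX = {"CTRL-OTC-04": 501, "CTRL-P2P-11": 502}

# Assumed value mappings between the two products' vocabularies.
STATUS_MAP = {"OPEN": "Open", "IN_REMEDIATION": "In Progress", "CLOSED": "Closed"}
PRIORITY_MAP = {"HIGH": "High", "MEDIUM": "Medium", "LOW": "Low"}

# Assumed column layout of the feed file Archer's Data Feed Manager will read.
FEED_FIELDS = ["Finding_Key", "Action", "Control_Ref", "Status", "Priority",
               "Description", "Source_Last_Changed"]


def parse_sap_issues(text):
    """Parse the SAP PC issue export (CSV text) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_feed(issues, control_index, known_issue_ids=frozenset()):
    """Return (rows, orphans).

    rows:    feed records; 'Finding_Key' is the SAP issue ID, reused on every
             run so the feed updates an existing Archer finding instead of
             duplicating it. 'Action' is 'Update' when Archer already holds the
             key (known_issue_ids) and 'Create' otherwise.
    orphans: issue IDs whose control was never imported into Archer; they are
             held back because they could not be linked to a control or risk.
    """
    rows, orphans = [], []
    for iss in issues:
        control_ref = control_index.get(iss["CONTROL_ID"])
        if control_ref is None:
            orphans.append(iss["ISSUE_ID"])
            continue
        rows.append({
            "Finding_Key": iss["ISSUE_ID"],
            "Action": "Update" if iss["ISSUE_ID"] in known_issue_ids else "Create",
            "Control_Ref": control_ref,
            "Status": STATUS_MAP.get(iss["STATUS"], "Unknown"),
            "Priority": PRIORITY_MAP.get(iss["PRIORITY"], "Unknown"),
            "Description": iss["DESCRIPTION"],
            "Source_Last_Changed": iss["LAST_CHANGED"],
        })
    return rows, orphans


def write_feed(rows):
    """Serialize feed rows as CSV text with a fixed header, ready for pickup."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FEED_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    issues = parse_sap_issues(SAP_ISSUE_EXPORT)
    # Pretend ISS-1002 was delivered by an earlier run, so this run updates it.
    rows, orphans = build_feed(issues, ARCHER_CONTROL_INDEX, known_issue_ids={"ISS-1002"})
    print(write_feed(rows))
    print("held back (control not in Archer):", orphans)
```

The orphan list is the check worth keeping in a real job: a finding whose control was never imported would land in Archer unlinked and silently drop out of the risk roll-up the integration exists to feed, so the job should report it rather than load it.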
Archer as a Complementary eGRC
[Figure: the GRC pyramid (Strategic / Tactical / Operational, with CCM at the operational base) populated with LyondellBasell’s Archer and SAP GRC components; the text recovered from the figure follows.]
Archer eGRC modules shown:
– Archer Threat Management
– Business Continuity Management (Disaster Recovery)
– Vendor Management (Contract Management)
– Incident Management
– Audit Management
– Policy Management
– Risk Management
– Compliance / Enterprise Management
– Workflow Automation for Remediation
Automated compliance monitoring (CCM) components shown:
– Automated Monitoring for non-SAP (e.g. Microsoft, Qualys, and point solutions)
– SAP GRC SOD & Access Controls (currently owned & being implemented)
– SAP Continuous Control Monitoring
– SAP Process Controls
SAP-side labels shown: Policy Management, Risk Management, Compliance Management; Additional Capability: SAP Access Controls Risk Management Modules (maturing products).
Integrating SAP GRC and Archer Continued
[Figure: Integration Architecture between SAP GRC PC and Archer; the text recovered from the figure follows.]
SAP GRC Process Control:
– Control Documentation: Org Structure, Processes, Sub Processes, Controls, Risks, Account Groups
– Evaluation: Assessment, Effectiveness Testing, Automated Controls Monitoring
– Issue Management: Issue Remediation
Archer Data Integration Services (the link between the two products)
Archer eGRC: Enterprise Management, Compliance Management, Risk Management, Issue Management
LyondellBasell’s Roadmap to Integration
Tool Procurement and Initial Configuration (Q4 2011)
Archer Enterprise Mgmt
- Product governance established / admin training
Archer Compliance Mgmt
- IT GRC
- Enterprise SOX
Rollout & Deployment (Q3 2012)
Archer Compliance Mgmt
- User tools training & rollout
Archer Risk Mgmt
- General rollout and IT GRC risk mgmt. to align with ISO 27001
Archer Policy Mgmt
- IT GRC policy / standards refresh to align with ISO 27001
Archer Audit Management
- Integrated Internal Audit and IT Audit management platform
Extension Opportunities (Q4 2012 and beyond)
Archer Policy Mgmt
- Enterprise policy management
Archer Incident Mgmt
- IT GRC CSIRT process
Archer Vendor Mgmt
- IT GRC vendor assessments
- Enterprise procurement mgmt
Archer BCP Mgmt
- Enterprise BCP mgmt
Adoption Strategy
Archer capabilities
Compliance Management – Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
Policy Management – Centrally manage policies, map them to control objectives and guidelines, and promote awareness to support a culture of corporate governance.
Enterprise Management – Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.
Risk Management – Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation/acceptance.
LYB objectives: build the foundation…
– SOX compliance
– Create control repository
– Enhance policies and control frameworks
– IT GCC testing
– Map compliance activities and controls to enterprise assets
– Establish risk and control relationships
– Repository for ERM activities
Sharing ownership, building trust …engage the business as an equal partner
Share ownership with business partners early in the adoption process
– Show clarity of strategic, tactical, and operational component roles
– Partner with industry experts to understand their requirements and show relevant opportunities
Be wary of module-specific (“Archer solution”) silo discussions
– The answer to the business problem could cross solutions… and the business really doesn’t care.
Develop an adoption strategy that allows incremental investment
– Give the business time to see success and value in a complementary technology model
– Incremental adoptions increase the probability of success
Questions?
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.