SAP GRC
-
Upload
harsh-jain -
Category
Documents
-
view
32 -
download
6
description
Transcript of SAP GRC
• GRC Introduction - day1
• Access Controls 5.x and 10.0 - day1
• Access Risk Analysis - day2
• Emergency Access Management - day2
• Access Request Management - day3
• Business Role Management - day3
• AC 10 implementation process and Sample Project - day4
• Rule set and SoD analysis -day5
• GRC assessments- day5
GRC – Governance Risk & Compliance
GRC Categories and Vendors
Category Business View Representative Vendors
Finance Management GRC Management, workflow, Documentation and reporting associated with financial controls
Axentis, Certus, IBM, Movaris,OpenPages, Oracle, PaisleyConsulting, Qumas, SAP
Audit Management
Internal audit work papers, task management and workflow
PricewaterhouseCoopers, PaisleyConsulting
Audit Data Extraction andAnalysis
Tools for extracting data frombusiness applications and running ad hoc analysis or template queries
ACL, IDEA (Case Ware)
Segregation of Duties Ensuring that personnel do nothave access to data in a way thatcreates the potential for fraud
Approva, Oversight Systems,Virsa Systems (SAP)
Business Rule Management Monitoring transactional data in accordance with business rules established as controls 170 Systems, Infogix,
web Method
Sarbanes–Oxley Section 404: Assessment of internal controlThe most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICOFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
SAP GRC• Access risk management (AC) – Confidently manage and reduce access risk across the enterprise with a single solution to manage a centralized strategy for governance, risk, and compliance.• Enterprise GRC (PC & RM) – Automate risk management, compliance, and monitoring activities and minimize the associated cost and effort required.•Global trade services (GTS) – Minimize global trade violations with a single, integrated platform to meet complex and ever-changing global trade compliance requirements.• Environment, health, and safety management – Empower your organization to address regulatory compliance; integrate the management of operational risks related to environment, health, and safety; and address corporate sustainability initiatives.• Sustainability performance management (SuPM) – Help your organization track and communicate sustainability performance, set goals and objectives, manage risks, and monitor activities.
Access Controls – Manage Access & AuthorizationsSAP Governance, Risk, and Compliance (GRC) Access Control provides end-to-endautomation for documenting, detecting, remediating, mitigating, and preventing access andauthorization risk enterprise wide, resulting in proper segregation of duties, lower costs,reduced risk, and better business performance.
Access Control includes the following capabilities:
• Access Risk Analysis, which supports real-time compliance to detect, remove, and prevent access and authorization risks by preventing security and control violations before they occur.• Access Request Management, which automates provisioning, tests for segregation of duties (SoD) risks, and streamlines approvals by the appropriate business approvers to unburden IT staff and provide a complete history of user access.• Business Role Management, which standardizes and centralizes role creation and maintenance.• Emergency Access Management, which enables users to perform emergency activities outside their roles as privileged users in a controlled and auditable environment.
End-To-End Compliance with SAP GRC Access Controls
Architecture – GRC 10
*Crystal Reports Adapter and Active Component Framework – needed for viewing GRC Crystal Reports
SAP NetWeaverAS ABAP 7.02
AC, PC & RM(Software Component: GRCFND_A)
SAP GRC 10.0
GTS(Software Component:
SLL-LEG)
Nota Fiscal Eletronica(Software Component: SLL-NFE)
Content Lifecycle Management (CLM)
SAP ERP (4.6C – 7.1)
Non-SAP Business ApplicationsAdapter
NW Function Modules(Plug-in: GRCPINW)
HR Function ModulesPC Automated Cntrls
(Plug-in: GRCPIERP) GTS Plug-in
(Plug-in: SLL-PI)
SAP NW Portal 7.01
GRC Portal Content
SAP NW BW 7.02BI Content 7.06GRC BW Content
Identity Management Solutions
(SAP or Non-SAP)
optional
optional
optional
http
RFC
webservices
RFC
optional
SAP GUI7.10
Web Browser
Front End Client
Adobe Flash Player
RFC
RFC
DIAGhttp
CRA*
RFCSAP NetWeaver 7.02Search/Classification
GRC Search
recommended for GTS/SPL
SAP NW Java 7.01Adobe Document
Services
required for RM and GTS
SAP Net Weaver PI Nota Fiscal Content
Required for Nota Fiscal E.
optional
AC 5.3 Dashboard
AC 10 Dash board
SPRO Settings
Common Settings • User Roles• BC Sets• AC Parameters• Connector and Connector Settings• Plug-in CustomizingComponents Configuration• ARA • EAM • ARM• BRM
Configuration
AC Roles• Admin Users: SAP_GRAC_SETUP, SAP_GRAC_RULE_SETUP
• Risk Analysis: SAP_GRAC_RISK_ANALYSIS, SAP_GRAC_RISK_OWNER,
• MSMP: SAP_GRC_MSMP_WF_ADMIN_ALL ,SAP_GRC_MSMP_CONFIG_ALL
• Role Mgt: SAP_GRAC_ROLE_MGMT_ADMIN, SAP_GRAC_ROLE_MGMT_DESIGNER
•Super User Admin: SAP_GRAC_SUPER_USER_MGMT_ADMIN,
SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_SUPER_USER_MGMT_CNTLR
• End Users: SAP_GRAC_NWBC , SAP_GRAC_BASE.
• Access Request Roles: SAP_GRAC_ACCESS_REQUESTER, SAP_GRAC_ACCESS_APPROVER,
SAP_GRAC_ACCESS_REQUEST_ADMIN
BC SetsThe following are the BC Sets need to be activated for Access Control to work by default
•GRAC_RA_RULESET_COMMONand respective back-end rule-set(s) e.g. GRAC_RA_RULESET_SAP_R3 for R/3•GRAC_ACCESS_REQUEST_REQ_TYPE•GRAC_ACCESS_REQUEST_EUP•GRAC_ACCESS_REQUEST_APPL_MAPPING•GRAC_ACCESS_REQUEST_PRIORITY•GRAC_ROLE_MGMT_SENTIVITY•GRAC_ROLE_MGMT_METHODOLOGY•GRAC_ROLE_MGMT_ROLE_STATUS•GRAC_ROLE_MGMT_PRE_REQ_TYPE•GRAC_SPM_CRITICALITY_LEVEL•GRC_MSMP_CONFIGURATION
Connectors
Integration Framework settings include:
• Create Connectors
• Maintain Connectors and Connection Types
• Maintain Connection Settings
• Maintain Service Providers and Consumer Proxies in SOA Manager
• Event-Based Monitoring
Configuration Parameters - 1
Configuration Parameters - 2
• Plug-in Connector (pointing to the ERP itself)
• GRC connector (pointing to the AC server & client, logical name)
• Rule set (what Rule set to use in AC)
• HR Triggers Activation
• The Risk Terminator settings
Plug-in Settings
Access Risk Analysis• Ruleset setup
• Mitigation Controls Setup
• Repository Sync
• User/ Roles/ Profiles Sync
• Authorization Sync
• Batch Risk Analysis
• Reviewing risk analysis reports
• Performing user/ role/ profile level analysis
• User/ role Simulation
Emergency Access Management
• FFID Creation
• FFID Owners
• FFID Controllers
• Reason Codes creation
• Firefighter assignment
• FFID activity log sync
• Using EAM -GRAC_SPM/ GRAC_EAM
Access Request Management
• Number ranges creation
• Request Type configuration
• Provisioning Settings
• BRF+ rule creation
• MSMP configuration
• Process ID
• Maintaining rules
• Maintaining agents
• Notification settings
• Path creation
• Routing setup
• Activation
• Access request creation/ review/ approval
Business Role Management• Role attributes creation
• Naming conventions
• BRF rules for methodology and role approvers
• Methodology setup
• Organization creation
• Condition groups
• Role Creation/ review and approval
• Mass Role Maintenance
• Role import
• Mass role derivation