Profiling for SAP - Compliance Management, Access Control and Segregation of Duties

PowerPoint presentation by TransWare (32 slides). Presentation transcript:
Profiling for SAP® Compliance Management: Access Control and Segregation of Duties

Understand, Optimize and Control your Business and IT

Understand, Optimize, Control


Agenda

1. Profiling for SAP supporting Security Compliance for SAP®

2. Access Management and Segregation of Duties

3. Optimization of Authorizations

4. Project Support for SAP Blueprints

5. Profiling for SAP® Application


Profiling for SAP for Compliance and Access Control

“Profiling your SAP® Solution delivers our Clients all needed insights to understand, optimize and control their Business and complex SAP® Landscapes.”

Heinz-Jürgen Scherer, CEO TransWare AG


Profiling for SAP® featuring SAP Compliance Management

Technical, Functional and Processual Analysis and Optimization of SAP

TransWare’s reengineering and optimization solution for SAP® performs compliance and performance assessment and process analysis on any SAP® system or SAP® Industry Solution. It highlights process risks in a system review and leads to shorter project times with corresponding cost reduction.

The solution reveals the quality of the implementation by analyzing transaction logs, document types, user authorizations with roles and profiles, SAP® HR info types, SAP® customizing and object modifications, and other configuration items.

It shows the overall picture of customizing and utilization of the current SAP® system with business-related KPIs.

Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users can be counterchecked against the real usage of SAP®. Results can be reported per job role, so you know what each role entails in terms of process activities, SAP® business blueprint process steps, SAP® roles and transactions.


Profiling for SAP® smartly supports the Transition Phase from As-Is into an optimized SAP® Landscape

[Diagram: As-Is Landscape, To-Be Transition, Optimized Landscape, supported by Run SAP, Process IT Support and the ASAP Project Methodology. Three layers: Business Reengineering (Understand), Process Management (Optimize) and Compliance Management (Control) with Access Control and Segregation of Duty, built on Technical Analysis, Processual Analysis and Functional Analysis.]

Profiling for SAP® Compliance Management is based on the technical, functional and processual analysis tool components.


Access Management and Segregation of Duties

Introduction of a cost-efficient compliance management


Increased Focus on Security and Control

  • Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...)

  • Security breaches (UCs, BC, Stanford, ...)

  • Regulatory Compliance

    • Sarbanes-Oxley (SOX, EuroSOX)

    • Family Educational Rights and Privacy Act (FERPA)

    • Federal Information Security Management Act of 2002 (FISMA)

    • Gramm-Leach-Bliley Act (GLBA)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • Joint Commission (TJC)


Security Risks, Security Compliance and Internal Controls

  • Access Control

    • Do some users have too much access?

    • Are there sufficient access restrictions on private information?

  • Control for Segregation of Duties (SoD)

    • Every time a user is added, ensure their rights do not conflict with the SoD risk rules

    • When a user's profile is amended, the change must not cause any SoD conflict

    • Review the company's SoD requirements on a periodic basis

Are there any SoD violations?

Who has access to sensitive transactions?

“Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives.” (From MIT’s Guidelines For Financial Review and Control)


Profiling for SAP® Compliance Management

A Software Solution for SAP Project and Compliance Process Support

  • Reduces time and effort when providing ongoing information to internal and external auditors

  • Remove access or assign mitigating controls

  • Used during implementation of new SAP modules and processes or when optimizing SAP systems

  • Monitoring of transaction and data access by an SAP background job for 24/7 security and compliance control

  • Optionally runs on a central SAP Solution Manager to manage complex SAP landscapes as a non-invasive solution

  • Web-based BI solution built on a Business Warehouse for Compliance Management


Profiling for SAP® Compliance Application

A solution for compliance management based on standard software

Profiling is a configurable custom application with integration into SAP that ensures all users’ authorizations comply with the company’s compliance rules.

  • Useful during all phases of the deployment lifecycle

    • Design – Identify roles, build composite roles based upon team requirements

    • Implementation – Test and verify SoD compliance of roles

    • Production – Ensure compliance of existing users and roles

  • Tight integration within SAP to manage complex SAP landscapes and to leverage SAP standards

  • Applicable to SAP’s ERP, CRM, SCM and other ECC-based products

  • Web-based product; non-invasive, with nothing deployed on SAP production systems


Set of Risk Rules based on SoD conflicts and critical actions

Risk Rule Set

  • Set of risk rules for different business domains like FI-GL, MM, SAP Basis, CRM etc.

  • Define SoD rules and critical actions and add standard or custom transactions to the rule set

  • Define rules on the functional, transactional or (most detailed) authorization-object level

  • Define critical rules with high financial risks or potential security risks

  • Modify the predefined configuration, which ships with a set of rules for SoD best practice

[Diagram: the rule set consists of SoD rules and critical actions; each rule references functions, each function groups transactions, and each transaction is backed by authorization objects.]


Procedure for the Definition of SoD Risk Rules on a Functional Level

  • 1. Define SoD Functions (logical groups of tasks)

    • Example:

      • Function A – Process Sales Order

      • Function B – Maintain credit master data

  • 2. Assign Transactions to the SoD Functions

    • Example:

      • Function A – V-01, VA01, VA02, …

      • Function B – FD24, FD32, FD37, …

  • 3. Define and Characterize the SoD Functions with Risk Rules

    • Define a conflict: Function A & Group B

    • Characterize the conflict with financial risk indicators: High, Medium, Low

    • Exclude rules from the predefined configuration as N/A for your organization, with a description

Steps: Define Functions, Assign Transactions, Define Conflicts and Risks



SoD Conflict Matrix (Functional Level)

[Screenshot of the SoD conflict matrix]



Generated Excel Report of the SoD Conflict Matrix (Functional Level)

X = Financial Risk Exists, M = Medium Risk, H = High Risk


Critical Transactions and Assigned Risks (Functional Level)

[Screenshot of the critical transactions report]


Benefits

  • Using the same kind of tools used by chartered accountants reduces service costs for external audit and advisory

  • Reduced project effort, with SoD-compliant authorizations established from the start

  • Fully automated SoD analysis reduces the TCO of the ongoing security control process

  • Auditors and IT security staff work on the functional level even for complex authorization scenarios

  • Avoids manual analysis and false-positive assessments

  • Flexible configuration includes custom “Z” transactions or external applications like portals using BAPI or direct RFC calls

  • Easy identification of users with access to sensitive data by internal security teams lowers the cost of the compliance process


Optimization of Authorizations

Slimline authorization management of complex SAP® landscapes


Profiling for SAP® and SAP® Authorizations

  • Profiling for SAP combines information from different data sources, such as SAP usage, user authorizations and SoD configuration, with BI-based reporting for a comprehensive security analysis.

  • Actions are subject to authorization checks that are performed before the start of a program or table maintenance and are mandatory for SAP applications:

    • Starting SAP transactions (authorization object S_TCODE)

    • Starting reports (authorization object S_PROGRAM)

    • Calling RFC function modules (authorization object S_RFC)

    • Table maintenance with generic tools (authorization object S_TABU_DIS)


Slimline your SAP® Authorization Management

  • Identify needless access rights by SAP modules, accounts, transactions, …

  • Optimize your custom roles by identifying critical roles and access overlap

  • Set up segregation of duties by best practice and company compliance

Example report: assigned role not relevant for execution of the custom “Y” transaction YXPROC


Benefits

  • Efficiently establishes a trade-off between business requirements and company compliance

  • Substantial reduction of project effort in company compliance initiatives

  • Simplified access to complex SAP data for company auditors reduces the cost of the compliance process

  • Uniform use of tools by chartered accountants reduces external audit and advisory service costs

  • Handles complex SAP landscapes with automatic data retrieval and cross-SAP-system analytics

  • Automatic monitoring of changes to user authorizations driven by organizational requirements lowers the cost of audits and security control


Project Support for SAP Blueprints

Being compliant from the beginning


Blueprinting with ASAP and SAP Solution Manager

SAP® Solution Manager (SSM) is the SAP® tool that supports the plan, build and run aspects of ERP solutions based on SAP® NetWeaver and covers all needs for ITIL-compliant application lifecycle management (ALM).

SAP® describes ALM through the Run SAP® operational support methodology and the Accelerated SAP® (ASAP) project methodology. SSM serves as an interface between technology and business processes.

For SAP solution development such as upgrades or implementations, the SAP solution is consistently documented in SSM by the Blueprint, which describes the business processes and the resulting system configuration.

An important part of SAP solution development is the configuration of organizational structures and of optimized business and security compliance requirements.

Profiling for SAP® supports this aspect of SAP ALM to lower development and maintenance costs and to improve process and compliance quality.


SAP Blueprint Procedure for Compliant Authorizations

Support for the ASAP methodology and SAP Solution Manager projects

  • Define your functional task groups in SAP Solution Manager as Jobs or Org.-Units as End-User-Roles

  • Set up the Blueprint process structure using Business Process Management methodology, including organizational assignments to End-User-Roles

  • Assign transactions manually or use predefined reference models with T-codes assigned, such as the SAP Business Process Repository (BPR)

  • Run reports to analyze organizational access requirements

  • Automatically identify the right standard SAP roles or profiles (where supported)

  • Customize roles (PFCG) and assign users

  • Run analytic reports for SoD compliance and risk control

Steps: Define Blueprint, Analyze Access Requirements, Define Roles and User Access


SAP Solution Manager for SAP Blueprints

Optimized user authorizations from project start-up

[Screenshot: SAP Blueprint with master data, Org.-Unit data, scenarios, processes, process steps, transactions and documentation. End-User-Roles are assigned to process steps, master data or organizational-unit data; process steps carry their assigned transactions.]


SAP Solution Manager for SAP Blueprints

Export the Blueprint structure for analytic reporting

[Screenshot: cross-reference between objects (T-codes, forms, reports etc.) and End-User-Roles; SAP Blueprint structure (SAP project) with assigned users, jobs and Org.-Units.]


Benefits

  • Support for SAP Solution Manager improves the SAP Blueprint business process definition in terms of compliance and risk management

  • Synchronize organizational structures, functional access requirements, business processes and access control for slimline, fine-tuned and fully SoD-compliant SAP authorizations

  • Leverage SAP tools, methodologies and best practice through tight SAP integration with a BI-based solution that reduces SAP® project planning and implementation effort

  • Reduce SAP maintenance effort through consistent business process and security control documentation

  • Ensure compliance through SAP improvements like ERP Enhancement Packages and organizational changes

  • Define authorizations on the functional level and support the setup of technical roles and profiles


Profiling for SAP Application

Standard application with tight SAP® integration, high automation and flexible configuration


SoD Analysis and the Process for Compliance

[Process diagram with three stages and their components]

1. Extract (Profiler)

  • Authorizations

  • Usage (Transactions, Reports, RFC Calls)

2. Define (Analyzer with a predefined set of Risk Rules)

  • Define Risk Rules

  • Critical activity groups

  • Activities conflict matrix

3. Analyze (BI DB, Reports, Dashboards)

  • Auditors, IT Security

  • Analytic reports and dashboards

  • Conflicts and potential conflicts of Accounts and/or Roles, Profiles


Profiling for SAP Product Components

  • Profiling for SAP application customizing for SoD (configuration)

    • Definition of task groups: specifies a set of tasks with identifiers

    • Assignment of critical transactions to task groups

    • Risk rules combining task groups with financial risk values

    • Includes best practice for configuration settings

  • Analytic reports (examples)

    • Charts plotting risks and SoD issues per e.g. SAP module

    • Role Compliance Check: identifies roles that have SoD conflicts based upon the underlying transactions

    • User Compliance Check: identifies SoD conflicts in a user’s profile

  • SAP Solution Manager integration (optional)


Solutions by TransWare

TransWare Software Solutions AG
Fritz-Wunderlich-Str. 49
66869 Kusel
Germany

Phone: +49-(0)6381-916-0
Email: [email protected]
Web: www.transware.de

All product, service and company names mentioned herein are for identification purposes only and may be trademarks or registered trademarks of their respective owners.