SlideShare una empresa de Scribd logo

081712 isaca-atl-auditing sap-grc

H
hkodali
TecnologíaEmpresariales
1 de 45
Descargar para leer sin conexión
Auditing SAP GRCAuditing SAP GRC ISACA-August 17, 2012 11
IntroductionsIntroductions Sean Campbell Sean Campbell is an IT Auditor at The Coca-Cola Company. His experience has focused primarily around IT compliance and SAP security. Prior to joining Coca-Cola, Sean was an IT Auditor with KPMG and Fiserv where he led SAP audits and gained experience in financial services. Sean holds a Bachelor’s Degree in Management Information Systems and a MBA, both from the University of Georgia. Sean also holds a CISA certification. Jay Gohil Jay Gohil is an IT Auditor at The Coca-Cola Company. His experience has focused primarily around IT compliance and SAP security. Prior to joining Coca-Cola, Jay was a consultant with Protiviti where he led several projects integrating the SAP GRC Access Controls Suite and assisted with segregation of duties analysis, user access design, and remediation of SAP security issues. Jay holds a Bachelor’s Degree in Computer Engineering and a Master’s Degree in Decision and Information Sciences, both from the University of Florida. Jay also holds a CISA certification. 22
The Coca-Cola Company - IntroductionThe Coca-Cola Company - Introduction ● ~46+ billion in sales ● 200+ countries where our beverages are sold ● 500+ brands of the Coca-Cola Company - 15 billion dollar brands ● 3,300+ - different beverages ● 1.7+ billion servings per day ● With bottling partners, Coke ranks top 10 in private employers worldwide with more than 700,000 system employees (About 145,000 work for The Coca-Cola Company) 33
The Coca-Cola Company - WorldwideThe Coca-Cola Company - Worldwide 44
SAP @ The Coca-Cola CompanySAP @ The Coca-Cola Company ● Coke has three large instances based on business need and mergers (Global, CCR, BIG) - Many smaller instances run at bottler locations ● Multiple landscapes established for different business processes (i.e. Primary-FiLo, HR, BW, etc.) ● Largest landscapes have ~20,000 users 55
OverviewOverview ● SAP Security Overview - SAP Authorization Concept - Common Issues ● SAP GRC Overview - Modules - Risk and Function Overview - SAP Security Issues Addressed ● Auditing SAP GRC - Governance - Security - Configuration - Change Management 66
SAP Security Overview 77
SAP Security – Authorization Concept: OverviewSAP Security – Authorization Concept: Overview 88
SAP Security – Authorization Concept: ContinuedSAP Security – Authorization Concept: Continued ● When a user logs onto SAP all the authorization objects and fields that have been assigned to them through roles and profiles are loaded into their “user master” record ● When a user attempts to execute an action in SAP the authorization objects and fields from the user master are checked programmatically ● Within the fields of the authorization objects a user can be restricted to: - Display vs. Maintain - Specific items classified by company codes (or many other groupings) - Many other restrictions based on individual objects 99
SAP Security – Authorization Concept: Common IssuesSAP Security – Authorization Concept: Common Issues ● Inheritance - Unintended access given to users due to unknown combinations of authorization objects through various roles ● Broad Access Designed in Roles - Ranges or wildcards assigned in authorization objects allows users access to functions for which they were not authorized ● Assignment of Roles with Broad Access - To grant a user access to a specific T-Code a SAP Security employee may assign a role that grants the user excessive access 1010
SAP Security – Authorization Concept: Common IssuesSAP Security – Authorization Concept: Common Issues ● Segregation of Duties and Sensitive Access - Users could be given access that would result in segregation of duties risks or have access to powerful business or IT functions without authorization ● No Visibility into Potential Issues - No visibility into who has SoD conflicts or even sensitive access without a considerable manual data pull and analysis ● No Prevention of New Problems - No way to truly prevent assignment of roles that create inheritance issues or create SOD risks 1111
1212 SAP GRC Overview
SAP GRC - HistorySAP GRC - History Virsa Systems SAP GRC Access Control 5.3 SAP GRC Access Control 10.0 Firefighter Compliance Calibrator Access Enforcer Role Architect Superuser Privilege Management Risk Analysis & Remediation Compliant User Provisioning Enterprise Role Management Emergency Access Management Access Risk Analysis Access Request Management Business Role Management Version 10: •Customizing moved into SAP Reference IMG (SPRO) •Centralized firefighter usage and workflow • Provides auditable process for tracking log review approvals •All components are now ABAP based •Improved risk analysis interface, allows filtering and sorting 1313
SAP GRC - ModulesSAP GRC - Modules Access Risk Analysis (ARA)* •Real-time & centralized SOD/sensitive access reporting and monitoring •Ruleset management •User Access Simulation •Mitigating Controls Emergency Access Management (EAM)* •“Firefighter” •Temporary elevated access •Track transaction code usage and changes •Audit logs, email alerts Access Request Management •Workflow •User Provisioning Business Role Management •Role documentation repository *Addressed in Auditing SAP GRC Section 1414
SAP GRC - Functionality & TerminologySAP GRC - Functionality & Terminology ● Risks - SOD Risks – Critical combination of 2 or more specific activities - Sensitive Access Risk – A risk that a user has access to a specific functional area ● Ruleset Concept - Rulesets are a grouping of risks - Risks are made up of function groups - Function groups are made up of multiple t-codes and/or objects ● Firefighter - Addresses segregation of duties concerns by providing temporary elevated access that is controlled and monitored 1515
SAP GRC – SOD vs. Sensitive Access RiskSAP GRC – SOD vs. Sensitive Access Risk Segregation of Duties Certain separate business processes and functions in The Coca-Cola Company, if executed by a single user, would present an unacceptable risk to the integrity of the Company’s processes, and could expose the Company to fraud risk. Therefore, incompatible duties of this type must be segregated and monitored. 1616 Manage Goods Receipt Process Payments Sensitive Access Certain transactions or activities in The Coca- Cola Company are regarded as “sensitive” due to the following: 1)The transaction allows access to confidential information 2)The transaction should only be executed by select user(s) who are highly experienced and knowledgeable around the use of the transaction 3) The transaction, if executed inappropriately, would cause a significant (negative) impact to operations. Maintain Customer Master Data Risk? May result in fictitious and fraudulent invoices Risk? Inappropriate access to sensitive master data transactions
SAP GRC - How a Ruleset Breaks DownSAP GRC - How a Ruleset Breaks Down 1717 The Coca-Cola Company Rule Set Maintain Purchase Orders Vs. Manage Goods Receipt MIGO – Goods Movement ME21N – Create Purchase Order Manage Goods ReceiptMaintain Purchase Orders ME22N – Change Purchase Order MB01 – Post Goods Receipt on PO Create PO for company codes Create PO for purchasing area Create GR for company code Create GR for purchasing area Rule Set Risk Functions Actions Permissions
SAP GRC - User InterfaceSAP GRC - User Interface 1818
SAP GRC - User InterfaceSAP GRC - User Interface 1919
SAP GRC - Risk Areas of SAP Security AddressedSAP GRC - Risk Areas of SAP Security Addressed Use of SAP GRC gives visibility into SOD issues, inheritance issues, and can prevent the assignment of roles that create issues ●Ability to validate that no violations of an SOD ruleset exist within single roles ●Identify and review sensitive access assigned to users ●Workflow can be implemented to require risk analysis to be completed prior to new role assignments (preventative control!) 2020
SAP GRC – Common IssuesSAP GRC – Common Issues ● Governance - Identifying and incorporating new functionality - Establishing ownership of risks, roles and controls ● Security - Limiting access to configure and make changes ● Configuration - Key parameters are configured appropriately - Changes are documented and monitored ● Change Management - Ruleset changes (risks and functions) are authorized & approved 2121
2222 Auditing SAP GRC Governance
Auditing SAP GRC - Governance of SAP GRCAuditing SAP GRC - Governance of SAP GRC ● Governance is important to the long term relevance of GRC - Incorporates changes in the environment - Establishes ownership and responsibility - Drives remediation decisions ● Key areas to consider for a governance team - Ownership (GRC Risks, SAP Roles, Mitigating Controls) - Risk Level of GRC Risks and Expectations - New Functionality 2323
Auditing SAP GRC – Governance: OwnershipAuditing SAP GRC – Governance: Ownership ● Who approves access? - Based on roles - Manager - GRC Risk - Who approves assigning a mitigating control ● Who defines the risk/function and approves changes? - What is included in a GRC risk/function (how is this determined) - What is the defined risk level 2424
Auditing SAP GRC – Governance: Risk LevelsAuditing SAP GRC – Governance: Risk Levels ● What does each risk level mean? - Are users allowed to access certain transactions at all? - What are the expectations for each risk level • # of violations • Remediation timeframe 2525
Auditing SAP GRC - Governance: New FunctionalityAuditing SAP GRC - Governance: New Functionality ● What is the process to identify new functionality added to the system? - T-Codes - New Modules - Custom & New Authorization Objects ● How are these analyzed and included (if needed) into a ruleset? 2626
Auditing SAP GRC – Governance: On Going ProcessesAuditing SAP GRC – Governance: On Going Processes ● Access Provisioning - Preventative SOD/sensitive access analysis - Appropriate approvals (role owner, manager) ● Periodic Access Reviews - Detective SOD/sensitive access analysis ● Mitigating Control Reviews - Review of users with sensitive access based on business need 2727
2828 Auditing SAP GRC Standard SAP Functionality
Auditing SAP GRC – ABAP SecurityAuditing SAP GRC – ABAP Security SAP GRC Version 10 runs on an ABAP landscape ●Reviewing Sensitive Access - User Management (SU01, PFCG, etc.) - Change Management (STMS, SCC4, etc.) - Configuration Management (SPRO, etc.) ●Other relevant high risk areas should also be reviewed during an audit of the SAP systems 2929
Auditing SAP GRC - Application Change ManagementAuditing SAP GRC - Application Change Management Similar to previous “ABAP Security” slide, typical change management testing procedures for a SAP audit would apply as changes are moved in via transports ●Utilize T-Code STMS (Import Overview > Import History) to identify the population of transports released into production during the period under review within each in-scope landscape ●As long as the client is locked, all configuration and risk/function changes must be transported ●Verify client lock status and history with T000 table 3030
3131 Auditing SAP GRC Audit Risk Analysis (ARA)
Auditing SAP GRC - Audit Risk Analysis (ARA) SecurityAuditing SAP GRC - Audit Risk Analysis (ARA) Security ARA is the web front end interface into SAP GRC ●Delivered Roles - SAP_GRAC_ALL (application administrator role) - SAP_GRAC_SETUP (access to setup and customize GRC AC) - SAP_GRAC_RULE_SETUP (define and update rules) ●Restrict access to the GRC Administrator 3232
Auditing SAP GRC – ARA ConfigurationAuditing SAP GRC – ARA Configuration Key Configuration Parameter Group Parameter ID Description Default Value Recommended Risk Analysis 1026 Default user type for risk analysis A 1028 Include Expired Users NO YES 1029 Include Locked Users NO YES 1030 Include Mitigated Users NO YES 1031 Ignore Critical Roles and Profiles YES 1032 Include Reference user when doing User Analysis YES 1033 Include Role/Profile Mitigating Controls YES • All configuration is done via transaction SPRO • Default values can be overridden! 3333
Auditing SAP GRC – ARA ConfigurationAuditing SAP GRC – ARA Configuration Other Key Configurations Parameter Group Parameter ID Description Default Value Change Log 1001 Enable Function Change Log YES 1002 Enable Risk Change Log YES 1003 Enable Organization Rule Log YES 1004 Enable Supplementary Rule Log YES 1005 Enable Critical Role Log YES 1006 Enable Critical Profile Log YES 1007 Enable Rule Set Change Log YES 3434
Auditing SAP GRC - ARA Configuration OverrideAuditing SAP GRC - ARA Configuration Override When was the last sync? 3535
Auditing SAP GRC - ARA Ruleset ChangesAuditing SAP GRC - ARA Ruleset Changes ● Ruleset Changes - Report: Reports and Analytics > Audit Reports > Change Log Report • Filter: By Function, Risk, Rule Set, Organization Rule • Filter: Changed On field based on testing period ● Changes should follow existing governance processes for authorization 3636
3737 Auditing SAP GRC Emergency Access Management (EAM)
Auditing SAP GRC - EAM SecurityAuditing SAP GRC - EAM Security EAM is Emergency Access Management module within SAP GRC. This is commonly referred to as firefighter. ●Delivered Roles - SAP_GRAC_SUPER_USER_MGMT_ADMIN (Administrator role) 3838
Auditing SAP GRC - EAM ConfigurationAuditing SAP GRC - EAM Configuration Key Configuration Parameter Group Parameter ID Description Default Value Reco mmen ded Emergency Access Management 4001 Default Firefighter Validity Period (Days) <blank> 365 4002 Send E-mail Immediately YES 4003 Retrieve Change Log YES 4004 Retrieve System Log YES 4005 Retrieve Audit Log YES 4006 Retrieve O/S Command Log YES 4007 Send Log Report Execution Notification Immediately YES 3939
Auditing SAP GRC - EAM Audit AreasAuditing SAP GRC - EAM Audit Areas Additional Review Items ●Analysis of Number of IDs, ID Owners, ID Controllers - Key Reports • Report: Setup > Superuser Assignment > Owners • Report: Setup > Superuser Assignment > Controllers • Report: Reports and Analytics > EAM Reports - Analytics: • Number of Unique Owners, Controllers • Superuser IDs With Same Owner and Controller • Number of Unique Superuser IDs Across All Systems/Clients • Top 5 Owners and Number of IDs Owned • Number of Logins Per Superuser ID • Time to Review Audit Logs • Number of Logs Per Controller 4040
4141 Common Audit Issues SAP GRC
Common Audit IssuesCommon Audit Issues ● Ruleset and Risk Changes - Ruleset changes need valid documentation (i.e. authorization trace) • KEY POINT: Removing an item (like an authorization object) will generally make the rule more broad increasing false positives - Risk changes need consent from governance committees • Impact reporting and mitigating controls ● Mitigating Controls (Do not address the SOD risk) - Release PO vs. Edit PO Mitigating Control • Bad Example: Disbursements are approved before being paid. This would not address the risk because the PO was approved/released! • Good Example: Disbursements are reviewed to ensure users that modified PO were not the only user to approve/release the PO. 4242
Common Audit Issues - ContinuedCommon Audit Issues - Continued ● Business Process Changes - Addressing functional SOD in business areas - Provisioning Access (single process, do not by-pass) - Remediation of conflicts • Periodic process or reliance on preventative controls? ● Configurations - Not configured to log all changes - Not reviewing locked users by default ● Firefighter - Excessive use - Excessive access - Broadly assigned 4343
4444 Questions?
Contact InformationContact Information Sean Campbell secampbell@coca-cola.com Jay Gohil jgohil@coca-cola.com 4545

Recomendados

Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 

Recomendados

Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
Iia los angeles sap security presentation
Iia los angeles sap security presentation Iia los angeles sap security presentation
Iia los angeles sap security presentation hkodali
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-qAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
Sap grc-access-control-solution
Sap grc-access-control-solutionSap grc-access-control-solution
Sap grc-access-control-solutionAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
SAP Risk Management
SAP Risk ManagementSAP Risk Management
SAP Risk ManagementAuditBot SAP Security Audit
 
SAP GRC
SAP GRC SAP GRC
SAP GRC Kellton Tech Solutions Ltd
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAPPECB
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
How to analyzing sap critical authorizations
How to analyzing sap critical authorizationsHow to analyzing sap critical authorizations
How to analyzing sap critical authorizationsAnywhere Gondodza SAP.GRC.FI.B.COM.ACC.HONS (MSU)
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
SAP License Audit Process
SAP License Audit ProcessSAP License Audit Process
SAP License Audit ProcessAuditBot SAP Security Audit
 

Más contenido relacionado

La actualidad más candente

Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and InstructionMart Leepin
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAPPECB
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 

La actualidad más candente (20)

Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP Security
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
 
165373293 sap-security-q
165373293 sap-security-q165373293 sap-security-q
165373293 sap-security-q
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 
Sap grc-access-control-solution
Sap grc-access-control-solutionSap grc-access-control-solution
Sap grc-access-control-solution
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasks
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systems
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answers
 
SAP Risk Management
SAP Risk ManagementSAP Risk Management
SAP Risk Management
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
 
SU01 - Background and Instruction
SU01 - Background and InstructionSU01 - Background and Instruction
SU01 - Background and Instruction
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
How to analyzing sap critical authorizations
How to analyzing sap critical authorizationsHow to analyzing sap critical authorizations
How to analyzing sap critical authorizations
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
 

Destacado

Sap Solman Bpm Sales Presentation V2
Sap Solman Bpm Sales Presentation V2Sap Solman Bpm Sales Presentation V2
Sap Solman Bpm Sales Presentation V2caldnambi
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0Latha Kamal
 
Enabling Accounts Payable departments to add value and reduce cost using Orac...
Enabling Accounts Payable departments to add value and reduce cost using Orac...Enabling Accounts Payable departments to add value and reduce cost using Orac...
Enabling Accounts Payable departments to add value and reduce cost using Orac...bradleywstorts
 
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOptimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOracle
 
SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Latinoamérica
 

Destacado (9)

SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
SAP License Audit Process
SAP License Audit ProcessSAP License Audit Process
SAP License Audit Process
 
Sap Solman Bpm Sales Presentation V2
Sap Solman Bpm Sales Presentation V2Sap Solman Bpm Sales Presentation V2
Sap Solman Bpm Sales Presentation V2
 
SAP License Audit Tips
SAP License Audit TipsSAP License Audit Tips
SAP License Audit Tips
 
Sap grc process control 10.0
Sap grc process control 10.0Sap grc process control 10.0
Sap grc process control 10.0
 
Enabling Accounts Payable departments to add value and reduce cost using Orac...
Enabling Accounts Payable departments to add value and reduce cost using Orac...Enabling Accounts Payable departments to add value and reduce cost using Orac...
Enabling Accounts Payable departments to add value and reduce cost using Orac...
 
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOptimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
 
SAP License Audit Report
SAP License Audit ReportSAP License Audit Report
SAP License Audit Report
 
SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)SAP Governance, Risk and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC)
 

Similar a 081712 isaca-atl-auditing sap-grc

Reduce the Burden Of Managing SAP With Enterprise Identity Management
Reduce the Burden Of Managing SAP With Enterprise Identity ManagementReduce the Burden Of Managing SAP With Enterprise Identity Management
Reduce the Burden Of Managing SAP With Enterprise Identity ManagementSBWebinars
 
Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1
Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1 Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1
Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1Anup Lakra
 
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1Anup Lakra
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...akquinet enterprise solutions GmbH
 
Insurance application modernisation
Insurance application modernisationInsurance application modernisation
Insurance application modernisationBrian Maguire
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsOracle
 
Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Oracle
 
Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Oracle
 
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...Oracle
 
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceIBM Security
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070retheauditors
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]akquinet enterprise solutions GmbH
 
Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™Symmetry™
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsOracle
 
Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager OracleIDM
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodromDoina Draganescu
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013Nidhi Gupta
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013Nidhi Gupta
 

Similar a 081712 isaca-atl-auditing sap-grc (20)

Reduce the Burden Of Managing SAP With Enterprise Identity Management
Reduce the Burden Of Managing SAP With Enterprise Identity ManagementReduce the Burden Of Managing SAP With Enterprise Identity Management
Reduce the Burden Of Managing SAP With Enterprise Identity Management
 
Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1
Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1 Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1
Wise Men Webinar: Fast Track Implementation of SAP GRC 10.1
 
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
Webinar: Simplify, Gain Insight, Strengthen with SAP GRC 10.1
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
 
Insurance application modernisation
Insurance application modernisationInsurance application modernisation
Insurance application modernisation
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
 
Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...
 
Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824
 
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
 
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
 
Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
 
Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager Con9573 managing the oim platform with oracle enterprise manager
Con9573 managing the oim platform with oracle enterprise manager
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 
It risk advisory brochure 2013
It risk advisory brochure 2013It risk advisory brochure 2013
It risk advisory brochure 2013
 

Último

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Último (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

081712 isaca-atl-auditing sap-grc

  • 1. Auditing SAP GRCAuditing SAP GRC ISACA-August 17, 2012 11
  • 2. IntroductionsIntroductions Sean Campbell Sean Campbell is an IT Auditor at The Coca-Cola Company. His experience has focused primarily around IT compliance and SAP security. Prior to joining Coca-Cola, Sean was an IT Auditor with KPMG and Fiserv where he led SAP audits and gained experience in financial services. Sean holds a Bachelor’s Degree in Management Information Systems and a MBA, both from the University of Georgia. Sean also holds a CISA certification. Jay Gohil Jay Gohil is an IT Auditor at The Coca-Cola Company. His experience has focused primarily around IT compliance and SAP security. Prior to joining Coca-Cola, Jay was a consultant with Protiviti where he led several projects integrating the SAP GRC Access Controls Suite and assisted with segregation of duties analysis, user access design, and remediation of SAP security issues. Jay holds a Bachelor’s Degree in Computer Engineering and a Master’s Degree in Decision and Information Sciences, both from the University of Florida. Jay also holds a CISA certification. 22
  • 3. The Coca-Cola Company - IntroductionThe Coca-Cola Company - Introduction ● ~46+ billion in sales ● 200+ countries where our beverages are sold ● 500+ brands of the Coca-Cola Company - 15 billion dollar brands ● 3,300+ - different beverages ● 1.7+ billion servings per day ● With bottling partners, Coke ranks top 10 in private employers worldwide with more than 700,000 system employees (About 145,000 work for The Coca-Cola Company) 33
  • 4. The Coca-Cola Company - WorldwideThe Coca-Cola Company - Worldwide 44
  • 5. SAP @ The Coca-Cola CompanySAP @ The Coca-Cola Company ● Coke has three large instances based on business need and mergers (Global, CCR, BIG) - Many smaller instances run at bottler locations ● Multiple landscapes established for different business processes (i.e. Primary-FiLo, HR, BW, etc.) ● Largest landscapes have ~20,000 users 55
  • 6. OverviewOverview ● SAP Security Overview - SAP Authorization Concept - Common Issues ● SAP GRC Overview - Modules - Risk and Function Overview - SAP Security Issues Addressed ● Auditing SAP GRC - Governance - Security - Configuration - Change Management 66
  • 8. SAP Security – Authorization Concept: OverviewSAP Security – Authorization Concept: Overview 88
  • 9. SAP Security – Authorization Concept: ContinuedSAP Security – Authorization Concept: Continued ● When a user logs onto SAP all the authorization objects and fields that have been assigned to them through roles and profiles are loaded into their “user master” record ● When a user attempts to execute an action in SAP the authorization objects and fields from the user master are checked programmatically ● Within the fields of the authorization objects a user can be restricted to: - Display vs. Maintain - Specific items classified by company codes (or many other groupings) - Many other restrictions based on individual objects 99
  • 10. SAP Security – Authorization Concept: Common IssuesSAP Security – Authorization Concept: Common Issues ● Inheritance - Unintended access given to users due to unknown combinations of authorization objects through various roles ● Broad Access Designed in Roles - Ranges or wildcards assigned in authorization objects allows users access to functions for which they were not authorized ● Assignment of Roles with Broad Access - To grant a user access to a specific T-Code a SAP Security employee may assign a role that grants the user excessive access 1010
  • 11. SAP Security – Authorization Concept: Common IssuesSAP Security – Authorization Concept: Common Issues ● Segregation of Duties and Sensitive Access - Users could be given access that would result in segregation of duties risks or have access to powerful business or IT functions without authorization ● No Visibility into Potential Issues - No visibility into who has SoD conflicts or even sensitive access without a considerable manual data pull and analysis ● No Prevention of New Problems - No way to truly prevent assignment of roles that create inheritance issues or create SOD risks 1111
  • 13. SAP GRC - HistorySAP GRC - History Virsa Systems SAP GRC Access Control 5.3 SAP GRC Access Control 10.0 Firefighter Compliance Calibrator Access Enforcer Role Architect Superuser Privilege Management Risk Analysis & Remediation Compliant User Provisioning Enterprise Role Management Emergency Access Management Access Risk Analysis Access Request Management Business Role Management Version 10: •Customizing moved into SAP Reference IMG (SPRO) •Centralized firefighter usage and workflow • Provides auditable process for tracking log review approvals •All components are now ABAP based •Improved risk analysis interface, allows filtering and sorting 1313
  • 14. SAP GRC - ModulesSAP GRC - Modules Access Risk Analysis (ARA)* •Real-time & centralized SOD/sensitive access reporting and monitoring •Ruleset management •User Access Simulation •Mitigating Controls Emergency Access Management (EAM)* •“Firefighter” •Temporary elevated access •Track transaction code usage and changes •Audit logs, email alerts Access Request Management •Workflow •User Provisioning Business Role Management •Role documentation repository *Addressed in Auditing SAP GRC Section 1414
  • 15. SAP GRC - Functionality & TerminologySAP GRC - Functionality & Terminology ● Risks - SOD Risks – Critical combination of 2 or more specific activities - Sensitive Access Risk – A risk that a user has access to a specific functional area ● Ruleset Concept - Rulesets are a grouping of risks - Risks are made up of function groups - Function groups are made up of multiple t-codes and/or objects ● Firefighter - Addresses segregation of duties concerns by providing temporary elevated access that is controlled and monitored 1515
  • 16. SAP GRC – SOD vs. Sensitive Access RiskSAP GRC – SOD vs. Sensitive Access Risk Segregation of Duties Certain separate business processes and functions in The Coca-Cola Company, if executed by a single user, would present an unacceptable risk to the integrity of the Company’s processes, and could expose the Company to fraud risk. Therefore, incompatible duties of this type must be segregated and monitored. 1616 Manage Goods Receipt Process Payments Sensitive Access Certain transactions or activities in The Coca- Cola Company are regarded as “sensitive” due to the following: 1)The transaction allows access to confidential information 2)The transaction should only be executed by select user(s) who are highly experienced and knowledgeable around the use of the transaction 3) The transaction, if executed inappropriately, would cause a significant (negative) impact to operations. Maintain Customer Master Data Risk? May result in fictitious and fraudulent invoices Risk? Inappropriate access to sensitive master data transactions
  • 17. SAP GRC - How a Ruleset Breaks DownSAP GRC - How a Ruleset Breaks Down 1717 The Coca-Cola Company Rule Set Maintain Purchase Orders Vs. Manage Goods Receipt MIGO – Goods Movement ME21N – Create Purchase Order Manage Goods ReceiptMaintain Purchase Orders ME22N – Change Purchase Order MB01 – Post Goods Receipt on PO Create PO for company codes Create PO for purchasing area Create GR for company code Create GR for purchasing area Rule Set Risk Functions Actions Permissions
  • 18. SAP GRC - User InterfaceSAP GRC - User Interface 1818
  • 19. SAP GRC - User InterfaceSAP GRC - User Interface 1919
  • 20. SAP GRC - Risk Areas of SAP Security AddressedSAP GRC - Risk Areas of SAP Security Addressed Use of SAP GRC gives visibility into SOD issues, inheritance issues, and can prevent the assignment of roles that create issues ●Ability to validate that no violations of an SOD ruleset exist within single roles ●Identify and review sensitive access assigned to users ●Workflow can be implemented to require risk analysis to be completed prior to new role assignments (preventative control!) 2020
  • 21. SAP GRC – Common IssuesSAP GRC – Common Issues ● Governance - Identifying and incorporating new functionality - Establishing ownership of risks, roles and controls ● Security - Limiting access to configure and make changes ● Configuration - Key parameters are configured appropriately - Changes are documented and monitored ● Change Management - Ruleset changes (risks and functions) are authorized & approved 2121
  • 23. Auditing SAP GRC - Governance of SAP GRCAuditing SAP GRC - Governance of SAP GRC ● Governance is important to the long term relevance of GRC - Incorporates changes in the environment - Establishes ownership and responsibility - Drives remediation decisions ● Key areas to consider for a governance team - Ownership (GRC Risks, SAP Roles, Mitigating Controls) - Risk Level of GRC Risks and Expectations - New Functionality 2323
  • 24. Auditing SAP GRC – Governance: OwnershipAuditing SAP GRC – Governance: Ownership ● Who approves access? - Based on roles - Manager - GRC Risk - Who approves assigning a mitigating control ● Who defines the risk/function and approves changes? - What is included in a GRC risk/function (how is this determined) - What is the defined risk level 2424
  • 25. Auditing SAP GRC – Governance: Risk LevelsAuditing SAP GRC – Governance: Risk Levels ● What does each risk level mean? - Are users allowed to access certain transactions at all? - What are the expectations for each risk level • # of violations • Remediation timeframe 2525
  • 26. Auditing SAP GRC - Governance: New FunctionalityAuditing SAP GRC - Governance: New Functionality ● What is the process to identify new functionality added to the system? - T-Codes - New Modules - Custom & New Authorization Objects ● How are these analyzed and included (if needed) into a ruleset? 2626
  • 27. Auditing SAP GRC – Governance: On Going ProcessesAuditing SAP GRC – Governance: On Going Processes ● Access Provisioning - Preventative SOD/sensitive access analysis - Appropriate approvals (role owner, manager) ● Periodic Access Reviews - Detective SOD/sensitive access analysis ● Mitigating Control Reviews - Review of users with sensitive access based on business need 2727
  • 28. 2828 Auditing SAP GRC Standard SAP Functionality
  • 29. Auditing SAP GRC – ABAP SecurityAuditing SAP GRC – ABAP Security SAP GRC Version 10 runs on an ABAP landscape ●Reviewing Sensitive Access - User Management (SU01, PFCG, etc.) - Change Management (STMS, SCC4, etc.) - Configuration Management (SPRO, etc.) ●Other relevant high risk areas should also be reviewed during an audit of the SAP systems 2929
  • 30. Auditing SAP GRC - Application Change ManagementAuditing SAP GRC - Application Change Management Similar to previous “ABAP Security” slide, typical change management testing procedures for a SAP audit would apply as changes are moved in via transports ●Utilize T-Code STMS (Import Overview > Import History) to identify the population of transports released into production during the period under review within each in-scope landscape ●As long as the client is locked, all configuration and risk/function changes must be transported ●Verify client lock status and history with T000 table 3030
  • 31. 3131 Auditing SAP GRC Audit Risk Analysis (ARA)
  • 32. Auditing SAP GRC - Audit Risk Analysis (ARA) SecurityAuditing SAP GRC - Audit Risk Analysis (ARA) Security ARA is the web front end interface into SAP GRC ●Delivered Roles - SAP_GRAC_ALL (application administrator role) - SAP_GRAC_SETUP (access to setup and customize GRC AC) - SAP_GRAC_RULE_SETUP (define and update rules) ●Restrict access to the GRC Administrator 3232
  • 33. Auditing SAP GRC – ARA ConfigurationAuditing SAP GRC – ARA Configuration Key Configuration Parameter Group Parameter ID Description Default Value Recommended Risk Analysis 1026 Default user type for risk analysis A 1028 Include Expired Users NO YES 1029 Include Locked Users NO YES 1030 Include Mitigated Users NO YES 1031 Ignore Critical Roles and Profiles YES 1032 Include Reference user when doing User Analysis YES 1033 Include Role/Profile Mitigating Controls YES • All configuration is done via transaction SPRO • Default values can be overridden! 3333
  • 34. Auditing SAP GRC – ARA ConfigurationAuditing SAP GRC – ARA Configuration Other Key Configurations Parameter Group Parameter ID Description Default Value Change Log 1001 Enable Function Change Log YES 1002 Enable Risk Change Log YES 1003 Enable Organization Rule Log YES 1004 Enable Supplementary Rule Log YES 1005 Enable Critical Role Log YES 1006 Enable Critical Profile Log YES 1007 Enable Rule Set Change Log YES 3434
  • 35. Auditing SAP GRC - ARA Configuration OverrideAuditing SAP GRC - ARA Configuration Override When was the last sync? 3535
  • 36. Auditing SAP GRC - ARA Ruleset ChangesAuditing SAP GRC - ARA Ruleset Changes ● Ruleset Changes - Report: Reports and Analytics > Audit Reports > Change Log Report • Filter: By Function, Risk, Rule Set, Organization Rule • Filter: Changed On field based on testing period ● Changes should follow existing governance processes for authorization 3636
  • 37. 3737 Auditing SAP GRC Emergency Access Management (EAM)
  • 38. Auditing SAP GRC - EAM SecurityAuditing SAP GRC - EAM Security EAM is Emergency Access Management module within SAP GRC. This is commonly referred to as firefighter. ●Delivered Roles - SAP_GRAC_SUPER_USER_MGMT_ADMIN (Administrator role) 3838
  • 39. Auditing SAP GRC - EAM ConfigurationAuditing SAP GRC - EAM Configuration Key Configuration Parameter Group Parameter ID Description Default Value Reco mmen ded Emergency Access Management 4001 Default Firefighter Validity Period (Days) <blank> 365 4002 Send E-mail Immediately YES 4003 Retrieve Change Log YES 4004 Retrieve System Log YES 4005 Retrieve Audit Log YES 4006 Retrieve O/S Command Log YES 4007 Send Log Report Execution Notification Immediately YES 3939
  • 40. Auditing SAP GRC - EAM Audit AreasAuditing SAP GRC - EAM Audit Areas Additional Review Items ●Analysis of Number of IDs, ID Owners, ID Controllers - Key Reports • Report: Setup > Superuser Assignment > Owners • Report: Setup > Superuser Assignment > Controllers • Report: Reports and Analytics > EAM Reports - Analytics: • Number of Unique Owners, Controllers • Superuser IDs With Same Owner and Controller • Number of Unique Superuser IDs Across All Systems/Clients • Top 5 Owners and Number of IDs Owned • Number of Logins Per Superuser ID • Time to Review Audit Logs • Number of Logs Per Controller 4040
  • 42. Common Audit IssuesCommon Audit Issues ● Ruleset and Risk Changes - Ruleset changes need valid documentation (i.e. authorization trace) • KEY POINT: Removing an item (like an authorization object) will generally make the rule more broad increasing false positives - Risk changes need consent from governance committees • Impact reporting and mitigating controls ● Mitigating Controls (Do not address the SOD risk) - Release PO vs. Edit PO Mitigating Control • Bad Example: Disbursements are approved before being paid. This would not address the risk because the PO was approved/released! • Good Example: Disbursements are reviewed to ensure users that modified PO were not the only user to approve/release the PO. 4242
  • 43. Common Audit Issues - ContinuedCommon Audit Issues - Continued ● Business Process Changes - Addressing functional SOD in business areas - Provisioning Access (single process, do not by-pass) - Remediation of conflicts • Periodic process or reliance on preventative controls? ● Configurations - Not configured to log all changes - Not reviewing locked users by default ● Firefighter - Excessive use - Excessive access - Broadly assigned 4343
  • 45. Contact InformationContact Information Sean Campbell secampbell@coca-cola.com Jay Gohil jgohil@coca-cola.com 4545