Académique Documents
Professionnel Documents
Culture Documents
Roberto Bayon
Jabil
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
In This Session
• This session walks you through the formation of Jabil’s global governance organization,
which was established to orchestrate its 15,000-user security redesign project and
oversee the company’s long-term SoD conflict minimization program. Hear how Jabil
successfully approached the standardization of SAP roles and the provisioning
processes used to achieve it, and explore how the company:
Secured senior management support for its governance organization
Selected its governance team and divided roles and responsibilities, including how it
defined technical and functional SAP GRC ownership for its SAP Access Control, and
SAP Access Violation Management systems and processes
Manages user provisioning, business role management, SoD management, and
firefighter access
Managed its multi-phase rollout
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
2
Company Overview
3
Global Expertise and Intelligent Supply Chains, Engineered for
Growth
Automotive
Digital Home
Enterprise and Infrastructure
Industrial and Energy
Networking and Telecommunications
Printing
Point of Sale
Storage
4
Our SAP Environment
More Granular
GTS 152 Low
Access Needed
SOLMAN 118 Low Role Architecture
XI 45 Low --
5
Objectives
• Long-Term Objective
To proactively manage SAP application access risk by implementing governance
processes, monitoring tools, and a sound security architecture
• Short-Term Objectives
To reduce SoD conflicts
6
Challenges in the Current Environment
7
SoD Risk Management Maturity
Proactive Checks
3 • Custom ruleset and SoD access checks during provisioning
• Use of mitigating controls
Periodic Checks
1 • Manual SoD reviews (matrix-based)
• Reporting on false positives
TIME
8
Our Roadmap to Improving SAP Security
Short Term: Remediate and enable technology Long Term: Continuous monitoring and Governance
9
How Did We Go from Stage 2 to Stage 5?
Projects
SAP Access Management • Create global SAP role governance process and security strategy with standards for global
Governance and Strategy role template, role-naming conventions, change control, and role provisioning
SAP ECC Security • Create new roles free of SoD conflicts and develop restrictions for custom transitions
• Establish mitigating controls for people who require role assignments that cause an SoD
Role Redesign conflict
Access Controls • Create an SAP automated user provisioning process with an automated SoD conflict check
(SAP GRC 10.1) utilizing a newly redesigned SoD ruleset with integrated mitigating control documentation
Access Violation • Implement continuous monitoring technology to detect and determine financial impact of
Management SoD violations
10
Project Organization Structure
Project Management
Leads
11
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
12
Enabling Governance with Task-Based Role Architecture
A tier approach will help ensure users get access in a structured way to minimize potential for risk and excessive
access, and to enable consistent governance processes:
Critical Access Tier 4: Critical Access (Critical Sensitivity): Activities performed via Firefighter,
Information Services, or restricted business functions.
Functional
Tier 3: Update Activity Access (Medium–High Sensitivity): Activities which allow
Access update access are grouped by sub-process area and divided into single roles based on
the activity performed. Restrictions to Organizational Elements (Company Codes,
Plants, etc.) can be performed here.
Company Restricted
Display Display Tier 2: Display Access (Low Sensitivity): Activities which allow display and reporting
only access. These activities may be grouped at the process or sub-process level. One
or more display roles can be given to a user and provide a display common to all.
User General
Tier 1: User General Access (No Sensitivity): Activities common to all users, such as
printing and inbox, are grouped together into a single role.
13
Project Timeline
FY 2015 FY 2016
Jan Feb March April May June July Aug Sept - Aug
Transactional Analysis
Requires Significant
Workshops Participation from Pilot
Sites
SoD Remediation
GRC 10.1 Access Current GRC 5.3 environment Pilot User Provisioning Workflow
Control Implementation upgraded Go-Live GRC Global Rollout
14
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
15
Key Governance Changes
• No formal process to manage SoD ruleset • Governance Committee will approve all SoD ruleset changes
• Monthly FF log review • Investigating more frequent FF log review through GRC
• Manual process to provision FF accounts • Auto-provisioning of FF accounts through GRC
• Manual process to remove users from SAP • Integrate termination process through GRC to remove users from SAP
• No process to monitor role changes • Monitor role changes and transaction additions through GRC
INFORMAL CONTROLLED
TODAY TOMORROW
Lack of defined controls to mitigate key SAP security Defined governance controls to keep SAP security risks
risks within the Jabil environment from recurring
16
Governance Structure
Governance Lead (New)
• Cross-functional team consisting of Ops, IT, Finance, RAS,
and HR
Governance Committee (New)
• Governance Committee
• Provides guidance for the standards and IT Finance Operations HR Audit
requirements for key domains
• Gives authority to the governance team to administer
the program Governance Team
(*New*)
• Approves ruleset changes
• The Governance Team reports directly to the Governance Communication
Committee and provides updates about day-to-day
Governance activities
Regional / Divisional Controllers
• Information from the Governance Team is communicated
Site SMEs
to the user community and supported through the SMEs,
BPOs, Site Leads, and Security Team IT Security / GRC team
17
Introduction to Key Components of Governance
There are few key pillars when designing a governance model for
SAP access management. These pillars focus on key areas such as:
Strategic Vision/Alignment
• M&A/Compliance Alignment
Policies/Procedures/Training
• Approval Requirements
• User and Role Provisioning Requests
• Temporary Access
Risk Management
• SoD Ruleset Updates/Remediation/ITGCs
At this point, the majority of the processes have been initially designed
but these need to be agreed upon, communicated, and embedded into
the GRC tools, SAP security architecture, and overall organization
supporting this process long-term.
18
Governance Committee Responsibilities
Governance Committee provides guidance for the standards and requirements for processes to support:
SoD Management
Ongoing management and maintenance of the Jabil SoD ruleset
Change Management
Enforcing strong control of SAP GRC changes based on future business needs
19
Governance Responsibilities Across the Organization
Core Access Management (R) – Responsible (A) – Accountable
Governance Elements (C) – Consulted (I) – Informed
EM GC GL GT STS RQ AS
Governance: Policies and Procedures I C A R C C C/I
Governance: Training and Communication I C A R I/C I/C C/I
Role Management C A R R I R
in GRC No No
Functional Area SME, Site SME)
Yes
Yes
SoD Check Performed
in GRC
Remediate
Yes and Adjust
Roles?
Governance Team
No
21
Governance Around Firefighter
2
Move T-codes out of FF to restricted/Sensitive roles and Firefighter
limit who gets those roles Reduction
3
Regular review of FF logs with escalation if not reviewed
within a specific time
22
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
23
Communication of Project Plan
Governance Tasks
Define Security Governance Program
Ensuring all tasks are
Complete preparation work for program understood
Form Governance Committee
Develop Governance team and vision
Develop SAP provisioning processes Setting realistic dates
Develop New Employee, Contractor, Temporary Employee SAP Access Provisioning Process for each task
Develop Current Employee (new or change access) SAP Provisioning Process
Develop SAP User Removal Provisioning Process
Develop User Access Review Process
SoD Management
Ruleset Maintenance
Violation Remediation
Role Management – Ownership
Temporary Access Process
Temporary Firefighter access
Firefighter log reviews
Develop GRC Change Management process
Governance Pilot Rollout
24
Communicating Goals and KPIs (Example)
A significant component of governance includes the ability to communicate progress or potential delays. It is important
to define KPI to measure and communicate with your key audiences:
Area of Success Measures/KPIs Qualitative Factors
SoD Conflict-Free Roles • End of Project: 100% SoD conflict-free roles for all plants that are on SAP as of February
2015
• Pilot: 100% SoD conflict-free roles for Penang, Guadalajara, JGP Wuxi, and Corporate IT
Total SoD Conflicts • Total number of SoD conflicts are reduced by >90% • Mitigating controls will be utilized as it
• Total number of unique SoD risks are reduced by >80% makes sense and tracked by site
Ease of Maintenance • 98% of T-Codes are only in one role, making it easy to select roles • Master roles that are easy to maintain
and are based on tasks, not positions
Business Disruptions and • Go-Lives: There are minimal business disruptions and all critical items are resolved within • Testing: All critical issues remediated
Testing 1 hour before go-live
• Testing: The number of issues that arise is <15% • Ongoing: Firefighter roles used
appropriately as a mitigating process
Governance Processes • Automated SoD checks administered by GRC tool utilizing improved ruleset • Maintain SoD conflict-free roles
(“Stay Clean”) • Defined and implemented processes with policies and procedures that include an through governance strategy
escalation path • Centralized role maintenance
• Documented and tested mitigating controls when applicable for agreed upon SoD Conflicts
• Access is granted within 5 to 7 days
25
Communicating Changes to Governance Policies (Example)
The table below shows the total risks monitored per business cycle across multiple rulesets, companies need to define
what is important to measure and communicate:
Business Cycle Jabil’s Previous Ruleset Leading Practice Ruleset Jabil’s Customized Ruleset
Finance 4 9 19
Materials Management 0 7 4
Order to Cash 46 29 44
Procure to Pay 63 28 51
HR/Payroll 0 14 7
IT (Basis) 6 5 6
Users with
3,486 420 88%
SoD Risks
6 Users 1 User
27
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
28
Timeline
SAP Redesign
User Mapping
Complete Security Assessment Role Design for Pilot Sites Role Migration
Project Kick-off Meeting Role Build for Pilot Sites Pilot Sites Go-Live
Participate in Workshops Functional Testing (Unit and UAT) Hyper-care Support
Apply Lessons Learned to Global Rollout
JANUARY – APRIL ’15 MAY – JULY ’15 AUGUST ’15 AND BEYOND
29
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
30
SoD Quantification to Manage Residual Risk
AVM was implemented to assist in the ongoing monitoring and governance of our SAP Environment:
31
Access Violation Management (AVM) Implementation
• Current methods quantify 42 • Achieve additional automated • Replace current test with AVM
of the 90 Segregation of SoD risk coverage and tests.
Duties (SoD) risks that are efficiency in conjunction with
• Analyze what SoD risks will
quantifiable. current quantification
remain after the role redesign
methods.
• Methods rely on both and configure additional
automated and manual • As well as continuing current automated quantification
methods. quantification tests. tests.
32
SoD Quantification Approach
1)
1 Identify number of users with authorization access to high SoD risk (Jabil defined ruleset)
2)
2 Determine if users have executed transactions from both sides of the SoD (each function)
3)
3 Quantify identified high-risk SoD violations (e.g., users who have edited the vendor master record and created or changed a purchase order to that same vendor)
a. Use third-party tool to extract transactional tables and analyze SoD occurrences (impact)
b. Manually analyze remaining SoDs with transactional occurrence identified in Step 2 should no compensating controls exist
4
4) Determine if violations that have been quantified are material
5
5) If yes, determine if compensating controls exist and they are operating effectively
6)
6 If no compensating control exists, investigate and evaluate further with applicable business owners
4 5 6
1 2 3
Mitigating Control CD01: All changes to the vendor master records are reviewed including creating vendors
33
Benefits of Access Violation Management
• Put monitoring in place while planning • Extend risk monitoring for additional user • Automate mitigating controls with 100%
and executing on: risks identified during the implementation transaction monitoring and exception-
Access Control Implementation that cannot be removed based reporting
Role Redesign • Identifying areas of focus for role • Enable business ownership of access
redesign – across all relevant business risks with clear, relevant reporting
Risk Identification, including definition applications
of the technical ruleset • Increase transparency into real risk to the
• Prioritize activities by financial risk business
• Prioritize activities by financial risk exposure
exposure • Drive process change when financial
exposure is too high
34
Access Violation Management (Example)
Potential SoD Exposure by Country Potential SoD Exposure by User/Company Code
XXX
San Jose
US SAMPLE
$9,066,289
9,470
5
35
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
36
Involving External Auditors
• Communication is key. External auditors need to know the plan, understand the
remediation methodologies, and be given constant updates.
• Changing policies and procedures, requires documented business reasons
• Received buy-in on the new tools like AVM so auditors could place reliance on them
Demonstrated completeness and accuracy for all tools
• Provided regular progress reports both formal and informal so the auditors were
comfortable that the overall project was on track
This not only eased the minds of the auditors that we were resolving our deficiencies
but also allowed the auditors to better plan their annual audit around key areas of risk
37
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
38
Lessons Learned: Governance
When creating an SoD Ruleset it is good to be conservative to start but be open to removing
risks throughout the project
39
Lessons Learned: Communication Is Key
40
What We’ll Cover
• Background
• Overview of the SAP security redesign project
• Our governance structure
• Communication as part of a robust governance plan
• Governance as part of a multi-phase rollout
• Segregation of duties quantification
• Involving external auditors
• Revisiting the lessons learned by project work streams
• Wrap-up
41
Where to Find More Information
• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/SAP-Access-Mgmt-
Governance-Getting-It-Right-Protiviti.pdf
SAP Access Management Governance: Getting It Right, Making It Sustainable” (Protiviti, 2013).
This white paper outlines a strategy to improve SAP access management efficiently and
establish a structure for governance that standardizes the management process and helps
minimize access control risks for the long term
• www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/Designing-SAP-Application-
Security-Protiviti.pdf
Designing SAP Application Security – Leveraging SAP Access Monitoring Solutions During
SAP Implementations, Upgrades or Security Redesign Projects” (Protiviti, 2014).
This white paper provides six steps organizations should take when implementing SAP
• Without governance, any redesign will eventually revert back to unmanaged roles and
user provisioning
• Tools such as Access Control and Access Violation Management help achieve
governance Objectives
• Representation from executive leadership to ensure the right messaging is heard and
communicated to the broader organization
• Governance is the responsibility of a cross-function team (e.g., Finance, IT, Ops, HR …)
• Establish KPIs and use to drive changes or standards
• Ensure you get buy-in from external auditors by keeping them up to date of your progress
and intentions
• Identifying the right consulting partner to help bring leading practice and implement
changes
43
Your Turn!
45
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2016 Wellesley Information Services. All rights reserved.