Ivanka Gajecky
Beam Suntory
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
In This Session
About Beam Suntory
About Beam Suntory (cont.)
Presence in Japan, North America, EMEA, Asia Pacific, and South America
What We’ll Cover
• Using a framework to help you determine if role redesign is appropriate for your organization
• Identifying the key project considerations, establishing timelines, and securing executive support
• Understanding the key project variables
• Establishing decision points for performing Access Control design and role design in a phased approach (separately vs. together)
• Understanding success factors and next steps
• Wrap-up
Current State
• In the case of Beam Suntory, the current SAP security structure is creating challenges for the business and may become unsustainable
• The next few slides show some of the key challenges the current state presents:
KEY CHALLENGES
• The volume of existing SoD conflicts increases fraud risk and inefficiency
Current State (cont.)
KEY CHALLENGES
Processes to request, approve, and provision user access are difficult and time consuming
Current State (cont.)
KEY CHALLENGES
How We Got Here
Above are some of the key factors that contributed to the current state
SAP Security Remediation Approaches
Framework Approach
Framework Approach (cont.)
1. Assess Current State | 2. Determine Options | 3. Secure Leadership Support for Desired Options
Step 1. Assess Current State
PEOPLE
• Average employee’s level of understanding of roles design
• Maturity of data or process owner’s risk ownership
PROCESS
• Roles-based provisioning
• SAP Roles Governance Process
  • Relationship to Business Process Governance
• User provisioning process
TECHNOLOGY
• Complexity of role structure
Framework Approach (cont.)
1. Assess Current State | 2. Determine Options | 3. Secure Leadership Support for Desired Options
Step 2. Determine Options
PEOPLE
• User Education
• Roles and responsibilities
• Reorganization
PROCESS
• Streamline user provisioning process
  • For example, approvals
  • Workflow tools
TECHNOLOGY
• Revise role design
• Enhance SoD/Access Control tools or technology
Framework Approach (cont.)
1. Assess Current State | 2. Determine Options | 3. Secure Leadership Support for Desired Options
Step 3. Secure Leadership Support for Desired Options
PEOPLE
• Make decisions on proposed actions
PROCESS
TECHNOLOGY
• Revise role design
• Automation
Decision Points — To Determine If SAP Roles Redesign Is Right for You
SECURITY CHALLENGE
Symptoms:
  b. Users can’t determine their roles needed
  c. Top-Down Complaints to people doing user provisioning (low level)
Options to resolve are discussed (low level)
Symptoms continue unresolved
Decision Points — To Determine If SAP Roles Redesign Is Right for You (cont.)
The cycle continues until frustration with SAP end-user satisfaction and lack of mitigating controls efficiency reaches executive awareness
Symptoms Experienced
• No Role-Based Permissions
• Users can’t determine their roles needed and help desk or Business Process Owners are overwhelmed
• Top-down/executive complaints to people doing user provisioning
Results
• SAP end-users satisfaction
• Controls efficiency
Decision Points — When High Frustration Level/Executive Awareness Is Reached
NO: Return to Symptoms Experienced Cycle
Why Change Now?
Below is an overview of the objectives and expected outcomes of a role redesign project:
KEY OBJECTIVE
Align security roles with tasks users perform in the system to complete their job responsibilities (“Get Clean”)
EXPECTED OUTCOME
• Reduce fraud risk by eliminating role level SoD conflicts and reducing user level SoD conflicts
• Increase productivity by reducing the time spent reviewing SoD conflicts
• Increase productivity by reducing reliance on mitigating controls
Why Change Now? (cont.)
Below is an overview of the objectives and expected outcomes of a role redesign project: (cont.)
KEY OBJECTIVE
Strengthen governance processes (“Stay Clean”)
EXPECTED OUTCOME
• Improve control and decision making related to SAP access and security with enhanced governance processes
• Increase productivity by reducing execution time for governance processes via automation (GRC)
Why Change Now? (cont.)
Below is an overview of the objectives and expected outcomes of a role redesign project: (cont.)
KEY OBJECTIVE
EXPECTED OUTCOME
• Improve time-to-market with changes to the SAP platform
Analysis of Options
Analysis of Options (cont.)
Analysis of Options (cont.)
Project Activities — Key Project Considerations
• FACTORS REQUIRED FOR PROJECT EXECUTION (SHORT-TERM) AND ONGOING COMPLIANCE (LONG-TERM) SUCCESS
  Examples:
  • Obtain senior leadership support to secure resources and funding, align with corporate strategy to ensure long-term compliance
  • Involvement of all stakeholders inside and outside IT
• TIMING
  • Find times during the year when a critical number of stakeholders and participants have bandwidth
• CULTURAL CHALLENGES
  • Slow implementation
  • Break the project into pieces
Project Involvement — Key Business Activities
Project Involvement — Key Business Activities (cont.)
Project Activities — Key Project Variables
Stakeholder Participation Requirements — Example
The table below summarizes typical resource commitments by phase for each primary stakeholder. Input from the right stakeholders at the right time is critical to the success of the project.
IMPACT ON KEY STAKEHOLDERS
Phase        | Redesign Team | SAP Security and Basis Team | Bus. Process Owners / Role Owners * | Internal Audit | PMO
Preparation  | High          | High                        | Low                                 | Low            | Medium
Blueprinting | High          | High                        | High                                | Medium         | Medium
Realization  | Medium        | High                        | High                                | Low            | Medium
Go-Live      | High          | High                        | Medium                              | Low            | Medium
* Participation from Business Process Owners and Role Owners would be in the form of input within role design review workshops, user acceptance testing, confirmation of user mappings, and any necessary SoD resolution and mitigation decisions
Access Control Reporting — Requirements
Below are some of the key factors that contributed to the success of the role redesign project
REDESIGN PROJECT
Decision Points Around Access Control Design
The SAP Access Control implementation methodology can be read as recommending that you first assess and fix existing issues (“Get Clean”)
Decision Points Around Access Control Design (cont.)
Minimal Time to Compliance (Get Clean)
• Risk Identification and Remediation: Rapid, cost-effective, and comprehensive initial clean up
Continuous Access Management (Stay Clean)
• Enterprise Role Management: Enforce SoD compliance at design time
• Compliant User Provisioning: Prevent SoD violations at runtime
• Super User Privilege Management: Close #1 audit issue with temporary emergency access
Effective Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit: Focus on remaining challenges during recurring audits
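As an added illustration of two points the deck makes, the distinction between role level and user level SoD conflicts under “Why Change Now?” and the split between enforcing SoD at design time (Enterprise Role Management) and preventing violations at runtime (Compliant User Provisioning) in the Access Control phases above, here is a small Python analysis over constructed data. It is example code written for this page, not Beam Suntory’s or SAP’s; the risk IDs, the transaction-to-function mapping, the role names and the users are all assumptions made up for the demonstration. It goes slightly beyond the slide by also simulating an access request to see whether adding a role would introduce a conflict the user does not already have.

```python
"""Role-level vs. user-level SoD conflict analysis over constructed sample data.

Example code added for this page; the ruleset, tcode-to-function mapping,
roles and users below are constructed assumptions, not SAP or Beam Suntory data.
"""

# Constructed SoD ruleset: risk ID -> pair of business functions that one
# person must not hold together.
SOD_RULES = {
    "R001": ("CREATE_VENDOR", "POST_VENDOR_PAYMENT"),
    "R002": ("MAINTAIN_PO", "GOODS_RECEIPT"),
}

# Constructed mapping of transaction codes to business functions. The codes
# resemble SAP tcodes, but the mapping itself is an assumption for this example.
TCODE_TO_FUNCTION = {
    "XK01": "CREATE_VENDOR",
    "F110": "POST_VENDOR_PAYMENT",
    "ME21N": "MAINTAIN_PO",
    "MIGO": "GOODS_RECEIPT",
    "ME23N": "DISPLAY_PO",
}

# Constructed role definitions: role -> set of tcodes the role grants.
ROLES = {
    "Z_AP_CLERK": {"XK01", "F110"},      # conflict built into a single role
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_PO_DISPLAY": {"ME23N"},
}

# Constructed user-to-role assignments.
USERS = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_BUYER", "Z_WAREHOUSE"},   # conflict only from the combination
    "CAROL": {"Z_BUYER", "Z_PO_DISPLAY"},
}


def functions_of(tcodes):
    """Business functions reachable through a set of tcodes (unmapped tcodes ignored)."""
    return {TCODE_TO_FUNCTION[t] for t in tcodes if t in TCODE_TO_FUNCTION}


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Design-time check: roles that contain both sides of a rule on their own.
    These are the role level SoD conflicts a redesign should eliminate."""
    found = {}
    for role, tcodes in roles.items():
        funcs = functions_of(tcodes)
        hits = sorted(rid for rid, (a, b) in rules.items() if a in funcs and b in funcs)
        if hits:
            found[role] = hits
    return found


def user_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Provisioning-time check: the union of a user's roles violates a rule.
    Returns {user: {risk_id: sorted roles that together create the conflict}}."""
    found = {}
    for user, assigned in users.items():
        granted_by = {}  # function -> roles of this user that grant it
        for role in assigned:
            for func in functions_of(roles.get(role, set())):
                granted_by.setdefault(func, set()).add(role)
        hits = {}
        for rid, (a, b) in rules.items():
            if a in granted_by and b in granted_by:
                hits[rid] = sorted(granted_by[a] | granted_by[b])
        if hits:
            found[user] = hits
    return found


def new_conflicts_if_added(user, new_role, users=USERS, roles=ROLES, rules=SOD_RULES):
    """Simulated access request: risk IDs that adding new_role would newly introduce
    for this user. An empty list means the request adds no SoD conflict."""
    current = users.get(user, set())
    before = user_conflicts({user: current}, roles, rules).get(user, {})
    after = user_conflicts({user: current | {new_role}}, roles, rules).get(user, {})
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    print("Role-level conflicts:", role_conflicts())
    print("User-level conflicts:", user_conflicts())
    print("CAROL + Z_WAREHOUSE would add:", new_conflicts_if_added("CAROL", "Z_WAREHOUSE"))
```

The two report functions map onto the two remediation paths in the deck: a hit in `role_conflicts` can only be fixed by splitting the role (redesign), while a hit in `user_conflicts` that is absent from `role_conflicts` comes from the combination of roles and can be handled at provisioning time or by a mitigating control. Running the same check inside an approval step, as `new_conflicts_if_added` does, is what turns SoD from a periodic clean-up into a preventive control.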
Decision Points Around Access Control Design (cont.)
SHOULD ACCESS CONTROL DESIGN OR ROLE REDESIGN BE DONE FIRST?
SHOULD ACCESS CONTROL DESIGN AND ROLE REDESIGN BE DONE TOGETHER OR SEPARATELY?
A Word About Compliance
• Fraud incidents
• Internal mandate
• Each audit firm has its own methodology and toolkit for SoD compliance
• The more developed your internal controls and compliance practices are, the better the SoD result usually is
Key Success Factors
Below are some of the key factors that contributed to the success of a role redesign project:
• Aligning ownership for SoD risk and security roles with business process owners
• Business-driven project with resources dedicated to participate in designing, testing, and deploying new roles
What Questions to Ask Next?
• What is the ideal timeline that meets business, compliance, and IT requirements?
• How can we phase this project into smaller parts to match a pace that we can realistically achieve?
• Are there other organizational activities that affect this project by competing for the same resources?
• Do we have the right resources available for the success of this project?
• Should there be any additional projects (e.g., Business Process Improvements) that should occur in addition to this project?
Where to Find More Information
Where to Find More Information (cont.)
www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7021d9cc-1169-2a10-da89-cdbb735bd5e7?QuickLink=index&overridelayout=true&19829864211026
“Guide to the Sarbanes-Oxley Act: Managing Application Risks and Controls – Frequently Asked Questions” (Protiviti, 2006).
www.protiviti.com/en-US/Documents/Resource-Guides/ACE_FAQ_Guide.pdf
7 Key Points to Take Home
• If you are experiencing symptoms of frustration with SAP roles user provisioning, consider that SAP Roles Redesign may be an option to resolve them
• Business Risk Ownership and Support is critical for a successful SAP Roles Redesign
• Consider SoD tools such as SAP GRC Access Control for short-term compliance wins when SAP Roles Redesign will be too labor intensive or time consuming
• Consider the key project variables to ensure a successful SAP Roles Redesign project
• Culture and appetite for change vs. status quo are important factors to overcome or use to your advantage (depending on the case); remember to consider them
• Consider needs for performing Access Control and SAP Roles Design together or separately
• A governance model for SAP Roles is a must for a successful SAP Roles Redesign project
Your Turn!
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2016 Wellesley Information Services. All rights reserved.