
SAP Access Governance & SoD Analysis as a Service

Our understanding: Your Current Challenges

- Non-cohesive view of implemented as well as applicable GRC controls
- Access Risk Assessment to be made available as per business requirement
- Monitoring of Access Risk Management as per compliance requirement

(Diagram) SAP Authorization Management: Access Management, Authorization

Happiest Minds Confidential

Current Environment

How to mitigate role, user and process level risks in SAP without a large GRC investment?

Users
- Do users have authorizations limited to their current role, or is it a combination of their earlier roles and ad hoc permissions?
- How do we document, certify and regularly review authorizations at the level of User, T-code, Object and Authorization?

Roles
- Have organizational roles been mapped to SAP roles and applied uniformly?
- Do equivalent roles in the organization have exactly the same authorizations (example: do all Branch Sales Managers have exactly the same SAP role definition and authorizations)?

Process
- Is control over critical steps in a sensitive end-to-end process concentrated in a single role?
- Have customizations & access to custom objects / T-codes

Segregation of Duties Overview

For internal controls to be effective, a proper division of responsibilities is necessary.

Roles & Responsibility Assignments: Proper SoD is achieved through proper assignment of roles and responsibilities, which should be documented (policies, guidelines, etc.). The functions of performing accounting procedures and handling assets should be separated. The organizational responsibilities should be reflected in system access rights 1-to-1.

Authorizations, Access Rights and Restrictions: SoD is made possible via appropriate system access rights and restrictions.

Information Technology General Controls: IT General Controls need to be in place to ensure appropriate system security and authorization management, and to support access rights and restrictions.


Visualizing SoD analysis

Risk Identification: SoD analysis based on SAP standard business processes such as:
- Order to Cash
- Procure to Pay
- Finance
- HR and Payroll, etc.

Remediation: Identify hidden issues and conduct workshops with Risk owners to remediate Access Risk.

Reporting: Types of reporting: Risk Analysis at a User and Role level based on:
- Segregation of Duties
- Critical Actions
- Critical Permissions
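The user- and role-level analysis described above, as an added example that is not part of the original deck and is not SAP GRC's own engine. The rule set, role names, user names and role-to-tcode mapping are constructed sample data (the tcodes are real SAP transaction codes used only as illustrative values); it shows why a role-level report can be clean while a user who has accumulated roles still violates a Procure to Pay rule.

```python
# Constructed sample SoD rule set (illustrative, not the page's or SAP GRC's ruleset):
# each rule pairs two conflicting functions; FUNCTIONS maps a function to its tcodes.
FUNCTIONS = {
    "VENDOR_MASTER":  {"XK01", "XK02"},   # create / change vendor master
    "VENDOR_PAYMENT": {"F110"},           # run automatic payments
    "PURCHASE_ORDER": {"ME21N"},          # create purchase order
    "INVOICE_VERIFY": {"MIRO"},           # post vendor invoice
}
SOD_RULES = [  # (rule id, process, function A, function B)
    ("P2P-01", "Procure to Pay", "VENDOR_MASTER", "VENDOR_PAYMENT"),
    ("P2P-02", "Procure to Pay", "PURCHASE_ORDER", "INVOICE_VERIFY"),
]
CRITICAL_ACTIONS = {"SU01": "user maintenance", "PFCG": "role maintenance"}
# Constructed sample extract (hypothetical names): role -> tcodes, user -> roles.
ROLES = {
    "Z_AP_CLERK":    {"XK01", "MIRO"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BUYER":       {"ME21N"},
    "Z_BASIS":       {"SU01", "PFCG"},
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # roles accumulated over time
    "bob":   {"Z_BUYER"},
    "carol": {"Z_BASIS"},
}

def functions_of(tcodes):
    """Business functions granted by a set of transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def sod_violations(tcodes):
    """Rule IDs for which both conflicting functions are granted."""
    funcs = functions_of(tcodes)
    return sorted(rid for rid, _, a, b in SOD_RULES if a in funcs and b in funcs)

def critical_actions(tcodes):
    """Critical tcodes present, reported regardless of any SoD conflict."""
    return sorted(t for t in tcodes if t in CRITICAL_ACTIONS)

def role_level_report():
    """SoD violations contained within a single role definition."""
    return {role: sod_violations(tcodes) for role, tcodes in ROLES.items()}

def user_level_report():
    """SoD violations and critical actions over each user's combined roles."""
    report = {}
    for user, roles in USERS.items():
        tcodes = set().union(*(ROLES[r] for r in roles))
        report[user] = {"sod": sod_violations(tcodes), "critical": critical_actions(tcodes)}
    return report
```

Every role passes the role-level check, yet alice's combined roles trip P2P-01 and carol's Basis role is flagged for critical actions without any SoD conflict, which is why both report types are needed.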

SoD Analysis and Access Governance as a Service

Business Challenge
- Complex SAP authorization model
- SoD violations
- Too many roles created
- Time-consuming maintenance

What we do: REVIEW -> DIAGNOSE -> REMEDIATE -> DELIVER -> SUSTAIN
- Review SAP Authorization Model
- Analyze role and risk levels
- Highlight areas of SoD risk at a role/user level
- Mitigate access risks; remediate users/roles based on SAP best practice and clean up
- A compliant and simplified SAP authorization model
- Update design document and operational procedures


Benefits
- Simplified authorization model
- Lower maintenance
- A SoD-compliant environment
- Raised overall level of application security

Engagement Process, Assumptions & Dependencies

Engagement Process
- Extract SAP user and role information and integrate it into SAP GRC
- Offline SoD analysis using the SAP GRC Access Risk Analysis tool
- Workshops with Risk owners to remediate or mitigate the identified access risks
- Run offline risk analysis after the remediation process
- Generate risk analysis reports at an SAP user and role level

Schedule: 5 weeks duration
- Week 1: Load offline data into SAP GRC and run SoD analysis
- Week 2: Authorization review and risk remediation/mitigation workshops with Risk owners
- Weeks 3 and 4: Remediate authorizations within the PFCG role and remediate access for users within the application
- Week 5: Generate SoD analysis reports after the remediation process

Assumptions and Dependencies
- Extract PFCG customer-specific roles in SAPGUI format.
- Roles

Cost vs Application Complexity (chart): Cost vs Complexity, bands <1000, 1000 - 2000, >2000
