SAP GRC Access Control – It's all about getting clean and staying clean
Why wait until there is a scam, fraud, or a costly human error? We all trust our employees, but why expose them to risk in the first place? Security vulnerabilities exist when users are given broad system access while there is limited visibility into their actions. These risks are often hidden until they are uncovered by an audit. Unfortunately, at that point, a security breach that could easily have been avoided may pose a huge financial risk for the company.
GRC Access Control is a solution that enables you to make better business decisions by visualizing and predicting how certain risks might impact performance. By integrating key GRC activities into your business processes, you can reduce complexity and cut costs while protecting your company's reputation and financial well-being.
GRC access control is divided into four components:
Access Risk Analysis:
- Analyze, manage, and minimize risk by establishing and using a rule set.
- Correct and mitigate conflicts for users and roles.
- Lower the cost of compliance and audit activities.
- Prevent possible fraud or errors.
- Provide detailed reports of access risks and controls to improve communication with senior management.
Emergency Access Management:
- Resolve SoD conflicts.
- A firefighter ID can be used whenever there is a need for additional, temporary authorizations.
- A controller monitors all activities executed by the firefighter and is also responsible for auditing that usage by reviewing and signing off on the firefighter log report.
- Audit documentation is automated and generated immediately after the event, saving the company time, resources, and money.
Access Request Management (User Access Management):
- Provides automated processing of user access requests (create, change, lock, unlock, and self-service password reset), removing another user-administration burden from the IT support team.
- Automated workflow for efficiently approving requests, with access risk analysis embedded in user provisioning.
- User Access Review:
  - Used by managers and role approvers to automate the periodic process of reviewing and reaffirming end-user role assignments.
- SoD reviews:
  - The system runs a periodic, automated check for any risks and violations associated with a user.
Business Role Management:
- Creates single, derived, and composite roles while proactively avoiding SoD risks.
- Facilitates the role design process with a pre-defined role design methodology and workflow.
- Supports the definition and documentation of role information, authorizations, and testing results.
- Using GRC simulation functionality, preventative measures can be carried out far more quickly than with the manual alternative.
For many companies, it makes more sense to start small and achieve quick wins to build the business case for long term, broader GRC implementation and programs.
We recently implemented SAP GRC 10.1 for a large oil and gas company in North America. This is their story:
They had uncovered numerous risks in a failed audit and asked us for help in establishing and communicating a clear strategy of risk remediation for their board and establishing firmer system controls. We recommended a phased approach.
First, implement ARA (Access Risk Analysis) to tackle SoD conflicts by running risk analysis on roles and users. We used an SAP pre-defined rule set, i.e. the GLOBAL rule set, for immediate generation of reports, added Z transactions and programs to the existing rule set, and also built our own new rule set.
Simultaneously, we used EAM (Emergency Access Management) for additional access outside the parameters of end users’ standard roles, but within a controlled and fully auditable environment.
We implemented BRM to allow them to create and manage roles automatically by workflow. One key element and benefit of provisioning in BRM is the identification and mitigation of risks at an early stage, even before the roles are created.
Last but certainly not least, ARM (Access Request Management) provides end-to-end compliant provisioning. It is perhaps the most important module in GRC Access Control. ARM automates the access provisioning approval request by linking the request with workflows. It also ensures corporate accountability and compliance with Sarbanes-Oxley (SOX), along with other laws and regulations.
With the help of Kellton Tech and our SAP GRC solution, the company has automated their entire governance, risk, and compliance process from user provisioning to risk remediation. They are also able to monitor their financial reporting environment to ensure the reporting of high-quality, accurate results. The solution fit all of their needs from a security and compliance perspective and was implemented on time and under budget.
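To make the ARA phase above concrete, here is an added illustration (not SAP's or Kellton's code) of how a rule set drives SoD risk analysis: functions group transaction codes, risks pair functions that must not be held by one person, and the analysis is run at role level and at user level, with a customer Z transaction added to the rule set and a mitigating control suppressing an accepted risk. All function ids, risk ids, transaction codes, roles, and users are constructed for the example.

```python
# Added example, not SAP's or Kellton's code: a minimal SoD risk analysis in the
# style of GRC Access Risk Analysis. Rule-set functions group transaction codes,
# risks pair functions that must not be held together, roles grant transactions,
# users hold roles, and mitigating controls suppress accepted risks per user.
# Every function id, risk id, tcode, role and user below is constructed.

FUNCTIONS = {  # rule-set function -> transaction codes that perform it
    "AP_VENDOR_MAINT": {"XK01", "XK02", "FK02"},
    "AP_PAYMENT": {"F110", "F-53"},
    "PUR_ORDER": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO"},
}
RISKS = {  # risk id -> pair of functions one person must not hold together
    "P001": ("AP_VENDOR_MAINT", "AP_PAYMENT"),
    "P002": ("PUR_ORDER", "GOODS_RECEIPT"),
}

def add_custom_tcode(function_id, tcode):
    """Extend a rule-set function with a customer-specific Z transaction."""
    FUNCTIONS[function_id].add(tcode)

def analyze(tcodes):
    """Risk ids violated by one set of tcodes, with the tcodes that trigger each."""
    held = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    return {rid: sorted(tcodes & (FUNCTIONS[a] | FUNCTIONS[b]))
            for rid, (a, b) in RISKS.items() if a in held and b in held}

def analyze_roles(roles):
    """Role-level check: roles that carry a conflict entirely on their own."""
    return {r: hits for r, tc in roles.items() if (hits := analyze(tc))}

def analyze_users(users, roles, mitigations):
    """User-level check over the union of a user's roles; mitigated risks drop out."""
    report = {}
    for user, assigned in users.items():
        tcodes = set().union(*(roles[r] for r in assigned))
        hits = {rid: tc for rid, tc in analyze(tcodes).items()
                if rid not in mitigations.get(user, set())}
        if hits:
            report[user] = hits
    return report

if __name__ == "__main__":
    roles = {"Z_AP_CLERK": {"XK01", "F110"}, "Z_BUYER": {"ME21N"},
             "Z_WAREHOUSE": {"MIGO"}}
    users = {"ALICE": {"Z_AP_CLERK"}, "BOB": {"Z_BUYER", "Z_WAREHOUSE"}}
    print(analyze_roles(roles))                            # Z_AP_CLERK -> P001
    print(analyze_users(users, roles, {"BOB": {"P002"}}))  # only ALICE remains
```

Note the two outcomes: Z_AP_CLERK is flagged at role level because a single role already combines vendor maintenance and payment, while BOB's cross-role conflict disappears only because a mitigating control has been recorded for him.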