Date post: 27-Mar-2021
Page 1: Compliance Enforcer - SUIM

Management of Risk and SoD Policies &

Enforcement of Compliance

in SAP-Systems

Compliance Enforcer

Release 2016.1

The Compliance Enforcer is a component

of our software package SUIM-AIM

and is SAP certified.

Page 2

Big Picture

To ensure and verify conformity with the Sarbanes-Oxley Act (SOX) and other regulatory requirements, an enterprise has to implement, document and prove its internal control mechanisms.

The Compliance Enforcer is the tool to ensure and prove conformity with such regulatory requirements.

It considers not only the potential risks caused by changes but also analyses the information about risks that have actually occurred, taken from the Application Tracer data.

The Compliance Enforcer allows the verification of the entire SAP portfolio from a central system. The results can be displayed and stored centrally.

It thereby considers not only authorization objects but also roles, profiles, role collections and in particular BI profile values. Through the extension of the controls to system parameters and the integration of an open interface to non-SAP systems, the Compliance Enforcer becomes a comprehensive tool in the area of IT controls.

In combination with the products Access Manager or Identity Manager, the Compliance Enforcer works as an "integrated permanent system investigator".

It verifies in real time every assignment of an authorization element against the stored rules and standards and identifies emerging risks.

Page 3

Highlights

Compliance Enforcer - Rules and Risks The simple and clear structure based on the definition of rules allows an ergonomic compilation of risks.

The rule structure is deliberately simplified by grouping differentiated rule types.

A risk is a logical combination of any number of rules. It forms the central point of an analysis.

Compliance Enforcer - Rule Types Extensive rule type catalog which customers can extend with their own rule types.

Rules of the types authorization object, SAP role, SAP profile, BI authorization, system parameter, AM/AMSO role, AM/AMSO organization and others are part of the standard catalog.

Compliance Enforcer - Rule and Risk Meta-Directory Rule and risk attributes can be defined and maintained with the help of a flexible tool.

The values defined in the meta-directory can then be used in analyses.

Compliance Enforcer - Customizing Wizards Rules are arranged ergonomically in a tree-structure.

Intuitive and scalable customizing scenarios for the desired rules and risks are integrated.

A simple way to define SoD rules using a matrix.

Compliance Enforcer - Mitigation Acceptance of risks by the person in charge using the CE Mitigation sub-module.

Integration of AIM time variations and time rules into the mitigation process.

Compliance Enforcer - Alerts Periodic jobs generate e-mails to the responsible person when a rule is violated.

Compliance Enforcer - Analyses Execution of real-time analyses and run-time-optimized analyses (overnight collection of data).

Cross-system and cross-rule-type analyses.

Analyses from different perspectives, e.g. from the point of view of SAP-users or SAP-roles.

Analyses are displayed in tree structures with drill-down.

Simulation of changes to authorization elements.

Compliance Enforcer - History Risk results are recorded and are available for historical comparison.

Compliance Enforcer - Integration in AM, AMSO and IM Integration in the Access Manager, Access Manager for Support Organizations and Identity Manager.

Before an authorization element is assigned to a user, it can be verified whether unmitigated risks would be created.

Page 4

Compliance Enforcer: Functional Overview

Workplace The CE Workplace is the central entry point to the Compliance Enforcer. Thanks to the clear design you will quickly find your way around.

The overview screen distinguishes between rule and risk analyses as well as between customizing and help.

The rule and risk analyses are split into different intuitive perspectives.

To customize rules and risks to individual requirements, an ergonomic customizing user interface is provided.

The documentation and a tutorial are directly integrated in the application.

Risk Mitigation For every risk, rule-based risk officers can be defined.

The risk officers decide, for the risks in their responsibility, whether users are approved for a defined period of time.

The risk officers receive a periodic overview of the risk violations in their responsibility.

Page 5

Compliance Enforcer: Customizing

Rule Definition To keep the definition of rules simple and thus adaptable to individual customer needs, an intuitive user interface was created. The tree structure is ideal for maintaining all rule types in the same overview.

By entering various selection criteria, the rule overview is tailored to your needs.

Each rule is assigned a warning level according to its importance. Furthermore, any additional descriptive attributes can be stored via the meta-directory.

Rule Types The following authorization elements are available as rule types:

SAP-authorization-objects, SAP-roles, SAP-profiles, system parameter (RZ10)

AM/AMSO organizations, AM/AMSO SUIM systems, AM/AMSO organization type - organization level

AM/AMSO roles, BI authorizations

Open API

Page 6

Compliance Enforcer: Analyses

Rule Analysis On entry to the rule analysis there is a choice between the following analysis paths:

Analysis of users

Analysis of SAP roles and SAP profiles

Analysis of Access Manager / Access Manager for Support Organizations roles

Analysis of BI authorizations

Analysis of system parameters

Analysis of Open API rules

With the different entry points, the focus of the result screen is set optimally on the essentials.

The result view is presented as a tree structure, in which drill-down interactions branch into the details.

The rules can also be analyzed by cross-system background processing. These results can be evaluated online, and one can navigate to the details via drill-down.

Page 7

Risk Analysis On entry to the risk analysis there is a choice between the following analysis paths:

Analysis of users

Analysis of SAP roles and SAP profiles

Analysis of AM/AMSO roles

Analysis of BI authorizations

Risks are composed of logical combinations of rules. Any number of rules of different rule types can be combined. This allows a very flexible and comprehensive use of risks across different relationships and scenarios. With the drill-down function in the result view, rule violations can be traced in detail. At the detail level "rule overview", all rules violated by the selected risk are shown (as a matrix) and linked to the relevant authorization elements.

Furthermore, all results of completed risk analyses are logged. This makes it possible to inspect completed analyses and, for example, to compare results before and after corrections.
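The structure the brochure describes (typed rules, a risk as the conjunction of rules of possibly different types, an SoD matrix that yields risks, time-limited mitigations, and a pre-assignment check) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not SUIM's code and does not reflect how the Compliance Enforcer is implemented internally. The role names (Z_AP_INVOICE, Z_AP_PAYMENT, Z_FI_DISPLAY), the users ALICE and BOB, the parameter value and the mitigation are constructed sample data; F_BKPF_BUK, F_REGU_BUK and login/min_password_lng are real SAP authorization object and profile parameter names, but the field values attached to them here are assumptions, and in a real run the authorization data and RZ10 parameters would be read from the target system rather than from literals.

```python
"""Toy rule/risk engine in the style described above: a rule of type
AUTH_OBJECT, ROLE or SYSPARAM either matches or not, a risk is the AND of
its rules, and a violated risk can be mitigated for one user for a period.
Example code only; not SUIM's implementation."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    rule_id: str
    rule_type: str                            # "AUTH_OBJECT", "ROLE" or "SYSPARAM"
    target: str                               # authorization object, role or RZ10 parameter
    fields: Tuple[Tuple[str, str], ...] = ()  # required (field, value) pairs, or one comparison

@dataclass(frozen=True)
class Risk:
    risk_id: str
    rules: Tuple[Rule, ...]                   # the risk is violated when ALL rules match
    warn_level: str = "HIGH"

@dataclass(frozen=True)
class Mitigation:
    risk_id: str
    user: str
    valid_from: date
    valid_to: date

# Constructed sample data. Role names are hypothetical; F_BKPF_BUK, F_REGU_BUK and
# login/min_password_lng are real SAP names, but the values attached here are made up.
ROLE_AUTHS: Dict[str, List[Tuple[str, Dict[str, str]]]] = {
    "Z_AP_INVOICE": [("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"})],   # post documents
    "Z_AP_PAYMENT": [("F_REGU_BUK", {"FBTCH": "02", "BUKRS": "*"})],      # run payment program
    "Z_FI_DISPLAY": [("F_BKPF_BUK", {"ACTVT": "03", "BUKRS": "*"})],      # display only
}
SYSPARAMS = {"login/min_password_lng": "6"}   # would be read from RZ10 in a real run
USERS = {"ALICE": ["Z_AP_INVOICE", "Z_AP_PAYMENT"], "BOB": ["Z_AP_INVOICE", "Z_FI_DISPLAY"]}

def _covers(held: str, required: str) -> bool:
    """SAP-style field match: '*' covers everything, a trailing '*' is a prefix match."""
    if held == "*":
        return True
    if held.endswith("*"):
        return required.startswith(held[:-1])
    return held == required

def rule_hits(rule: Rule, roles: List[str]) -> List[str]:
    """Authorization elements that make the rule match (empty list = rule not matched)."""
    if rule.rule_type == "ROLE":
        return [rule.target] if rule.target in roles else []
    if rule.rule_type == "SYSPARAM":
        op, bound = rule.fields[0]            # e.g. ("lt", "8"): matches when value < 8
        cur = SYSPARAMS.get(rule.target)
        if cur is None:
            return []
        matched = int(cur) < int(bound) if op == "lt" else cur == bound
        return [f"{rule.target}={cur}"] if matched else []
    hits = []
    for role in roles:
        for obj, held in ROLE_AUTHS.get(role, []):
            if obj == rule.target and all(_covers(held.get(f, ""), v) for f, v in rule.fields):
                hits.append(f"{role}/{obj}")
    return hits

def analyze_user(user: str, roles: List[str], risks: List[Risk],
                 mitigations: List[Mitigation], as_of: date) -> Dict[str, dict]:
    """Violated risks for one user, with the drill-down (which elements matched each rule)."""
    result = {}
    for risk in risks:
        per_rule = {r.rule_id: rule_hits(r, roles) for r in risk.rules}
        if all(per_rule.values()):            # conjunction of all rules of the risk
            mitigated = any(m.risk_id == risk.risk_id and m.user == user
                            and m.valid_from <= as_of <= m.valid_to for m in mitigations)
            result[risk.risk_id] = {"warn_level": risk.warn_level,
                                    "mitigated": mitigated, "rules": per_rule}
    return result

def sod_matrix_to_risks(functions: Dict[str, Rule], conflicts: List[Tuple[str, str]]) -> List[Risk]:
    """Each conflicting pair of business functions in the SoD matrix becomes a two-rule risk."""
    return [Risk(f"SOD_{a}_{b}", (functions[a], functions[b])) for a, b in conflicts]

def simulate_assignment(user, roles, new_role, risks, mitigations, as_of) -> List[str]:
    """Unmitigated risks that assigning new_role would newly create (the pre-assignment check)."""
    def open_risks(rs):
        return {k for k, v in analyze_user(user, rs, risks, mitigations, as_of).items()
                if not v["mitigated"]}
    return sorted(open_risks(roles + [new_role]) - open_risks(roles))

FUNCTIONS = {
    "CREATE_INVOICE": Rule("R_INV", "AUTH_OBJECT", "F_BKPF_BUK", (("ACTVT", "01"),)),
    "RUN_PAYMENT":    Rule("R_PAY", "AUTH_OBJECT", "F_REGU_BUK", (("FBTCH", "02"),)),
}
R_PWLEN = Rule("R_PWLEN", "SYSPARAM", "login/min_password_lng", (("lt", "8"),))
RISKS = sod_matrix_to_risks(FUNCTIONS, [("CREATE_INVOICE", "RUN_PAYMENT")]) + [
    # cross-rule-type risk: payment authority on a system with a weak password policy
    Risk("PAY_WEAK_PW", (FUNCTIONS["RUN_PAYMENT"], R_PWLEN), "MEDIUM"),
]
TODAY = date(2016, 6, 1)
MITIGATIONS = [Mitigation("SOD_CREATE_INVOICE_RUN_PAYMENT", "ALICE",
                          date(2016, 1, 1), date(2016, 12, 31))]

if __name__ == "__main__":
    for user, roles in USERS.items():
        print(user, analyze_user(user, roles, RISKS, MITIGATIONS, TODAY))
    print("BOB + Z_AP_PAYMENT would open:",
          simulate_assignment("BOB", USERS["BOB"], "Z_AP_PAYMENT", RISKS, MITIGATIONS, TODAY))
```

Two details matter in practice. First, a rule on an authorization object must evaluate the field values the role actually carries, including wildcards and prefix values, because a display-only role (ACTVT 03) on the same object must not count as the posting function; that is why the example keeps the matching elements per rule, which is the drill-down the result view offers. Second, mitigation is per risk, per user and per validity period, so the same analysis run a day after the mitigation expires reports the violation as open again, which is what makes the periodic overview for risk officers and the before/after comparison of logged results meaningful.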

Page 8

Our software products are additional modules for SAP or frontend applications with SAP integration. The focus is on IT Service Management (ITSM) and the Internal Control System (ICS).

In the ITSM area we cover all customer-oriented processes, from service design through calculation, acknowledgment and reporting to accounting. The handling of access and identity management, user login and network security is also supported by our software products in an optimal way. Typical users are IT organizational units and shared service centers.

The ICS is supported by our tools in the definition of requirements (risks) and in the compliance check. Besides the manual and automatic controls on the process level, we also cover the general IT controls. Typical users are external and internal controllers or ICS and process officers.

«The requirements in the domain of

security are complex. Halfway solutions

do not lead to the goal».

Patrick Tambourgi

CEO SUIM

«Coming together is a beginning;

keeping together is progress;

working together is success».

Quote Henry Ford

Mirjam Stalder

Project manager CCE AG

Our Software-Products

SUIM LTD

Chemin du Marguery 15

1802 Corseaux,

Switzerland

www.suim.ch


Our collaboration

We offer a network of partners, each contributing expertise and experience in the areas of product development, client solution advice, customization and implementation. Our networked approach means we can draw on our teams to respond to clients' requests and to work with them through the design and implementation phases. Crucially, we also ensure that each client has a dedicated contact person for their day-to-day needs and for future development.
