GOVERNANCE, RISK AND COMPLIANCE FOR SAP
REDUCE COSTS AND RISKS WITH GOVERNANCE ACROSS YOUR INFORMATION SYSTEM
WEBINAR
2016
Mathieu Roseau
Mathieu Roseau is a director of business development for In Fidem, a Canadian company based in Montreal, Quebec. He has been working in the IT sector for more than 8 years as a security solution specialist. As a security consultant, Mr. Roseau has worked on numerous projects for several types of industries.
514 699-6834
[email protected] www.infidem.biz
https://www.linkedin.com/in/mathieuroseau/en
In Fidem in a nutshell
GOVERNANCE, RISKS & COMPLIANCE (GRC)
Experts to help you manage your security governance, risks & compliance (GRC) framework around the globe: PCI-DSS, SOX, ISO 27001, NIST compliance, NERC CIP and many others.
CYBER-MONITORING
To implement the right detection mechanisms for security issues before it is too late. Experts to help you implement the right incident management processes.
ERP & WEB APPLICATIONS SECURITY
To implement the right security measures into your business application services & software development life cycle (SDLC): training, code review, application security software.
IDENTITY ANALYTICS & INTELLIGENCE
To ensure that the people who have access to your critical IT systems are the right persons with the right access level; automation of regular access reviews for applications & IT systems.
FRAUD MANAGEMENT & FORENSIC INVESTIGATION
Fraud management systems & investigation methods designed to detect computer fraud and preserve the integrity of the evidence collected.
Security is a business problem
FINANCIAL RISKS / REPUTATION RISKS / COMPLIANCE RISKS
Failure to adequately manage access rights is at the root of most security incidents and compliance issues.
• 55% of companies have been victims of a security incident over the last 24 months
• 56% of fraudsters are internal workers, and they cause the most impact
Types of Security Incidents (chart; sources: PwC, Global Economic Crime Survey; PwC, Global Information Security Survey)
Top 3 Audit Findings (source: Deloitte, DTTL Global Financial Services Industry Security Study)
• Excessive access rights
• Removal of access rights
• Segregation of duties
Typical fraudster: internal employee or executive, male, aged between 31 and 40, employed for more than 3 years
Security issues behind incidents
Definitions
Risk: an opportunity for a physical loss, fraud, process disruption or productivity loss that occurs when individuals exploit a weakness. A segregation of duties (SoD) risk is a combination of two functions that a single person should not hold together.
Inside a given domain, a single person is not authorized:
• to hold both of the following responsibility levels: the operational level ("the one who executes") and the supervision level ("the one who controls");
• to cumulate two risky functions in the same process.
A manager is not authorized to cumulate the functions of his own team.
Display functions and reports are not risky.
Risk management concerns
• Address risks in a comprehensive and consolidated approach
• Increase the visibility of the impact of risks on performance
• Have the ability to automatically monitor key risks
• Meet the requirements of your regulations
Key customer risk issues
• Risks events become loss events
• Risk management activities are too costly
• Limited ability to prioritize and manage the most critical risks
Establishing SoD rules is specific to each company
• Segregation of duties is based on a repository of best practices and common audit rules
• In practice, however, implementing a standard segregation of duties repository does not resolve every incompatibility
• The segregation of duties repository must reflect the risks arising from the conflicting activities against which the company wants to protect itself
What SoD issues are most SAP customers facing?
Top 3 conflict types in SoD risks:
• Core model (role design) misconception
• User rights assignments that generate incompatibilities
• Weaknesses in the rights assignment process
Risk mitigation and remediation: process principles in 5 steps
• Assess whether SoD discrepancies generate real risk in the business context, and adapt the risk matrix accordingly (risk matrix life cycle)
• Check conformity between SoD rules
• Add / delete transactions and authorization objects in roles
• Cut existing roles into multiple roles (role model update life cycle)
• Set up complementary controls to mitigate the remaining risk (compensatory controls)
Our proposition: Brainwave IGRC
• Periodic user access review
• iMDM for data quality & identity correlation
• Continuous monitoring, alerting & remediation
• Behavioral and data analytics
• Risk scoring and evaluation
• Audit, compliance, forensics
Gartner terminology (from the business layer down to the IT layer)
• IAI, Identity Analytics and Intelligence: audit, controls, analyses and dashboards
• IAG, Identity and Access Governance: roles and recertification
• IAM, Identity and Access Management: account and password management
Main features
• IAI (Identity Analytics and Intelligence): entitlements and granular permission analysis; audit controls (including SoD); tracking of changes over time; KPI and reporting dashboards
• IAG (Identity and Access Governance): access rights recertification workflows; access request workflows; role modelling; role provisioning
• IAM (Identity and Access Management): joiner/leaver workflows; account provisioning; directory synchronization; password reset
Added value on your project by Brainwave
• A unified approach to GRC, integrated into your landscape
• Automated monitoring of risks and controls across very different and heterogeneous technologies
• An interface designed to deliver the best user-centred experience
• Software providing all the features necessary to establish a global risk management system
What benefits can iGRC provide to stakeholders?
• Fine-grained SoD implementation: Users <=> Roles <=> Activities <=> Authorization Objects…
• Core model analysis & clean-up
• User role analysis & clean-up
• 360° dynamic browsing of users, roles, permissions, discrepancies…
• SoD across SAP modules, and between SAP and other business-critical applications
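The SoD definition given earlier (a risk is the cumulation of two risky functions by one person; display functions and reports are not risky), the "core model versus assignment" conflict types, and the Users <=> Roles <=> Activities <=> Authorization Objects chain above can all be exercised with a small conflict check. The following Python is an added example written for this page; it is not code from the webinar, from In Fidem or from the Brainwave product. The transaction codes and authorization objects are standard SAP ones, but the activity definitions, the SoD matrix, the role names, the user IDs and the risk IDs are constructed for the illustration.

```python
"""Added example (not In Fidem or Brainwave code): a minimal SoD check over the
chain Users <=> Roles <=> Activities <=> Authorization Objects.
SAP transaction codes and authorization objects are real; roles, users, the
activity catalogue, the matrix and the risk IDs are constructed."""
from dataclasses import dataclass

# ACTVT values that only read data: display-only access is not a risky function.
DISPLAY_ACTVT = {"03", "08"}

@dataclass(frozen=True)
class Activity:
    """A business function: its transactions, plus the authorization object
    whose ACTVT decides whether the access is more than display."""
    name: str
    tcodes: frozenset
    auth_object: str

@dataclass
class Role:
    """A PFCG-style role: startable transactions and ACTVT per authorization object."""
    tcodes: set
    actvt: dict

# Constructed procure-to-pay activity catalogue.
ACTIVITIES = (
    Activity("PO_CREATE",   frozenset({"ME21N", "ME22N"}), "M_BEST_BSA"),
    Activity("GOODS_RCPT",  frozenset({"MIGO"}),           "M_MSEG_BWA"),
    Activity("INVOICE",     frozenset({"MIRO"}),           "M_RECH_WRK"),
    Activity("VENDOR_MSTR", frozenset({"XK01", "XK02"}),   "F_LFA1_APP"),
    Activity("PAYMENT",     frozenset({"F110"}),           "F_REGU_BUK"),
)

# Constructed SoD matrix rows: (activity A, activity B, risk ID, level).
SOD_MATRIX = (
    ("PO_CREATE",   "GOODS_RCPT", "P2P-01", "High"),
    ("VENDOR_MSTR", "INVOICE",    "P2P-02", "High"),
    ("INVOICE",     "PAYMENT",    "P2P-03", "High"),
    ("PO_CREATE",   "INVOICE",    "P2P-04", "Medium"),
)

# Constructed roles. Z_FI_AP_ALL carries a conflict inside the role itself
# (core model issue); Z_MM_DISPLAY starts MIGO but only with display ACTVT.
ROLES = {
    "Z_MM_BUYER":     Role({"ME21N", "ME22N", "ME23N"}, {"M_BEST_BSA": {"01", "02", "03"}}),
    "Z_MM_WAREHOUSE": Role({"MIGO"},                     {"M_MSEG_BWA": {"01", "03"}}),
    "Z_MM_DISPLAY":   Role({"ME23N", "MIGO"},            {"M_BEST_BSA": {"03"}, "M_MSEG_BWA": {"03"}}),
    "Z_FI_AP_CLERK":  Role({"MIRO", "XK03"},             {"M_RECH_WRK": {"01"}, "F_LFA1_APP": {"03"}}),
    "Z_FI_AP_ALL":    Role({"XK01", "XK02", "MIRO", "F110"},
                           {"F_LFA1_APP": {"01", "02"}, "M_RECH_WRK": {"01"}, "F_REGU_BUK": {"02"}}),
}

# Constructed user-to-role assignments.
USERS = {
    "ALICE": ["Z_MM_BUYER", "Z_MM_WAREHOUSE"],   # conflict created by the assignment
    "BOB":   ["Z_FI_AP_ALL"],                    # conflict built into a single role
    "CAROL": ["Z_MM_DISPLAY", "Z_FI_AP_CLERK"],  # MIGO is display-only here: no conflict
}

def _activities(tcodes, actvt):
    """Activities effectively granted by a transaction set and ACTVT map:
    the transaction must be startable AND a non-display ACTVT must be present."""
    return {a.name for a in ACTIVITIES
            if tcodes & a.tcodes and actvt.get(a.auth_object, set()) - DISPLAY_ACTVT}

def role_activities(role):
    """Activities one role grants on its own (used to spot core model issues)."""
    return _activities(role.tcodes, role.actvt)

def user_activities(role_names, roles=ROLES):
    """SAP merges authorizations across all of a user's roles, so the check
    must run on the union of the roles, not role by role."""
    tcodes, actvt = set(), {}
    for name in role_names:
        tcodes |= roles[name].tcodes
        for obj, acts in roles[name].actvt.items():
            actvt.setdefault(obj, set()).update(acts)
    return _activities(tcodes, actvt)

def sod_conflicts(users=USERS, roles=ROLES, matrix=SOD_MATRIX):
    """One finding per violated (user, matrix row), tagged 'intra-role' when a
    single role carries both activities, else 'cross-role' (assignment issue)."""
    findings = []
    for uid, role_names in users.items():
        held = user_activities(role_names, roles)
        per_role = {r: role_activities(roles[r]) for r in role_names}
        for a, b, risk_id, level in matrix:
            if a in held and b in held:
                culprits = sorted(r for r, acts in per_role.items() if {a, b} <= acts)
                findings.append({
                    "user": uid, "risk": risk_id, "level": level, "activities": (a, b),
                    "origin": "intra-role" if culprits else "cross-role",
                    "roles": culprits or sorted(role_names),
                })
    return findings

if __name__ == "__main__":
    for f in sod_conflicts():
        print(f["user"], f["risk"], f["level"], f["origin"], "+".join(f["activities"]), f["roles"])
```

The origin tag is what decides the remediation step: an intra-role finding is fixed in the core model (cut the role, or remove transactions and authorization objects from it), while a cross-role finding is fixed by changing the assignment or by a compensating control. CAROL shows why the authorization objects matter: she can start MIGO, so a transaction-only check would flag PO_CREATE + GOODS_RCPT, but her ACTVT on M_MSEG_BWA is display only.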
Classic timeline for a pilot project (months M0 to M6)
Phase A: SoD matrix review and upload
Phase B: Core model clean-up
Phase C: Entity clean-up
Hypotheses:
• SoD matrix based on the standard matrix or on an existing customer business matrix
• Core model cleaned, not fully redesigned
• Pilot entity deployed with fewer than 100 users
Project activities:
• Project management
• SoD risk matrix definition, design and challenge
• Technical set-up
• Technical load of the matrix in Brainwave
• Remediation plan for the core model
• Remediation plan for the entity users
• Testing
• Post-go-live support
Web portal: the home page
• Fully web-based; nothing to install
• One unique place for browsing data within your organization, generating reports, analyzing SoD and getting dashboards
Organization dashboard (screenshot): risk families and % of users with risks in the organization, showing the risks by organizational unit
Key figures for SAP (screenshot): core model, accounts & SoD anomalies, risk insights; supplying the global risk dashboard with the latest trends
Critical transaction monitoring (screenshot): transaction usage counter for all users in the Sales division, feeding the global risk dashboard with the latest trends
What can I do with it?
• Build a 360° cartography of who does what
• Use standard controls to improve the quality of the SAP security model
• Identify segregation of duties (SoD) issues
• Make cross-analyses with other applications and data repositories such as HR, Active Directory and shared files
• Investigate suspicious activities by following up on business transaction activities and on rights administration activities
• Follow up on issues and improve your situation
Why Brainwave for SAP? How does it work?
Collect and consolidate (automated data discovery, data mapping and loading into the Brainwave data model):
• Security policies: SoD matrix, …
• People: job title, organization, …
• Accounts, groups, …
• SAP® ECC, SAP® SRM, …: authorization model, acts of administration, logs
Analyse and report:
• User authorization cartography
• Risk analysis and trends
• Control reporting
• Dashboards
Review & remediate:
• Risk mitigation and remediation
• …
What does it need to work? What kind of data does Brainwave need?
• Cloud
• Business applications: ERP, HR, etc.
• Security systems: IAM, SIEM, etc.
• User access controls: SoD, policies, rules, etc.
Brainwave uses BI analytics to correlate this data.
Report + analysis:
• Who can access what?
• User privileges
• User access risks
• Which control is deficient?
• Am I compliant?
QUESTIONS?
THANK YOU