GRC Virsa
Page 1: GRC Virsa

Governance, Risk, and Compliance Trends and Techniques in Higher Education

Sherry Amos, Director, Industry Strategy, SAP

Craig Kennedy, Executive Solution Engineer, SAP

Craig Weisiger, SAP Security Analyst, Baylor College of Medicine

Page 2: GRC Virsa

Governance, Risk, and Compliance Trends

Sherry Amos Director, Industry Strategy, SAP

Page 3: GRC Virsa

GRC in Detail

Craig Kennedy Solution Engineer, SAP

Page 4: GRC Virsa

Context: What does SAP do?

SAP ERP: Student Lifecycle, Financials, Human Capital Management, Supply Chain, Facilities, Analytics

SAP NetWeaver provides SAP ERP with a comprehensive integration platform …

integrated out of the box

delivers the foundation to serve all ERP applications

Business Process Platform (ESOA)

built to extend mySAP ERP and to integrate non-SAP systems

Diagram: SAP NetWeaver™ layers. Composite Application Framework; People Integration (Multi-channel access, Portal, Collaboration); Information Integration (Bus. Intelligence, Master Data Mgmt, Knowledge Mgmt); Process Integration (Integration Broker, Business Process Mgmt); Application Platform (J2EE, ABAP, DB and OS Abstraction); Life Cycle Mgmt.

Page 5: GRC Virsa

© SAP AG 2007, EDUCAUSE 2007

SAP Solutions for GRC: Providing the framework for an integrated approach to GRC

Standardize components

Automate processes

Embed in processes

Diagram: SAP solutions for GRC. Risk: Enterprise Risk Management. Compliance & Controls: Access Control, Process Control, Global Trade, Environmental. Governance: Corporate Sustainability Management. GRC Repository. GRC Composites for industries: Life Sciences, High Tech, Chemicals, Oil & Gas, Utilities. Built on the ESOA Platform (SONA) over Business Applications and IT Infrastructure.

Page 6: GRC Virsa

Access Control

Process Control

Repository

Global Trade Services

Applications for EH&S Compliance Management

Risk Management

SAP Solutions for GRC

Questions

Page 7: GRC Virsa

SAP GRC Access Control: Sustainable prevention of segregation of duties violations

Cross-enterprise library of best practice segregation of duties rules

Risk Identification and Remediation (Get Clean): rapid, cost-effective and comprehensive initial clean-up; risk analysis, remediation and prevention services; Minimal Time To Compliance

Enterprise Role Management (Stay Clean): enforce SoD compliance at design time

Compliant User Provisioning (Stay Clean): prevent SoD violations at run time; Continuous Access Management

Superuser Privilege Management: close #1 audit issue with temporary emergency access

Periodic Access Review and Audit (Stay in Control): focus on remaining challenges during recurring audits; Effective Management Oversight and Audit

Page 8: GRC Virsa

Real-time Compliance 24 x 7…

Diagram (Access Control): authorization objects (F_BKPF_GSB, F_BKPF_BUP, F_BKPF_BUK, F_BKPF_KOA, M_MSEG_BWA, M_MSEG_LGO, M_MSEG_BWE, M_MRES_BWA, S_TCODE) → transaction codes (MIGO, SU01, FB05, MB1A, F-29, MB21, MB01, FK01, FK02) → single roles (S1, S2, S3, S4, S5) → derived roles → composite roles (C1, C2, C3) → user
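The role hierarchy on this slide (authorization objects → transaction codes → single, derived and composite roles → user) is what an SoD risk analysis must flatten before it can compare a user's effective transactions against a rule library. The Python below is an added example written for this page, not SAP GRC Access Control or Compliance Calibrator code: it reuses the role names S1 to S5 and C1 to C3 and the transaction codes from the slide, but which transactions sit in which role, the derived roles, the users and the three SoD rules are all constructed for the illustration. It also shows the preventive simulation ("what would adding this role introduce?") that the Compliant User Provisioning slide later describes.

```python
from itertools import product

# Single roles: role name -> transaction codes it grants (through S_TCODE). Constructed.
SINGLE_ROLES = {
    "S1": {"FK01", "FK02"},   # create / change vendor master
    "S2": {"F-29", "FB05"},   # post incoming payments / post with clearing
    "S3": {"MIGO", "MB01"},   # goods receipt
    "S4": {"MB1A", "MB21"},   # goods issue / create reservation
    "S5": {"SU01"},           # user maintenance
}
# Derived roles: same transactions as the parent, only org-level values differ. Constructed.
DERIVED_ROLES = {"S1_DEPT10": "S1", "S2_DEPT10": "S2"}
# Composite roles bundle single or derived roles. Constructed.
COMPOSITE_ROLES = {
    "C1": ["S1_DEPT10", "S2_DEPT10"],
    "C2": ["S3", "S4"],
    "C3": ["S5"],
}
# SoD rule library: risk id -> (description, function A tcodes, function B tcodes).
# Holding any tcode from A together with any tcode from B is a violation. Constructed.
SOD_RULES = {
    "P001": ("Maintain vendor master and post vendor payments", {"FK01", "FK02"}, {"F-29", "FB05"}),
    "M001": ("Post goods receipt and post goods issue", {"MIGO", "MB01"}, {"MB1A"}),
    "B001": ("Maintain users and post financial documents", {"SU01"}, {"F-29", "FB05"}),
}
# Constructed user-to-role assignments.
USERS = {"jdoe": ["C1"], "asmith": ["S3", "S5"], "bwong": ["S2"]}


def expand_role(role):
    """Flatten a composite or derived role to the transactions it ultimately grants."""
    if role in COMPOSITE_ROLES:
        tcodes = set()
        for child in COMPOSITE_ROLES[role]:
            tcodes |= expand_role(child)
        return tcodes
    if role in DERIVED_ROLES:
        return expand_role(DERIVED_ROLES[role])
    return set(SINGLE_ROLES.get(role, ()))


def effective_tcodes(roles):
    """Union of everything a user can run through all assigned roles."""
    tcodes = set()
    for role in roles:
        tcodes |= expand_role(role)
    return tcodes


def analyze(roles):
    """Return [(risk_id, description, [(tcode_a, tcode_b), ...])] for a role assignment.

    A risk fires only when both sides of the rule are reachable; the pairs tell the
    reviewer exactly which transactions (and so which roles) to remediate.
    """
    tcodes = effective_tcodes(roles)
    violations = []
    for risk_id, (desc, side_a, side_b) in SOD_RULES.items():
        pairs = sorted(product(side_a & tcodes, side_b & tcodes))
        if pairs:
            violations.append((risk_id, desc, pairs))
    return sorted(violations)


def simulate(current_roles, new_role):
    """Preventive simulation: which risks would assigning new_role newly introduce?"""
    already = {risk_id for risk_id, _, _ in analyze(current_roles)}
    return [v for v in analyze(list(current_roles) + [new_role]) if v[0] not in already]


def report():
    """Risk report for every user: user -> list of risk ids (empty list means clean)."""
    return {user: [risk_id for risk_id, _, _ in analyze(roles)] for user, roles in USERS.items()}


if __name__ == "__main__":
    for user, risks in report().items():
        print(f"{user:8s} {'clean' if not risks else ', '.join(risks)}")
    for risk_id, desc, pairs in simulate(USERS["asmith"], "S4"):
        print(f"adding S4 to asmith would introduce {risk_id} ({desc}): {pairs}")
```

Note that jdoe is flagged although no single role is risky on its own: the conflict only appears once the composite C1 is expanded, which is why analysis has to run on effective transactions rather than on role names.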

Page 9: GRC Virsa

Risk Analysis and Remediation (aka Compliance Calibrator): Getting clean

End-to-End Automation: Risk Identification, Risk Elimination, Reporting, Prevention

Initial Risk Analysis and Remediation
• Facilitates collaboration between Business and IT to clean up access risks

“The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations.” Synopsys Inc.

Page 10: GRC Virsa

Enterprise Role Definition (aka Role Expert): Enables enterprise role definition and maintenance in a single location

Centralized Role Management across applications

Diagram: individual roles → SAP GRC Access Control (Enterprise Rules, Audit log) → compliant enterprise roles

• Reduce cost of role maintenance
• Ease compliance and avoid authorization risk
• Eliminate errors and enforce best practices
• Assure audit-ready traceability and security checks

28% time savings in role management (Customer Survey, 3/2006)

Page 11: GRC Virsa

Compliant User Provisioning (aka Access Enforcer): Enables compliant end-to-end provisioning “hire to retire”

Compliant provisioning with dynamic workflow

Diagram: HR event (employee hired/retired, 100% automated) → Request generated (via e-mail) → Mgr approval → Risk analysis (one-click preventive simulation) → Automated provisioning (100% automated). Path workflow based on request type and user attributes; escalation workflow; exception workflow.

• Embed cross-enterprise preventive compliance in business process
• Reduce cost of user administration
• Improve productivity of end users
• Provide auditable tracking for auditors

“We reduced provisioning from 2 weeks to 2 days” Rockwell Collins

Page 12: GRC Virsa

Superuser Privilege Management (aka Firefighter): Enables compliance-focused emergency access for SAP

Compliant super user access

Diagram: Super user → Firecall ID (SD, MM, FICO, …) → new session per use → log per session; SAP_ALL

• Preassigned firefighter IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log

• Close #1 open audit issue
• Avoid business obstructions with faster emergency response
• Reduce audit time
• Reduce time to perform critical tasks

“Super users and auditors love it” Lincoln Electric
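The bullets above describe the control pattern: a preassigned firefighter ID per area, a validity window, a new session for each use, and a log of every field-level change for a controller to review afterwards. The Python below is an added example written for this page, not SAP Firefighter code: the firefighter IDs FF_FICO and FF_MM, their owners, the dates and the logged actions are all constructed, and it adds the one-to-one firefighter-account-to-user rule that the Baylor College of Medicine slide mentions. It shows the enforcement at check-out (wrong person, outside validity dates, no reason given) and the post-session review report that separates field changes from display-only steps and flags transactions on a watch list.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class FirefighterID:
    name: str
    area: str
    owner: str            # the one named person allowed to check this ID out (one-to-one)
    valid_from: datetime
    valid_to: datetime


@dataclass
class Session:
    ff_id: str
    user: str             # the real person behind the firefighter ID
    reason: str
    started: datetime
    log: list = field(default_factory=list)   # (timestamp, tcode, object, old_value, new_value)


# Constructed firefighter IDs, one per functional area as on the slide.
FIREFIGHTERS = {
    "FF_FICO": FirefighterID("FF_FICO", "FICO", "cweisiger", datetime(2007, 10, 1), datetime(2007, 11, 30)),
    "FF_MM": FirefighterID("FF_MM", "MM", "asmith", datetime(2007, 10, 1), datetime(2007, 11, 30)),
}
# Constructed watch list: transactions a controller must always look at when they appear in a session.
CRITICAL_TCODES = {"SU01"}


def checkout(ff, user, reason, now):
    """Start a firefighter session, or refuse: wrong person, outside validity dates, no reason."""
    if user != ff.owner:
        raise PermissionError(f"{ff.name} is reserved for {ff.owner}, not {user}")
    if not (ff.valid_from <= now <= ff.valid_to):
        raise PermissionError(
            f"{ff.name} used outside validity dates {ff.valid_from:%Y-%m-%d}..{ff.valid_to:%Y-%m-%d}")
    if not reason.strip():
        raise ValueError("a reason is required for emergency access")
    return Session(ff.name, user, reason, now)


def record(session, now, tcode, obj, old, new):
    """Append one audited action; old == new records a display or a save without change."""
    session.log.append((now, tcode, obj, old, new))


def review_report(session):
    """What the controller reviews after the session: every action, plus the ones needing attention."""
    return {
        "ff_id": session.ff_id,
        "user": session.user,
        "reason": session.reason,
        "transactions": len(session.log),
        "flagged": [e for e in session.log if e[1] in CRITICAL_TCODES],
        "field_changes": [e for e in session.log if e[3] != e[4]],
    }


def run_demo():
    """Walk one constructed emergency session end to end; returns (report, denial messages)."""
    ff = FIREFIGHTERS["FF_FICO"]
    t = datetime(2007, 10, 15, 9, 5)
    session = checkout(ff, "cweisiger", "Month-end close: clear stuck payment document", t)
    record(session, t.replace(minute=7), "FB05", "accounting document 5100000123", "open", "cleared")
    record(session, t.replace(minute=12), "FK02", "vendor 4711 bank account", "DE12XXXX", "DE12XXXX")
    record(session, t.replace(minute=14), "FK02", "vendor 4711 payment block", "A", "")
    record(session, t.replace(minute=20), "SU01", "user JDOE lock flag", "unlocked", "locked")
    report = review_report(session)

    # A different person trying the same ID, and the owner after the validity window, are both refused.
    denials = []
    for user, when in (("jdoe", t.replace(hour=10)), ("cweisiger", datetime(2007, 12, 1, 9, 0))):
        try:
            checkout(ff, user, "testing", when)
        except PermissionError as exc:
            denials.append(str(exc))
    return report, denials


if __name__ == "__main__":
    report, denials = run_demo()
    print(f"{report['ff_id']} used by {report['user']}: {report['transactions']} transactions, "
          f"{len(report['field_changes'])} field changes, {len(report['flagged'])} flagged")
    for entry in report["flagged"]:
        print("  REVIEW:", entry)
    for d in denials:
        print("  denied:", d)
```

The point of keeping the real user on the Session rather than only the shared firefighter ID is accountability: the log is attributable to a person, which is what makes the review evidence usable in an audit.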

Page 13: GRC Virsa

Management Oversight: Periodic Access Reviews

Review User Provisioning; Review Potential Risks; Review Actual Risks; Review Policy; Review Emergency Access

Management
• Management by exception
• Automated, pre-built access controls reporting
• Review of roles, users and mitigation controls

“The SAP applications not only help ensure good governance and compliance, they also reduce the effort involved so that our people can focus more on the business.” Xerox Europe

Page 14: GRC Virsa

Audit: Comprehensive and efficient auditing

1) Validate via sampling that changes to access were appropriately authorized

2) Validate that segregation of duties risks are appropriately mitigated on a sample basis

Internal Audit

“[Our audit firm] agreed to use the SAP GRC Access Control reports in the audit as evidence for control effectiveness. We saved very significantly on time and money spent on external audit fees.” Synopsys, Inc.

• Equips internal and external auditors to complete comprehensive and efficient testing
• Saves audit and audit-related fees

Page 15: GRC Virsa

GRC at Baylor College of Medicine

Craig Weisiger, SAP Security Analyst, Baylor College of Medicine

Page 16: GRC Virsa

Background and General Info

Baylor College of Medicine: SAP Implementation - 1999; Major upgrade / role rebuild in 2003; Implemented Virsa VRAT, VFAT and VRMT in 2003; VFAT to Firefighter in 2004; VRAT to Compliance Calibrator in 2006

Presently on ERP - ECC5, SRM, ESS and Portal

Page 17: GRC Virsa

Current Environment

Users – 14000

R/3 Roles – 5200: Main Roles - 417; Composite Roles - 45; Derived roles - 2897; Fund Center Controlling Roles – 1841

SRM Roles – 34: End user assigned roles – 14; Communication or support roles – 30

Portal Roles – 10: Assigned to users – 4; Communications or Support Roles - 6

Image captions: Virology, Biology, Medicine

Page 18: GRC Virsa

Support and Admin

Decentralized Admin – 60+ (SAM - Security Admin Module), by Department

Central Support and Role Maintenance – 2: All Role Maintenance; Central Users Admin; Second Level Help Desk; Admin Support; GRC Management; IDM Project Lead

Page 19: GRC Virsa

The Access Control Suite

FireFighter: Widely used with SME and Audit; use a one-to-one Firefighter account to User; special roles for viewing reports

Compliance Calibrator: In place during 3 external audits; audit has found no issues with roles; assignment issues with users – mitigation controls moved responsibility to Business Units

Role Expert: Have elected not to use at this time due to our role design; would recommend Role Expert for new installations

Access Enforcer – Not installed

Page 20: GRC Virsa

Key Benefits

Reduce False Positives and focus on analyzing real issues

Catch “low hanging fruit” (e.g. Role analysis)

Focus on SOD issues by functional areas (HR, FI) and/or risk levels

Reduce analysis time (BPOs, WPOs, IT)

Assist with mitigation controls (i.e. documentation and risk acceptance process)

Aid in monitoring actual execution of conflicting critical transactions

Proactively maintain compliance via simulation

Reduce cost related to Audits

Additionally, provides monitoring capabilities for firefighter access to Production (i.e. monitor every transaction used during firefighter session)

Page 21: GRC Virsa

Key Drivers

Reduce auditing cost: audit effort (Internal Audit); response effort (BPOs, WPOs, IT)

Proactively mitigate and reduce audit issues

Evaluate the business impact (role changes) prior to implementing requested change: reducing rework effort; enabling pre-check of SOD issues

Reporting capabilities: real time; distributed to appropriate Managers

Page 22: GRC Virsa

Access Control

Process Control

Repository

Global Trade Services

Applications for EH&S Compliance Management

SAP Solutions for GRC

Questions

Page 23: GRC Virsa

SAP GRC Process Control: Controls process management and continuous controls monitoring

Diagram: Process – Control – Objective – Risk, spanning Business Processes and IT Infrastructure. Control cycle: Document → Test → Monitor → Certify. Activities: Perform Assessments; Test Automated Controls; Test Manual Controls; Review Exceptions; Remediate Issues; Certify and Sign-off (302, Designs, …).

Screenshot: sample survey form (“Has production been improved with the installation and implementation of SAP?” Yes / No).

Increase confidence in the effectiveness of controls
• Supports end-to-end enterprise control management with single solution

Reduce cost without compromising compliance
• Provides centralized control management for automated and manual controls

Effectively manage business risk
• Enables management by exception
• Prioritizes remediation activities
• Provides management insight into the control environment

Page 24: GRC Virsa

Access Control

Process Control

Repository

Global Trade Services

Applications for EH&S Compliance Management

SAP Solutions for GRC

Questions

SAP Solutions for GRC

Page 25: GRC Virsa

SAP Global Trade Services (SAP GTS)

Integrate Systems, Data and Business Partners

Adaptable Business Processes Based on Flexible Technology Platform

Increased Productivity and Business Insight

Diagram: Teams: Logistics/Trade Team, Legal/SOX Compliance Team, IT Team, Import/Export Officer. SAP Global Trade Services on SAP NetWeaver: Trade Preference Management, Restitution Management, Export Management, Import Management. Applications: ERP, SCM/SRM, CRM, Legacy. Data: HTS, ECCN, etc., Duty Rates, SPL Data, Rules Of Origin. Business Partners: Customer & Supplier, Banks, Freight Forwarder, Customs Agencies.

Page 26: GRC Virsa

Key Compliance Issues for Higher Education

“Deemed” Exports

Public Domain Exemption

Fundamental Research Exemption

Full-time employee exemption

Educational Instruction Exemption

Government-sponsored research covered by national security contract controls

ITAR -- “defense articles” and “defense services”, especially in space research and, increasingly, in life sciences and nanotechnology research

Other applications of U.S. export controls to faculty or university research

Page 27: GRC Virsa

What agencies are involved?

State Department - International Traffic in Arms Regulation (ITAR) 22 CFR 120-130

The US Department of State, Office of Defense Trade Controls (ODTC), is responsible for items and information inherently military in design, purpose, or use. Referred to as "defense articles," such items are found on the US Munitions List, 22 CFR 121 (linked above). Spacecraft and satellites, even if not for military use, are on the Munitions List, along with their associated systems and related equipment. Information related to Defense Articles is referred to as "technical data."

Commerce Department - Export Administration Regulation (EAR) 15 CFR 700-799

The US Department of Commerce, Bureau of Industry and Security (BIS), has export jurisdiction over everything in the United States, although BIS does not require a license for every export. BIS controls goods and information having both civilian and military uses by including them on the Commerce Control List, 15 CFR 774. This is also known as the "Dual Use List" (linked above). BIS uses the term "technology" when referring to information about the goods on the Commerce Control List.

Treasury Department - Office of Foreign Assets Control (OFAC) CFR 500-599

The US Department of the Treasury oversees US trade embargoes through its Office of Foreign Assets Control (OFAC). Empowered by the Trading with the Enemy Act and the International Emergency Economic Powers Act, OFAC enforces anti-terrorism sanctions at our borders and through Customs. Concerned with the giving of "assistance" to the enemy, the pertinent regulations provide OFAC with broad authority to interdict vaguely defined "prohibited transactions" involving persons from sanctioned countries.

Page 28: GRC Virsa

How GTS manages Deemed Exports

Universities screen…

Students, Faculty, Full-Time Employees, Part-Time Employees, Researchers, Contractors/Consultants, Visitors, Partners

…in the US and globally

1) US Sanctioned Party Lists

2) US Export Administration Regulations

3) UN Sanctioned Party Lists

4) Other regulations based on industry and corporate policy

Page 29: GRC Virsa

SAP GTS – Global Compliance Across the Organization

Diagram: sources (Students, Human Resources, Sales Reps) and channels (HR, Visit, Download, Travel, Ad Hoc) feed SAP Global Trade Services (rules engine; alerts and business intelligence; integration management, workflow) on SAP NetWeaver, connected to back-end systems and the Security Compliance Team.

Visitor Entrance to Facilities – Screens visitors in real-time through a badging or visitor management system; no extra steps needed. Centralizes a global audit trail of all visitor screening and results of sanctioned party matching, with alerts triggered if a match is found.

Foreign National Students and Researchers – Screens all students and researchers against sanctioned parties lists as well as EAR/ITAR controls. Manages the licensing and exception/exemption requirements.

Human Resources Systems – Reviews all business partners, including current employees, external consultants and applicants, against the name, address, country of citizenship and project classification to ensure compliance with US EAR deemed export regulations.

Web Download Transactions – Reviews web download transactions in real-time against sanctioned parties, US EAR, US ITAR and OGA regulations.

Travel Itineraries – Screens all travel requests, itineraries and existing trips.

Page 30: GRC Virsa

Access Control

Process Control

Repository

Global Trade Services

Applications for EH&S Compliance Management

SAP Solutions for GRC

Questions

SAP Solutions for GRC

Page 31: GRC Virsa

Environment, Health & Safety: Enables Environmental Execution and Legal Compliance

Product Stewardship / Hazardous Tracking: Specification Management; Rule Based automated classifications (EH&S Expert); Automatic Report Generation and automated Distribution and Redistribution; Label Management; Substance Tracking

Workers Health and Safety: Risk Assessment; Site Inspections / Safety Measures; Measurement Management / personal related exposure profiles; Incident/Accident Management; Medical Services

Dangerous Goods / Waste Management: Regulation Data Management; Dangerous Goods Classification; Tremcard Management; Integration into logistic execution / Automated Dangerous Goods checks; Internal and External Disposal Processing

Page 32: GRC Virsa

SAP EH&S Components

Product Safety *; Hazardous Substance Management **; Dangerous Goods Management; Global Label Management; Industrial Hygiene and Safety; Occupational Health; Waste Management; Basic Data & Tools; EH&S Analytics & Reporting

SAP EH&S offers a comprehensive and complete business solution for environment, health and safety management

Diagram: Substances; Employee; Work areas

One solution for all industries
* for producers of hazardous substances (regulatory)
** for users of hazardous substances (regulatory)

Page 33: GRC Virsa

The World of SAP EH&S

Diagram: SAP ERP (Human Capital Management, Enterprise Asset Management, Research, Procurement, AR, Financials/Accounting) with business process integration to the SAP EH&S components: Product Safety & Global Label Management, Hazardous Substance Management, Industrial Hygiene and Safety, Occupational Health, Dangerous Goods Management, Waste Management, all built on Basic Data and Tools (Specifications Database).

Page 34: GRC Virsa

SAP Environment, Health and Safety (SAP EH&S) Summary

The business value derived from the most comprehensive, fully integrated EHS solution includes:

Ensure regulatory compliance: transparency by use of consistent and comprehensive reporting; Reduce Risk of Non-Compliance

Seamless integration with SAP ERP: flexible and easy reuse of master data from SAP ERP; Increase Efficiency

Designed for deployment around the world: adaptive solution based on generic and proven process models that can be configured to the individual company needs; Reduce TCO

“We are now going to integrate EHS business processes such as product safety, dangerous goods and waste management and industrial health and safety into the existing SAP R/3 environment. This integration is the real power of EH&S and will reduce EHS and other costs significantly.” Aventis

Page 35: GRC Virsa

SAP Environmental Compliance

Create regulatory compliance and control your impact on air, water, soil

• Compliance Management
• Permit Management
• Emissions Management
• Greenhouse Gas Management

"As soon as we had SAP Environmental Compliance in place, people were using that system almost entirely and stopped using Excel spreadsheets to conduct calculations," Nova Chemicals

Diagram: Industry-Specific vs. Cross-Industry. SAP EH&S (OH, IHS, WM, HSM, PS, DG); SAP REACH Compliance / Compliance for Products (CfP); SAP Environmental Compliance.

• Monitor and report environment compliance issues on plant, corporate level
• Control compliance activities, management of exception, limit tracking
• Support legally and corporate defined environmental processes - air and water emissions and wastes - compliance reporting and permit management
• Integration in SAP processes and production control systems

Page 36: GRC Virsa

Questions?

Craig Kennedy, Executive Solution Engineer, SAP Public Services, Inc., Newtown Square, PA
E [email protected]

Craig Weisiger, SAP Security Analyst, Baylor College of Medicine, Houston, TX
E [email protected]

Sherry Amos, Director, Industry Strategy, SAP Public Services, Inc., Washington, DC
E [email protected]

