Governance, Risk, and Compliance Trends and Techniques in Higher Education
Sherry Amos, Director, Industry Strategy, SAP
Craig Kennedy, Executive Solution Engineer, SAP
Craig Weisiger, SAP Security Analyst, Baylor College of Medicine

Governance, Risk, and Compliance Trends
Sherry Amos, Director, Industry Strategy, SAP

GRC in Detail
Craig Kennedy, Solution Engineer, SAP
Context: What does SAP do?
SAP ERP: Student Lifecycle, Financials, Human Capital Management, Supply Chain, Facilities, Analytics
SAP NetWeaver provides SAP ERP with a comprehensive integration platform:
• integrated out of the box
• delivers the foundation to serve all ERP applications
• Business Process Platform (ESOA)
• built to extend mySAP ERP and to integrate non-SAP systems
[Diagram: SAP NetWeaver stack]
• Composite Application Framework
• People Integration: multi-channel access, Portal, Collaboration
• Information Integration: Business Intelligence, Master Data Mgmt, Knowledge Mgmt
• Process Integration: Integration Broker, Business Process Mgmt
• Application Platform: J2EE, ABAP, DB and OS Abstraction
• Life Cycle Mgmt
© SAP AG 2007, EDUCAUSE 2007
SAP Solutions for GRC: providing the framework for an integrated approach to GRC
• Standardize components
• Automate processes
• Embed in processes
[Diagram: SAP solutions for GRC]
• Enterprise Risk Management (Risk)
• GRC Repository
• Business Applications and IT Infrastructure
• Access Control
• Compliance & Controls
• Governance: Corporate Sustainability Management
• Industries: Life Sciences, High Tech, Chemicals, Oil & Gas, Utilities
• ESOA Platform (SONA)
• Process Control
• Global Trade
• Environmental
• GRC Composites
Agenda (SAP Solutions for GRC)
• Access Control
• Process Control
• Repository
• Global Trade Services
• Applications for EH&S Compliance Management
• Questions
SAP GRC Access Control: sustainable prevention of segregation of duties violations
Foundation: a cross-enterprise library of best-practice segregation of duties rules, plus risk analysis, remediation and prevention services
Get Clean (minimal time to compliance)
• Risk Identification and Remediation: rapid, cost-effective and comprehensive initial clean-up
Stay Clean (continuous access management)
• Enterprise Role Management: enforce SoD compliance at design time
• Compliant User Provisioning: prevent SoD violations at run time
• Superuser Privilege Management: close the #1 audit issue with temporary emergency access
Stay in Control (effective management oversight and audit)
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits
Real-time Compliance 24 x 7
[Diagram: the SAP authorization hierarchy that Access Control analyzes. Authorization objects (F_BKPF_GSB, F_BKPF_BUP, F_BKPF_BUK, F_BKPF_KOA, M_MSEG_BWA, M_MSEG_LGO, M_MSEG_BWE, M_MRES_BWA, S_TCODE) → transaction codes (MIGO, SU01, FB05, MB1A, F-29, MB21, MB01, FK01, FK02) → single roles (S1 to S5) → derived roles → composite roles (C1 to C3) → users]
Risk Analysis and Remediation (aka Compliance Calibrator): getting clean
[Diagram: cycle of Risk Identification, Reporting, Risk Elimination and Prevention, with end-to-end automation]
Initial risk analysis and remediation facilitates collaboration between Business and IT to clean up access risks.
"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." (Synopsys Inc.)
Enterprise Role Definition (aka Role Expert): enables enterprise role definition and maintenance in a single location
Centralized role management across applications, with enterprise rules and an audit log in SAP GRC Access Control
• Reduce cost of role maintenance
• Ease compliance and avoid authorization risk
• Eliminate errors and enforce best practices
• Assure audit-ready traceability and security checks
28% time savings in role management (customer survey, 3/2006)
[Diagram: many application roles consolidated into compliant enterprise roles]
Compliant User Provisioning (aka Access Enforcer): enables compliant end-to-end provisioning "hire to retire"
Compliant provisioning with dynamic workflow:
1) Request generated: 100% automated from an HR event (employee hired/retired)
2) Risk analysis: one-click preventive simulation
3) Manager approval (via e-mail): path workflow based on request type and user attributes; escalation workflow; exception workflow
4) Automated provisioning: 100% automated
• Embed cross-enterprise preventive compliance in the business process
• Reduce cost of user administration
• Improve productivity of end users
• Provide auditable tracking for auditors
"We reduced provisioning from 2 weeks to 2 days" (Rockwell Collins)
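The risk analysis of the Compliance Calibrator slide ("get clean") and the one-click preventive simulation of the provisioning slide ("stay clean") both come down to the same computation: resolve a user's roles to the transactions they grant and evaluate a rule set of conflicting functions. The following is an added example written for this page; it is not code from the presentation or from SAP GRC Access Control. The role model, user assignments and SoD rules are constructed for illustration (the transaction codes are real SAP transactions, but the conflict pairs are not taken from SAP's delivered rule library), and the single/derived/composite inheritance is a simplification of how SAP roles nest:

```python
"""Segregation-of-duties (SoD) risk analysis with preventive simulation.

Resolves each user's effective transaction codes through composite,
derived and single roles, evaluates a rule set of conflicting functions,
and simulates a provisioning request before it is approved.

All role, user and rule data below is constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    func_a: frozenset   # transaction codes that make up function A
    func_b: frozenset   # transaction codes that make up function B
    risk_level: str


# Illustrative rule set (not SAP's delivered rule library). FK01/FK02 maintain
# vendor master records, FB05 posts with clearing, MB01/MIGO post goods receipts.
RULES = [
    SodRule("R01", "Maintain vendor master AND post/clear vendor documents",
            frozenset({"FK01", "FK02"}), frozenset({"FB05"}), "High"),
    SodRule("R02", "Post goods receipt AND maintain vendor master",
            frozenset({"MB01", "MIGO"}), frozenset({"FK01", "FK02"}), "Medium"),
]
# Transactions that are a finding on their own (constructed list).
CRITICAL = {"SU01": "user master maintenance in a production client"}

# Constructed role model: single roles carry transactions, derived roles
# inherit their parent's transactions, composite roles bundle other roles.
SINGLE = {
    "S1": {"FK01", "FK02"},
    "S2": {"FB05", "F-29"},
    "S3": {"MB01", "MIGO", "MB1A"},
    "S4": {"MB21"},
    "S5": {"SU01"},
}
DERIVED = {"S1_HOU": "S1", "S3_HOU": "S3"}          # derived role -> parent
COMPOSITE = {"C1": {"S1_HOU", "S2"}, "C2": {"S3_HOU", "S4"}, "C3": {"S5"}}
USERS = {"U_CLEAN": ["S2"], "U_CONFLICT": ["C1"], "U_ADMIN": ["C3", "S4"]}


def transactions_of(role):
    """Resolve a single, derived or composite role to its transaction codes."""
    if role in SINGLE:
        return set(SINGLE[role])
    if role in DERIVED:
        return transactions_of(DERIVED[role])
    if role in COMPOSITE:
        return set().union(*(transactions_of(child) for child in COMPOSITE[role]))
    raise KeyError(f"unknown role {role!r}")


def effective_transactions(roles):
    """Union of everything the listed roles grant, whatever their type."""
    return set().union(*(transactions_of(r) for r in roles))


def analyse(roles, mitigated=()):
    """Findings for a role set as (rule id, risk level, evidence) tuples.

    Rule ids listed in `mitigated` (a documented mitigating control) are
    suppressed; critical single transactions are always reported.
    """
    tcodes = effective_transactions(roles)
    findings = []
    for rule in RULES:
        hit_a, hit_b = tcodes & rule.func_a, tcodes & rule.func_b
        if hit_a and hit_b and rule.rule_id not in mitigated:
            findings.append((rule.rule_id, rule.risk_level,
                             f"{sorted(hit_a)} with {sorted(hit_b)}"))
    for tcode, why in CRITICAL.items():
        if tcode in tcodes:
            findings.append((f"CRIT-{tcode}", "Critical", why))
    return findings


def simulate_request(current_roles, requested_role, mitigated=()):
    """Preventive simulation: only the findings that the request would ADD."""
    before = {f[0] for f in analyse(current_roles, mitigated)}
    after = analyse(list(current_roles) + [requested_role], mitigated)
    return [f for f in after if f[0] not in before]


if __name__ == "__main__":
    for user, roles in USERS.items():          # "get clean": scan existing users
        print(user, analyse(roles) or "clean")
    # "stay clean": check a request before the approver sees it
    print("U_CLEAN + S1_HOU would add:", simulate_request(USERS["U_CLEAN"], "S1_HOU"))
```

Two points of the slides show up directly in the code: a conflict is only reported when the user actually holds transactions on both sides of a rule (holding FB05 alone is not a finding), and a mitigating control suppresses a rule for that user without deleting the access, which is the "mitigation controls" mechanism Baylor mentions later. The simulation reports only findings that are new relative to the user's current state, so a request that adds no additional risk to an already-mitigated user does not generate a second alert.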
Superuser Privilege Management (aka Firefighter): enables compliance-focused emergency access for SAP
Compliant super user access
[Diagram: a super user checks out a firecall ID per functional area (SD, MM, FICO, ...); each checkout opens a new session that is logged; SAP_ALL is shown alongside the firecall IDs]
• Preassigned firefighter IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log
• Close #1 open audit issue
• Avoid business obstructions with faster emergency response
• Reduce audit time
• Reduce time to perform critical tasks
"Super users and auditors love it" (Lincoln Electric)
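The controls listed on the Firefighter slide (preassigned IDs, access restrictions, validity dates, a log of everything done in the session) are the generic break-glass pattern. The following is an added example that models them; it is not SAP's Firefighter implementation and not code from the presentation. The firecall ID name, users, dates, ticket reference and the list of "critical" transactions are constructed for the example:

```python
"""Break-glass ("firefighter") emergency access with a reviewable session log.

A firefighter ID is preassigned to exactly one owner, can only be checked out
inside its validity window and with a stated reason, and every transaction run
in the session is recorded for the controller's review. Constructed model; it
is not SAP's Firefighter implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class FirefighterId:
    ff_id: str            # e.g. FF_FICO, a firecall ID for the FI/CO area
    owner: str            # the single user allowed to check it out
    valid_from: datetime
    valid_to: datetime
    controller: str       # reviews the session log afterwards


@dataclass
class Session:
    ff_id: str
    user: str
    reason: str
    started: datetime
    log: list = field(default_factory=list)   # (timestamp, tcode, detail)


class Checkout(Exception):
    """Raised when a checkout attempt violates one of the access restrictions."""


def checkout(ff, user, reason, now):
    """Enforce the restrictions before a session exists at all."""
    if user != ff.owner:
        raise Checkout(f"{ff.ff_id} is not assigned to {user}")
    if not ff.valid_from <= now <= ff.valid_to:
        raise Checkout(f"{ff.ff_id} is outside its validity window")
    if not reason.strip():
        raise Checkout("a reason is required for emergency access")
    return Session(ff.ff_id, user, reason, now)


def execute(session, tcode, detail, now):
    """Every transaction in the session is logged; nothing is off the record."""
    session.log.append((now, tcode, detail))


def review_report(session, critical):
    """Controller view: each executed transaction, critical ones flagged."""
    return [{"time": t.isoformat(timespec="minutes"), "tcode": tc,
             "detail": d, "flag": "CRITICAL" if tc in critical else ""}
            for t, tc, d in session.log]


def demo():
    """One emergency-access cycle on constructed data; returns (report, rejected)."""
    ff = FirefighterId("FF_FICO", owner="cweisiger",
                       valid_from=datetime(2007, 10, 1),
                       valid_to=datetime(2007, 10, 31, 23, 59),
                       controller="fi_controller")
    rejected = []
    attempts = [  # wrong owner, outside window, missing reason
        ("someone_else", "month-end run stuck", datetime(2007, 10, 15, 9, 0)),
        ("cweisiger", "month-end run stuck", datetime(2007, 11, 2, 9, 0)),
        ("cweisiger", "   ", datetime(2007, 10, 15, 9, 0)),
    ]
    for user, reason, when in attempts:
        try:
            checkout(ff, user, reason, when)
        except Checkout as exc:
            rejected.append(str(exc))
    s = checkout(ff, "cweisiger", "month-end run stuck, ticket INC-0000 (constructed)",
                 datetime(2007, 10, 15, 9, 0))
    execute(s, "FB05", "post with clearing (constructed)", datetime(2007, 10, 15, 9, 5))
    execute(s, "SU01", "reset batch user password (constructed)", datetime(2007, 10, 15, 9, 12))
    # constructed critical list: user administration and direct table access
    return review_report(s, critical={"SU01", "SE16", "SM30"}), rejected


if __name__ == "__main__":
    report, rejected = demo()
    for line in rejected:
        print("rejected:", line)
    for row in report:
        print(row)
```

The one-to-one owner check is the same choice Baylor describes later (one Firefighter account per user): it makes every logged action attributable to a person rather than to a shared ID, which is what the auditor needs when the "close #1 audit issue" claim is tested.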
Management Oversight: periodic access reviews
Management reviews user provisioning, potential risks, actual risks, policy and emergency access
• Management by exception
• Automated, pre-built access controls reporting
• Review of roles, users and mitigation controls
"The SAP applications not only help ensure good governance and compliance, they also reduce the effort involved so that our people can focus more on the business." (Xerox Europe)
Audit: comprehensive and efficient auditing
Internal Audit:
1) Validate via sampling that changes to access were appropriately authorized
2) Validate that segregation of duties risks are appropriately mitigated on a sample basis
• Equips internal and external auditors to complete comprehensive and efficient testing
• Saves audit and audit-related fees
"[Our audit firm] agreed to use the SAP GRC Access Control reports in the audit as evidence for control effectiveness. We saved very significantly on time and money spent on external audit fees." (Synopsys, Inc.)
GRC at Baylor College of Medicine
Craig Weisiger, SAP Security Analyst, Baylor College of Medicine
Background and General Info
Baylor College of Medicine
• SAP implementation: 1999
• Major upgrade / role rebuild in 2003
• Implemented Virsa VRAT, VFAT and VRMT in 2003
• VFAT to Firefighter in 2004
• VRAT to Compliance Calibrator in 2006
• Presently on ERP (ECC5), SRM, ESS and Portal
Current Environment
• Users: 14,000
• R/3 roles: 5,200 (main roles 417, composite roles 45, derived roles 2,897, fund center controlling roles 1,841)
• SRM roles: 34 (end-user assigned roles 14, communication or support roles 30)
• Portal roles: 10 (assigned to users 4, communication or support roles 6)
[Diagram labels: Virology, Biology, Medicine]
Support and Admin
• Decentralized admin: 60+ (SAM, Security Admin Module), by department
• Central support and role maintenance: 2 (all role maintenance, central user admin, second-level help desk, admin support, GRC management, IDM project lead)
The Access Control Suite
• Firefighter: widely used with SMEs and Audit; one-to-one Firefighter account to user; special roles for viewing reports
• Compliance Calibrator: in place during 3 external audits; audit has found no issues with roles; assignment issues with users (mitigation controls moved responsibility to the business units)
• Role Expert: have elected not to use at this time due to our role design; would recommend Role Expert for new installations
• Access Enforcer: not installed
Key Benefits
• Reduce false positives and focus on analyzing real issues
• Catch "low hanging fruit" (e.g. role analysis)
• Focus on SoD issues by functional area (HR, FI) and/or risk level; reduce analysis time (BPOs, WPOs, IT)
• Assist with mitigation controls (i.e. documentation and risk acceptance process)
• Aid in monitoring actual execution of conflicting critical transactions
• Proactively maintain compliance via simulation
• Reduce cost related to audits
• Additionally, provides monitoring capabilities for firefighter access to Production (i.e. monitor every transaction used during a firefighter session)
Key Drivers
• Reduce auditing cost: audit effort (Internal Audit); response effort (BPOs, WPOs, IT)
• Proactively mitigate and reduce audit issues
• Evaluate the business impact (role changes) prior to implementing a requested change
• Reduce rework effort by enabling a pre-check of SoD issues
• Reporting capabilities: real time, distributed to the appropriate managers
SAP Solutions for GRC: Process Control
SAP GRC Process Control
[Diagram: Document → Test → Monitor → Certify across business processes and IT infrastructure, organized as Process - Control - Objective - Risk]
• Perform assessments
• Test automated controls
• Test manual controls
• Certify and sign-off (302, designs, ...)
• Review exceptions, remediate issues
[Survey slide: "Has production been improved with the installation and implementation of SAP?" Yes / No; the audience response chart is not recoverable]
SAP GRC Process Control: controls process management and continuous controls monitoring
• Increase confidence in the effectiveness of controls: supports end-to-end enterprise control management with a single solution
• Reduce cost without compromising compliance: provides centralized control management for automated and manual controls
• Effectively manage business risk: enables management by exception, prioritizes remediation activities, provides management insight into the control environment
SAP Solutions for GRC: Global Trade Services
SAP Global Trade Services (SAP GTS)
[Diagram: SAP GTS on SAP NetWeaver integrates applications (ERP, SCM/SRM, CRM, legacy), trade data (HTS, ECCN, duty rates, SPL data, rules of origin) and business partners (customers and suppliers, banks, freight forwarders, customs agencies); used by the logistics/trade team, the legal/SOX compliance team, the IT team and the import/export officer]
• Integrate systems, data and business partners
• Adaptable business processes based on a flexible technology platform
• Increased productivity and business insight
Modules: Trade Preference Management, Restitution Management, Export Management, Import Management
Key Compliance Issues for Higher Education
“Deemed” Exports
Public Domain Exemption
Fundamental Research Exemption
Full-time employee exemption
Educational Instruction Exemption
Government-sponsored research covered by national security contract controls
ITAR -- “defense articles” and “defense services”, especially in space research and, increasingly, in life sciences and nanotechnology research
Other applications of U.S. export controls to faculty or university research
What agencies are involved?
State Department: International Traffic in Arms Regulations (ITAR), 22 CFR 120-130
The US Department of State, Directorate of Defense Trade Controls (DDTC, formerly the Office of Defense Trade Controls, ODTC), is responsible for items and information inherently military in design, purpose, or use. Referred to as "defense articles," such items are found on the US Munitions List, 22 CFR 121. Spacecraft and satellites, even if not for military use, are on the Munitions List, along with their associated systems and related equipment. Information related to defense articles is referred to as "technical data."
Commerce Department: Export Administration Regulations (EAR), 15 CFR 730-774
The US Department of Commerce, Bureau of Industry and Security (BIS), has export jurisdiction over everything in the United States, although BIS does not require a license for every export. BIS controls goods and information having both civilian and military uses by including them on the Commerce Control List, 15 CFR 774, also known as the "Dual Use List." BIS uses the term "technology" when referring to information about the goods on the Commerce Control List.
Treasury Department: Office of Foreign Assets Control (OFAC), 31 CFR 500-599
The US Department of the Treasury oversees US trade embargoes through its Office of Foreign Assets Control (OFAC). Empowered by the Trading with the Enemy Act and the International Emergency Economic Powers Act, OFAC enforces anti-terrorism sanctions at our borders and through Customs. Concerned with the giving of "assistance" to the enemy, the pertinent regulations provide OFAC with broad authority to interdict vaguely defined "prohibited transactions" involving persons from sanctioned countries.
How GTS manages deemed exports
Universities screen students, faculty, full-time employees, part-time employees, researchers, contractors/consultants, visitors and partners, in the US and globally, against:
1) US Sanctioned Party Lists
2) US Export Administration Regulations
3) UN Sanctioned Party Lists
4) Other regulations based on industry and corporate policy
SAP GTS: global compliance across the organization
[Diagram: events from HR, visits, downloads, travel, ad hoc checks, students and sales reps flow through the back-end systems into SAP Global Trade Services (rules engine; alerts and business intelligence; integration management and workflow) and on to the security compliance team]
Visitor entrance to facilities: screens visitors in real time through a badging or visitor management system; no extra steps needed. Centralizes a global audit trail of all visitor screening and the results of sanctioned party matching, with alerts triggered if a match is found.
Foreign national students and researchers: screens all students and researchers against sanctioned party lists as well as EAR/ITAR controls. Manages the licensing and exception/exemption requirements.
Human resources systems: reviews all business partners, including current employees, external consultants and applicants, against name, address, country of citizenship and project classification to ensure compliance with US EAR deemed export regulations.
Web download transactions: reviews web download transactions in real time against sanctioned parties and US EAR, US ITAR and OGA regulations.
Travel itineraries: screens all travel requests, itineraries and existing trips.
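Every item above (visitor badging, student admission, HR records, downloads, travel) is the same screening step applied to a different event: normalise the name, compare it against the sanctioned-party lists, and raise an alert on a match. The following is an added example of that step written for this page; it is not SAP GTS code and not part of the original slides. The denied-party entries are constructed placeholders rather than real list data, and the similarity threshold is an assumption to be tuned against the false-positive rate of the real lists:

```python
"""Sanctioned-party screening: normalise a name, compare it with a denied-party
list using exact and fuzzy matching, and produce an alert for the compliance
team on a candidate match. The list entries are constructed placeholders, not
real sanctions data; this is not SAP GTS code.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed denied-party entries: (source list, entry name, country)
DENIED = [
    ("US-SDN-LIKE", "Example Trading Company", "XX"),
    ("UN-LIKE", "Ivan Petrov Primerov", "XX"),
    ("US-ENTITY-LIKE", "Northern Research Institute", "XX"),
]
# Legal-form words that should not drive a match on their own
STOPWORDS = {"the", "co", "company", "corp", "corporation", "inc", "ltd", "llc"}


def normalise(name):
    """Fold accents, case and punctuation; drop legal-form words; sort tokens
    so that 'Petrov, Ivan' and 'Ivan Petrov' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    return " ".join(sorted(t for t in tokens if t not in STOPWORDS))


def screen(name, threshold=0.85):
    """Candidate matches as (source list, entry, score), best first.

    `threshold` is an assumption; tune it against the false-positive rate of
    the real lists. An empty result means the name screened clear.
    """
    query = normalise(name)
    hits = []
    for source, entry, _country in DENIED:
        score = SequenceMatcher(None, query, normalise(entry)).ratio()
        if score >= threshold:
            hits.append((source, entry, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])


def alert(event, subject, hits):
    """The record the compliance team receives; None when the subject is clear.
    A match puts the transaction (badge, download, trip) on HOLD for review."""
    if not hits:
        return None
    return {"event": event, "subject": subject, "status": "HOLD", "matches": hits}


if __name__ == "__main__":
    for event, subject in [("visitor badge", "Example Trading Co."),
                           ("student admission", "Primerov, Iván Petrov"),
                           ("web download", "Exampel Trading Co"),
                           ("travel request", "Jane Doe")]:
        print(event, subject, "->", alert(event, subject, screen(subject)))
```

Two practical caveats the slides do not spell out: name order, accents and legal-form suffixes are the usual reasons a genuine match is missed, which is why they are normalised away before comparison; and a fuzzy match is a hold for human review, not a determination, so the alert carries the evidence (source list, entry, score) rather than a verdict.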
SAP Solutions for GRC: Applications for EH&S Compliance Management
Environment, Health & Safety: enables environmental execution and legal compliance
• Product Stewardship / Hazardous Tracking: specification management; rule-based automated classifications (EH&S Expert); automatic report generation and automated distribution and redistribution; label management; substance tracking
• Workers Health and Safety: risk assessment; site inspections / safety measures; measurement management / person-related exposure profiles; incident/accident management; medical services
• Dangerous Goods / Waste Management: regulation data management; dangerous goods classification; Tremcard management; integration into logistics execution / automated dangerous goods checks; internal and external disposal processing
SAP EH&S Components
Product Safety*, Hazardous Substance Management**, Dangerous Goods Management, Global Label Management, Industrial Hygiene and Safety, Occupational Health, Waste Management, Basic Data & Tools, EH&S Analytics & Reporting
SAP EH&S offers a comprehensive and complete business solution for environment, health and safety management: one solution for all industries, covering substances, employees and work areas, with business process integration.
* for producers of hazardous substances (regulatory); ** for users of hazardous substances (regulatory)
The World of SAP EH&S
[Diagram: SAP EH&S components (Product Safety & Global Label Management, Hazardous Substance Management, Industrial Hygiene and Safety, Occupational Health) built on Basic Data and Tools (specifications database) and integrated with SAP ERP: Human Capital Management, Enterprise Asset Management, Research, Procurement, AR, Financials/Accounting]
SAP Environment, Health and Safety (SAP EH&S) Summary
The business value derived from the most comprehensive, fully integrated EHS solution includes:
• Ensure regulatory compliance and reduce the risk of non-compliance: transparency through consistent and comprehensive reporting
• Increase efficiency: seamless integration with SAP ERP; flexible and easy reuse of master data from SAP ERP
• Reduce TCO: designed for deployment around the world; an adaptive solution based on generic and proven process models that can be configured to the individual company's needs
"We are now going to integrate EHS business processes such as product safety, dangerous goods and waste management and industrial health and safety into the existing SAP R/3 environment. This integration is the real power of EH&S and will reduce EHS and other costs significantly." (Aventis)
SAP Environmental Compliance
Create regulatory compliance and control your impact on air, water and soil
• Compliance Management
• Permit Management
• Emissions Management
• Greenhouse Gas Management
"As soon as we had SAP Environmental Compliance in place, people were using that system almost entirely and stopped using Excel spreadsheets to conduct calculations." (Nova Chemicals)
[Diagram: industry-specific versus cross-industry offerings: SAP EH&S (OH, IHS, WM, HSM, PS, DG), SAP REACH Compliance (REACH Compliance for Product) and SAP Environmental Compliance (Environ CfP)]
• Monitor and report environmental compliance issues at plant and corporate level
• Control compliance activities, management of exceptions, limit tracking
• Support legally and corporately defined environmental processes: air and water emissions and wastes; compliance reporting and permit management
• Integration into SAP processes and production control systems
Questions?
Craig Kennedy, Executive Solution Engineer, SAP Public Services, Inc., Newtown Square, PA
Craig Weisiger, SAP Security Analyst, Baylor College of Medicine, Houston, TX
Sherry Amos, Director, Industry Strategy, SAP Public Services, Inc., Washington, DC