
IA SAP Security Meeting Agenda VF 20151104 - Presentation

Date post: 20-Feb-2018
Upload: spicychaitu

Transcript
  • 7/24/2019 IA SAP Security Meeting Agenda VF 20151104 - Presentation

    SAP logical separation risks and controls working session

    Discussion Document

    November 4, 2015

    Discussion agenda

    • Introductions, confirm problem statement and objectives (15 minutes)
    • Level set on progress to-date (15 minutes)
    • Discuss enterprise risk framework (10 minutes)
    • Level set on SAP security architecture (10 minutes)
    • Lessons learned from other spins and carve-outs (30 minutes)
    • Co-develop solution framework and options (30 minutes)
    • Co-develop roadmap (10 minutes)

    Background and objectives

    Background

    • After careful consideration of timeline, risks, resources and other factors, the Air Products team has decided to deploy "logical separation" through security to segregate the SAP ECC system and ancillary systems to achieve Day One of the MT spin
    • The IT team has encountered certain technical constraints to fully secure the environment that, if not addressed, may result in material weaknesses in the controls environment

    Problem Statement

    • Develop a solution, in a cost effective manner and commensurate with the risk, to demonstrate that only people who are authorized to write did write, for both the MT and IG businesses

    Working Session Objectives

    • Develop framework for analyzing solutions
    • Develop options, both technical and non-technical
    • Develop roadmap to solving the issues

    Role Testing Progress to Date

    Test Results

    Role                    Tested   Results
    Accounting              80       3 pass, 43 fail or warning
    MT Technician           105      5 pass, 4 fail or warning
    Buyer Sourcing                   55 pass, 24 fail or warning
    Customer Service Rep    52       34 pass, 18 fail or warning

    AP Testing Approach

    1. Create MT Security roles with NL changes (Plant Co Code, etc.)
    2. Role Category Owner (or designee) performs testing
    3. Identify/document gaps discovered during testing
    4. Review documented gaps - approve as is or recommend remediation path
    5. Remediate identified issues
    6. Repeat starting at Step 2

    Enterprise risk management: Risk areas

    Risk area: IT logical access post-separation

    Risk area: Internal Controls over Financial Reporting (ICFR)

    Columns: Risk examples (High Level); Potential mitigating actions; Impact if not mitigated; Impacted organization

    compliant on Sep 201

    Materials Technology

    Note: Other separation risk areas could be identified through a targeted risk assessment exercise.

    Security in SAP: Standard vs Custom

    • Both standard and custom transaction security is based on what is in the source code
    • Even SAP standard is not consistent in using source code to secure data

    Standard transactions:

    • Most commonly used transactions have robust security
    • Some less commonly used transactions have gaps
    • Organizational levels are used in most transactions
    • Some standard transactions lack organizational security

    Custom transactions:

    • Some may be copied over from standard transactions and may inherit security objects
    • Others that are completely custom may not have any objects
    • Security authorizations depend on the coders and what was used
    • Security objects may not be easy to find, depending on layers of source code

    Technical security authorization concept

    SAP Authorization Concept Environment

    [Diagram: Position > Composite role > Single role > Transaction > Organizational value > Activity]

    • Position: Project Accountant
    • Composite role: Project accountant for Materials Technologies
    • Single roles: Maintain project systems; Journal entry posting; Settle projects; Display accounting
    • Transactions: Post journal entry; Create work breakdown structure; Reverse journal entry; Post project settlement; Display accounting document
    • Organizational values: Plant; Company code; Cost center; Controlling area; Profit center
    • Activities: Create; Change; Display; Delete; Reverse

    Example: Display accounting document (FB03), checked against Accounting Document: Authorization for Company Codes (F_BKPF_BUK)

    Testing results breakdown analysis

    Already tested transactions

    Out of the 17 transactions:
    • With SAP standard authorization control by org level: 13
    • Without SAP standard authorization control by org level: 4

    Out of the 100 transactions:
    • With SAP standard authorization control by org level: 4
    • Without SAP standard authorization control by org level: 13
    • To be confirmed: 41

    Our experiences

    Columns: Divestiture or Spin; Complexities; Sample scope

    Divestiture or Spin: $17bn multinational electricity and gas utility company separation of a state-owned utility subsidiary to another publicly listed utility company

    Complexities:
    • Single instance of SAP ECC in North America with 10,000 users. Profiles had open access without limitations by company code
    • Separation of data and access was a key part of the carve-out

    Sample scope:
    • Leveraged standard SAP organizational security settings where possible
    • Assisted in extensive testing to identify gaps in standard security and through custom transactions
    • Removed transactions that could not be secured properly and were not essential for the business
    • Changed coding when transactions were not secure but had high business impact

    Divestiture or Spin: Automotive supplier carved-out from a Fortune 100 diversified industrial company

    Complexities:
    • Single instance of SAP had open access without limitations by organization structures (company codes, profit centers, plants, etc.)
    • Very short window to closing the transaction

    Potential solution options

    Source: EY project experience and SAP data

    • Over 0% of standard SAP transactions offer org level as authorization criteria
    • Basis
    • Over 0% support standard SAP authorization controls using organization levels
    • Not used by MT, covered through IT TSA
    • Limited access by MT, covered through Business TSA; manual process needed
    • Out of scope for this discussion
    • May need customized technical solutioning or workarounds

    Risk impact of security roles vs usage frequency: Examples for discussion

    [Chart: Mapping of roles by risk impact and frequency. Axes: Risk Impact, Low (rating 1) to High (rating 5); Frequency, Low (rating 1) to High (rating 5). Sample role transactions from AP testing log.]

    Exclude material

    Transactions plotted:
    • Post Entries in General Ledger
    • Profit Center Reporting
    • Change Customer Delivery
    • Process Sales Orders
    • Change Batch Info.
    • Display Material Master
    • Enter Time Sheet
    • Display Proc. Contract
    • Display PM Orders
    • Change PM Orders
    • Stock Overview
    • Change Customer Contact Person

    Potential approach to address key risks

    Axes: Risk ranking (Low to High); Operational importance (Low to High)

    Quadrants:
    • Custom solutions or TSA
    • Minimal effort needed
    • Retire or find process alternative / compensating control
    • Monitoring

    Technical solutions (

    Solution framework for discussion

    Phases: Define objectives; Evaluate risks and impact; Identify solutions; Implement solutions

    Procedures

    • Define enterprise risks and overall security separation objectives
    • Define type of access required by MT and acceptable to AP
    • Inventory and classify all transactions by risk and impact
    • Assess output of IT testing against transaction risk classification and overall objectives
    • Align with Day One operating model (role changes, process changes and TSA needs)
    • Options to be evaluated for critical transactions:
      1. Stay the path and absorb risks
      2. Redesign new profiles
      3. Leverage compensating controls
      4. Deploy technical solutions (e.g., user exit)
      5. Additional TSA services or legal means (NDA)
    • Leverage existing IT, Internal Audit and Spin PMO procedures to develop, test, train and deploy
    • Implement and test compensating controls, including security access to manage audit and ICFR risk

    Tools

    • EY Security Assessment Workbench (see appendix)
    • Custom tcode analysis tool (see appendix)
    • SAP GRC
    • Day One operating model and detailed process and product flows
    • Task-based role model (see appendix)
    • Position-role mapping accelerator database
    • Spin milestones
    • EY Global Audit Methodology

    Appendix A: EY Practitioner Bios

    MICHAEL PORTER
    Partner

    Risk Transformation

    Phone: 1 31 81 223

    Email: michael.porter@ey.com

    Professional Experience Summary

    Michael Porter is a Partner in the Advisory Services practice of Ernst & Young LLP. Michael has over 23 years of experience which includes providing IT risk, controls and technology consulting services to large global Fortune 500 companies. His experience includes leading security and control design projects for global SAP implementations, leading the implementation of SAP GRC v10, as well as leading multiple AICPA SOC reporting engagements, financial auditing, IT auditing (including IT General Controls), and data analysis. He has served as the Midwest Region Third Party Reporting Practice Leader as well as Indiana's IT Risk and Assurance (ITRA) Leader. Michael also has extensive experience in addressing business process and IT controls, SAP security role design, system implementation testing, risk assessments and Sarbanes-Oxley controls and security.

    Engagement Experience

    • Extensive experience in leading internal controls design and implementation of SAP controls and security for large companies including life sciences and global Fortune 100 companies. Primary responsibilities included providing security and internal control expertise with a focus on automating internal controls during business transformations.

    • Led the SAP internal controls, GRC and security team for a major

    BRIAN ZIEGLER
    Senior Manager

    Risk Transformation - SAP Security

    Phone: 1 3 2 42

    Email: brian.ziegler@ey.com

    Professional Experience Summary

    Brian Ziegler is a Senior Manager of the Risk Transformation practice of Ernst & Young LLP. Brian is considered by the industry to be a Subject Matter Resource in SAP Security with fifteen years of SAP experience and a strong knowledge of project management, as well as a firm foundation in operations, access controls, and process controls.

    Project Management

    • Liaised with two site accounting managers in major automotive manufacturing plants to resolve accounting and month end close processes
    • Served as project manager for multifunctional SAP support model, helping with HR, SD, FICO, TM, PS and MM resources with responsibility for over $2 million in annualized billings
    • Served for three years as on-site functional Sales and Distribution liaison

    SAP Security Experience & GRC Access Controls Experience

    • Assisted client with managed service transaction spin by performing logical separation of security roles, reviewing risk and assisting on appropriateness of transaction service agreement, non-disclosure agreement and overall security design
    • Co-led with client HR security role remediation deployment
    • Provided thought leadership around SAP role design leading practices
    • Acted as functional lead of two SAP security role redesign projects
    • Worked on eight full system life cycle implementations
    • Developed functional design documents, technical design documents, led off-shore and on-shore teams of initial and full life cycle implementations
    • Developed scalable security models that could be leveraged for cross functional implementations and designed for sustainability
    • Managed productions support defects and role design changes for large scale (20,000 users) implementation
    • Strong experience in a variety of functions, including Finance, Supply Chain, Human Resources, and Business Planning and Consolidations
    • Evaluated sensitive and critical access issues around critical HR activities
    • Helped with cross-functional issues involving security and functional issues
    • Evaluated SoD rule sets for "false positives" and "false negatives", tailoring the rule set to appropriately identify and remediate or mitigate appropriate risks
    • Assisted custom transaction review procedures and added custom transactions to rule sets
    • Developed training materials for a large community (1000) of end users in GRC 10.0

    EDWARD CAMPBELL
    Senior Manager

    Risk - Internal Audit

    Phone: 1 10 13 8081

    Email: ed.campbell@ey.com

    Professional Experience Summary

    Ed Campbell is a Senior Manager in the Advisory Services practice of EY. Ed has over twelve years' experience in helping clients build success and execute against their goals, while managing risks across their business. Ed has diverse skillsets in risk management across business processes and technologies, as well as across risk categories including operational, financial, strategic and compliance risk. Ed has led technology and enterprise wide risk assessments, Cybersecurity program assessments, and is well versed in the use of data analytics to inform business and risk intelligence. Ed is responsible for overseeing large multi-national internal and external audit engagements and is experienced on Internal Controls over Financial Reporting (ICFR) requirements. Ed also has extensive experience in project management methods, Service Organization Control Reporting engagements, IT governance, and data governance.

    Engagement experience

    • For two multi-billion dollar Chemicals/Industrial Products companies Ed led Internal Audit transformation activities by advising on changes to IA vision, people model, delivery model and IA enabling technologies. He was responsible for developing and defining short term and long term internal audit plans, performing company-wide risk assessments and special projects. Ed has broad Internal Audit experiences in teaming with Subject Matter Resources to execute diverse risk based reviews including Sustainability Assurance, Anti-bribery/Anti-Corruption, Data Quality Assessments, IT security assessments, Attack and Penetration, Social Engineering, Cloud Computing, multi-stage system development lifecycle reviews.

    • Ed has led and performed Internal and External Audit support during pre/post transaction events for large national and multi-national companies. As part of the external audit team Ed has led technology and control reviews supporting retro-active financial statement carve-out audits, as well as data analytics in support of SEC filings. Ed has also performed, in this role, reviews of acquisition company controls for the purposes of ICFR readiness. On multiple Internal Audit clients Ed has performed security, data, and other system reviews, as well as business process controls and project governance audits for company spin-offs and separation (future SEC registrant) transactions.

    • Ed is a leader in our Financial Audit IT Integration (FAIT) competency. Ed has deep experiences in supporting our External Financial Audit team's work around technology risk and our ICFR opinion. Ed has supported the development of our FAIT transformation program and methodology. He is a quality leader supporting our Internal Quality programs, including our PCAOB inspection process. Ed has also led teams through risk and control identification, process flow documentation, and understanding the flow of information in business processes as an internal controls specialist (internal project). As part of the financial audit process, Ed has conducted hundreds of reviews of internal controls for compliance under Section 404 of the Sarbanes-Oxley Act. Federal Government projects also include performing audits using the FISCAM methodology.

    • Ed has experience in the planning, execution and implementation of data analytics program, as well as data governance and data quality assessments. For a Fortune 500 global consumer products company, Ed developed a framework for the application of data analytics in the internal audit process. For a utilities company in the water and wastewater industry, managed a data quality assessment across six key business processes as part of a company-wide Business Transformation.

    • Performed independent verification and third-party reporting procedures through Service Organization Reporting reviews for a patient Bill Review and Case Management Service Company, as well as state level Medicaid processors. Responsibilities include evaluating the design of and testing the operational effectiveness of transaction processing, application specific controls, access (physical and logical) controls, and program change controls.

    SONNY ORIGITANO
    Senior Manager

    Transaction Advisory Services - IT spins and divestitures

    Phone: 1 312 8 2852

    Email: sonny.origitano@ey.com

    Professional Experience Summary

    Sonny is part of the Operational Transaction Services (OTS) practice focused on due diligence, integration and separation from an IT perspective. He has more than 20 years experience identifying and delivering business value through the effective use of technology. During his career, he has worked with a number of strategic and private equity clients to conduct strategic information system planning, software selection, business process optimization, program management, application development and implementation initiatives across several industries. Implementations included e-business, enterprise resource planning (ERP), customer relationship management (CRM), web portal, custom developed applications, and data warehousing and mining solutions.

    Sonny has extensive experience in pre-close and post-close integration and separation strategy and execution including; one-time cost identification; stand-alone financial and operating models and synergy identification. He has experience in several industries including consumer packaged goods (CPG), manufacturing, distribution, retail, mining and transportation and logistics. Previously, Sonny served as a Director with KPMG in their Transaction Restructuring practice focused on identifying financial and business implications based on the impact of technology as well as integrating and separating companies. He also previously served as Vice President of Advisory Services focused on aligning information technology with business initiatives and headed up the Program Management Office (PMO) for The Bradford Exchange.

    He has been a contributing editor for the Merger & Acquisition Journal for leading practices titled "Don't Overlook IT When Calculating the Value-Creation Potential of a Deal", a contributor for the Forrester report "A CIO's Guide To Merger And Acquisition Planning" as well as spoken at conferences including the Executive Technology Club and Midwest Regional

    Appendix B: EY project experiences

    Day 1 ERP highlights from past transactions

    Columns: Description of SpinCo; Duration; Number of Countries; SpinCo Revenue; SpinCo Day 1 ERP (Logically Separate, Clone (w/ data), Clone (w/o data), New); Day 1 Support Model (TSA, SpinCo owned); Notes

    Nutritional products
      &' () *+, P P
      • Creation of new entities and logically separated within RemainCo ERP system for Day 1
      • Provided 1. month TSA for SpinCo to implement new ERP system

    Professional Wound Care Business
      /*' Months )+ (1*0, P P
      • Creation of new entities and logically separated within RemainCo ERP system for Day 1
      • Provided 1. month TSA for SpinCo to implement new ERP system

    Performance Chemicals
      1& Months &2 (& * /, P P
      • Copy of RemainCo ERP instance with data cleansing / conversion prior to Day 1
      • Provided TSA support to SpinCo
      • Build/Config 'mth, /mth data migration/test
      • IT application support primarily outsourced

    Animal health business
      6 (+ * &, P P P
      • Multiple ERP platforms globally
      • Logically separated within SAP ERP platforms; cloned other financial platforms with data conversion prior to Day 1

    Pharmaceutical business
      / Months 12 (0, P P P P
      • Mix of logical separation and new ERP implementation
      • New ERP was implemented pre Day 1 for some regions and others had IT TSA until the implementation was finalized
      • Two ERP systems with dedicated teams

    Selected companies had relatively minor to moderate systems isolation issues.

    $17B Utility company with tight regulations divest part of the business

    Background

    • A $17B multinational electricity and gas utility company wanted to carve out a part of the business. EY's intimate knowledge of the client's controls environment and compliance requirements, supplemented by deep relationships, led into further assisting with a state-owned utility separation project. At the beginning of this project another vendor was selected to provide recommendations.
    • After two months with little progress, the client opted to choose EY instead and gave six months to complete the project.
    • The state gave the utility company a very short separation timeline.

    Approach

    • Helped the utility design SAP security roles in Finance, Supply Chain, and Human Resources using a logical separation
    • Assisted in standing up an appropriate level of security to separate financial and employee security data while adhering to contractual terms of the logical separation

    Results

    • Met the State's mandate of standing up a logical separation on the spin date
    • Secured separation of employee and financial data, protecting confidence in finance, human resources, and supply chain
    • Provided roles and user profiles for over 2000 users using both SAP and identity management profiles for the new entity until they could be moved to a separate SAP instance

    Fortune 100 diversified industrial company carve out a product line

    Background

    • A Fortune 100 diversified industrial company wanted to carve out one of their loss making product lines. The company had a single instance of SAP with open access without limitations by organization structures (company codes, profit centers, plants, etc.). The deal had the following complexity.
    • Very short window for closing the transaction

    Approach

    Results

    Leading consumer goods company carve out a single business unit

    Background

    • The consumer goods company was divesting a business unit running on a single global instance of SAP. The buyer was an Oracle environment with different Oracle configurations supporting their business.
    • The goal for SAP security on day 1 was to allow the consumer goods company to continue to operate the business as usual, while allowing the divested entity to operate under the TSA. Additionally, the consumer goods company wanted to secure data from access by the divested entity

    Approach

    • Internal Audit and the PMO partnered to assist in identifying the impact to existing controls as a result of the divestiture across Finance, Information Technology, Human Resources and Purchasing
    • It was determined that new user ID's were not required for the divested employees as SAP

    Results

    Appendix C: Tools and enablers

    Security Assessment Workbench

    • The diagnostics tool provides deep role design analytics through interactive dashboards to identify unnecessary SoD risks and the related root cause based on the analysis of roles, user assignments and tcode execution data.

    Task based roles

    Custom Transaction Code Analyzer

    The ABAP Discover Tool analyzes custom transactions for appropriate authorization objects and detects programs with missing security objects

    Columns: Task Catalog; Task; Transaction Code; Transaction Description

    Purchasing: Create and Change Purchase

    Appendix C: Backup pages

    Our understanding of modules used by AP and MT

    Module used by AP/MT: Most common org security

    • Finance (FI) - mostly GL, some AP and AR, Fixed assets, Treasury: Company code
    • Controlling (CO): Controlling area, profit center, plant
    • Sales and distribution - sales and billing (SD-SLS, SD-BIL): Sales organization, plant
    • Sales and distribution logistics execution - shipping (LE-SHP): Shipping point
    • Credit and risk management (SD-BF-CM): Credit control area
    • Materials management-Purchasing (MM-P

