Date post: 05-Dec-2014
Category: Technology
Upload: cloudops-summit
Processes do not have to kill you
GUIDED END-TO-END PROCESSES IN THE LIGHT OF THE USE OF CLOUD SERVICES
Ute Riemann, SAP Deutschland AG & Co. KG
© 2013 SAP AG. All rights reserved. 2 Customer
Why security is so difficult - and why value is lost
• The value of Cloud Services is generated "between" the business and technology
• But: outtasking services also means losing control over the data (= missing security)
• Today's approach: identify technology risks and, as a consequence, do not use Cloud services if too risky
Too inflexible, too much value is lost
Our approach: look at the value chain first!
[Diagram labels: Security, People, Business, Technology, Value of Cloud Services]

The 5 steps from identification of cloud value add and the business process inherent compliance risks of a company
1. Identify the company-specific value chain
2. Identify the key processes within the value chain
3. Select the appropriate fraud indicators
4. Perform IT identification
5. Link the processes with the cloud specifics within the E2E process model

A comprehensive analysis of the compliance requirements within the process environment
To answer this question it is required to understand the various dimensions that need to be considered
Dimension 1: Business perspective
Dimension 2: Service perspective
Dimension 3: Compliance perspective

The following indicator categories need to be considered within the cloud environment
• Result relevance: What is the importance of the process within the value chain? What is the value towards the corporate result?
• Security relevance: Estimate what frauds can occur due to the use of the process (independent of the environment)
• Cost relevance: Check how cost intensive the current process is and what implications are possible due to the cloudification

Example: Order-to-Cash Process
[Figure: process hierarchy, box labels as extracted]
End-to-End Process: Order to Cash
Main Processes: Customer Order, Delivery, Debt
Sub Processes: Order Mgmnt, Execution, Delivery Planning & Mgmnt, Transportation Planning & Execution, Outbound Logistics, Returns & Refusals Mgmnt, Credit Mgmnt, Stock Mgmnt, Accounts Receivable, Factoring

Processed information within the O2C process
Analyzed process modules, interfaces and process status
Process Modules, Transactions and Information

OTC01 Sales Order Creation
  Relevant Transactions (SAP): Create Sales Order VA01; Change Sales Order VA02; Display Sales Order VA03; List of Sales Orders VA05
  Critical Information: sales order data, sales conditions
OTC02 Availability Check
  Relevant Transactions (SAP): Create Sales Order VA01; Change Sales Order VA02
  Critical Information: materials master data, sales order data
OTC03 Order Confirmation
  Relevant Transactions (SAP): Change Sales Order VA02; Display Sales Order VA03
  Critical Information: sales order data
OTC04 Delivery Creation Inbound/Outbound
  Relevant Transactions (SAP): Create Outb. Dlv. w/ Order Ref. VL01n; Change Outbound Delivery VL02n; Display Outbound Delivery VL03n; Edit User-specific Delivery List VL10; Change Sales Order VA02
  Critical Information: customer master data, sales order data
OTC14 Invoice Creation
  Relevant Transactions (SAP): Create Billing Document VF01; Change Billing Document VF02; Display Billing Document VF03; Maintain Billing Due List VF04; Cancel Billing Document VF11; Change Sales Order VA02
  Critical Information: customer master data, sales order data, invoice data

Cloud Threats towards information

OTC01 Sales Order Creation
  Potential Threat: Wrong prices to the customer lead to a wrong legally binding order; Order handling due to incomplete/wrong order data (by interfaces)
OTC02 Availability Check
OTC03 Order Confirmation
  Potential Threat: Process customer order via cloud services (transparency of customer data to 3rd party)
OTC04 Delivery Creation Inbound/Outbound
  Potential Threat: Delivery data transparent in the cloud
OTC14 Invoice Creation
  Potential Threat: Invoicing with the use of cloud services with bank data by the customer in the cloud; Dunning accounts handled via cloud services with customer internal data; Payment / Financial information by customer transparent in the cloud

Future work
• To monitor which kind of information is requested for processing with an interface, a GRC monitoring receipt is suggested to further analyze the GRC status achieved.
• With process modules, interfaces, the technology used (cloud / non-cloud) and GRC monitoring attributes addressed, the problem remains how those criteria can be effectively monitored throughout an EtE such as the OtC, while giving dedicated attention to the risks and compliance issues involved in processing information by both people and technology.
• This is subject to future work.