WHITEPAPER
SAP GRC Access Control Solution
White paper on Implementation Methodology
HCL SAP GRC Practice
January 2008
Table of Contents
Executive Summary 3
Introduction 4
SOX, SoD and SAP 4
Functions of SAP GRC Access Control 6
Implementation Methodology 7
ANNEXURE 1: Various Aspects 10
ANNEXURE 2: Role and Responsibilities 11
ANNEXURE 3: Time Lines 12
ANNEXURE 4: Challenges 12
ANNEXURE 5: SAP GRC Business Benefits 13
Executive Summary
In the era of stringent corporate governance, new regulatory requirements have made tighter internal control a standard compliance expectation across the globe.
All organizations, irrespective of size, are struggling to comply with these regulations and to manage the associated risk. The cost and effort to establish, maintain and prove compliance demand both money and time that could otherwise be invested in value addition rather than value protection.
For many organizations the technology solution is to attempt automation using standard office tools such as spreadsheets, which, in spite of their low cost, may become part of the problem rather than a compliance solution.
Fortunately, newly available software platforms that have become known as GRC technology can help streamline this automation. This white paper pertains to one of the most accountable control automation tools, SAP Access Control, and details its implementation methodology.
ANNEXURE 1: Various Aspects

Columns: Step | Activities Involved | Person Involved | Duration/Days

Step: Implementation Readiness
• Hardware/Software requirement analysis
• Software Installation
• NetWeaver Environment Validation
Person Involved: Basis/Security Consultant; GRC AC Tool Consultant
Duration/Days: 17

Step: Deploy & Install GRC Access Control Tool Suite
• Software installation as well as certain one-time initial configuration activities
Person Involved: GRC AC Tool Consultant
Duration/Days: 15

Step: Risk Analysis and Remediation
• Identification of critical access and segregation of duties
• Real-time risk assessment
• Simulation and remediation
• Documentation of mitigation controls
• Summary and drill-down reports
Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst; SOX Domain Consultant
Duration/Days: 26

Step: Super User Privilege Management
The application tracks, monitors, and logs every activity a super user performs with a privileged user ID.
• Creation of Firefighter IDs
• Assignment of Firefighter roles to applicable User IDs
• Mapping Firefighter IDs to Owner, Firefighter, and Controller
Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst
Duration/Days: 4

Step: Compliance User Provisioning
• Learn about Access Enforcer workflows and their components
• Define process stages and approvals
• Create test initiators, stages, and paths
• Define test users and request types
• Test initial workflows
• Define escalations and detours
• Complete workflow configuration
Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst
Duration/Days: 20

Step: Enterprise Role Management
• Creation of Role Attributes required for any Role
• Creation of Role Generation Methodology
• Creation of Naming Conventions for Roles
• Creation of Role in Role Expert
• Reports in Role Expert
Person Involved: GRC AC Tool Consultant; GRC Business Process Analyst
Duration/Days: 15
ANNEXURE 2: Role and Responsibilities

Columns: Role | Number | Group | Responsibility

Role: Basis/Security Consultant (Number: 1, Group: HCL GRC)
• Hardware/Software requirement analysis
• Software Installation
• NetWeaver Environment Validation

Role: GRC AC Tool Consultant (Number: 2, Group: HCL GRC)
• Master Data Creation
• Configuration of all 4 tools
• Integration of all 4 tools
• Risk Recognition, Remediation, Mitigation
• Rule Building and their Maintenance
• Configuration of workflows
• Configuration of Role Attributes
• Configuration of Role Generation Methodology
• Configuration of Naming Conventions
• Report Generation

Role: SOX Domain Consultant (Number: 1, Group: HCL GRC)
• Risk identification
• Creation of Mitigation Controls
• Approve or Reject already created Risks and Mitigation Controls
• Scenario Analysis and Identification of Format & Content of Reports

Role: GRC Business Process Analyst (Number: 1, Group: HCL GRC)
• Risk Analysis and Validation
• Designing alternative controls to mitigate SoD issues
• Designing workflows for user and role provisioning
• Identification of Role Attributes
• Identification of Role Generation Methodology
• Identification of Naming Conventions
• Identification of risk & role owners and approvers

Role: Client Technical Team (Number: To be decided, Group: Client)
• Hardware/Software requirement analysis
• Software Installation
• NetWeaver Environment Validation

Role: Client Business Team (Number: To be decided, Group: Client)
• Identifying risk and/or approving controls for monitoring risks
• Approving remediation to address user access issues
• Approve or reject risks between business areas and approve mitigating controls for risks

Role: Client Project Manager/Coordinator (Number: To be decided, Group: Client)
• Managing the implementation project

Role: Client Audit / Internal Control Team (Number: To be decided, Group: Client)
• Perform risk assessments on a regular basis to identify new risks, perform periodic testing of rules and mitigating controls; act as a liaison with external auditors
ANNEXURE 3: Time Lines

Implementation Activity | Duration/Days
Formation of project team* | 2
Software Installation and Validation* | 5
Requirement Validation/System and User Landscape Study/Master Data Creation* | 10
Implementation Readiness | 17
Compliance Calibrator Configuration and Implementation | 26
Firefighter Configuration and Implementation | 4
Role Expert Configuration and Implementation | 15
Access Enforcer Configuration and Implementation | 20
Roll-Out/Deployment/Go-Live | 10

Note: *These activities are performed simultaneously. The total implementation time is 56 calendar days.

ANNEXURE 4: Challenges

Challenge: Real-time alert generation and notification through mail
Solution: Alert generation and its notification through e-mail was configured not only for mitigating controls but also for risk execution and critical transaction execution.

Challenge: Setting up organizational rules and running risk analysis based on these rules
Solution: Compliance Calibrator provides a supplemental table to address organizational restrictions without having to change and maintain the entire rules database. These restrictions were configured as organizational rules.

Challenge: Integrating workflows in Compliance Calibrator for various processes
Solution: Various processes of Compliance Calibrator can be automated and structured through workflows which are created and executed through Access Enforcer. The path for connecting Compliance Calibrator to the workflows is entered in the Workflow service URL.

Challenge: Efficient handling of false positives
Solution: Rule building is done at authorization object level to prevent false positives of SoD violations.

Challenge: Designing user-provisioning workflows and proper initiators to trigger them
Solution: User provisioning workflows are created and configured through Access Enforcer.

Challenge: Cross-application implementation
Solution: The system includes rules at both the transaction and object level that address the SAP applications for APO, Basis, CRM, EBP, SRM, FI/CO, HR/Payroll, Procure to Pay, MM/QM, Order to Cash, and Portals.

Challenge: Cross-system implementation
Solution: The Virsa Compliance Calibrator "out-of-the-box" rule set includes transaction objects and value combinations analyzing some 120,000 possible combinations of potential risk for access rights. These cover SAP: 20,000, Oracle: 20,000, PeopleSoft: 3,800, JDE: 151.

Challenge: Cross-geo implementation
Solution: A centralized monitoring system is provided by connecting various systems across geographies.
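The false-positive entry in Annexure 4 (rule building at authorization object level rather than transaction level) is illustrated by the following added example, which is not part of the HCL paper and uses no SAP GRC API: one constructed SoD rule is evaluated first by transaction code alone and then by transaction code plus authorization object activity, over constructed user authorizations. The object names F_LFA1_APP and F_BKPF_BUK, the transaction codes and the users are illustrative assumptions.

```python
# Added example (not from the HCL paper): one SoD risk evaluated at transaction level and at object level.
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    """One side of an SoD conflict: the transaction codes that perform it plus
    the authorization object / ACTVT values that make that access effective."""
    name: str
    tcodes: frozenset
    auth_obj: str          # constructed, illustrative object names below
    activities: frozenset  # ACTVT values that count as real (non-display) access


# Constructed rule: maintaining vendor master data conflicts with paying vendors.
VENDOR_MAINT = Function("Vendor master maintenance", frozenset({"FK01", "FK02"}),
                        "F_LFA1_APP", frozenset({"01", "02"}))   # create/change
VENDOR_PAY = Function("Vendor payments", frozenset({"F-53", "F110"}),
                      "F_BKPF_BUK", frozenset({"01"}))           # post
RISK_P001 = (VENDOR_MAINT, VENDOR_PAY)

# Constructed user authorizations: (transaction codes, {auth object: ACTVT values}); bob is display-only on vendors.
USERS = {
    "alice": ({"FK01", "F-53"}, {"F_LFA1_APP": {"01", "02"}, "F_BKPF_BUK": {"01"}}),
    "bob":   ({"FK01", "F-53"}, {"F_LFA1_APP": {"03"}, "F_BKPF_BUK": {"01"}}),
    "carol": ({"FK01"},         {"F_LFA1_APP": {"01"}}),
}


def has_function(auths, fn, level):
    """level="tcode": any of the function's transaction codes is enough (coarse rule).
    level="object": the transaction must also be backed by an ACTVT that permits the risky action."""
    tcodes, objects = auths
    if not tcodes & fn.tcodes:
        return False
    if level == "tcode":
        return True
    return bool(objects.get(fn.auth_obj, set()) & fn.activities)


def analyze(users, risk, level):
    """Users who hold every conflicting function of the risk at the given level."""
    return {user for user, auths in users.items()
            if all(has_function(auths, fn, level) for fn in risk)}


def false_positives(users, risk):
    """Flagged by the coarse transaction rule but cleared by the object-level rule."""
    return analyze(users, risk, "tcode") - analyze(users, risk, "object")


if __name__ == "__main__":
    print("transaction level:", sorted(analyze(USERS, RISK_P001, "tcode")))   # ['alice', 'bob']
    print("object level     :", sorted(analyze(USERS, RISK_P001, "object")))  # ['alice']
    print("false positives  :", sorted(false_positives(USERS, RISK_P001)))    # ['bob']
```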
ANNEXURE 5: SAP GRC Business Benefits
SAP helps organizations build an integrated GRC approach step by step. SAP solutions for governance, risk, and compliance help you leverage your SAP and non-SAP IT investments, and deliver the following business benefits:
Increased shareholder value – Good corporate governance is reflected in many intangibles, including brand and reputation – and it translates directly into share price premiums.
Optimized risk/return portfolios – Greater transparency and insight enable your decision makers to select or reject projects based on risk impact and probability relative to potential return.
Reduced GRC costs – Integrated corporate governance significantly reduces the number of people – and the time – required to ensure and manage compliance and risk management.
Improved business performance and predictability – SAP solutions for governance, risk, and compliance deliver enterprise-wide transparency, a systematic process for anticipating risks, and the tools to proactively determine proper actions.
Business sustainability – Using solutions delivered through automation, analytics, and alerts, businesses can more effectively mitigate risks stemming from a myriad of legislations.

Assumptions for the Duration/Days in the Annexures:
1. The minimum NetWeaver support pack is already installed and validated on the identified systems.
2. All database and memory requirements for installation of the Access Control tools are met.
3. Hardware and memory sizing is already performed.
4. The organization already possesses the licenses for all required Access Control tools.
5. Person effort and time would keep reducing in subsequent implementations in different geographies.
6. The company would address compliance management issues subsequently across different locations.