Representative Engagements

Implementing segregation of duties (SoD) controls in an SAP landscape

Delivered real-time SoD enforcement in an SAP landscape through a BusinessObjects Access Control 5.3 (BOAC) proof-of-concept built on an optimized SoD ruleset that correlates risks, assigned risk levels, SAP transactions and authorization objects. The objectives achieved are:

  • Installation and configuration of BOAC 5.3 with the latest patchset.
  • Preparing the SoD matrix correlating inputs from business owners, IT auditors, and application users.
  • Configuring manual access requests and automated user provisioning workflows to perform real-time SoD conflict checks prior to provisioning user accounts.
  • Extending the ruleset to other SAP instances and additional business functions.
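As an added example, not code from the engagement or from BOAC, the following Python sketch shows the shape of a pre-provisioning SoD conflict check: a constructed ruleset maps business functions to SAP transactions and risks to function combinations with a level, and the check evaluates the requested access together with what the user already holds (the function names, risk ids and transaction codes are illustrative assumptions).

```python
from dataclasses import dataclass

# Constructed sample ruleset (illustrative assumption, not a real BOAC export):
# a business function is the set of SAP transactions that let a user perform it.
FUNCTIONS = {
    "CREATE_VENDOR":   {"XK01", "FK01"},
    "POST_INVOICE":    {"FB60", "MIRO"},
    "RELEASE_PAYMENT": {"F110"},
    "MAINTAIN_ROLES":  {"PFCG"},
}
# A risk is a combination of functions that no single user should hold,
# with the level assigned by the business owners.
RISKS = {
    "P001": ("High",   ("CREATE_VENDOR", "RELEASE_PAYMENT")),
    "P002": ("High",   ("POST_INVOICE", "RELEASE_PAYMENT")),
    "P003": ("Medium", ("CREATE_VENDOR", "POST_INVOICE")),
    "B001": ("High",   ("MAINTAIN_ROLES", "RELEASE_PAYMENT")),
}

@dataclass
class Conflict:
    risk_id: str
    level: str
    triggering_tcodes: dict  # function -> transactions the user would hold

def functions_enabled(tcodes):
    """Return the business functions a set of transactions enables."""
    return {f: tcodes & ts for f, ts in FUNCTIONS.items() if tcodes & ts}

def sod_check(existing_tcodes, requested_tcodes):
    """Simulate the post-provisioning entitlement (existing + requested) and
    report every risk whose functions would all be held by one user."""
    combined = set(existing_tcodes) | set(requested_tcodes)
    enabled = functions_enabled(combined)
    conflicts = []
    for risk_id, (level, funcs) in RISKS.items():
        if all(f in enabled for f in funcs):
            conflicts.append(Conflict(risk_id, level, {f: sorted(enabled[f]) for f in funcs}))
    return conflicts

def provisioning_decision(existing_tcodes, requested_tcodes):
    """Block the request if it would create a High risk; otherwise approve and
    return the lower-level conflicts for mitigating-control assignment."""
    conflicts = sod_check(existing_tcodes, requested_tcodes)
    blocked = any(c.level == "High" for c in conflicts)
    return ("BLOCK" if blocked else "APPROVE", conflicts)

if __name__ == "__main__":
    # A user who already creates vendors asks for the payment-run transaction:
    # the request on its own is clean, the combination with existing access is not.
    decision, found = provisioning_decision({"XK01"}, {"F110"})
    print(decision, [(c.risk_id, c.level, c.triggering_tcodes) for c in found])
```

The point the check makes is that a request must be evaluated against the user's full resulting entitlement, since the requested access alone would pass.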

Implementing IT General Controls at a Fortune 500 retailer to meet SOX and PCI-DSS compliance

Delivered a unified user provisioning platform, as part of IT general controls, to meet Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI-DSS) requirements. The objectives achieved are:

  • Delivering a user provisioning platform that supported all identity lifecycle events (new hire, transfers, terminations) for both full-time and contingent workers across the enterprise.
  • Implementing controls rationalization by extending existing SOX controls to meet PCI-DSS compliance needs.
  • Implementing real-time reporting of user entitlements with provisions for immediate access remediations.
  • Achieving a complex cutover from Microsoft to Sun’s provisioning platform, as part of platform rationalization, with no service interruption.
  • Extending the user provisioning platform to support new business applications, such as the global SAP rollout.

Building a Software Security Assurance Program at a Top-Tier Investment Bank

Delivered application security measures to meet regulatory compliance needs. The achieved objectives are:

  • Delivering three application security assessments for internet-facing platforms, applications and toolkits, including risk analysis, code review and static code analysis.
  • Producing risk mitigation strategies and measures for the vulnerabilities uncovered in the security assessments.
  • Delivering key application security training programs for software developers at major software development centers worldwide to meet the client's training targets.
  • Providing configuration management.

Delivering an Access Certification Platform for a Large International Bank

Delivered a mainframe entitlement review and certification platform for a large international bank to meet its SOX regulatory compliance requirements. The achieved objectives are:

  • Implementing Sun’s Role Manager to store and retrieve deeply hierarchical mainframe (RACF and TSS) entitlements.
  • Integrating with the existing front-end tool for entitlement review and certification.
  • Designing provisions to extend the platform to support enterprise roles.
  • Delivering the platform on a compressed, fast track schedule.

Delivering Business Value to Clients with Identity and Access Management

Delivered several proof-of-concepts and product suite integrations as part of delivering business value to clients in the manufacturing and financial services industries. The achieved objectives are:

  • Delivering re-usable identity management business process templates for common business use cases, including identity lifecycle events, access management and identity audit functions.
  • Adapting these templates to suit the needs of companies in industries ranging from manufacturing to education and financial services.
  • Delivering integration points between Sun’s Identity and Access Management suite (Directory Server, Access Manager and Identity Manager) and SAP, including SAP R/3, HR and NetWeaver.
  • Delivering working proof-of-concepts for CA SiteMinder, IdentityManager, and TransactionMinder installations.

Copyright © JPN Associates, Inc