IT Security and Compliance
SAP GRC Implementation
Implemented segregation of duties (SoD) controls in an SAP Landscape
Delivered real-time SoD enforcement in an SAP landscape as a proof-of-concept on BusinessObjects Access Control 5.3 (BOAC), with an optimized SoD ruleset correlating risks, risk levels, SAP transactions and authorization objects. The objectives achieved are:
- Installing and configuring BOAC 5.3 with the latest patch set.
- Preparing the SoD matrix correlating inputs from business owners, IT auditors, and application users.
- Configuring manual access requests and automated user provisioning workflows to perform real-time SoD conflict checks prior to provisioning user accounts.
- Extending the ruleset to other SAP instances and additional business functions.
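The ruleset and provisioning-time check described above, as an added example written for this page (it is not BOAC code or an export of any GRC ruleset): business functions are defined as sets of SAP transaction code, authorization object and activity value; risks are combinations of functions with a level; and the check is run against the access the user would hold after provisioning, so it can block a request that introduces a High risk while still reporting conflicts the user already had. The function and risk identifiers, the "one field" activity model and the scenarios are constructed for illustration.

```python
"""Real-time SoD conflict check run before provisioning (added example).

The ruleset is a constructed, heavily simplified illustration using a few
real SAP transaction codes and authorization objects; the function and
risk IDs are made up and the activity model is reduced to one field.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """One SAP entitlement: a transaction code plus the authorization
    object and activity value the transaction checks (simplified)."""
    tcode: str
    auth_object: str
    actvt: str  # e.g. "01" create, "02" change, "03" display


# A user holds a business function if they hold ANY of its permissions.
FUNCTIONS: Dict[str, FrozenSet[Permission]] = {
    "AP01 vendor master maintenance": frozenset({
        Permission("XK01", "F_LFA1_APP", "01"),
        Permission("XK02", "F_LFA1_APP", "02"),
    }),
    "AP02 vendor invoice entry": frozenset({
        Permission("FB60", "F_BKPF_BUK", "01"),
        Permission("MIRO", "M_RECH_WRK", "01"),
    }),
    "AP03 vendor payment": frozenset({
        Permission("F110", "F_REGU_BUK", "21"),
        Permission("F-53", "F_BKPF_BUK", "01"),
    }),
}


@dataclass(frozen=True)
class Risk:
    """An SoD risk fires when one user holds every function it lists."""
    risk_id: str
    level: str                  # "High" or "Medium"
    functions: Tuple[str, ...]
    description: str


RISKS = (
    Risk("P001", "High", ("AP01 vendor master maintenance", "AP03 vendor payment"),
         "create a fictitious vendor and pay it"),
    Risk("P002", "High", ("AP02 vendor invoice entry", "AP03 vendor payment"),
         "enter a fictitious invoice and pay it"),
    Risk("P003", "Medium", ("AP01 vendor master maintenance", "AP02 vendor invoice entry"),
         "maintain a vendor and post invoices against it"),
)


def functions_held(entitlements: Set[Permission]) -> Set[str]:
    """Map raw entitlements to business functions. Matching on the full
    (tcode, object, activity) tuple is what keeps display-only access
    (activity "03") from raising a false conflict."""
    return {name for name, perms in FUNCTIONS.items() if perms & entitlements}


def risks_for(entitlements: Set[Permission]) -> Set[Risk]:
    held = functions_held(entitlements)
    return {r for r in RISKS if all(f in held for f in r.functions)}


@dataclass
class Decision:
    approved: bool
    new_conflicts: List[Risk]       # introduced by this request
    existing_conflicts: List[Risk]  # already present; report for remediation


def check_request(existing: Set[Permission], requested: Set[Permission],
                  block_levels: Tuple[str, ...] = ("High",)) -> Decision:
    """Evaluate the SoD ruleset on the access the user WOULD hold after
    provisioning. Block if the request introduces a blocked-level risk;
    conflicts the user already had are reported, not silently re-approved."""
    before = risks_for(existing)
    after = risks_for(existing | requested)
    new = sorted(after - before, key=lambda r: r.risk_id)
    approved = not any(r.level in block_levels for r in new)
    return Decision(approved, new, sorted(before, key=lambda r: r.risk_id))


if __name__ == "__main__":
    # Constructed scenarios: an invoice clerk, a display-only user and a
    # vendor administrator each request the payment run or invoice entry.
    payment_run = {Permission("F110", "F_REGU_BUK", "21")}
    for who, held, want in (
        ("invoice clerk", {Permission("FB60", "F_BKPF_BUK", "01")}, payment_run),
        ("vendor display", {Permission("XK03", "F_LFA1_APP", "03")}, payment_run),
        ("vendor admin", {Permission("XK01", "F_LFA1_APP", "01")},
         {Permission("FB60", "F_BKPF_BUK", "01")}),
    ):
        d = check_request(held, want)
        print(who, "->", "approved" if d.approved else "BLOCKED",
              [f"{r.risk_id}/{r.level}" for r in d.new_conflicts])
```

The Medium risk in the third scenario is approved by the default policy but surfaces in `new_conflicts`, which is where a workflow would attach a mitigating control or route the request to a risk owner; tightening `block_levels` to include "Medium" turns it into a hard stop.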
Implementing IT General Controls at a Fortune 500 retailer to meet SOX and PCI-DSS compliance
Delivered a unified user provisioning platform, as part of the IT general controls, to meet Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI-DSS) requirements. The objectives achieved are:
- Delivering a user provisioning platform that supported all identity lifecycle events (new hire, transfer, termination) for both full-time and contingent workers across the enterprise.
- Rationalizing controls by extending the existing SOX controls to also meet PCI-DSS compliance needs.
- Implementing real-time reporting of user entitlements, with provisions for immediate access remediation.
- Completing a complex cutover from Microsoft's to Sun's provisioning platform, as part of platform rationalization, with no service interruption.
- Extending the user provisioning platform to support new business applications, such as the global SAP rollout.
Building a Software Security Assurance Program at a Top-Tier Investment Bank
Delivered application security measures to meet regulatory compliance needs. The achieved objectives are:
- Delivering three application security assessments for internet-facing platforms, applications and toolkits, including risk analysis, code review and static code analysis.
- Producing risk mitigation strategies and measures for the vulnerabilities uncovered in the security assessments.
- Delivering key application security training programs for software developers at major software development centers worldwide, meeting the client's training targets.
- Providing configuration management.
Delivering an Access Certification Platform for a Large International Bank
Delivered a mainframe entitlement review and certification platform for a large international bank to meet its SOX regulatory compliance requirements. The achieved objectives are:
- Implementing Sun's Role Manager to store and retrieve deeply hierarchical mainframe (RACF and CA Top Secret, TSS) entitlements.
- Integrating with the existing front-end tool for entitlement review and certification.
- Designing provisions to extend the platform to support enterprise roles.
- Delivering the platform on a compressed, fast track schedule.
Delivering Business Value to Clients with Identity and Access Management
Delivered several proof-of-concepts and product suite integrations to deliver business value to clients in the manufacturing and financial services industries. The achieved objectives are:
- Delivering re-usable identity management business process templates for common business use cases, including identity lifecycle events, access management and identity audit functions.
- Adapting these templates to the needs of companies in industries ranging from manufacturing and education to financial services.
- Delivering integration points between Sun's Identity and Access Management suite (Directory Server, Access Manager and Identity Manager) and SAP, including SAP R/3, SAP HR and NetWeaver.
- Delivering working proof-of-concepts for CA SiteMinder, CA Identity Manager and CA TransactionMinder installations.