IT Security and Compliance: SAP GRC Implementation
Deploying BusinessObjects Access Control (BOAC) 5.3, a GRC product, in enterprise IT to achieve regulatory compliance, improve access controls, reduce segregation of duties (SoD) conflicts, and lower IT operational costs is a core offering of JPN's Security Practice.
Risk frameworks for meeting regulatory compliance requirements, such as those in SOX, HIPAA and OMB A-123, include positioning strong SoD controls in the procure-to-pay, order-to-cash, finance, and HR benefit business processes, so that no single user is granted enough privileges to commit fraud within one of them. In SAP landscapes, SAP Basis administration is itself a function requiring SoD controls, because it can confer excessive access privileges to applications. SoD conflicts need to be analyzed, evaluated, and acted upon whenever users of ERP applications request access to those applications to fulfill their job responsibilities. BOAC provides both detective and preventive SoD controls.
The key to the success of a GRC implementation lies in getting the SoD matrix, and the rules that comprise it, correct. A poorly designed matrix results in ineffective controls, which surface in internal and external audit reports as weaknesses. A poorly optimized matrix results in rebuilding the matrix later in the roadmap, when rework is expensive; these defects, too, surface as weaknesses during control testing and evaluation. Further, the risk analysis serves as the foundation for the other building blocks of BOAC: compliant user provisioning, enterprise role management and superuser privilege management. An incorrectly designed matrix therefore causes errors in user provisioning and role management, and often only becomes evident once the cost of rework has become prohibitive.
When implemented effectively, GRC will serve as a business enabler by implementing strong controls that provide an assurance of risk mitigation, lower cost to operate SoD controls and an overall improved security posture for the enterprise, which will gain the confidence of suppliers, customers, and enterprise shareholders.
A successful implementation uses inputs from multiple stakeholders when developing the matrix, which is unique to each enterprise. These stakeholders include external and internal auditors, business owners and business application users. The rule set that comprises the SoD matrix is developed by correlating risks, their assigned threat levels, the relevant SAP transactions and the authorization objects behind them. Rules left over from the product installation need to be evaluated against the control requirements of each enterprise, and removed if they are either not applicable or contravene those requirements. The implementation team iteratively extends the matrix as new business applications, geographies, and SAP instances are added to the GRC framework.
The JPN methodology comprises workshops with enterprise stakeholders to develop the SoD matrix. Our practitioners are experts with the product and apply leading practices both to solution architecture and to building the SoD matrix. Our practitioners have designed and implemented workflows for both manual and automated user provisioning that invoke the risk analysis and remediation module of BOAC at the grant-or-deny access decision point. For manual workflows, a justification is recorded for audit purposes whenever an SoD conflict is overruled. Our methodology incorporates leading practices for testing these controls to provide continuous assurance over them. Our practitioners also have experience in extending the product to serve the role management needs of an enterprise.
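The two paragraphs above describe the structure of an SoD rule set (risk, threat level, conflicting business functions, the SAP transactions that realize each function) and the two ways it is applied: detective analysis of what users already hold, and a preventive check at the access-request decision point where an overruled conflict must carry a recorded justification. The following is an added illustration written for this page, not BOAC's rule set, data model or API. The function groupings, roles, risk identifiers and mitigation text are constructed sample data; the transaction codes are real SAP codes used only as labels, and the matching logic (a function is "held" if the user can run any of its transactions; a risk fires when all of its functions are held) is a simplified stand-in for the product's rule engine.

```python
"""Toy SoD risk analysis over a constructed rule set (not BOAC's own data or API)."""
from dataclasses import dataclass

# Business functions as sets of SAP transaction codes. The codes are real SAP
# transactions; the grouping into functions is constructed for this example.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},  # create/change vendor master
    "INVOICE_POST":    {"FB60", "MIRO"},                  # post vendor invoices
    "PAYMENT_RUN":     {"F110"},                          # execute the payment run
    "USER_ADMIN":      {"SU01", "PFCG"},                  # Basis: maintain users and roles
    "GL_POST":         {"FB01", "FB50"},                  # post general-ledger documents
}


@dataclass(frozen=True)
class Risk:
    risk_id: str        # constructed identifier
    level: str          # assigned threat level
    functions: tuple    # the pair of functions that conflict when held together
    description: str


# The SoD matrix: each rule correlates a risk with a conflicting function pair.
RULE_SET = [
    Risk("P001", "High", ("VENDOR_MAINTAIN", "INVOICE_POST"), "Create a vendor and post its invoices"),
    Risk("P002", "High", ("VENDOR_MAINTAIN", "PAYMENT_RUN"), "Create a vendor and pay it"),
    Risk("B001", "High", ("USER_ADMIN", "GL_POST"), "Grant oneself access and post financial entries"),
    Risk("P003", "Medium", ("INVOICE_POST", "PAYMENT_RUN"), "Post and pay invoices without review"),
]

# Users receive transactions through roles; a user's reach is the union of their roles.
ROLES = {
    "Z_AP_CLERK":      {"FB60", "MIRO"},
    "Z_AP_VENDOR":     {"XK01", "XK02"},
    "Z_TREASURY":      {"F110"},
    "Z_BASIS_ADMIN":   {"SU01", "PFCG", "SM59"},
    "Z_GL_ACCOUNTANT": {"FB01", "FB50"},
}


def functions_held(tcodes):
    """A function counts as held when the user can run any one of its transactions."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def analyze(role_names):
    """Detective control: the risks a user with these roles currently violates."""
    tcodes = set().union(*(ROLES[r] for r in role_names)) if role_names else set()
    held = functions_held(tcodes)
    return [risk for risk in RULE_SET if held.issuperset(risk.functions)]


def simulate_request(current_roles, requested_role):
    """Preventive control: the risks that granting requested_role would newly introduce."""
    already = {risk.risk_id for risk in analyze(current_roles)}
    after = analyze(list(current_roles) + [requested_role])
    return [risk for risk in after if risk.risk_id not in already]


def decide(current_roles, requested_role, mitigations=None):
    """Grant-or-deny decision point.

    mitigations maps risk_id -> recorded justification. The request is granted
    only if every newly introduced risk carries a justification, so an overruled
    conflict always leaves an audit trail. Returns (decision, new_risks, unmitigated).
    """
    mitigations = mitigations or {}
    new_risks = simulate_request(current_roles, requested_role)
    unmitigated = [risk for risk in new_risks if risk.risk_id not in mitigations]
    decision = "DENY" if unmitigated else "GRANT"
    return decision, [r.risk_id for r in new_risks], [r.risk_id for r in unmitigated]


if __name__ == "__main__":
    for risk in analyze(["Z_AP_CLERK", "Z_AP_VENDOR"]):
        print(f"{risk.risk_id} [{risk.level}] {risk.description}")
    print(decide(["Z_AP_CLERK"], "Z_TREASURY"))
    print(decide(["Z_AP_CLERK"], "Z_TREASURY", {"P003": "Controller reviews each payment run"}))
```

The point the example makes is that the matrix, not the code, carries the control: a residual rule that does not apply to the enterprise produces spurious denials, and a missing function-to-transaction mapping silently lets a real conflict through, which is exactly the kind of weakness an auditor would report.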
Call a JPN consultant today for a free one-hour discussion on how your enterprise can effectively roadmap and implement BOAC 5.3.