230 likes | 455 Views
SAP GRC AC ARA Access Risk Analysis. Requirements Gathering Workshop. Fahri Batur. October 2013. About This Session . Introduction.
E N D
SAP GRC AC ARA Access Risk Analysis Requirements Gathering Workshop Fahri Batur October 2013
About This Session Introduction • Today is all about exploring how you will use Access Control by leveraging your business knowledge and our product knowledge to arrive at design decisions that will enable us to write the Blueprint and configure the system • It is important we have people in this session that can provide (with our help) direction in terms of how you will use Access Control • So lets start by doing introductions around the room to include what your area of interest is in relation to Access Control
Agenda Running Order • Requirements gathering for Segregation of Duties management via the Access Risk Analysis (ARA) module
How We’re Going to Do This A little insight into what’s in store • Integrc’s role today • Ask you lots of questions about how you will use Access Control • Provide context to what we’re discussing and how our questions relate to your future use of Access Control • To help you understand how Access Control will need to be set-up in order to meet your business requirements • Tease out all the detail we will need to write the Blueprint and configure your solution • Your role today • Answer lots of questions! • Provide business context Between us, we will establish all the facts we need to proceed
How We’re Going to Do This Method • Good old fashioned talking where your business knowledge and our product knowledge comes together We have various techniques and aids to help us identify how Access Control will need to be configured • Structured questionnaire that will ensure we capture all information we need • Access to the Integrc GRC lab where we can demo scenarios through the day for context if necessary
Marathon Phase (Stay Clean) Sprint Phase (Get Clean) Risk Identification & Remediation Privileged User Access Role Management Prevention Emergency Access Management Privileged user access control solution Business Role Management Role definition and management Access Request Management Compliant provisioning solution Access Risk Analysis Risk analysis, detection, and remediation solution for access and authorisation controls Lets Start at the Very Beginning Overview of SAP GRC Access Control Gavin Campbell - Director gavin.campbell@integrc.com +44 7828 658812
Access Risk Analysis (ARA) Segregation of Duties Management • The rules engine that enables your Segregation of Duties reporting • Interfaces with other Access Control modules to enable compliant processes for provisioning and role management • Holds your definition of Segregation of Duties risks • Analyses roles and users in real time against defined SoD risks to provide visibility of where risks are
Just Before We Start An Insight Into the Variables We Need to Capture For each Access Control module, we will need to capture the following variables:- • System settings and parameters • Will dictate how your system behaves and what default settings it uses • Configuration settings • Dictate how you will use the solution and how your GRC processes will work • Master data Cross Application Configuration and Settings
Target Systems Identify Systems to be Connected to Access Control • A target system is a backend system that will be connected to Access Control for the purposes of risk analysis, provisioning, super user management or role management Click icon for Target Systems data capture sheet
Connectors Communication Channels Between GRC and Target Systems • A connector is created in GRC for each target system that Access Control will connect to. Your consultant will capture the connector details for each in scope system Implement Implement Click icon for Generic System Settings data capture sheet
Connector Definition Technical Connector Settings • A connector definition is required for each defined connector/target system. Your consultant will capture these technical settings for the purpose of documenting them in the Blueprint Implement Implement Implement Click icon for Generic System Settings data capture sheet Maintain
Connector Groups Logical Groupings of Physical Connections • Your consultant will discuss with you the different types of connector groups, what the advantages are of each type and establish which are best for you Implement Implement Click icon for Generic System Settings data capture sheet
Connector Integration Scenarios • Integration scenarios are used to define the flow of information between different application components. Your consultant will help work out which scenarios are relevant to you Implement Implement Click icon for Generic System Settings data capture sheet
Cross Application Generic System Settings • These parameters influence how the system operates but are not related as such to any one module. They are central to the system, much like the Basis layer of any SAP system. Click icon for Generic System Settings data capture sheet
Access Control Owners Important Users Who Are Assigned Specific Responsibilities • Users that will be involved in your Access Control processes need to be assigned their responsibilities in the Access Control owners table in addition to their ABAP roles Implement Click icon for Generic System Settings data capture sheet Maintain
Organisational Structure Shared Structure for Assigning Mitigating Controls • The organisational structure is shared between Access Control and Process Control and used to assign controls in a structured way Implement Click icon for Generic System Settings data capture sheet
ARA Configuration Parameters System Settings for ARA • These parameters influence how ARA operates. System default values are defined here Implement Click icon for Generic System Settings data capture sheet
SoD and Critical Risk Ruleset Defining the Risk Library • The ruleset defines the risks that matter to your organisation and ultimately shows the transactions that should not be allocated to users in combination Implement Click icon for Generic System Settings data capture sheet
Mitigating Controls Define Controls and Map Them to Risks • Mitigating controls are documented in Access Control as a way of mitigating the risk of assigning conflicting access to users. Whilst Access Control does not manage the control execution, it provides reporting for visibility of mitigated and unmitigated risks Implement Implement Click icon for Generic System Settings data capture sheet Maintain
Mitigating Control Assignment Mapping Users to Controls • This step defines the mitigating controls that need to be mapped to users based on the SoD risks that they will have at go-live Implement Implement Click icon for Generic System Settings data capture sheet
Business Processes and Sub Processes • Part of mitigating control master data used to categorise controls Implement Implement Click icon for Generic System Settings data capture sheet
Next Steps What Happens Next
Thank You On behalf of Integrc, thank you for your invaluable contribution. Your input during requirements gathering will influence the success of the Access Control implementation