1 / 18

SAP GRC access control @ ULg

SAP GRC access control @ ULg. Pierre Blauwart – Project Manager HERUG. Agenda. ULG in a nutshell Context Definitions Methodology & Roadmap Project status. 17,000 students 3,800 foreign students 80 nationalities 3,200 graduates a year

loan
Download Presentation

SAP GRC access control @ ULg

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAP GRC access control @ ULg Pierre Blauwart – Project Manager HERUG

  2. Agenda ULG in a nutshell Context Definitions Methodology & Roadmap Project status

  3. 17,000students 3,800 foreign students 80 nationalities 3,200 graduates a year Budget : 269 millions Euros which 50 % are allocated to research 3,400 employees, of which 2,200 are teachers and researchers 3,000 employed at the University Hospital Centre (CHU) Around 1,500 jobs at the Liège Science Park (60 businesses) 900 jobs in spin-offs resulting from scientific research ULG – an all round university

  4. SAP for Finance & Logistics : MM, SD, EP, CATS, PS, RRB, PCA, BI, PI, GRC 600 Users – 1000 Roles HR non SAP, SLCM non SAP ULG – SAP Implementation www.ulg.ac.be

  5. Trends in the ULg ecosystem: growing pressure to control the exposure to fraud and data tampering External: More & more controls from public grantors, with concerns on access procedure. This has resulted in audits driven by some of them & focused on segregation of duties Internal concern as well Context • Segregation of duties: • SoDs are a primary internal control intended to prevent, or decrease the risk of errors or irregularities, identify problems and ensure corrective action is taken. • Principle : This is achieved by assuring no single individual has control over all phases of a business process. • Example : Modify vendor bank account + Vendor payment • Remediation : incompatible duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions.

  6. GRC : Governance, Risk & Compliance Governance: Manages the strategic directives a company wants to follow Risk : Management assesses the areas of exposures and potential impacts Compliance: Tactical action to metigate risk SAP GRC Access Control monitor, test, and enforce access and authorization controls across the enterprise. Solution selection : SAP GRC Access control • Solution assessed • Set up a GRC tool • Use of detection solutions that operate on downloaded data • Solution adopted : Install SAP GRC access control

  7. Scope of the project : Access Control

  8. Firefighter Compliance Calibrator Scope of the project : Phase 1 Compliance Calibrator

  9. Project Roadmap - Step 1: Project Preparation Implémentation Cycle 3 • GRC Installation • Version 5.2 • Connected to ECC instance • Proof-of-Concept : first risk assessment • About 300.000 Violations • First action: drastically reduce SAP_ALL, SAP_NEW • Scoping of phase 1 • Risk have been grouped by BPO: • FLC (Financial & Closing) • OTC (Order to Cash) • P2P (Procure to Pay) • I2P (Idea to Project) • Basis Component : out of scope Implémentation Cycle 2 Implémentation Cycle 1 RFC ... Proof of concept 5 GoLive &Support 4 2 3 1 remediation Risk assessment

  10. Risks per Business Process • BP : Finance & PS 32 risks SoD • BP : Material Management 14 risks SoD • BP : Purchasing 67 risks SoD • BP : Customer (& grantors) invoicing 29 risks SoD • BP : Basis – technical 19 risks SoD • BP : EC-CS Consolidation 14 risks SoD • BP : HR & payroll 21 risks SoD • BP : APO 16 risks SoD • BP : CRM 20 risks SoD • BP : EBP & SRM 24 risks SoD

  11. Step 2: Risk Assessment • Workshops: Adapt the standard SOD matrix • Are the risks proposed in the standard matrix relevant ? • Do we have to add some risks ? • Do we have to consider additional transactions (transaction Z* ) ? • Adapt GRC standard risks : Critical, High, Medium & Low • Design (update) the SOD matrix in the SAP GRC system • Run the risk assessment • Perform analysis

  12. Ecrans GRC - CC Pg.: 12 | 19/11/2004

  13. Ecrans GRC - CC Pg.: 13 | 19/11/2004

  14. Ecrans GRC - CC Pg.: 14 | 19/11/2004

  15. Ecrans GRC - CC Pg.: 15 | 10/06/2009

  16. Risk assessment Results 98 % (516 out of 525) of the SAP users have SOD risks SOD violations on role “display” !!! Recommendations on naming convention The naming of the role gives an information on the underlying business process Use simple roles Aggregate simple roles in composite role Identify quickly the different roles : Roles simples : « Z:xxx », roles composites : « ZC:xxx » Roles display : « Z:xxx_V » Create one specific role dedicated per critical risk Remark on traceability : the system keeps the history of the violations related to the risk assessment  perform the first analysis in the acceptance system Pg.: 16 | 19/11/2004

  17. Step 3 : on progress • Remediation : no role can content a SOD violation • Mitigation : accept the risk for some user & enforce the control on it • Use Firefighter : to track actions performed by super users during certain period of time (closing period for example) • Integration on SAP EP

  18. Questions ? Send a mail to our CFO : Anne Girin anne.girin@ulg.ac.be Pg.: 18 | 19/11/2004

More Related