Executives today struggle to address compliance initiatives for an ever-increasing number of regulatory requirements. At the same time, business partners and customers expect a more efficient exchange of information from businesses, which must establish an open IT infrastructure in response. Ensuring proper segregation-of-duties policies to manage access adds a burden for IT stakeholders in these organizations. The SAP BusinessObjects Access Control application helps business managers, IT security, and auditors collaborate in controlling access and preventing fraud across the enterprise while minimizing audit time and audit-related costs.
Content

Challenges to Efficient Compliance Management 4
Fragmented Approach Increases Risk 4
Inefficient Compliance Processes 4
Lack of Real-Time Oversight 4
Reduced Access Risk Across the Enterprise 6
Enterprise-Wide Risk Analysis 6
Risk Mitigation 6
Streamlined Compliance Processes 8
Enterprise Role Management 8
Compliant User Provisioning 9
Superuser Privilege Management 10
Real-Time Oversight 11
Management Oversight for Business Owner Accountability 11
Minimized Audit Time and Audit-Related Costs 12
Integrated Solutions to Build Business Effectiveness 12
SAP BusinessObjects Governance, Risk, and Compliance Solutions 13
Obtain Complete Insight, Greater Efficiency, and Improved Flexibility 13
Complete Insight 13
Greater Efficiency 13
Improved Flexibility 13
Find Out More 13
The regulatory environment for public and nonprofit organizations has become increasingly complex. Companies must address not only horizontal mandates in such areas as financial reporting, security, privacy, records retention, import-export regulations, environmental standards, occupational safety, and credit risk exposure but also vertical mandates for their industry-specific areas. The growing number of regulatory requirements often results in a fragmented approach across the enterprise, in which each department or business unit is independently tasked with implementing policies, identifying and measuring risks, and supporting regulatory mandates.
While the visibility continues to improve, the access to sensitive data by current and former employees continues to be a key risk element.
2010 Global State of Information Security Survey by CIO, CSO, and PricewaterhouseCoopers
Global fraud report, Issue 8, March 2009). Challenging economic conditions tend to lead to increased fraud as companies are pressured to achieve financial results. Increases in fraud can also occur in public or private organizations through theft of company information as employees are forced to work harder with reduced resources and experience salary reductions and layoffs. What is needed is an automated, enterprise-wide system for access control that enables IT executives to address regulatory requirements, maintain an open infrastructure to support business needs, and put controls in place to reduce risk and prevent fraud.
The SAP BusinessObjects Access Control application helps organizations overcome these challenges so that they can confidently control access and prevent fraud. The application enables business managers, IT security, and auditors to reduce SoD violations and critical access risk across the enterprise, streamline compliance processes, and deliver real-time oversight of the current risk situation.
By supporting the creation of compliant business processes, SAP BusinessObjects Access Control enables business-owner accountability and minimizes audit time and audit-related costs.
The Security Executive Council Survey reported more than 40% increases in theft, fraud, and requests for support to HR relative to layoffs in fiscal year 2008-09.
2009 Security Budget Research Report: Impact of the Economic Downturn, April 2009, Security Executive Council
For companies struggling to manage multiple compliance initiatives, SoD can be one of the most difficult controls to deploy. Keeping pace with constantly changing business requirements and role definitions, layering new access on to old access, and testing access authorizations for thousands of employees across various systems present an overwhelming challenge to preventing critical access risk. To take control of user access in their organization, compliance groups should start by conducting an initial cleanup, which involves three steps. First, an enterprise-wide risk analysis must be conducted to uncover existing access violations. Next, the violations or risks uncovered must be reviewed. The final step is to mitigate the risk associated with the access in question or remove the access. To perform a comprehensive cleanup rapidly and cost-effectively, best-run companies require software engineered with this purpose in mind.
The rules database includes rules for the most common business functions and associated risks, which is a prerequisite for identifying SoD violations and critical access risks. The rules database is compatible with SAP and non-SAP software, including Oracle, PeopleSoft, and JD Edwards products as well as legacy software and applications not classified as enterprise resource planning (ERP) software. This comprehensive integration enables the mapping of functions and associated risk across all these software solutions to establish a consistent policy and prevent duplication of effort.
Risk Mitigation
Upon identifying SoD violations and critical access risks, business managers can then review issues found during the initial risk analysis. Robust reporting functionality in SAP BusinessObjects Access Control allows business managers to sort the SoD violations by role, by business process, and by user and to review the root cause of the violation. The software also indicates the severity level of any violation. With this level of detailed reporting, stakeholders are able to resolve issues found during the analysis and prevent risk. An example of preventing an SoD violation is when it is discovered that employees are authorized both to create new vendors and to make payments to those vendors. That opens up the possibility of fraud, because the employees can pay money into accounts they themselves have configured. Authorization for this combination of business functions represents an SoD violation. To prevent the risk, the manager must decide how to mitigate the violation. One way is to rescind the employees' authorization to perform one of the business functions. If both functions are required, the manager can choose an appropriate mitigating control and assign a monitor to oversee that the mitigating control is carried out. After the initial cleanup, managers can conduct regular risk analyses of user access requests and role definitions to sustain SoD control and prevent critical access risks on an ongoing basis.

Votorantim Celulose e Papel S.A., one of Brazil's largest pulp and paper producers, reduced access conflicts by 91% with SAP BusinessObjects Access Control.
Celso Yao, Risk Manager, Votorantim Celulose e Papel S.A.
SAP BusinessObjects Access Control reduces SoD violations and critical access risks across the enterprise, thereby streamlining compliance with regulatory requirements. In addition to helping eliminate existing access risks, the application helps prevent the addition of new risks by supporting compliant business processes during, for example, role creation and role provisioning. The software leverages rule sets that are packaged with it and that were developed by SAP over a period of 12 years based on best practices.
The cost in money and resources to enforce access control, SoD, and compliant user provisioning on a continual basis can be overwhelming for many companies. Even after conducting an initial cleanup, new access control risks may arise on a daily basis as user roles and business needs change and new regulations are introduced. SAP BusinessObjects Access Control helps organizations introduce continuous access management. The solution automates all aspects of access management, including enterprise role management, compliant user provisioning, and emergency privilege management, to increase efficiency and reduce the resources and time required for compliance.
violations. New roles are often tested for whether the user can perform the tasks required by their role but not tested for compliance. When SoD violations are revealed during user acceptance testing, IT is required to return to the development phase and recreate the role. This process is not only inefficient, but it also creates risk for the company during the time in which the improper privileges are assigned to a role. SAP BusinessObjects Access Control translates technical access risks into common business language, facilitating improved collaboration between IT and business owners. By incorporating SoD rules into the role design and role creation process, the application allows you to define compliant roles proactively. The flexible role-building methodology in the application guides you through a step-by-step process of building new roles. The application also offers you functionality to perform preventive simulations, with which you can see what impact access changes will have before they are introduced into a production environment. Simulations can be performed at the user level, role level, or position level to test for any SoD violations. You can also perform automated risk assessment, track changes, and perform role maintenance, which increases the consistency of user access and lowers IT costs. As a single authoritative source for enterprise role definition, SAP BusinessObjects Access Control enforces best-practice methodologies while eliminating offline, manual processes such as updating Microsoft Excel sheets, actions that can escape automated, software-supported SoD rules. Its approval workflow can serve as a record for documentation and audit purposes. With this centralized tool, technical and business owners are able to use the same, consistent terms to document role definitions. Business users are empowered with automated change management, single-click automatic role creation, and role comparison features. By automating enterprise role management, SAP BusinessObjects Access Control enables businesses to reduce the cost of role maintenance, eliminate manual errors, and enforce best practices.

Figure 1: Reduce Cost with Automated Enterprise Role Management (diagram labels: Enterprise rules, Audit log, SAP, roles)
employee lifecycle to prevent SoD violations. Employees can request access using a structured dialog of self-service workflows that specify business processes and roles, reducing the IT resources required. Managers receive an e-mail notification of an employee's request. The application automatically tests for SoD issues, removes SoD or critical access risks, and implements mitigating controls prior to approval. With this functionality, the application prevents SoD violations from being introduced into the production environment. Additionally, its dynamic workflow provides end-to-end automation for user provisioning in multiple applications. The application also offers expanded automated provisioning through integration with standards-based identity management software. Requests can be automatically integrated with user identity information from a Lightweight Directory Access Protocol (LDAP) directory or other human resources databases so that managers can approve requests via e-mail. With compliance embedded in business processes, organizations can take a preventive approach, helping restrict management from granting access to an employee in a manner that might create an SoD violation. However, if a unique situation requires high-risk access privileges to be granted, such as when a small branch office manager must be able to both create and pay vendors, the application enables the creation of mitigating controls, which can be assigned as required. Integrated, real-time risk analysis can be conducted before access is granted.
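The risk analysis, mitigating-control and preventive-simulation steps described in the sections above, as an added example that is not part of the SAP brochure or product: a small rule set of conflicting business functions, role and user assignments, and a what-if check run on a provisioning request before approval. Rule ids, role names, user ids and the control MC-017 are constructed sample data.

```python
# Constructed SoD rules library: risk id -> (severity, description, conflicting functions).
# Sample rules written for this example, not SAP's shipped rule set.
SOD_RULES = {
    "P001": ("High", "Create vendor master and pay vendor",
             ("AP_VENDOR_MAINTAIN", "AP_PAYMENT_RUN")),
    "P002": ("High", "Create purchase order and post goods receipt",
             ("MM_PO_CREATE", "MM_GOODS_RECEIPT")),
}

# Role definitions expressed in business functions rather than technical authorizations.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"AP_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"},
    "Z_AP_PAYMENTS": {"AP_PAYMENT_RUN"},
    "Z_PURCHASER": {"MM_PO_CREATE"},
    "Z_WAREHOUSE": {"MM_GOODS_RECEIPT"},
    "Z_BRANCH_MANAGER": {"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RUN"},  # conflict within one role
}

USER_ROLES = {
    "jsmith": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "mlee": {"Z_PURCHASER"},
    "branch01": {"Z_BRANCH_MANAGER"},
}

# Mitigating controls assigned per (user, risk): control id, description, assigned monitor.
MITIGATIONS = {
    ("branch01", "P001"): ("MC-017", "Monthly vendor/payment reconciliation", "controller"),
}


def user_functions(user, extra_roles=()):
    """Map a user's roles (plus any simulated roles) to function -> set of granting roles."""
    granted = {}
    for role in sorted(USER_ROLES.get(user, set()) | set(extra_roles)):
        for func in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(func, set()).add(role)
    return granted


def analyze_user(user, extra_roles=()):
    """Risk analysis by user: every rule whose conflicting functions are all granted."""
    granted = user_functions(user, extra_roles)
    found = []
    for risk_id, (severity, desc, funcs) in SOD_RULES.items():
        if all(f in granted for f in funcs):
            mit = MITIGATIONS.get((user, risk_id))
            # "roles" names the roles that together cause the conflict (the root cause).
            found.append({"user": user, "risk": risk_id, "severity": severity,
                          "description": desc,
                          "roles": tuple(sorted(set().union(*(granted[f] for f in funcs)))),
                          "mitigation": mit[0] if mit else None})
    return found


def analyze_role(role):
    """Role-level check: a single role that carries both sides of a conflict."""
    funcs = ROLE_FUNCTIONS.get(role, set())
    return [rid for rid, (_, _, pair) in SOD_RULES.items() if all(f in funcs for f in pair)]


def simulate_request(user, requested_roles):
    """Preventive what-if simulation: violations a provisioning request would add."""
    before = {v["risk"] for v in analyze_user(user)}
    return [v for v in analyze_user(user, requested_roles) if v["risk"] not in before]


def unmitigated(violations):
    """Findings with no mitigating control assigned; these should block approval."""
    return [v for v in violations if v["mitigation"] is None]


if __name__ == "__main__":
    print(analyze_user("jsmith"))
    print("mlee + Z_WAREHOUSE adds:", [v["risk"] for v in simulate_request("mlee", ["Z_WAREHOUSE"])])
```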
Finally we have just one place to look for all our compliance rule sets, violations, mitigation controls, checks and balances, and so forth. That winds up saving us quite a bit of money.
Dina Dayal, Director of Security and Quality Assurance, Newell Rubbermaid
In addition, SAP BusinessObjects Access Control creates a more efficient internal audit process with business-friendly reporting and features such as audit logs for detailed tracking, customizable reporting, and process-efficiency statistics. Instead of requiring staff to hunt for forms, e-mail messages, and relevant files, the application makes change logs readily available electronically, thereby minimizing audit time and audit-related costs. By automating compliant user provisioning, your organization can increase productivity and reduce the overall cost of compliance.
Figure: Compliant Provisioning with Dynamic Workflow (diagram: an HR event such as an employee being hired or retired triggers request generation, 100% automated; risk analysis with one-click preventive simulation and an escalation workflow; automated provisioning, 100% automated, with an escalation workflow, to SAP, Oracle, PeopleSoft, and legacy systems)
Excessive access rights was the top internal/external audit finding over the past 12 months.
Protecting What Matters, The 6th Annual Global Security Survey, February 16, 2009, Deloitte
In situations such as these, SAP BusinessObjects Access Control enables rapid response with functionality that authorizes users to perform activities outside their role using firefighter login IDs with superuser privileges in a controlled, auditable environment. No longer will you have to wait or wake up supervisors in the middle of the night to get approvals for privileged access. The application efficiently creates emergency access for any user and allows companies to quickly resolve this common audit issue, significantly reducing the time required to perform critical tasks. With this functionality, the application also delivers the necessary audit reporting to prevent regulatory violations. It tracks, monitors, and logs every activity a user performs while logged in with the privileged user ID.
Standard reports, including notifications of usage and detailed activity logs, are sent automatically to supervisors for increased visibility. Activity logs track input down to the field value level and allow you to filter, sort, and download input information. Audit time is minimal, because detailed logs are available for auditors immediately and can be reviewed and signed off in advance of the official audit report. SAP BusinessObjects Access Control automates SoD and access management controls and facilitates improved collaboration between IT and business users. Automated reporting embedded in business processes reduces the time and cost for audits. The solution streamlines compliance processes for enterprise role management, compliant user provisioning, and emergency privilege management, so you can maintain continuous compliance during role design, in daily operations, and even during urgent situations.
Real-Time Oversight
Once organizations have completed the initial analysis and implemented controls to mitigate SoD violations and prevent critical access risk, it is imperative to have real-time visibility into the daily events that could impact ongoing compliance. As the needs of a business evolve, role definitions change, employees are promoted, and access privileges are modified constantly. Management cannot obtain a clear view across the enterprise to assess current risk exposure from reports based on periodic data downloads. What is needed is software that analyzes and compares rules and detects potential risks based on real-time data. Without this support, it is difficult for business owners to be truly accountable for preventing risk. If business managers cannot accurately review and track access control changes and associated problems, and if they cannot provide complete records to auditors, audit costs increase. Internal auditors who are faced with spreadsheets listing the access and authorizations of all employees can perform only a very limited audit. Even if they do capture the status quo at one point in time during an annual audit, changes to roles or business processes can render those roles or processes noncompliant at any time thereafter. SAP BusinessObjects Access Control offers management real-time access-risk analysis, reporting, and dashboards for increased accuracy. Managers can perform what-if simulations to prevent access violations. The solution provides functionality allowing management to take responsibility for effective oversight of SoD and critical access risk. The application includes real-time detection controls and transaction-usage monitoring to give auditors the tools they need to stay in control of access compliance.
Policy reporting reviews the SoD rules library and allows management to make updates and changes to business processes as required by changes in the regulatory environment; management can also review mitigation controls and assess their effectiveness. Emergency access reports show which employees have used superuser privileges and what tasks were performed using that access.
With SAP BusinessObjects Access Control, GRUMA is able to achieve 90% faster resolution of auditor observations.
Juan Carlos Vola, CIO, GRUMA S.A.B. de C.V.
SAP BusinessObjects Access Control automates user access reviews, enabling you to review the potential risks in your organization and work toward rapid resolution. For example, you can perform a risk analysis by user and discover any unmitigated risk that requires attention. You can also review mitigating controls and the employees assigned to monitor them. The application alerts the appropriate manager when the monitor assigned to run a mitigation report does not perform the duties assigned within the specified time period. Actual usage and role usage reports reveal when a violation occurs, for example, when an employee performs conflicting functions, such as creating a new vendor and paying a vendor. The alert system allows managers to focus on high-priority items and exceptions. Reports provide comprehensive evidence for auditors that mitigation measures are effective. This robust reporting gives you the transparency that is required by regulators and auditors, and it gives the confidence essential for successful business management. It offers the flexibility to innovate business processes and improves the productivity of managers, thereby significantly lowering the overall cost of compliance.
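The actual-usage report and the overdue-monitor alert described above, as an added illustration that is not taken from the product: constructed transaction-usage log lines are run against the conflicting-function rules to flag users who actually executed both sides of a conflict (with the evidence an auditor would want), and mitigating controls whose monitor has missed the review period are listed. The transaction-to-function mapping, the log lines, the user ids and the control MC-017 with its review dates are assumptions made for this example.

```python
from collections import defaultdict
from datetime import date

# Constructed SoD rules: risk id -> (severity, description, conflicting business functions).
SOD_RULES = {
    "P001": ("High", "Create vendor master and pay vendor",
             ("AP_VENDOR_MAINTAIN", "AP_PAYMENT_RUN")),
    "P002": ("High", "Create purchase order and post goods receipt",
             ("MM_PO_CREATE", "MM_GOODS_RECEIPT")),
}

# Assumed mapping from executed transaction codes to business functions (constructed).
TCODE_FUNCTION = {
    "XK01": "AP_VENDOR_MAINTAIN", "FK02": "AP_VENDOR_MAINTAIN", "F110": "AP_PAYMENT_RUN",
    "ME21N": "MM_PO_CREATE", "MIGO": "MM_GOODS_RECEIPT",
}

# Mitigating controls with the monitor's last review date and the required review period.
MITIGATIONS = {
    ("branch01", "P001"): {"control": "MC-017", "monitor": "controller",
                           "last_review": date(2010, 1, 15), "period_days": 30},
}

# Constructed transaction-usage extract: "<date> <time> <user> <transaction>" per line.
USAGE_LOG = """\
2010-03-02 09:14 jsmith XK01
2010-03-02 09:40 jsmith F110
2010-03-03 11:05 mlee ME21N
2010-03-04 08:30 branch01 XK01
2010-03-04 16:02 branch01 F110
2010-03-05 10:10 mlee MIGO
2010-03-05 13:45 jsmith FB60
"""


def parse_usage(text):
    """Parse the usage extract into (date, user, transaction) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            day, _clock, user, tcode = line.split()
            entries.append((date.fromisoformat(day), user, tcode))
    return entries


def actual_usage_violations(entries):
    """Actual-usage report: users who executed both sides of a conflicting function pair."""
    used = defaultdict(lambda: defaultdict(list))   # user -> function -> [(date, tcode)]
    for day, user, tcode in entries:
        func = TCODE_FUNCTION.get(tcode)
        if func:                                     # unmapped transactions carry no SoD risk
            used[user][func].append((day, tcode))
    report = []
    for user in sorted(used):
        for risk_id, (severity, desc, pair) in SOD_RULES.items():
            if all(f in used[user] for f in pair):
                mit = MITIGATIONS.get((user, risk_id))
                report.append({"user": user, "risk": risk_id, "severity": severity,
                               "description": desc,
                               "evidence": {f: used[user][f] for f in pair},
                               "mitigated_by": mit["control"] if mit else None})
    return report


def overdue_monitors(mitigations, today_iso):
    """Alert list: mitigating controls whose monitor has not reviewed within the period."""
    today = date.fromisoformat(today_iso)
    return sorted(m["control"] for m in mitigations.values()
                  if (today - m["last_review"]).days > m["period_days"])


if __name__ == "__main__":
    for v in actual_usage_violations(parse_usage(USAGE_LOG)):
        print(v["user"], v["risk"], "mitigated by", v["mitigated_by"], v["evidence"])
    print("overdue monitors:", overdue_monitors(MITIGATIONS, "2010-03-06"))
```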
Improved Flexibility

Working together, SAP BusinessObjects GRC solutions provide a preventative, real-time approach for your heterogeneous environment. Performance indicators across fragmented control environments are aggregated to deliver a common, system-wide view and unify management of strategic, financial, operational, and compliance-related risks across the organization. Having a single strategy for internal policy and external regulation enables faster response to changing business conditions.
Quick Facts
www.sap.com/contactsap
Summary
The SAP BusinessObjects Access Control application enables business managers, IT security, and auditors to collaborate in controlling access and preventing fraud across the enterprise. The software helps streamline processes and establish controls to maintain segregation of duties (SoD), minimize critical access risk, and assign compliant user access, while minimizing audit time and audit-related costs.

Business Challenges
Manage diverse, applicable regulatory requirements
Reduce audit and compliance costs caused by manual processes
Maintain an open IT infrastructure while mitigating SoD risks
Improve collaboration between IT and business managers

Key Features
SoD rules library: Leverage best practices and SAP expertise in business processes
Automated workflows: Increase efficiency and collaboration between IT and business owners
What-if simulations: Define compliant roles proactively using preventive simulations
Reporting: Improve visibility of user provisioning, potential and actual risk, policy reporting, and superuser access

Business Benefits
Reduced risk of fraud by supporting the creation of compliant business processes
Reduced SoD violations and critical access risk across SAP and non-SAP software through visibility of the current risk situation based on real-time data
Minimized time to comply with regulatory requirements by automating the detection of access risk
Minimized audit time and audit-related costs through automated audit trails, real-time detection controls, and transaction monitoring
Improved visibility of the current risk situation through real-time reporting

For More Information
To find out more about how SAP BusinessObjects Access Control and other SAP BusinessObjects governance, risk, and compliance solutions can benefit your business, please contact your SAP representative or visit us at www.sap.com/sapbusinessobjects/grc.
50 098 921 (10/04) 2010 SAP AG. All rights reserved. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, Clear Enterprise, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP France in the United States and in other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.