Access Risk Analysis (ARA)

SAP GRC AC ARA
Access Risk Analysis
Requirements Gathering Workshop
Fahri Batur
October 2013
About This Session
Introduction
Today is all about exploring how you will use Access Control by leveraging your business knowledge and our product knowledge to arrive at design decisions that will enable us to write the Blueprint and configure the system.
It is important we have people in this session that can provide (with our help) direction in terms of how you will use Access Control.
So let's start by doing introductions around the room, including what your area of interest is in relation to Access Control.
Agenda
Running Order
Requirements gathering for Segregation of Duties management via the Access Risk Analysis (ARA) module
How We’re Going to Do This
A little insight into what’s in store
Integrc’s role today:
- Ask you lots of questions about how you will use Access Control
- Provide context to what we’re discussing and how our questions relate to your future use of Access Control
- Help you understand how Access Control will need to be set up in order to meet your business requirements
- Tease out all the detail we will need to write the Blueprint and configure your solution
Your role today:
- Answer lots of questions!
- Provide business context
Between us, we will establish all the facts we need to proceed
How We’re Going to Do This
Method
We have various techniques and aids to help us identify how Access Control will need to be configured:
- Good old fashioned talking, where your business knowledge and our product knowledge come together
- A structured questionnaire that will ensure we capture all the information we need
- Access to the Integrc GRC lab, where we can demo scenarios through the day for context if necessary
Let’s Start at the Very Beginning
Overview of SAP GRC Access Control
Marathon Phase (Stay Clean)
Sprint Phase (Get Clean)
Risk Identification & Remediation: Access Risk Analysis - risk analysis, detection, and remediation solution for access and authorisation controls
Privileged User Access: Emergency Access Management - privileged user access control solution
Role Management: Business Role Management - role definition and management
Prevention: Access Request Management - compliant provisioning solution
Contact: Gavin Campbell - Director, gavin.campbell@integrc.com, +44 7828 658812
Access Risk Analysis (ARA)
Segregation of Duties Management
- The rules engine that enables your Segregation of Duties reporting
- Interfaces with other Access Control modules to enable compliant processes for provisioning and role management
- Holds your definition of Segregation of Duties risks
- Analyses roles and users in real time against defined SoD risks to provide visibility of where risks are
Just Before We Start
An Insight Into the Variables We Need to Capture
For each Access Control module, we will need to capture the following variables:
- Cross Application Configuration and Settings
- System settings and parameters: will dictate how your system behaves and what default settings it uses
- Configuration settings: dictate how you will use the solution and how your GRC processes will work
- Master data
Target Systems
Identify Systems to be Connected to Access Control
A target system is a backend system that will be connected to Access Control for the purposes of risk analysis, provisioning, super user management or role management.
Connectors
Communication Channels Between GRC and Target Systems
A connector is created in GRC for each target system that Access Control will connect to. Your consultant will capture the connector details for each in-scope system.
Connector Definition
Technical Connector Settings
A connector definition is required for each defined connector/target system. Your consultant will capture these technical settings for the purpose of documenting them in the Blueprint.
Connector Groups
Logical Groupings of Physical Connections
Your consultant will discuss with you the different types of connector groups, what the advantages are of each type, and establish which are best for you.
Connector Integration Scenarios
Integration scenarios are used to define the flow of information between different application components. Your consultant will help work out which scenarios are relevant to you.
Cross Application
Generic System Settings
These parameters influence how the system operates but are not related as such to any one module. They are central to the system, much like the Basis layer of any SAP system.
Access Control Owners
Important Users Who Are Assigned Specific Responsibilities
Users that will be involved in your Access Control processes need to be assigned their responsibilities in the Access Control owners table, in addition to their ABAP roles.
Organisational Structure
Shared Structure for Assigning Mitigating Controls
The organisational structure is shared between Access Control and Process Control and is used to assign controls in a structured way.
ARA Configuration Parameters
System Settings for ARA
These parameters influence how ARA operates. System default values are defined here.
SoD and Critical Risk Ruleset
Defining the Risk Library
The ruleset defines the risks that matter to your organisation and ultimately shows the transactions that should not be allocated to users in combination.
Mitigating Controls
Define Controls and Map Them to Risks
Mitigating controls are documented in Access Control as a way of mitigating the risk of assigning conflicting access to users. Whilst Access Control does not manage the control execution, it provides reporting for visibility of mitigated and unmitigated risks.
Mitigating Control Assignment
Mapping Users to Controls
This step defines the mitigating controls that need to be mapped to users based on the SoD risks that they will have at go-live.
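The ARA behaviour described across these slides (a ruleset of conflicting functions, user- and role-level risk analysis, and mitigating-control assignments that flag a hit as mitigated rather than removing it) as an added Python illustration. This is not code from Integrc, SAP or this deck; every risk id, function, transaction code, role, user and control id below is constructed sample data, and the report shapes are assumptions made for the example.

```python
from itertools import product

# --- Ruleset (constructed sample data, hypothetical ids) ---------------------
# A function is a business capability expressed as the actions (transaction
# codes) that grant it. A risk names the functions that must not be combined;
# a risk with a single function is a "critical action" rather than an SoD pair.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01"},
    "VENDOR_PAY": {"F110", "F-53"},
    "BANK_MASTER": {"FI01", "FI02"},
    "USER_ADMIN": {"SU01", "PFCG"},
}

RISKS = {
    # risk id: (level, description, functions in conflict)
    "R001": ("High", "Create vendor and pay vendor", ("VENDOR_MAINT", "VENDOR_PAY")),
    "R002": ("High", "Maintain bank master and pay vendor", ("BANK_MASTER", "VENDOR_PAY")),
    "C001": ("Critical", "User and role administration", ("USER_ADMIN",)),
}

# --- Access data as it would be read from a target system (constructed) ------
ROLES = {
    "Z_AP_CLERK": {"XK01", "FK01"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "FI01"},
    "Z_AP_ALL": {"XK01", "F110", "FI02"},   # conflicting access inside one role
}
USERS = {
    "jsmith": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "mlee": {"Z_AP_CLERK"},
    "basis1": {"Z_BASIS_ADMIN"},
}

# --- Mitigating control assignments (constructed) ----------------------------
# (user, risk) -> control id. The tool records the assignment for reporting;
# execution of the control itself happens outside the tool.
MITIGATIONS = {
    ("jsmith", "R001"): "MC-AP-01",   # e.g. periodic vendor-change vs payment review
}


def analyze_actions(actions):
    """Evaluate one set of actions against the ruleset.

    Returns {risk_id: evidence}. Evidence is a list of tuples holding one
    matched action per conflicting function, so a reviewer can see exactly
    which transactions triggered the risk.
    """
    hits = {}
    for risk_id, (_level, _desc, func_ids) in RISKS.items():
        matched = [sorted(actions & FUNCTIONS[f]) for f in func_ids]
        if all(matched):                      # every function in the risk is granted
            hits[risk_id] = [tuple(c) for c in product(*matched)]
    return hits


def user_actions(user_id):
    """Effective access is the union of all roles assigned to the user."""
    return set().union(*(ROLES[r] for r in USERS[user_id]))


def analyze_role(role_id):
    """Role-level analysis: conflicts built into a single role."""
    return analyze_actions(set(ROLES[role_id]))


def analyze_user(user_id):
    """User-level report: each hit carries its level and any mitigating control."""
    report = []
    for risk_id, evidence in analyze_actions(user_actions(user_id)).items():
        level, desc, _ = RISKS[risk_id]
        report.append({
            "user": user_id, "risk": risk_id, "level": level,
            "description": desc, "evidence": evidence,
            "mitigated_by": MITIGATIONS.get((user_id, risk_id)),
        })
    return report


def unmitigated_risks(levels=("High", "Critical")):
    """Cross-user view of hits that still need remediation or a control."""
    out = []
    for user_id in USERS:
        for hit in analyze_user(user_id):
            if hit["mitigated_by"] is None and hit["level"] in levels:
                out.append((user_id, hit["risk"]))
    return sorted(out)


if __name__ == "__main__":
    for user_id in USERS:
        for hit in analyze_user(user_id):
            status = f"mitigated by {hit['mitigated_by']}" if hit["mitigated_by"] else "UNMITIGATED"
            print(f"{hit['user']:8} {hit['risk']} {hit['level']:8} {hit['description']}: {status}")
            print("    evidence:", hit["evidence"])
    print("role-level conflicts in Z_AP_ALL:", analyze_role("Z_AP_ALL"))
    print("still unmitigated:", unmitigated_risks())
```

Running the block shows the distinction the slides draw: jsmith's R001 hit is reported but marked as mitigated by the assigned control, basis1's critical action C001 has no control and stays on the unmitigated list, and Z_AP_ALL shows that a single role can carry a conflict before any user is assigned to it, which is why role-level analysis belongs in the role management process as well as in user provisioning.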
Business Processes and Sub Processes
Part of mitigating control master data used to categorise controls
Next Steps
What Happens Next
1. Feed design decisions into Blueprint document
2. Collate outstanding items asap and feed into Blueprint
3. Approve Blueprint
4. Integrc prepare for configuration
5. Configuration and master data loaded to GRC development
6. Test
Thank You
On behalf of Integrc, thank you for your invaluable contribution. Your input during requirements gathering will influence the success of the Access Control implementation.