SAP Security and GRC
SAP® considered as one of the most powerful and sophisticated tool can run your business processes, business transactions and provide all the necessary information that you need to manage. It can also provide the necessary information from your suppliers to your customers, from your assets and stock to your people, from your balance sheet to your expenses. All in one integrated enterprise solution. And that is dangerously powerful if not properly controlled.
The truth is most of us are not sure how protected and safe we are. The complexities of having such a powerful and integrated enterprise system bring great advantages - but potentially great exposure.
Inlink also provides GRC and security relating to SAP® systems. We with our skilled resources are also efficient SAP technical specialists. Through experience gained across many national and global, private and public organizations, we come up with the highest levels of security to help you and your business.
What is SAP Business Objects GRC?
SAP® BusinessObjects GRC is an integrated set of applications that works across the enterprise. These applications help to document and manage risks and controls in real time. They can help automate controls and also minimise the likelihood and impact of risks. This real time overview can give organisation better information and allow it to make better decisions.
Why would you want SAP® BusinessObjects GRC?
It is the stakeholders and auditing bodies that scrutinize the operative effectiveness and profitability of an organization. The corporate is accountable to show the reliable, compliant and sustainable picture of the company. To achieve this level of operational reporting a GRC adoption strategy is required. This can guide people, standardize processes, and integrate technology at every organizational level.
What are the SAP® BusinessObjects GRC applications?
SAP says:
SAP solutions for governance, risk, and compliance promote corporate accountability by unifying corporate strategy, control initiatives, opportunity discovery, and loss mitigation across the extended enterprise. Managing GRC across the extended enterprise allows processes and strategies to be evaluated within the company and extended to partners, suppliers, and customers truly representing the reach of the enterprise.
The SAP® BusinessObjects GRC applications:
Risk Management
Through its 200+ Key Risk Indicators SAP risk management will identify risk and conduct risk analysis, response, monitoring, and reporting within a best-practice framework. It can balance business opportunities with financial, legal, and operational exposure to minimise the market penalties from high-impact events.
Access Control
Access Control is perhaps the best well known of the SAP® BusinessObjects GRC suite. This group of applications (based on the Virsa tools) is dedicated to risk associated with logical system access. It can identify and prevent access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control.
Process Control
The SAP solution provides 70 out-of-the-box process controls which have been used successfully by many global organizations to optimize business operations and ensure compliance by centrally monitoring key controls for business processes and cross-enterprise IT systems.
Global Trade Services
GTS is a SAP offering which will manage all foreign trade processes within a comprehensive platform to ensure trade compliance, expedited cross-border transactions, and optimum utilization of trade agreements.
EH&S
EH&S is a mature solution from SAP which aligns business processes with environmental, occupational, and product safety regulations. It contains corporate policies to ensure proactive compliance.
The Data Privacy composite application
SAP and Cisco have partnered to release a Data Privacy composite application. By monitoring network traffic it extends controls and proactively addresses risk event issues across the extended enterprise network.
What is SAP® BusinessObjects GRC Access Control?
SAP® BusinessObjects GRC Access Control contains the following tools which are becoming increasingly integrated for optimum usage:
Compliance Calibrator (Risk Analysis and Remediation RAR)
This supports real-time compliance by stopping security and controls violations before they occur. This tool contains the most inclusive library of Segregation of Duty (SoD) rules available for enterprise applications from SAP, Oracle, and PeopleSoft. Business-process owners can easily deploy rules applicable to their organisation and to exclude risks from enterprise applications.
Firefighter (Super Privilege Management SPM)
It enables super-users to execute emergency activities outside the parameters of their normal role. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
Role Expert (Enterprise Role Management - ERM)
ERM centralises and standardises enterprise wide role management and help to eliminate manual errors, provides an audit trail for changes, and enforces best practices. With the help of the application business managers can define functional roles, and IT managers can define the associated technical permissions.
Access Enforcer (Compliant User Provisioning - CUP)
CUP supports fully compliant user provisioning across applications throughout the employee life cycle. Multi-step guided procedures automate approval processes and enforce mandatory, real-time risk assessments prior to provisioning users to enterprise applications.
What is the version roadmap?
The current version of SAP®BusinessObjects GRC Access Control is version 5.2. Version 5.3 is already in ramp-up and is expected to be on general release in August/September 08. Version 6.0 is planned for release in 2009.
What are the new features in version 5.3?
There are > 150 improvements between Access Control 5.2 and 5.3. Here are a few highlights:
Across all components:
- One launch pad for all components
- Configuration now transportable
- Improved export / import options
- Enhanced change history
Compliance Calibrator (Risk Analysis and Remediation RAR)
- Risk analysis works on UME and Portal role
- Integration with BI 7.0 for better reporting
- Performance improvement by multi-processing
Firefighter (Super Privilege Management SPM)
- Performance issues addressed
- Less on-going configuration
- Centralised reporting
- Automated archiving
Role Expert (Enterprise Role Management - ERM)
- Better integration with PFCG
Access Enforcer (Compliant User Provisioning - CUP)
- Periodic review of users
- Review users who have not used roles
- Re-affirm mitigations
SAP GRC Process Control
On the 17th June 2008, SAP announced their GRC Process Control solution was up for grab globally after it successfully exited its ramp up phase. This indicates that every product in the SAP GRC portfolio is generally available.
SAP GRC Process Control enables an organisation to deploy an integrated strategy to risk management and business process control rather than implementing one off fragmented and costly solutions to address specific compliance and control issues. It can help organisations simplify and re-enforce their compliance activities across business processes enterprise wide. One of the key strength is that the solution to address specific compliance and control issues.
End to end process control is achieved with this software:
- business processes and controls are documented in the tool
- automated tests are carried out to prove or disprove that the controls are working, continuously monitoring for fraud, abuse and inefficiencies
- remedial actions are defined where a control fails or is weak
- remedial actions are logged in the tool
- controls are re-tested after remediation
- control sign off is documented
- all changes made to controls, tests etc are logged, providing robust audit trail
SAP GRC Process Control is shipped with 70 out of the box pre-defined, automated controls, which span the following business processes:
Procure to Pay: Adherence to purchasing strategy can be controlled and tested whilst re-enforcing control in the Accounts Payable function
Order to Cash: Automated controls and testing can be used to identify revenue going astray and fraudulent transactions
Reconcile to Report: Processes and controls around financial ledgers and closing periods can be monitored for irregularities
System Security Management: IT controls can also be monitored across the entire SAP landscape for adherence to IT policy.
SAP® BusinessObjects GRC Enterprise Risk Management
SAP®BusinessObjects GRC Enterprise Risk Management application helps improve the effectiveness and efficiency of activities and facilitates a consistent, balanced approach towards the management of the entire spectrum of risks across all business activities, across applications and throughout all business areas.
This enterprise provides better understanding of risk profile across the organization at any given point in time. Such ability to see an aggregated view of all risks and their status provides managers with the data needed to make informed and calculated decisions; enabling them to take advantage of opportunities when they arise and mitigate negative impacts.
|
