Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fahri BaturOctober 2013 SAP GRC AC ARA Access Risk Analysis Requirements Gathering Workshop.

Similar presentations


Presentation on theme: "Fahri BaturOctober 2013 SAP GRC AC ARA Access Risk Analysis Requirements Gathering Workshop."— Presentation transcript:

1 Fahri BaturOctober 2013 SAP GRC AC ARA Access Risk Analysis Requirements Gathering Workshop

2 Today is all about exploring how you will use Access Control by leveraging your business knowledge and our product knowledge to arrive at design decisions that will enable us to write the Blueprint and configure the system It is important we have people in this session that can provide (with our help) direction in terms of how you will use Access Control So lets start by doing introductions around the room to include what your area of interest is in relation to Access Control About This Session Introduction

3 Requirements gathering for Segregation of Duties management via the Access Risk Analysis (ARA) module Agenda Running Order

4 Integrc’s role today Ask you lots of questions about how you will use Access Control Provide context to what we’re discussing and how our questions relate to your future use of Access Control To help you understand how Access Control will need to be set-up in order to meet your business requirements Tease out all the detail we will need to write the Blueprint and configure your solution How We’re Going to Do This A little insight into what’s in store Your role today Answer lots of questions! Provide business context Between us, we will establish all the facts we need to proceed

5 Good old fashioned talking where your business knowledge and our product knowledge comes together How We’re Going to Do This Method We have various techniques and aids to help us identify how Access Control will need to be configured Structured questionnaire that will ensure we capture all information we need Access to the Integrc GRC lab where we can demo scenarios through the day for context if necessary

6 Lets Start at the Very Beginning Overview of SAP GRC Access Control Gavin Campbell - Director Risk Identification & Remediation Prevention Business Role Management Role definition and management Business Role Management Role definition and management Access Risk Analysis Risk analysis, detection, and remediation solution for access and authorisation controls Access Risk Analysis Risk analysis, detection, and remediation solution for access and authorisation controls Emergency Access Management Privileged user access control solution Emergency Access Management Privileged user access control solution Access Request Management Compliant provisioning solution Access Request Management Compliant provisioning solution Sprint Phase (Get Clean) Marathon Phase (Stay Clean) Privileged User Access Role Management Role Management

7 Access Risk Analysis (ARA) Segregation of Duties Management The rules engine that enables your Segregation of Duties reporting Interfaces with other Access Control modules to enable compliant processes for provisioning and role management Holds your definition of Segregation of Duties risks Analyses roles and users in real time against defined SoD risks to provide visibility of where risks are

8 Just Before We Start For each Access Control module, we will need to capture the following variables:- System settings and parameters Will dictate how your system behaves and what default settings it uses Configuration settings Dictate how you will use the solution and how your GRC processes will work Master data An Insight Into the Variables We Need to Capture Cross Application Configuration and Settings

9 Target Systems A target system is a backend system that will be connected to Access Control for the purposes of risk analysis, provisioning, super user management or role management Identify Systems to be Connected to Access Control Click icon for Target Systems data capture sheet

10 Connectors Communication Channels Between GRC and Target Systems A connector is created in GRC for each target system that Access Control will connect to. Your consultant will capture the connector details for each in scope system Implement Click icon for Generic System Settings data capture sheet

11 Implement Maintain Connector Definition A connector definition is required for each defined connector/target system. Your consultant will capture these technical settings for the purpose of documenting them in the Blueprint Technical Connector Settings Implement Click icon for Generic System Settings data capture sheet

12 Connector Groups Your consultant will discuss with you the different types of connector groups, what the advantages are of each type and establish which are best for you Logical Groupings of Physical Connections Implement Click icon for Generic System Settings data capture sheet

13 Connector Integration Scenarios Integration scenarios are used to define the flow of information between different application components. Your consultant will help work out which scenarios are relevant to you Implement Click icon for Generic System Settings data capture sheet

14 Cross Application Generic System Settings These parameters influence how the system operates but are not related as such to any one module. They are central to the system, much like the Basis layer of any SAP system. Click icon for Generic System Settings data capture sheet

15 Implement Maintain Access Control Owners Users that will be involved in your Access Control processes need to be assigned their responsibilities in the Access Control owners table in addition to their ABAP roles Important Users Who Are Assigned Specific Responsibilities Click icon for Generic System Settings data capture sheet

16 Organisational Structure The organisational structure is shared between Access Control and Process Control and used to assign controls in a structured way Shared Structure for Assigning Mitigating Controls Implement Click icon for Generic System Settings data capture sheet

17 ARA Configuration Parameters These parameters influence how ARA operates. System default values are defined here System Settings for ARA Implement Click icon for Generic System Settings data capture sheet

18 SoD and Critical Risk Ruleset Defining the Risk Library The ruleset defines the risks that matter to your organisation and ultimately shows the transactions that should not be allocated to users in combination Implement Click icon for Generic System Settings data capture sheet

19 Implement Maintain Mitigating Controls Mitigating controls are documented in Access Control as a way of mitigating the risk of assigning conflicting access to users. Whilst Access Control does not manage the control execution, it provides reporting for visibility of mitigated and unmitigated risks Define Controls and Map Them to Risks Click icon for Generic System Settings data capture sheet Implement

20 Mitigating Control Assignment This step defines the mitigating controls that need to be mapped to users based on the SoD risks that they will have at go-live Mapping Users to Controls Implement Click icon for Generic System Settings data capture sheet Implement

21 Business Processes and Sub Processes Part of mitigating control master data used to categorise controls Implement Click icon for Generic System Settings data capture sheet

22 Next Steps What Happens Next Feed design decisions into Blueprint document Collate outstanding items asap and feed into Blueprint Approve Blueprint Integrc prepare for configuration Configuration and master data loaded to GRC development Test

23 Thank You On behalf of Integrc, thank you for your invaluable contribution. Your input during requirements gathering will influence the success of the Access Control implementation


Download ppt "Fahri BaturOctober 2013 SAP GRC AC ARA Access Risk Analysis Requirements Gathering Workshop."

Similar presentations


Ads by Google