Access Risk Analysis (ARA)

Report
SAP GRC AC ARA
Access Risk Analysis
Requirements Gathering Workshop
Fahri Batur
October 2013
About This Session
Introduction
Today is all about exploring how you will
use Access Control by leveraging your
business knowledge and our product
knowledge to arrive at design decisions
that will enable us to write the Blueprint
and configure the system
It is important we have people in this
session that can provide (with our help)
direction in terms of how you will use
Access Control
So lets start by doing introductions
around the room to include what your
area of interest is in relation to Access
Control
Agenda
Running Order
Requirements gathering for Segregation of Duties
management via the Access Risk Analysis (ARA)
module
How We’re Going to Do This
A little insight into what’s in store
Integrc’s role today
Ask you lots of questions about
how you will use Access Control
Your role today
Answer lots of questions!
Provide business context
Provide context to what we’re
discussing and how our
questions relate to your future
use of Access Control
To help you understand how
Access Control will need to be
set-up in order to meet your
business requirements
Tease out all the detail we will
need to write the Blueprint and
configure your solution
Between us, we will establish all the facts we need to proceed
How We’re Going to Do This
Method
We have various techniques and aids to help us identify how Access
Control will need to be configured
Good old fashioned talking
where your business
knowledge and our product
knowledge comes together
Structured questionnaire
that will ensure we
capture all information
we need
Access to the Integrc GRC
lab where we can demo
scenarios through the day
for context if necessary
Lets Start at the Very Beginning
Overview of SAP GRC Access Control
Marathon Phase
(Stay Clean)
Sprint Phase (Get Clean)
Risk Identification
& Remediation
Privileged User
Access
Role
Management
Emergency Access
Business Role
Management Gavin Campbell
Management
- Director
Prevention
Access Request
Management
[email protected]
Role definition and
Privileged user access
+44
7828
658812
management
control solution
Compliant provisioning
solution
Access Risk Analysis
Risk analysis, detection, and remediation solution for access and authorisation controls
Access Risk Analysis (ARA)
Segregation of Duties Management
The rules engine that enables your
Segregation of Duties reporting
Interfaces with other Access Control
modules to enable compliant
processes for provisioning and role
management
Holds your definition of Segregation of
Duties risks
Analyses roles and users in real time
against defined SoD risks to provide
visibility of where risks are
Just Before We Start
An Insight Into the Variables We Need to Capture
For each Access Control
module, we will need to
capture the following
variables:-
Cross
Application
Configuration
and Settings
System settings and
parameters
Will dictate how your system
behaves and what default
settings it uses
Configuration settings
Dictate how you will use the
solution and how your GRC
processes will work
Master data
Target Systems
Identify Systems to be Connected to Access Control
A target system is a backend system that will be connected to Access
Control for the purposes of risk analysis, provisioning, super user
management or role management
Click icon for Target
Systems data capture sheet
Complete
Incomplete
Connectors
Communication Channels Between GRC and Target Systems
A connector is created in GRC for each target system that Access
Control will connect to. Your consultant will capture the connector
details for each in scope system
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Connector Definition
Technical Connector Settings
A connector definition is required for each defined connector/target
system. Your consultant will capture these technical settings for the
purpose of documenting them in the Blueprint
Implement
Click icon for Generic
System Settings data
capture sheet
Maintain
Complete
Incomplete
Connector Groups
Logical Groupings of Physical Connections
Your consultant will discuss with you the different types of connector
groups, what the advantages are of each type and establish which
are best for you
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Connector Integration Scenarios
Integration scenarios are used to define the flow of information
between different application components. Your consultant will help
work out which scenarios are relevant to you
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Cross Application
Generic System Settings
These parameters influence how the system operates but are not
related as such to any one module. They are central to the system,
much like the Basis layer of any SAP system.
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Access Control Owners
Important Users Who Are Assigned Specific Responsibilities
Users that will be involved in your Access Control processes need to
be assigned their responsibilities in the Access Control owners table
in addition to their ABAP roles
Implement
Click icon for Generic
System Settings data
capture sheet
Maintain
Complete
Incomplete
Organisational Structure
Shared Structure for Assigning Mitigating Controls
The organisational structure is shared between Access Control and
Process Control and used to assign controls in a structured way
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
ARA Configuration Parameters
System Settings for ARA
These parameters influence how ARA operates. System default
values are defined here
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
SoD and Critical Risk Ruleset
Defining the Risk Library
The ruleset defines the risks that matter to your organisation and
ultimately shows the transactions that should not be allocated to
users in combination
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Mitigating Controls
Define Controls and Map Them to Risks
Mitigating controls are documented in Access Control as a way of
mitigating the risk of assigning conflicting access to users. Whilst
Access Control does not manage the control execution, it provides
reporting for visibility of mitigated and unmitigated risks
Implement
Click icon for Generic
System Settings data
capture sheet
Maintain
Complete
Incomplete
Mitigating Control Assignment
Mapping Users to Controls
This step defines the mitigating controls that need to be mapped to
users based on the SoD risks that they will have at go-live
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Business Processes and Sub Processes
Part of mitigating control master data used to categorise controls
Implement
Click icon for Generic
System Settings data
capture sheet
Complete
Incomplete
Next Steps
What Happens Next
Feed design
decisions into
Blueprint
document
Collate
outstanding
items asap
and feed into
Blueprint
Approve
Blueprint
Integrc
prepare for
configuration
Configuration
and master
data loaded to
GRC
development
Test
Thank You
On behalf of Integrc, thank you for your invaluable contribution.
Your input during requirements gathering will influence the
success of the Access Control implementation

similar documents