SAP Security Solutions - Pwc


www.pwc.com

SAP security solutions
Is your business protected?

SAP security overview

Background

SAP Security is becoming more difficult to control due to a constantly evolving compliance landscape and increasingly complex business environments. Restrictions required by legislation, upgrades to systems, centralization of functions within businesses, and continually changing role responsibilities increase the importance of having a well-designed security management process. The increasing complexity of SAP's software applications adds to the risk of security threats, with evolving technology, new functionality, and web-based solutions. Ultimately, how can you ensure that your users have the information they need in a timely manner, yet comply with the challenges above in an efficient and optimal manner?

Opportunities and challenges

[Diagram: SAP Security at the centre, surrounded by six drivers: Integrate to new platforms; Centralized processes; HR process; Technical development; SoD & GRC; Outsourced processes.]

- Ensuring flexibility to accommodate organizational changes and underlying process variations
- Accommodating centralized functions within old security designs and processes
- Reducing the amount of time spent on technical administration and end-user security management by both IT and the wider business
- Integrating the SAP Security structure and controls into the day-to-day operations of the business
- Key enabler for leveraging GRC technologies
- Opportunities for delivering improvements and efficiencies through GRC or other tools
- Ensuring that the security controls are properly aligned with other configurable and manual controls in the SAP environment
- Remediating segregation of duty (SoD) issues in the most efficient manner
- Managing costs and commercial leakage from outsourced administrators
- Effectively transitioning to managing a shared service center

Our approach: high-level overview

[Phase diagram: PwC Transform – Security Design and Remediation. Phases: Project Preparation (the project is initiated and supporting infrastructure is established); Design (business risks are identified; security requirements are translated); Build; Test (SOD compliance); Final Preparation (deployment package); Go-Live & Support (deployed security). The construct stage is labelled III and the implement/operate stage IV. Deliverables shown: Project Plan; Business Risks; Risk Rankings; Roles and Responsibilities; Systems, Business Processes, and Actions Analyses; Action Groupings; Initial and Finalized Rule set(s); Rule set(s) Built; Rule set(s) Signoff; Tool Configured; Updated Policies and Procedures; Security Admin Process; Provisioning Process; Reports Material; End User Mapping; Cross-Application SOD Reports; SOD Review and Action Plan; Mitigated Conflicts; Interfaces; Infrastructure; ERP.]

SAP security: Redesign to align

1. Assess and review your access controls
2. Design an optimal security model
3. Remediate issues or build a new technical solution
4. Integrate your security design with GRC tools and align with other organizational controls

1. Assess and review access controls

During the assessment of the Security and SOD "as is" position we focus on the following areas:

- Assess and compare how your individual business units are adopting existing controls.
- Benchmark how your security issues measure against industry standards.
- Implement PwC's User Activity Analysis tool to analyze your actual transactional usage.
- Map activity analysis output back to the existing security design and pinpoint areas for design remediation.
- Map the Security Access controls design back to the SAP Security governance design.

2. Design an optimal security operating model

Building on the assessment work, we can assist in your effort to transition to an optimized security design:

- Provide the strategy and approach to deliver a security model where compliance objectives are embedded into the design.
- Develop a design that is flexible enough to accommodate likely changes to the organizational structure while integrating existing business controls.
- Devise a security blueprint that maximizes the sustainability of the future security model.
- Address root causes of specific control and access issues at the design phase to ensure a consistent and efficient "cleanup" effort.
- Design and develop a process for using accelerators like SAP GRC in security build and maintenance phases to maximize efficiency.
- Underpin technical aspects of the design with a robust SAP security governance framework.

3. Remediate or rebuild

We can assist in managing the integration of the risk and controls elements of the security design and build throughout the life cycle of the engagement, from remediation of existing issues to a complete rebuild of the technical platform. The work focuses on ensuring your strategy, design and build are aligned to the long-term organizational requirements.

We provide this service by:

- Utilizing accelerators in the build phases to expedite technical role build activities
- Following a best practice iterative design/build/re-analyze process to ensure that the technical solution is fit for purpose and SoD compliant
- Implementing PwC's enabler technology for rebuild activities
- Ensuring that security build at the template and local levels doesn't deviate from the overall strategy, reducing the risk of your security design regressing back to being localized or fragmented

4. Integrate your security design with GRC tools and organizational controls

PwC can work with you to:

- Utilize GRC technology for structured, compliant, and accelerated role design and build.
- Integrate with GRC tools for SoD compliance at a technical role and user provisioning level.
- Integrate the SAP security model with IDM tools to provide single sign-on capabilities and controls.
- Provide assistance to design an operating model that fully utilizes the controls potential available in GRC tools.

[Diagram: SAP GRC Access Control Suite (Access risk analysis, Access request management) connected to SAP ERP systems, Other SAP systems and the Business e-directory.]

Benefits realized by our clients:

- Significantly improved governance and management of access risks
- Business-owned and standardized access management processes
- Reduced business time spent on access reviews by 60%
- Greater transparency into who has what access
- Reduced complexity of roles leads to sustainable, lower-cost SAP security processes
- Significant increase in business user support capabilities

Client situation

The client was struggling to meet service level agreements related to SAP provisioning and user maintenance. Although the initial implementation of the SAP GRC Access Controls suite was complete, the organization was using only a small subset of the suite's capabilities.

The PwC solution

The first phase of this project focused on assessing the current state and designing the future state. In our design of the future state, we included the full deployment of the SAP GRC Access Controls suite to simplify and automate the user provisioning processes while remaining compliant. We worked with the client to design and implement a new SAP security design following our tier 4 methodology. The implementation of the new SAP security design helped this client reduce the number of roles in the SAP environment, which, combined with the SAP GRC Access Controls application, facilitated the overall user provisioning processes.

What has the client achieved?

After the completion of the SAP security design and implementation of the SAP GRC Access Controls applications, this client was able to realize the following benefits:

- 75% reduction of SAP security roles in the SAP production environment
- 99% reduction of transaction code duplication in SAP security roles
- 0 SAP security roles with inherent segregation of duties conflicts
- Reduced user provisioning time from 21 days to 2.3 days (average)
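As an added illustration (not PwC's tooling and not the SAP GRC rule-set format), the following Python sketches the role-level and user-level SoD risk analysis and the transaction code duplication measure behind the metrics above; the rule set, roles and user assignments are constructed sample data.

```python
"""Simplified SoD risk analysis of the kind an access risk analysis tool performs.
Constructed sample data; not PwC's tooling nor the SAP GRC rule-set format."""

# Constructed rule set: each risk is a pair of business functions that must not be
# combined, and each function is the set of transaction codes that can perform it.
FUNCTIONS = {
    "Maintain vendor master": {"FK01", "FK02", "XK01"},
    "Enter vendor invoice":   {"FB60", "MIRO"},
    "Post payment run":       {"F110"},
    "Create purchase order":  {"ME21N"},
}
RULE_SET = {
    "P001": ("Maintain vendor master", "Enter vendor invoice"),
    "P002": ("Enter vendor invoice", "Post payment run"),
    "P003": ("Create purchase order", "Enter vendor invoice"),
}

# Constructed roles (role name -> transaction codes) and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK":    {"FB60", "MIRO", "FK02", "FBL1N"},   # carries P001 on its own
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_PURCHASER":   {"ME21N", "ME23N"},
    "Z_DISPLAY":     {"FBL1N", "ME23N"},
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # P002 only via the role combination
    "bob":   {"Z_PURCHASER", "Z_DISPLAY"},
}

def risks_for(tcodes):
    """Risk ids whose two functions are both reachable from this set of tcodes."""
    return sorted(r for r, (f1, f2) in RULE_SET.items()
                  if tcodes & FUNCTIONS[f1] and tcodes & FUNCTIONS[f2])

def role_level_conflicts():
    """Roles that carry an SoD conflict by themselves (the '0 roles' target above)."""
    return {role: risks_for(tc) for role, tc in ROLES.items() if risks_for(tc)}

def user_level_conflicts():
    """Conflicts that exist only because of a user's combination of roles."""
    result = {}
    for user, roles in USERS.items():
        effective = set().union(*(ROLES[r] for r in roles))
        inherent = {r for role in roles for r in risks_for(ROLES[role])}
        new = [r for r in risks_for(effective) if r not in inherent]
        if new:
            result[user] = new
    return result

def tcode_duplication():
    """Fraction of role/tcode grants that repeat a tcode already granted elsewhere."""
    grants = sum(len(tc) for tc in ROLES.values())
    distinct = len(set().union(*ROLES.values()))
    return (grants - distinct) / grants
```

Role-level findings point at role design; user-level findings point at provisioning, which is where a GRC access request tool with a rule-set check at request time fits.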
