Integration Of The Three Lines Of Defense - SAP

Transcription

Integration of the Three Lines of Defense
GRC and Regulatory Affairs integration using SAP GRC
Victor Garcia Rodriguez, IBM Security – Associate Partner – Europe CoC Lead for SAP Security & SAP GRC
Milano, June 18th 2019

Table of Contents

Integration of the Three Lines of Defense
1. Introduction to the debate: Regulatory Compliance vs. IT Security (slide 3)
2. Evolution of SAP GRC in the last 15 years (slide 6)
3. Next steps proposed by IBM in your companies (slide 13)
4. The rapid future of GRC (slide 28)
5. Questions & Answers (slide 30)

1. Introduction to the Debate: Regulatory Compliance vs. IT Security

1. Introduction to the Debate: Regulatory Compliance vs. IT Security – how to reconcile both areas?

Regulatory Compliance                          | IT Security
-----------------------------------------------|------------------------------------------------------------------
Audit centric                                  | Business centric
Risk driven (COSO)                             | Policies and controls based (COBIT)
Driven largely by regulatory requirements      | Driven by business requirements
Sample based                                   | Scope is holistic
Scope limited by the audit domain              | Enterprise and extended community (e.g. 3rd parties, suppliers, partners)
Evaluated on a quarterly or annual basis       | Evaluated on a near-real-time basis
Mainly a Big4 / audit firms world              | Mainly an IT / technical companies world

1. Introduction to the Debate: Scope of this session – GRC, Regulatory and Business CCM

1. Governance: Internal Control, Internal Audit, Enterprise Risk and Regulatory Affairs: integration and automation of the Three Lines of Defense
2. Access Management: Segregation of Duties, Identity and Role Management: user access complying with regulatory requirements (e.g. SOX)
3. Data Privacy: GDPR (and others): data retention and data deletion, data portability, data field masking, access logging to personal data
4. Business-IT Monitoring: Continuous Control Monitoring (CCM): configurable and transactional controls // fraud scenarios // RPA // predictive risk analytics
5. Authentication: unified access to SAP systems: Single Sign-On // Two-Factor Authentication // secured communication
6. Application Security: custom source code: automated analysis to identify potential security weaknesses // optimize performance using SAP best practices
7. Application Server: SAP server configuration: security parameters of all clients // secured services // patching level // OSS Notes
8. Database Security: SAP HANA: secured access to SAP HANA views and schemas // integration with data lakes // ensure there are no open paths to access the data
9. Data Encryption: data volume encryption (SAP HANA) // usage of the SAP cryptographic libraries // Secure Sockets Layer (SSL/TLS) // Public Key Infrastructure
10. Network and Communications: securing RFCs (Remote Function Calls) // support from SAP // management of web connections
11. Vulnerability Assessment: pen testing // OS users (broad privileges) // SAP log analysis and integration with a SIEM solution // integration of antivirus into SAP
12. Infrastructure Security: configuration of physical / logical devices: firewalls and gateways // OS and application logs
13. Physical Security and Hosting: standard controls coverage (SOC reports) // compliance level of each cloud platform // ad-hoc security audits // physical hacking

2. Evolution of SAP GRC in the last 15 years: Descriptive, Predictive and Prescriptive?

2. Evolution of SAP GRC in the last 15 years: Descriptive, Predictive and Prescriptive scenarios

- Descriptive: data mining over historical data to report, visualize and understand what happened.
- Predictive: usage of historical data to calculate the likelihood that an event will happen in the future, i.e. to know what is going to happen.
- Prescriptive: determines, in real time, which action and/or decision brings the best and most efficient result; it prescribes the best option.

(Chart on the slide: the three scenarios plotted on Value vs. Difficulty axes, from Basic to Advanced, labelled Mature, Current and Evolving, with SAP HANA as the enabling platform.)

2. Evolution of SAP GRC in the last 15 years: Manual Descriptive (until 2007)

- There is no automation
- No single source of data (no data unicity)
- Big effort spent performing manual and repetitive tasks
- Low value-added tasks
- The global compliance picture is difficult to achieve
- Slow data capture
- Ineffective follow-up of process status

2. Evolution of SAP GRC in the last 15 years: Automatic Descriptive (2007 to 2012)

- SoD analysis
- Data model managed with a GRC solution
- Compliance activities managed through GRC solutions
- Starting with off-line models (risk data downloaded to corporate repositories)
- Expansion to on-line models that connect to the data source and exploit the data locally using automations
- Matrix reporting
- Limited integration between solutions
- CCM: automatic calculation of Risks & KRIs

2. Evolution of SAP GRC in the last 15 years: Early Predictive (2013 to 2015)

- All risk data is automated in GRC solutions
- The different GRC tools work in an integrated way
- Advanced reporting (using BI/BO with drill-down capabilities)
- Data aggregation functions in place, and data extraction for decision making based on basic calculations
- Starting to integrate with external sources in an automated way

(Diagram on the slide: aggregation of deficiencies by materiality and business, and residual and inherent risk calculation.)

2. Evolution of SAP GRC in the last 15 years: Predictive Audit (2016 to 2018) – SAP Assurance & Compliance platform

- Identify patterns or tendencies that can be formalized as future controls
- Anticipate "outbreaks" of fraud
- Introduce the concept of "predictive audit", based on a "self-service" model
- Estimate the risk evolution that can impact the future business
- Real time, thanks to the usage of in-memory technologies / capabilities

(Diagram on the slide: the GRC platform with the SAP Assurance & Compliance layer on top.)

2. Evolution of SAP GRC in the last 15 years: Predictive (2017 to 2018)

SAP HANA Predictive Analysis Library (PAL) algorithms available to the GRC platform (SAP Assurance & Compliance), by category (source: SAP HANA PAL Functions):

- Clustering: 12
- Classification: 16
- Regression: 7
- Association: 4
- Time Series: 15
- Social Networks: 1
- Pre-processing: 12
- Statistics: 12
- Various: 2
- Total: 81

3. Next steps proposed by IBM in your companies: The reality of companies lags far behind what today's technology allows

3. Next steps proposed by IBM in your companies: Importance of the SAP HANA transformation for GRC / Risk Analytics

(Diagram on the slide: SAP HANA as the single source of data for both transactional (OLTP) and analytical workloads, modelled directly with Attribute, Analytical and Calculation Views. It reduces or drops the layers of the traditional stack: caches, cubes, data marts, the BW data warehouse, the ODS (operational data store) and BW views, together with the data replication, aggregation, indexing, mapping, caching and BWA they require.)

3. Next steps proposed by IBM in your companies: Challenges that companies must face in the GRC space

SAP technological change
- SAP ECC end of support in 2025 (the date SAP had announced as of this presentation): it implies a journey to SAP S/4HANA that should start soon.
- SAP GRC 10.1 end of support in 2020: it implies migrating to SAP GRC 12.0.

Transactional controls
- Compliance / GRC moves towards CCM (Continuous Control Monitoring).
- The usage of SAP HANA makes it possible to tackle transactional controls that are impractical on Oracle databases at full-universe scale.
- Having an SAP S/4HANA system implies that all the enterprise transactional data runs "in memory", which makes embedded analytics part of the daily business activities, including the activities related to Compliance and Corporate Governance.

Easier integration with non-SAP systems
- SAP HANA includes advanced real-time ETL methods: SAP Landscape Transformation (SLT) Replication.
- No more integration with non-SAP systems via data file upload, and no more managing automatic controls as manual ones, with a testing plan and a set of evidences to be provided to demonstrate control effectiveness.
- SLT allows non-SAP data to be replicated into specific SAP HANA views per application, providing access permission to view, modify and/or execute programmed queries using the data included in those SAP HANA views. The replicated copy carries none of the source system's authorizations, so those views and schemas need the same access control as the source (point 8 of the session scope).

Integration with data lakes (e.g. Hadoop)
- SAP HANA integration with Apache Spark (the cluster-computing engine commonly run on Hadoop clusters), using SAP Vora, allows the use of the data hierarchies and analytical modelling typical of SAP HANA over Hadoop data.

3. Next steps proposed by IBM in your companies: Comparison of SAP GRC 10.1 on Oracle vs. SAP GRC on HANA (native or using a sidecar)

(Diagram on the slide: three deployments side by side: SAP GRC 10.1 on Oracle DB; SAP GRC 10.1 on Oracle with a SAP HANA sidecar; SAP GRC 10.1 on SAP HANA.)

SAP HANA sidecar
- The company can continue using its SAP GRC system on Oracle "as-is", while using a secondary SAP HANA database to speed up the execution of some automatic controls.
- It allows testing what performance improvement would be obtained for those controls that would use HANA technology.

Oracle vs. SAP HANA
- In traditional SAP systems (on Oracle), the data are transferred from the database layer to the application layer, and the calculations over the data are done in the application layer. This generates significant latency in the transfer from disk (HDD) to RAM in order to perform the needed calculations at application level.
- SAP HANA is optimized for massively parallelized processing, performing the calculations in the database layer, which in addition runs in-memory; only the results of the calculations are sent to the application layer.

3. Next steps proposed by IBM in your companies: Automatic Controls over "Transactional Data" – time-consuming programmed queries on SAP HANA

The automation of controls using SAP Process Control with SAP HANA allows the analysis of the entire testing universe in a very short time frame, providing real-time reporting for transactional controls.

Functional control: the total amount of an invoice cannot exceed the total of the purchase order, in any case. All cases of the testing universe are reviewed, not a sample.

Technical approach: JOIN of the SAP tables RBKP (invoices) and EKKO (purchase orders).
- 5 million invoices x 13 million purchase orders = 65 x 10^12 candidate row pairs (the "65 billions" on the slide is the long-scale billion, 10^12).
- Traditional SQ01 query on the Oracle DB: 24 hours
- Programmed query on SAP HANA: 3 minutes

The 65 x 10^12 figure is the unrestricted cross product; how much of it the engine actually touches depends on the join key and the execution plan, which is where HANA's in-memory column store changes the picture.
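The following is an added example, not code from the presentation or from SAP: it runs the control above as one set-based query over constructed invoice and purchase-order rows in an in-memory SQLite database, so it can be run offline. It goes beyond the slide's single-invoice check by totalling all invoices booked against each purchase order and by flagging orphan invoices and currency mismatches. The table and column names (ekko, rbkp, ebeln, belnr, waers, po_total, amount) are simplified assumptions; in a real SAP system the invoice-to-order link and the amounts sit in item tables, and the query would run on HANA through the Process Control data source rather than on SQLite.

```python
"""Transactional control over the whole testing universe (added example).

Functional control: invoices booked against a purchase order may not exceed
the order total. One set-based query does the check for every order instead
of sampling. Everything below is constructed for illustration: the column
names are simplified assumptions, not the SAP data dictionary, and SQLite
stands in for SAP HANA so the example runs offline.
"""
import sqlite3

# Constructed purchase orders: (ebeln, waers, po_total)
PURCHASE_ORDERS = [
    ("4500000001", "EUR", 10000.00),
    ("4500000002", "EUR", 2500.00),
    ("4500000003", "USD", 700.00),
]

# Constructed invoices: (belnr, ebeln, waers, amount)
INVOICES = [
    ("5100000001", "4500000001", "EUR", 9800.00),  # within the order
    ("5100000002", "4500000001", "EUR", 250.00),   # pushes the order to 10050 > 10000
    ("5100000003", "4500000002", "EUR", 2500.00),  # exactly the order total: allowed
    ("5100000004", "4500000003", "USD", 950.00),   # a single invoice over the order
    ("5100000005", "4500000099", "EUR", 100.00),   # order does not exist
]

# The control as one aggregate query: the database does the join and the
# arithmetic, and only the exceptions travel to the application layer.
CONTROL_SQL = """
SELECT i.ebeln,
       MAX(p.po_total)          AS po_total,
       ROUND(SUM(i.amount), 2)  AS invoiced_total,
       COUNT(*)                 AS invoice_count,
       COUNT(DISTINCT i.waers)  AS invoice_currencies,
       MAX(p.waers)             AS po_waers,
       MAX(i.waers)             AS inv_waers
FROM   rbkp i
LEFT JOIN ekko p ON p.ebeln = i.ebeln
GROUP  BY i.ebeln
HAVING MAX(p.po_total) IS NULL              -- no such purchase order
    OR SUM(i.amount) > MAX(p.po_total)      -- over-invoiced order
    OR COUNT(DISTINCT i.waers) > 1          -- invoices in mixed currencies
    OR MAX(p.waers) <> MAX(i.waers)         -- invoice currency differs from order
ORDER  BY i.ebeln
"""


def load(conn, purchase_orders, invoices):
    conn.execute("CREATE TABLE ekko (ebeln TEXT PRIMARY KEY, waers TEXT, po_total REAL)")
    conn.execute("CREATE TABLE rbkp (belnr TEXT PRIMARY KEY, ebeln TEXT, waers TEXT, amount REAL)")
    conn.executemany("INSERT INTO ekko VALUES (?, ?, ?)", purchase_orders)
    conn.executemany("INSERT INTO rbkp VALUES (?, ?, ?, ?)", invoices)


def classify(row):
    """Turn one exception row into the finding a control owner would read."""
    ebeln, po_total, invoiced, count, currencies, po_waers, inv_waers = row
    if po_total is None:
        reason = "no matching purchase order"
    elif currencies > 1 or po_waers != inv_waers:
        reason = "currency mismatch between invoices and order"
    else:
        reason = f"invoiced {invoiced:.2f} exceeds order total {po_total:.2f}"
    return {"ebeln": ebeln, "invoices": count, "reason": reason}


def run_control(purchase_orders=PURCHASE_ORDERS, invoices=INVOICES):
    """Run the control over the full universe; returns only the exceptions."""
    conn = sqlite3.connect(":memory:")
    try:
        load(conn, purchase_orders, invoices)
        return [classify(row) for row in conn.execute(CONTROL_SQL)]
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in run_control():
        print(finding)
```

With the constructed data the control returns three exceptions (order 4500000001 over-invoiced across two invoices, order 4500000003 over-invoiced by a single invoice, and an invoice against a non-existent order) and stays silent on the order that is invoiced exactly to its total. The shape of the query is the point: on HANA the same aggregate runs inside the database and the application layer only receives the exception list.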

3. Next steps proposed by IBM in your companies: Automatic Controls over "Transactional Data" – fraud scenario analysis on SAP HANA

The automation of controls using SAP Business Integrity Screening (formerly SAP Fraud Management) allows more than one automatic control to be combined in the same detection scenario, weighting each of them, and enables the option to block the execution of the SAP transaction code on-line.

(Diagram on the slide: a detection strategy in SAP Business Integrity Screening, running on SAP HANA, combines several red flags, each with its own detection method:
- Self-approval: script
- Credit note: SQL query
- Unusual user behaviour: predictive algorithm (SAP HANA PAL, Predictive Analysis Library)
- Language used in the credit note: semantic text analysis
Each red flag contributes a weighted risk score (the slide shows scores of 50, 100 and 150 against an alert threshold of 100). A suspicious situation that crosses the threshold raises an alert, which feeds an SAP Audit Management work program and working papers; the auditor analyses it, reports the finding and closes the alert. Data sources: SAP and other ERPs, "legacy" systems, files, M2M data and a fraud database.)
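An added example (not SAP Business Integrity Screening code and not from the deck) of the weighted red-flag strategy described above: four toy detection methods stand in for the script, SQL query, predictive algorithm and text analysis on the slide, each with a weight; the summed risk score is compared with an alert threshold and a higher block threshold. The documents, per-user history, phrase list, weights and thresholds are constructed, and the z-score baseline is a deliberately simple stand-in for a PAL model.

```python
"""Weighted red-flag detection strategy (added example, not SAP code).

Several automatic checks on one document are combined by weight into a risk
score; crossing the alert threshold opens a case for the auditor, crossing the
higher block threshold stops the transaction. Documents, history, phrases and
weights are constructed; the z-score is a toy stand-in for a PAL model.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_type: str          # "credit_note" or "invoice"
    amount: float
    created_by: str
    approved_by: str
    reason_text: str = ""


# Constructed per-user history of amounts: the baseline for the "predictive" flag.
USER_HISTORY = {
    "jdoe": [120.0, 95.0, 140.0, 110.0, 130.0, 100.0],
    "asmith": [2000.0, 2500.0, 1800.0, 2200.0, 2100.0, 2400.0],
}
SUSPICIOUS_PHRASES = ("goodwill", "no invoice", "as agreed by phone", "do not contact")


# --- red flags: each returns True when the document trips it ----------------
def self_approval(doc):                         # stands in for the "script"
    return doc.created_by == doc.approved_by


def large_credit_note(doc, limit=1000.0):       # stands in for the "SQL query"
    return doc.doc_type == "credit_note" and doc.amount > limit


def unusual_user_behaviour(doc, z_limit=3.0):   # stands in for the "predictive algorithm"
    history = USER_HISTORY.get(doc.created_by)
    if not history or len(history) < 3:
        return True                              # no baseline is itself unusual
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return doc.amount != mu
    return abs(doc.amount - mu) / sigma > z_limit


def suspicious_wording(doc):                    # stands in for "semantic text analysis"
    text = doc.reason_text.lower()
    return any(phrase in text for phrase in SUSPICIOUS_PHRASES)


# --- detection strategy: weights and thresholds (constructed values) ----------
STRATEGY = [
    ("Self-approval", self_approval, 60),
    ("Credit note above limit", large_credit_note, 40),
    ("Unusual user behaviour", unusual_user_behaviour, 50),
    ("Suspicious wording", suspicious_wording, 30),
]
ALERT_THRESHOLD = 100   # alert goes into the auditor's work program
BLOCK_THRESHOLD = 150   # on-line scenario: the transaction is stopped


def evaluate(doc, strategy=STRATEGY, alert_at=ALERT_THRESHOLD, block_at=BLOCK_THRESHOLD):
    hits = [(name, weight) for name, method, weight in strategy if method(doc)]
    risk_score = sum(weight for _, weight in hits)
    return {
        "doc_id": doc.doc_id,
        "risk_score": risk_score,
        "red_flags": [name for name, _ in hits],
        "alert": risk_score >= alert_at,
        "block": risk_score >= block_at,
    }


def run_strategy(docs, **kwargs):
    return [evaluate(doc, **kwargs) for doc in docs]


# Constructed documents covering a clean case, an alert, a block and no baseline.
SAMPLE_DOCS = [
    Document("D1", "invoice", 110.0, "jdoe", "asmith"),
    Document("D2", "credit_note", 1500.0, "asmith", "asmith", "Goodwill credit as agreed by phone"),
    Document("D3", "credit_note", 3000.0, "jdoe", "jdoe"),
    Document("D4", "invoice", 50.0, "newuser", "asmith"),
]

if __name__ == "__main__":
    for result in run_strategy(SAMPLE_DOCS):
        print(result)
```

D2 trips three flags (130) and becomes an auditor alert without being blocked; D3 trips self-approval, the credit-note limit and the behavioural model (150) and would be stopped on-line; D4 scores only the missing-baseline flag and stays below the alert threshold. The separation between the alert and block thresholds is what lets the same strategy feed the audit work program while only the strongest combinations interrupt the business.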

3. Next steps proposed by IBM in your companies: Continuous Control Monitoring (CCM) – transactional controls with HANA

In scope for clients with SAP "on Oracle":

1. IT General Controls (ITGCs)
   - Basically a set of "configurable" controls: check of a "parameter" in a table with at most hundreds of records, plus a check of the change "log" to ensure that nobody changed that parameter during the audited period. The log check matters because a point-in-time read of the parameter would miss a value that was weakened and restored inside the period.
   - No need for in-memory capabilities (SAP HANA). Can be implemented with an SAP Process Control system on Oracle.
2. Business Financial Controls (configurable controls)
   - Same approach as the ITGCs, but for financial controls. Can be implemented with an SAP Process Control system on Oracle.
3. Semi-automatic controls (SAP reports)
   - Identification of SAP standard reports that cover business requirements and that can be semi-automated in the same way as SoD controls.
4. SoD automatic controls (linkage with the SAP Access Control rule set)
   - A SoD risk analysis can be invoked from SAP Process Control.
   - This is a kind of semi-automatic control, because SAP Access Control performs the risk analysis and presents a report with the SoD conflicts identified. The control owner reviews the report and decides whether all the users with potential access to the SoD conflict are approved by the organization (by business need, or because both functions cannot be segregated).

In scope ONLY for clients with SAP "on HANA":

5. Transactional controls (require SAP HANA)
   - Process Control (on SAP HANA): controls that require joining two or more tables with hundreds of thousands, or millions, of records in order to check the whole audit universe.
   - Business Integrity Screening (on SAP HANA): combination of transactional automatic controls, with a different weight assigned to each of them, to model a potential fraud scenario. Can block the execution of an SAP transaction on-line.
   - Non-SAP controls (on SAP HANA): identification of non-SAP systems, creation of an SLT replicator and synchronization of the data into the HANA database to execute automatic controls over it. This is not a real-time automatic control.
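Added example code (not SAP's and not from the deck) for two of the control types listed above: the configurable control of types 1 and 2 (parameter value plus change-log review over the audited period) and the SoD analysis of type 4 (users, roles and transaction codes checked against a rule set, with control-owner approved mitigations). The profile parameter names and transaction codes are real SAP ones; their values, the roles, users, rule set, mitigations and change log are constructed for illustration.

```python
"""Configurable (ITGC) control and SoD analysis (added example, not SAP code).

Types 1-2: read a security parameter and review its change log over the
audited period, so a value weakened and restored between two checks is
still found. Type 4: match every user's transaction codes against a rule set
of conflicting functions and report open vs. mitigated conflicts. Profile
parameter names and transaction codes are real SAP ones; values, roles,
users, rule set and change log are constructed.
"""
from datetime import date

# ---- types 1-2: configurable control -----------------------------------------
AUDIT_PERIOD = (date(2019, 1, 1), date(2019, 6, 30))

# Constructed snapshot of current profile parameter values.
PARAMETERS = {
    "login/min_password_lng": 12,
    "login/fails_to_user_lock": 5,
    "login/password_expiration_time": 90,
}
# Expected value per parameter: ("min", x) means value must be >= x, ("max", x) <= x.
EXPECTED = {
    "login/min_password_lng": ("min", 12),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_expiration_time": ("max", 90),
}
# Constructed change log: (date, parameter, old, new, changed by).
CHANGE_LOG = [
    (date(2019, 2, 3), "login/fails_to_user_lock", 5, 99, "BASIS01"),  # weakened ...
    (date(2019, 2, 4), "login/fails_to_user_lock", 99, 5, "BASIS01"),  # ... and restored
    (date(2018, 11, 20), "login/min_password_lng", 8, 12, "BASIS02"),  # before the period
]


def configurable_control(params=PARAMETERS, log=CHANGE_LOG, expected=EXPECTED,
                         period=AUDIT_PERIOD):
    """Return (parameter, finding) pairs. A point-in-time read alone would pass
    fails_to_user_lock; the log review is what exposes the two-day window."""
    start, end = period
    findings = []
    for name, (kind, limit) in expected.items():
        value = params.get(name)
        ok = value is not None and (value >= limit if kind == "min" else value <= limit)
        if not ok:
            findings.append((name, f"current value {value} violates {kind} {limit}"))
        for when, param, old, new, who in log:
            if param == name and start <= when <= end:
                findings.append((name, f"changed {old}->{new} by {who} on {when.isoformat()}"))
    return findings


# ---- type 4: SoD analysis against a rule set ---------------------------------
FUNCTIONS = {   # business function -> transaction codes that grant it
    "Maintain vendor master": {"XK01", "XK02", "FK01", "FK02"},
    "Post vendor invoice": {"MIRO", "FB60"},
    "Run payment program": {"F110"},
    "Create purchase order": {"ME21N", "ME22N"},
}
RULESET = {     # risk id -> two functions one person must not hold together
    "P001": ("Maintain vendor master", "Post vendor invoice"),
    "P002": ("Post vendor invoice", "Run payment program"),
    "P003": ("Create purchase order", "Post vendor invoice"),
}
ROLES = {
    "Z_AP_CLERK": {"MIRO", "FB60", "ME23N"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N", "ME22N"},
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "bob": {"Z_AP_CLERK", "Z_TREASURY"},
    "carol": {"Z_BUYER"},
}
MITIGATED = {("bob", "P002")}   # exception accepted by the control owner


def user_functions(user, users=USERS, roles=ROLES, functions=FUNCTIONS):
    tcodes = set().union(*(roles[role] for role in users[user]))
    return {name for name, codes in functions.items() if codes & tcodes}


def sod_analysis(users=USERS, roles=ROLES, functions=FUNCTIONS,
                 ruleset=RULESET, mitigated=MITIGATED):
    """One row per (user, risk) conflict; the owner still has to review 'open' ones."""
    report = []
    for user in sorted(users):
        held = user_functions(user, users, roles, functions)
        for risk, (first, second) in ruleset.items():
            if first in held and second in held:
                status = "mitigated" if (user, risk) in mitigated else "open"
                report.append({"user": user, "risk": risk, "status": status})
    return report


if __name__ == "__main__":
    print(configurable_control())
    print(sod_analysis())
```

On the constructed data every parameter passes the point-in-time check, yet the control reports two findings for login/fails_to_user_lock because the log shows it was raised to 99 and put back two days later inside the period. The SoD report lists alice on P001 as open and bob on P002 as mitigated; carol, who can only create purchase orders, generates no row.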

3. Next steps proposed by IBM in your companies: Regulation Affairs – SAP Regulation Management, data import from SAP Process Control

1. SAP Regulation Management (RM) "reads" the compliance data from GRC Process Control (PC), on the same GRC platform.
2. SAP RM exploits this information using the "requirements" defined in GRC PC, consolidating the results in drill-down reports and dashboards.

Hierarchy used: 1. Regulation Group, 2. Regulation, 3. Requirement.

3. Next steps proposed by IBM in your companies: Regulation Affairs – SAP Regulation Management, requirements change (tracking)

3. Next steps proposed by IBM in your companies: Regulation Affairs – Compliance Dashboard, drill-down capabilities

3. Next steps proposed by IBM in your companies: Regulation Affairs – Regulation Dashboard, "Requirement" and "Control" linkage

3. Next steps proposed by IBM in your companies: The Three Lines of Defense – main actors and stakeholders involved

Oversight: Group Board and Committees; Senior Management Team.

First line: Business Units
- The business is the first line of defense. It is its responsibility to identify, assess, control and mitigate risks.
- It is likely to have the most experience of operational risk and incident management.
- For most banks, this is where the centre of excellence in technology and operational risk develops.

Second line: Risk Management function and Compliance function
- Risk Management: the risk management function monitors the implementation of the first line's risk management practices.
- Compliance: the compliance function facilitates and monitors the implementation of effective policy management, and of specific risks such as non-conformity with applicable laws and regulations.
- The second line needs to develop adequate technical expertise to effectively challenge the first line, without depleting the centre of excellence in the first line as it develops.

Third line: Internal Audit
- The internal audit function provides assurance to the Board on how effectively the organisation assesses and manages its risks. It also measures the effectiveness of the first and second lines of defense.
- The third line often has recourse to external specialist expertise to drill into the effectiveness of the first two lines.

3. Next steps proposed by IBM in your companies: The Three Lines of Defense automation – a risk-driven approach

(Process diagram on the slide, SAP ECC / SAP HANA powered. Recovered steps, tools and actors:)

1. Prioritize business processes (BPs): cyclic review of all BPs in scope; select one BP in scope and identify its underlying risks
2. Risk register (ERM tool: SAP Risk Management)
3. Input of new business risks (operational and strategic risks, owned by the CRO, Chief Risk Officer)
4. Inherent risk calculation and upload to ERM
5. BPO controls? Identify the controls embedded in the BP in scope
6. Control test (ICF tool: SAP Process Control)
7. Control effectiveness? (effectiveness testing)
8. Control register description (Head of Internal Control)
9. ICF input
10. Response to business risks
11. Residual risk calculation and upload to ERM (advanced calculation engine: MatLab, @Risk / QRR)
12. SoD controls analysis using the GRC engine (SoD tool: SAP Access Control)
13. SoD analysis
14. Automation of ICF controls using CCM strategies
15. Potential fraud cases? (fraud tool: SAP Fraud Management)
16. Fraud patterns modeled?
17. Types of control automation available: 1. Manual (testing plans, evidences, workflow); 2. SoD analysis (supported by Access Control); 3. Semi-automatic (SAP reports plus human review); 4. Configurable (SAP tables: configuration plus log); 5. Transactional (SAP tables: query the whole universe)
18. Regulatory risk input
19. Regulatory requirements input, the source of new controls and risks (regulations: SOX, SCIIF, MiFID, Basel; feeders: Thomson Reuters, Bloomberg Regulatory Radar)
20. Conversion of requirements into obligations (regulatory tool: SAP Regulation Management)
21. Controls – Requirements – Obligations liaison
22. CCM reporting
23. Operational risk profile exposure (Board of Directors dashboard), covering ORM, strategic and regulatory risk

Internal Audit (internal audit management tool: SAP Audit Management) runs audit tests over the whole flow: are the identified controls effective?

3. Next steps proposed by IBM in your companies: ORM (Basel III) – the rigor of banking quantitative risk models applied to other sectors

Many (non-financial, non-banking) companies are starting to add Operational Risks and Regulatory Risks to their current Strategic Risk model. Their scenarios are quantifiable from a financial / operational point of view, and together they build an extended ORM model that provides the Operational Risk Exposure profile per business unit (BU), business line (BL) and consolidated at Group level, to be reported to the Board of Directors.

(Board of Directors dashboard on the slide, grouped under ERM:
- Financial Risks: market risk, credit risk, operational cash flow
- Strategic Risks (SR): decrease in market volume demand, decrease in market share, price erosion, success of acquisitions, changes in the regulatory environment
- Operational Risks (ORM): facility disruption, IT system breakdown, logistic disruption, environmental accidents, criminal activity
- Regulatory Risks (RR): changes in laws, management of contracts and agreements, compliance with financial reporting and taxes, compliance with ethics, safety and environment, internal rules and procedures)

3. Next steps proposed by IBM in your companies: ORM (Basel III) – quantification based on a probability distribution and impact on cash flow

Improvement of the Enterprise Risk Management models, moving from a deterministic approach based on the expert criteria of the key BU stakeholders to a new hybrid stochastic model in which the main financial KPIs are the base for a mid-term / long-term calculation.

(Diagram on the slide:
- A probability distribution curve (probability % vs. outcome) with the most likely outcome marked; the curve and its evolution over time are built with the expert input of the BU's management.
- Each main risk maps to a driver, a parameter and the metric that measures its impact on cash flow: GS, taxes, energy, personnel, transport cost, other costs and operating cash flow; working capital, capex and investing cash flow; free cash flow.
- Correlations between drivers and/or main risks, with the assistance of the BU's management opinion where required.)

4. The Rapid Future of GRC: Machine Learning

4. The Rapid Future of GRC: Machine Learning

- Although many companies are still in a fairly immature state, control automation via CCM is, from a technical perspective, a goal that has been more than achieved.
- Some people talk about doing RPA in GRC. That is a wrong concept, because GRC does not automate the processes themselves; it only automates the testing of the processes, identifying the issues.
- The next step that is coming is to embed Machine Learning in our GRC / Compliance.
- SAP is making a significant investment in the SAP API Business Hub, where there are consumable pre-trained models, as well as customizable Functional Services
- At this moment, SAP i
