
1 © Copyright 2012 EMC Corporation. All rights reserved.

Archer and SAP

Working Together for Enterprise Compliance

Presented by LyondellBasell and KPMG LLP


Agenda …what you’re going to get

Speakers and Companies

GRC Technology Landscape

Background and Case

Integrating SAP GRC and Archer

LyondellBasell’s Roadmap to Integration

Questions


Speakers

Scott von Fischer, Chief Information Security Officer, LyondellBasell Industries, NV (CISSP, CIPP/IT)

Scott von Fischer is the CISO for LyondellBasell and manages IT compliance and the protection of corporate electronic data assets. In Scott’s 25-plus years of IT experience, he has led several Archer deployments and built large global event management solutions, secure e-commerce sites, and the security architecture that protects customer information for the world’s largest financial institutions.

Scott is a frequent speaker on best practices for information privacy for young adults. As a classically-trained chef from Johnson and Wales University in Rhode Island, Scott also has experience opening and managing restaurants.

Gavin Mead, Director, Advisory, KPMG

Gavin Mead is a director in KPMG’s Atlanta office with over 14 years of information security management experience. Gavin leads KPMG Information Protection’s innovation program, spanning Identity and Access Management, Security and Technology Assessment, Business and Technology Resiliency, Information Privacy, Security Strategy and Governance, and Security and IT GRC.

Gavin has led projects including IT transformation, access governance and identity management strategy, virtualization strategy, vulnerability assessment, penetration testing, governance framework alignment, GRC deployment, and compliance management program development.

Gavin previously led the Security and Technology Assessment and IT-GRC Centers of Enablement, and has delivered services across many industries.


Company Profiles

LyondellBasell participates in the entire petrochemical value chain, from refining to specialized petrochemical product end uses. We are the largest producer of polypropylene and polypropylene compounds; a leading producer of propylene oxide, polyethylene, ethylene and propylene; a global leader in polyolefins technology; and a producer of refined products, including biofuels. Additionally, LyondellBasell is a leading provider of technology licenses and a supplier of catalysts for polyolefin production.

We are geographically diverse with an extensive global manufacturing, supply, technical and commercial infrastructure. We market and sell our products in more than 100 countries. As economies around the globe develop, the demand for our products continues to grow.

KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative ("KPMG International"). KPMG International’s member firms have 145,000 professionals, including more than 8,000 partners, in 152 countries.

KPMG’s Information Protection and Business Resiliency (IPBR) consists of over 800 dedicated professionals from network member firms around the world, focused on security, privacy, and continuity. IPBR’s service network has over 200 trained and certified Archer resources and has completed over 100 Archer projects for some of the largest companies in the world.

Materials presented remain the intellectual property of the company presenting it.


GRC Technology Landscape …more than one GRC?

Strategic – Supports enterprise assurance by providing executive monitoring capabilities in the form of dashboards and macro-level analysis.

Tactical – Supports GRC management by providing a repository for documenting business processes, policies, risks and control objectives. Control assessments and remediation management are automated through workflows and approvals. Reports provide information on risk and compliance management.

Operational – Supports the GRC operational model by providing capabilities in the areas of:

– Configurable controls monitoring
– Access controls/SOD analysis
– Automation of access authorization
– Periodic attestation of system privileges
– Transaction analysis

Figure labels recovered from the slide (integration and vendor layer of the pyramid): Archer Data Feed Manager, Archer API, Archer Data Publication Manager; SAP, BLACKLINE, Oversight Systems, Approva, Trintech.


Integrating SAP GRC and Archer …complementary technologies

Why SAP GRC? SAP GRC provides clear benefit to organizations leveraging the SAP ERP package, specifically:

– Firefighter access management
– Segregation of duties analysis
– Real-time access monitoring and enforcement

How does this fit the GRC Technology Model? These functions exist at the “Operational” layer of the GRC pyramid: enforcing and analyzing risk in business processes through the enabling applications.

Why Archer? Archer enables broader enterprise GRC via a unified library of risks and controls and, through its customization capabilities, aligns process automation closely with business processes for risk assessment and compliance management throughout a global enterprise.

Bringing together SAP GRC’s ability to analyze the activities and access models inside SAP ERP with Archer’s ability to gather multiple enterprise data sets and unify them under a common library of controls means:

– Reduced cost of compliance
– Increased risk transparency


Integrating SAP GRC and Archer Continued

Integration Objectives

– Assimilate SAP GRC findings/issues into Archer and link them to risks to move the needle on the risk profile
– Integrate Automated Controls Monitoring results from SAP GRC and report on overall compliance

Achieving Integration

Archer’s integration features can be used to bring SAP GRC data into Archer:

– Utilize Data Imports for a one-time upload of SAP GRC data such as processes, sub-processes, controls and risks
– Utilize Data Feed Manager for periodic updates of SAP GRC findings and automated test results into Archer

lyondellbasell.com

Archer as a Complementary eGRC

Diagram labels recovered from the slide (layer labels: Strategic, Tactical, Operational, CCM):

– Archer modules: Threat Management; Business Continuity Management (Disaster Recovery); Vendor Management (Contract Management); Incident Management; Audit Management; Policy Management; Risk Management; Compliance / Enterprise Management
– Automated Compliance Monitoring: Automated Monitoring for non-SAP (e.g. Microsoft, Qualys, and point solutions); SAP GRC SOD & Access Controls (currently owned & being implemented); SAP Continuous Control Monitoring
– Policy Management, Risk Management, Compliance Management
– Additional Capability: SAP Access Controls Risk Management Modules
– Maturing products: Workflow Automation for Remediation; SAP Process Controls


Integrating SAP GRC and Archer Continued

Integration Architecture between SAP GRC PC and Archer (diagram labels recovered from the slide)

SAP GRC Process Control
– Control Documentation: Org Structure, Processes, Sub Processes, Controls, Risks, Account Groups
– Evaluation: Assessment, Effectiveness Testing, Automated Controls Monitoring
– Issue Management: Issue Remediation

Archer Data Integration Services (the integration layer between the two platforms)

Archer eGRC
– Enterprise Management
– Compliance Management
– Risk Management
– Issue Management


LyondellBasell’s Roadmap to Integration

Tool Procurement and Initial Configuration (Q4, 11)

Archer Enterprise Mgmt
- Product governance established / admin training

Archer Compliance Mgmt
- IT GRC
- Enterprise SOX

Rollout & Deployment (Q3, 12)

Archer Compliance Mgmt
- User tools training & rollout

Archer Risk Mgmt
- General rollout and IT GRC risk mgmt. to align with ISO 27001

Archer Policy Mgmt
- IT GRC Policy::Standards refresh to align with ISO 27001

Archer Audit Management
- Integrated Internal Audit and IT Audit management platform

Extension Opportunities (Q4, 12 and Beyond)

Archer Policy Mgmt
- Enterprise policy management

Archer Incident Mgmt
- IT GRC CSIRT process

Archer Vendor Mgmt
- IT GRC vendor assessments
- Enterprise procurement mgmt

Archer BCP Mgmt
- Enterprise BCP mgmt


Adoption Strategy

Archer capabilities

Compliance Management – Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.

Policy Management – Centrally manage policies, map them to control objectives and guidelines, and promote awareness to support a culture of corporate governance.

Enterprise Management – Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

Risk Management – Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation/acceptance.

LYB objectives

Build the foundation…
– SOX compliance
– Create control repository
– Enhance policies and control frameworks
– IT GCC testing
– Map compliance activities and controls to enterprise assets
– Establish risk and control relationships
– Repository for ERM activities


Sharing ownership, building trust …engage the business as an equal partner

Share ownership with business partners early in the adoption process

– Show clarity of strategic, tactical, and operational component roles
– Partner with industry experts to understand their requirements and show relevant opportunities

Be wary of module-specific (“Archer solution”) silo discussions.

– The answer to the business problem could cross solutions… and the business really doesn’t care.

Develop an adoption strategy that allows incremental investment

– Give the business time to see success and value in a complementary technology model
– Incremental adoptions will increase the probability of success


Questions?

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Thank you.