GRC Emergency Access Management Expertum - Bekaert

GRC – Emergency Access Management

Expertum - Bekaert

Topics

Bekaert - Introduction

IT Organization

Audit Findings - Proof of Need

EAM – Flow & Set-up

EAM – Conclusions


Bekaert in brief

- Founded in 1880 by Leo Leander Bekaert

- Customers in 120 countries and in the most diverse industry sectors

- Global manufacturing platform

- Almost 30 000 employees worldwide

- Combined sales of € 4.4 billion (2015)

- Consolidated sales of € 3.7 billion (2015)

- Listed on Euronext® Brussels – BEL20®

Bekaert global presence

Combined sales per region and per sector – FY 2015 (sectors in the chart: Construction, Automotive, Energy & Utilities, Other)

- North America: sales € 593 million (13%), 1 600 employees
- EMEA: sales € 1 223 million (28%), 7 300 employees
- Latin America: sales € 1 451 million (33%), 7 800 employees
- Asia Pacific: sales € 1 136 million (26%), 10 500 employees

Bekaert market leadership in diverse sectors

(pie chart: shares per sector of 41%, 24%, 11%, 7%, 7%, 6% and 4%)

Bekaert core competences

- Steel wire transformation: from wire rod (6.5 mm) to metal fibers (1 µm) by drawing, bunching, cabling, profiling, welding, knitting, weaving, …
- Coating technologies: from traditional coatings to advanced coatings, for adhesion, corrosion resistance, wear resistance and anti-fouling

IT Application Management: who are the players?

- Business Platforms / Entities: BU IT management, process owners, key users
- SAP Competence Center: technical and functional teams, covering requirement and delivery; process (team) leads / project leads; first line support
- TCS, HCL and SAP: supplier relationship, system support

Application Mgt globally spread, centrally coached:

- Central design & governance in Belgium
- Regional FLS (first line support), steered by the central team
- Offshore delivery from India

GRC - Intro

Bekaert IT - why GRC?

Excessive access rights are the number one problem identified by internal and external security audits.

Top 3 areas of internal/external audit findings:

- Excessive access rights
- Audit trails and logging issues
- Lack of sufficient segregation of duties

IT Challenges to be addressed

- Interventions going beyond IT-specific activities
- Sometimes driven by business expectations (historically grown)
- IT staff intervening directly on productive systems
- IT staff doing corrections themselves (master & transactional data)
- Requiring broad authorizations, irrespective of SOD or functional mandates
- System-critical transactions executed outside IT, needing specific follow-up

Proof of Need

Mixed situations of Business versus IT actions in productive systems, sometimes historically grown:

Business actions / transactions executed by IT people
• Support: unblock / correct transactions for incident handling
• Projects: data migrations, assist with first transaction processing, …

IT transactions executed by Business (former IT) people
• Directly accessing tables via SE16(N), SM30
• Executing programs via SE38 / SA38

Combination of Business and IT roles in the same person, based on (end-user) transactions used on a consistent & frequent basis every month:
• Person A: KS02 – Change cost centers, ME51N – Create Purchase Requisitions, ME21N – Create Purchase Orders, …
• Person B: FTXP – Tax codes update, LT10 – Stock Transfer, …
• Person C: CK11N – Create Material Cost Estimate, ZZMIRO – Enter Incoming Invoice, …
• Person D: IW32 – Change PM Order, QS41 – Edit Catalog, IL02 – Change Functional Location, …
• Person E: CU02 – Change Dependency, MM02 – Change Material
• …
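The "proof of need" analysis above is a usage-based detection: take transaction usage per user and month, flag users who combine IT-critical transactions (SE16/SE16N, SM30, SE38, SA38) with business transactions on a frequent, recurring basis, and count business transactions executed by members of the IT communities. The following Python is an added example of that check, not part of the original deck or of Bekaert's tooling; the usage records, user names, community groups and the execution threshold are constructed assumptions for the example (a real extract would come from ST03N/STAD on the productive client).

```python
from collections import defaultdict

# IT transactions the deck names as the ones business (former IT) people keep using
IT_TCODES = {"SE16", "SE16N", "SM30", "SE38", "SA38"}

# Constructed sample usage records: (user, community, month, tcode, executions).
# Users and counts are invented; a real extract would come from ST03N / STAD.
USAGE = [
    ("PERSON_A", "BUSINESS", "2013-01", "KS02",  14), ("PERSON_A", "BUSINESS", "2013-01", "SE16N", 9),
    ("PERSON_A", "BUSINESS", "2013-02", "ME21N", 20), ("PERSON_A", "BUSINESS", "2013-02", "SM30",  7),
    ("PERSON_A", "BUSINESS", "2013-03", "ME51N", 11), ("PERSON_A", "BUSINESS", "2013-03", "SE38",  6),
    ("PERSON_B", "BUSINESS", "2013-01", "FTXP",   8), ("PERSON_B", "BUSINESS", "2013-01", "SE16",  2),
    ("PERSON_B", "BUSINESS", "2013-02", "LT10",  15),
    ("PERSON_B", "BUSINESS", "2013-03", "LT10",   9), ("PERSON_B", "BUSINESS", "2013-03", "SA38",  5),
    ("IT_USER1", "SAP_CC",   "2013-01", "SE38",  30), ("IT_USER1", "SAP_CC",   "2013-01", "MIRO",  41),
    ("IT_USER1", "SAP_CC",   "2013-02", "SM30",  12), ("IT_USER1", "SAP_CC",   "2013-02", "MIGO",   3),
    ("IT_USER2", "TCS",      "2013-01", "SE16N", 50),
]


def monthly_tcodes(records, min_exec):
    """user -> month -> set of tcodes executed at least min_exec times in that month."""
    out = defaultdict(lambda: defaultdict(set))
    for user, _group, month, tcode, n in records:
        if n >= min_exec:
            out[user][month].add(tcode)
    return out


def mixed_role_users(records, months, min_exec=5):
    """Users combining IT and business transactions 'on a consistent & frequent
    basis every month': each month in `months` must contain at least one IT tcode
    and at least one non-IT tcode above the frequency threshold (assumed value)."""
    profile = monthly_tcodes(records, min_exec)
    flagged = {}
    for user, by_month in profile.items():
        used = lambda m: by_month.get(m, set())
        if months and all((used(m) & IT_TCODES) and (used(m) - IT_TCODES) for m in months):
            flagged[user] = {m: sorted(by_month[m]) for m in months}
    return flagged


def business_postings_by_it(records, it_groups):
    """Executions of business (non-IT) tcodes by members of the IT communities,
    the counterpart of the deck's 'financial postings in MP1 by IT' figure."""
    totals = defaultdict(int)
    for user, group, _month, tcode, n in records:
        if group in it_groups and tcode not in IT_TCODES:
            totals[user] += n
    return dict(totals)


if __name__ == "__main__":
    months = ["2013-01", "2013-02", "2013-03"]
    print("mixed IT/business users:", mixed_role_users(USAGE, months))
    print("business postings by IT:", business_postings_by_it(USAGE, {"SAP_CC", "TCS", "BU_IT"}))
```

With the sample data only PERSON_A is flagged: PERSON_B's SE16 use in January falls under the threshold, and IT_USER1's business posting in February is too infrequent, which is exactly the kind of noise the "consistent & frequent" criterion is meant to exclude. Lowering the threshold or shortening the window widens the net.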

Proof of Need - Business actions / transactions executed by IT

Number of financial postings in MP1 by IT (*): 31 900

(*) SAP CC + TCS + BU IT – Period 1-5/2013

Document types posted (chart legend): WP: Settlement, CO: CO-FI Integration, WA: Goods Issue, XA: BCC – Account.link, AA: Asset posting, WE: Goods Receipt

Proof of Need - Business actions / transactions executed by IT

Frequently used transactions in MP1 by IT (*) (chart)

(*) SAP CC + TCS + BU IT – Period 1-5/2013

Proof of Need - IT transactions executed by Business people

Frequently used “IT” transactions in MP1 (*) (chart)

(*) Non-IT community – Period 1-5/2013

SAP GRC - Access Control Components

Analyze & Manage Risks (AMR)
- Accurately identify and analyze access risk violations in real time
- Remediate and mitigate conflicts for users and roles
- Continuously monitor access risks and user assignments across the enterprise

Emergency Access Management (EAM)
- Self-service emergency access activation
- Centrally approve and manage emergency access on all SAP systems
- Detailed usage logs for comprehensive emergency access reviews

Provision & Manage Users (PMU)
- Self-service user access request process
- Preventive risk analysis in user provisioning
- Automated workflow for efficiently approving requests
- Streamline and automate reviews of user access

Business Role Management (BRM)
- Centralized business role management
- Enforced compliance with format & SOD rules
- Automated role governance process involving business & technical owners

GRC - Emergency Access Management

SAP GRC EAM allows extended access rights to be granted to users on an exceptional basis. Complete logging ensures that any use (or abuse) of that access is traced and documented.

- Centralized, automated, pre-approved cross-system emergency access
- Detailed audit trails of performed actions
- Integration with an approval workflow is possible

GRC – EAM Flow (process diagram)

GRC-EAM for IT – Bekaert + TCS

FIREFIGHTER ACCESS - MP1 (matrix per team)

Teams (columns): FIN, HRM, SAL, PPL, MFG, BIW and RUN, each split into an Internal and an External column; AUDIT split into a Super and an External column.

Firefighter IDs:
- DISPLAY: FFXXX_CONS_y, i.e. FFFIN_CONS_y, FFHRM_CONS_y, FFSAL_CONS_y, FFPPL_CONS_y, FFMFG_CONS_y, FFBIW_CONS_y, FFRUN_CONS_y; AUDIT: FF_AUDIT (* fine-tuned for ‘Consulting’ interventions)
- UPDATE: FFXXX_UPD_Iy (Internal) / FFXXX_UPD_Ey (External), i.e. FFFIN_UPD_Iy, FFFIN_UPD_Ey, FFHRM_UPD_Iy, FFHRM_UPD_Ey, FFSAL_UPD_Iy, FFSAL_UPD_Ey, FFPPL_UPD_Iy, FFPPL_UPD_Ey, FFMFG_UPD_Iy, FFMFG_UPD_Ey, FFBIW_UPD_Iy, FFBIW_UPD_Ey, FFRUN_UPD_Iy, FFRUN_UPD_Ey; AUDIT: FF_BC_SUP

FF ID Owners (as listed per team column): Bruno Cooman, David Van De Sype, Francis Gregoir, Jean-Marie Delanglez, Krist Dewitte, Peter Pollentier, Dirk Matthys, Abhay Desai / Sachin Shirgaonkar, with Peter Pollentier / Jan Quagebeur listed for each team

FF ID Requesters (as listed): Bruno Cooman, Ranjan Kumar, David Van De Sype, Palaksha Kotian, Francis Gregoir, Ajeet Pokharna / Sandip Sawant, Jean-Marie Delanglez, Devendra Paralkar, Krist Dewitte, Durgesh Kamat / Milind Narwadkar, Peter Pollentier, Jacob Paul, Dirk Matthys, Archana Raje / Sunil Joyous

FF ID Controllers (as listed): Bruno Cooman, David Van De Sype, Francis Gregoir, Jean-Marie Delanglez, Krist Dewitte, Peter Pollentier, Dirk Matthys, Peter Pollentier / Jan Quagebeur; Peter Pollentier paired with Ranjan Kumar, Palaksha Kotian, Ajeet Pokharna / Sandip Sawant, Devendra Paralkar, Durgesh Kamat / Milind Narwadkar, Jacob Paul, Archana Raje / Sunil Joyous and Dirk Matthys

Also listed in the matrix: Ding Yi / Uma Rawale / Pavol Pazitny / Karl Hammes / Ivan Echevarria and Abhay Desai / Sachin Shirgaonkar (N/A for some columns)

GRC-EAM for IT – Bekaert + TCS

FF IDs by team and applicable reason codes

DISPLAY FF IDs (FFXXX_CONS_y):
- CONS-Problem simulation/analysis

UPDATE FF IDs (FFXXX_UPD_Iy / FFXXX_UPD_Ey):
- Support-Master data change/upload
- Support-Monitor/fix automated processes
- Support-Technical correction/fix (Debug)
- Support-Transactional data change/upload
- Project-Master data change/upload
- Project-Monitor/fix automated processes
- Project-Technical correction/fix (Debug)
- Project-Transactional data change/upload

GRC-EAM for IT – Bekaert + TCS

FF Login notification (screenshot): the notification includes the reference to the raised ticket

GRC – EAM Logging

EAM – Consolidated log report (screenshot)

GRC-EAM Logging

• Intervention by ‘Consulting’ FF ID: no log validation; weekly exception reporting
• Intervention by ‘Update’ FF ID: log validation by Team Lead
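The FF ID naming scheme, the reason codes per ID type and the logging rule on the preceding slides together describe a small decision procedure: decode the FF ID into team and DISPLAY/UPDATE type, check that the reason code given at login is applicable to that type, then route ‘Consulting’ logins to the weekly exception report and ‘Update’ logins to Team Lead log validation. The following Python is an added example of that procedure, not code from the deck or from SAP GRC; the consolidated-log fields, the sample entries and user IDs, and the rule that every login must carry a ticket reference are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Firefighter ID naming as shown on the MP1 slide:
#   FF<TEAM>_CONS_<y>          DISPLAY ID ('Consulting' interventions)
#   FF<TEAM>_UPD_I<y> / _E<y>  UPDATE ID, Internal / External firefighter
#   FF_AUDIT / FF_BC_SUP       AUDIT team DISPLAY / UPDATE IDs
TEAMS = {"FIN", "HRM", "SAL", "PPL", "MFG", "BIW", "RUN"}
FFID_RE = re.compile(r"^FF(?P<team>[A-Z]{3})_(?P<kind>CONS|UPD)_(?P<scope>[IE])?(?P<seq>\d+)$")
AUDIT_IDS = {"FF_AUDIT": ("AUDIT", "DISPLAY", None), "FF_BC_SUP": ("AUDIT", "UPDATE", None)}

# Reason codes applicable per FF ID type (slide 'FF IDs by team / Applicable Reason Codes')
REASON_CODES = {
    "DISPLAY": {"CONS-Problem simulation/analysis"},
    "UPDATE": {
        f"{ctx}-{act}"
        for ctx in ("Support", "Project")
        for act in ("Master data change/upload", "Monitor/fix automated processes",
                    "Technical correction/fix (Debug)", "Transactional data change/upload")
    },
}


def classify_ffid(ffid):
    """Return (team, type, scope) for a firefighter ID; raise ValueError if it does
    not follow the naming scheme (unknown team, or I/E letter on the wrong ID type)."""
    if ffid in AUDIT_IDS:
        return AUDIT_IDS[ffid]
    m = FFID_RE.match(ffid)
    if not m or m["team"] not in TEAMS:
        raise ValueError(f"unknown firefighter ID: {ffid}")
    kind = "DISPLAY" if m["kind"] == "CONS" else "UPDATE"
    scope = {"I": "Internal", "E": "External", None: None}[m["scope"]]
    if (kind == "UPDATE") != (scope is not None):   # CONS IDs carry no I/E letter, UPD IDs must
        raise ValueError(f"malformed firefighter ID: {ffid}")
    return m["team"], kind, scope


@dataclass
class FFLogEntry:
    """One line of the consolidated log report (field set assumed for this example)."""
    ffid: str
    firefighter: str
    reason_code: str
    ticket: str          # reference to the raised ticket, as shown in the login notification


def route_log_entry(entry):
    """Apply the logging rule: 'Consulting' (DISPLAY) IDs get no per-login validation
    but go to weekly exception reporting; 'Update' IDs go to the Team Lead for log
    validation. Entries that break the rules are returned as exceptions."""
    team, kind, _scope = classify_ffid(entry.ffid)
    problems = []
    if entry.reason_code not in REASON_CODES[kind]:
        problems.append(f"reason code not applicable to {kind} ID")
    if not entry.ticket.strip():      # assumption: every FF login must reference a ticket
        problems.append("no ticket reference")
    if problems:
        return "EXCEPTION", team, problems
    if kind == "DISPLAY":
        return "WEEKLY_EXCEPTION_REPORT", team, []
    return "TEAM_LEAD_LOG_VALIDATION", team, []


def triage(entries):
    """Group consolidated-log entries by the follow-up action the process prescribes."""
    buckets = {"EXCEPTION": [], "WEEKLY_EXCEPTION_REPORT": [], "TEAM_LEAD_LOG_VALIDATION": []}
    for e in entries:
        action, team, problems = route_log_entry(e)
        buckets[action].append((e.ffid, team, problems))
    return buckets


# Constructed sample log entries (user IDs and ticket numbers are invented)
SAMPLE_LOG = [
    FFLogEntry("FFFIN_CONS_1", "FF_USER_01", "CONS-Problem simulation/analysis", "INC0012345"),
    FFLogEntry("FFFIN_UPD_E2", "FF_USER_02", "Support-Transactional data change/upload", "INC0012346"),
    FFLogEntry("FFMFG_UPD_I1", "FF_USER_03", "CONS-Problem simulation/analysis", "INC0012347"),  # DISPLAY code on an UPDATE ID
    FFLogEntry("FF_BC_SUP",    "FF_USER_04", "Project-Technical correction/fix (Debug)", ""),     # no ticket reference
]

if __name__ == "__main__":
    for action, rows in triage(SAMPLE_LOG).items():
        print(action, rows)
```

The point of checking the reason code against the ID type is that an UPDATE ID used under a "problem simulation" code would otherwise slip into the lightly reviewed consulting path; routing it to the exception bucket keeps the Team Lead review on every change-capable login.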

GRC-EAM Conclusions

• Important change in way of working (WOW) & “culture” for IT staff
• Improved control on IT interventions on the productive system: (error) simulations, master data interventions, transactional data corrections
• Extra trigger for activation of a central master data team
• Basis for evaluation of IT-critical transactions within Business: removal & alternative approaches proposed