
SAP GRC Access Control: Emergency Access Management

April 2016

www.pwc.be

PwC

PwC provides end-to-end SAP consulting services
Value through SAP strategy, design, implementation & QA

PwC SAP Consulting service areas (diagram):

• Human Capital
• Value Chain
• Technology & Security
• Enterprise Assets
• Finance & Treasury
• Governance, Risk & Compliance

April 2016, Slide 2

PwC’s SAP security & GRC services
Increase quality & profitability with PwC services & SAP technology

Slide 3

Agenda

SAP security: What & why?

SAP GRC Access Control overview

Emergency Access Management deep-dive

Live demo

Implementation good practices

Question & answer

Slide 4

SAP security: What & why?

Slide 5

SAP authorisations
PwC’s five guiding principles for an effective design

Five principles around the centre “Effective SAP security” (diagram):

• Task based methodology
• Smart technical design
• Know your control points
• Quality technical build
• SoD free

Slide 6

PwC’s holistic view on SAP security
SAP GRC as an enabler for a sustainable authorisation model

Building blocks of an Effective SAP Security Design (diagram):

• SAP Role Architecture
• Security & Provisioning Processes
• Org Structure & Governance

“Get clean, stay clean”: use the right tools and processes to support your SAP authorisation concept.

Slide 7

SAP GRC Access Control overview

Slide 8

SAP GRC Access Control
Four modules which enable controlled SAP authorisations

GRC access management technology (diagram):

1. Access Risk Analysis
2. Business Role Management
3. Access Request Management
4. Emergency Access Management

Slide 9

Emergency Access Management deep-dive

Slide 10

Your challenges

How to handle those midnight emergency calls… without opening security gates permanently?

• Recent audits demonstrated that your SAP users in IT and Business had access to sensitive SAP transactions or tables on a permanent basis whilst the access was not required to support the user’s day-to-day job activities. This sensitive access was granted to these users to allow them to support the business in case of incidents and/or emergency requests, but resulted in an uncontrolled usage of sensitive SAP access.

Access to sensitive transactions is not controlled

Your desired response

You want to address the above challenges by implementing appropriate controls on the usage of sensitive SAP access in support of incidents and emergency requests, and by installing regular risk-based SAP access reviews. SAP GRC Access Control technology has been identified as an important enabler for these controls.

SAP GRC to meet IT, business and internal control requirements

Slide 11

SAP GRC Emergency Access Management
An enabler for controlled management of elevated access!

Key functionality

• Pre-define emergency access for approved users
• Activity monitoring for all emergency users
• Enables compliance-focused emergency access for SAP
• Avoid business obstructions with faster emergency response

Key benefits

• Reduce audit time
• Reduce time to perform
• Workflow based log review
• Compliant emergency access management process

Diagram: Super user (SAP_ALL) and Firecall IDs per process area (SD, MM, FICO, …), each check-out opening a new session with its own log.

• Pre-assigned firefighter IDs
• Access restrictions
• Validity dates and expiry
• Field-level changes tracked in audit log
• Workflow based log review

Slide 12

SAP GRC EAM key terminology
To assist you in not getting lost in translation

Term: Definition

EAM: Emergency Access Management, SAP’s tool for providing elevated security authorisations through a controlled process ensuring usage is appropriate.

SPM / Virsa FireFighter: Legacy names for EAM from GRC versions 5.3 and earlier.

Firefighter ID (also EAM ID, SPM ID, FFID, FireFight ID): A separate SAP user account typically assigned to a specific process area. When needed, an end user logs into GRC and opens an emergency access session. At that point, a new SAP session is opened and all actions performed are logged in EAM.

Firefighter: An end user who logs into EAM and checks out a Firefighter ID to perform emergency actions.

Owner: Responsible for approving and periodically reviewing access granted to an individual Firefighter ID. Owners are also responsible for authorizing the security authorizations assigned to the Firefighter ID.

Controller: Responsible for monitoring and assessing the appropriateness of activity performed by a user using an individual Firefighter ID.

Slide 13

A typical SAP GRC EAM process flow
All actors need to take up responsibility to generate benefit!

Slide 14

Emergency Access Management live demo

Slide 15

Implementation good practices

Slide 16

Determine your SAP GRC AC business case
How to build a solid and compelling one?

• Embed ownership of user provisioning to business process owners
• Improved harmony between the goals of IT and the needs of business
• Encourage consistent execution of business processes
• Reduce access risks and therefore avoid fraud and errors
• Simplify the access request process for business users
• Reduce time spent for user provisioning
• Get rid of recurring audit and compliance remarks

SAP’s GRC value calculator tool: http://www.pulse-iq.com/SAP/AccessControlValueCalc/dashboard.html

Slide 17

GRC implementation roadmap
Working smart towards your goals

Roadmap stages (diagram): Access Risk Analysis Integration; Continuous Compliant Access Management

Slide 18

EAM & ARA implementation trajectory
Keep your objectives in mind and involve the right stakeholders

Phases: Assess, Design, Construct, Implement, Operate & Review, with ongoing training & knowledge transfer throughout. Each phase has an SAP GRC EAM track and an SAP GRC ARA track.

Assess
• SAP GRC technical installation
• EAM: Define emergency access management (EAM) needs
• ARA: Define access risk analysis (ARA) usage needs

Design
• SAP GRC EAM: Design “firefighter” accounts & access and supporting governance structure & processes
• SAP GRC ARA: Define access risks to be monitored for in-scope processes; define ARA governance structure & processes

Construct
• SAP GRC EAM: Build firefighter IDs, assign their access; configure EAM in SAP GRC back-end; set up EAM reporting
• SAP GRC ARA: Construct ARA risk ruleset; configure ARA in SAP GRC back-end; set up ARA reporting

Implement, Operate & Review
• SAP GRC EAM: Perform EAM unit, integration and user acceptance testing; train EAM end-users; go-live of the tested EAM solution; provide ad-hoc support to EAM administrators and end-users
• SAP GRC ARA: Perform ARA unit, integration and user acceptance testing; train ARA end-users; go-live of the tested ARA; provide ad-hoc support to EAM administrators and end-users

Slide 19

Determine your EAM relevant usage
Involve the right stakeholders to identify this usage

Appropriate usage includes

• Emergency changes required in production

• Sensitive transactions not available via end user security roles

• SOx-sensitive, restricted transactions

• Infrequent, sensitive tasks (opening/closing posting period)

• Cutover tasks

Inappropriate usage includes

• Daily business tasks by support users (creating purchase orders, etc.)

• Non-sensitive tasks available via security roles

• Using EAM as a crutch to support a bad security design
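The terminology slide above describes the actors of the EAM control (a firefighter checks out a Firefighter ID, a new session is opened and logged, the owner approves the assignment, the controller reviews the log), and this slide gives the criteria a controller applies when judging whether a session was appropriate. The following Python block is an added illustration written for this page, not PwC's or SAP's code: it models those steps as a small check-out and log-review routine over constructed data. The Firecall ID, user names, session log and the list of "daily business" transaction codes are assumptions made for the example; the transaction codes themselves (VA01, ME21N, SM37, VL09) are real SAP codes used only as sample values.

```python
"""Toy model of the EAM control: check-out of a Firefighter ID, session logging,
and the controller's log review. Constructed example, not SAP GRC code."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional

# Assumption for this example: transaction codes that count as daily business
# tasks (ME21N = create purchase order, VA01 = create sales order). A real
# implementation would take this from the organisation's own usage policy.
DAILY_BUSINESS_TCODES = {"ME21N", "VA01"}


@dataclass
class FirefighterId:
    """A Firecall/Firefighter ID: a separate SAP account scoped to one process area."""
    ffid: str
    process_area: str
    owner: str              # approves and periodically reviews the assignment
    controller: str         # reviews every session log
    valid_from: date
    valid_to: date
    assigned_users: set


@dataclass
class Session:
    """One check-out of a Firefighter ID; every action is logged against it."""
    ffid: str
    firefighter: str
    started: datetime
    reason: str
    actions: list = field(default_factory=list)   # (timestamp, tcode, description)
    reviewed_by: Optional[str] = None


def check_out(ff: FirefighterId, user: str, at: datetime, reason: str) -> Session:
    """Open an emergency session only for an assigned user, inside the validity
    window, and only with a stated reason the controller can later assess."""
    if user not in ff.assigned_users:
        raise PermissionError(f"{user} is not assigned to {ff.ffid}")
    if not ff.valid_from <= at.date() <= ff.valid_to:
        raise PermissionError(f"{ff.ffid} is not valid on {at.date()}")
    if not reason.strip():
        raise ValueError("an emergency reason is required")
    return Session(ffid=ff.ffid, firefighter=user, started=at, reason=reason)


def log_action(session: Session, at: datetime, tcode: str, description: str) -> None:
    """Append one logged action (timestamp, transaction code, free text)."""
    session.actions.append((at, tcode, description))


def review_findings(session: Session, own_role_tcodes: set, now: datetime,
                    review_deadline: timedelta = timedelta(days=7)) -> list:
    """Findings a controller would raise on one session log, following the
    appropriate/inappropriate usage criteria: routine tasks, tasks the user's
    normal roles already cover, empty sessions and overdue log reviews."""
    used = {tcode for _, tcode, _ in session.actions}
    findings = []
    if not used:
        findings.append("empty-session")
    if used & DAILY_BUSINESS_TCODES:
        findings.append("daily-business-task")
    if used and used <= own_role_tcodes:
        findings.append("covered-by-own-roles")
    if session.reviewed_by is None and now - session.started > review_deadline:
        findings.append("review-overdue")
    return findings


def demo() -> dict:
    """Constructed walk-through: a genuine emergency, a misuse, a stale unreviewed
    log, and a denied check-out. Returns the findings so they can be checked."""
    ff_sd = FirefighterId("FF_SD_01", "SD", owner="sd.owner", controller="sd.ctrl",
                          valid_from=date(2016, 1, 1), valid_to=date(2016, 12, 31),
                          assigned_users={"jdoe"})
    now = datetime(2016, 5, 10, 9, 0)
    end_user_roles = {"VA01", "VA02", "VA03"}     # what jdoe's normal roles allow

    emergency = check_out(ff_sd, "jdoe", datetime(2016, 5, 9, 23, 10), "INC-0042: billing run stuck")
    log_action(emergency, datetime(2016, 5, 9, 23, 12), "SM37", "restart failed billing job")
    emergency.reviewed_by = ff_sd.controller

    misuse = check_out(ff_sd, "jdoe", datetime(2016, 5, 9, 14, 0), "customer wants an order")
    log_action(misuse, datetime(2016, 5, 9, 14, 5), "VA01", "create sales order")
    misuse.reviewed_by = ff_sd.controller

    stale = check_out(ff_sd, "jdoe", datetime(2016, 4, 20, 8, 0), "INC-0031: delivery stuck")
    log_action(stale, datetime(2016, 4, 20, 8, 30), "VL09", "reverse goods issue")

    try:
        check_out(ff_sd, "other.user", now, "urgent")   # not an assigned firefighter
        denied = False
    except PermissionError:
        denied = True

    return {
        "emergency": review_findings(emergency, end_user_roles, now),
        "misuse": review_findings(misuse, end_user_roles, now),
        "stale": review_findings(stale, end_user_roles, now),
        "denied_unassigned": denied,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints one line per constructed session: the genuine emergency raises no finding, the sales-order session is flagged both as a daily business task and as work the user's own roles already covered, the April session is flagged because its log was never reviewed within the deadline, and the check-out by a user not assigned to the ID is denied. The review deadline and the daily-business list are the two knobs a controller or owner would tune to the organisation's own policy.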

Slide 20

Make smart design decisions
These will drive actual & perceived value-add of your EAM

01 Design Firefighter users per business process
02 Think of available notifications and workflow functionality
03 Centralised vs. decentralised approach?
04 “Pre-approved” Firefighter strategy vs. “ad hoc” approval required
05 What about ID vs. role-based firefighting?

Slide 21

SAP GRC governance structure
Even SAP GRC needs governance to ensure its sustainability!

• Functional use
• GRC tool maintenance
• GRC process flows
• Structure
• Roles & responsibilities

Slide 22

Conclusion

Slide 23

Key takeaways
For you to consider during our SAP GRC EAM journey!

• SAP GRC EAM delivers great return on investment for your organization from an internal control and efficiency perspective, when implemented right

• Determine a clear and realistic scope, with all the right stakeholders involved; don’t forget about your (external) auditor

• Smart design decisions are key: Garbage in = Garbage out

• Also your SAP GRC tool needs governance to deliver value

Slide 24

Question & answer
PwC’s upcoming SAP GRC & security events

http://www.pwc.be/en/events-courses.html

Date & time: 28 April 2016, 16:00h – 17:00h

Webinar: SAP HANA security - Prepare for what’s next
• Obtain a clear and detailed view on the security set-up in a SAP HANA based environment
• Watch the theory come alive through a live SAP HANA security demo
• Gain first-hand insight on security good practices in a SAP HANA context through experience sharing by PwC experts
• Learn about the security skills, processes & controls required to continue safeguarding your sensitive data in a SAP HANA context

Date & time: 18 May 2016, 10:30h – 16:00h, PwC Brussels

Increasing quality & profitability with SAP GRC Access Control
• Live demo & good practice sharing
• Gain insights from an SAP GRC AC client use case
• Obtaining first-hand views on SAP GRC’s roadmap for the future
• Explore how to generate value-add from your SAP GRC system by quantifying potential risk violations using data analytics techniques using PwC process mining expertise combined with SAP Access Violation Management technology

For more information on the subject, please contact ...

Wim Rymen, Director, +32 473 269 [email protected]
Kris Wauters, Senior manager, +32 499 558 [email protected]
Constance Vervalcke, Manager, +32 493 240 [email protected]

© 2016 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.