© 2010 Wellesley Information Services. All rights reserved.
Vendor Solutions and Services
Leverage your GRC assets to gain better visibility into business risks
Leo Castro, Novell, Inc.
Brian Parker, Deloitte & Touche LLP
In This Session ...
We’ll cover three main topics:
1. Challenges that impact your visibility to business risk
2. Our vision of how visibility to business risk can help balance agility and security, in support of your business objectives
3. Specific examples of how the solution builds on SAP BusinessObjects capabilities
What We’ll Cover …
1. Challenges that impact your visibility to business risk
2. Our vision of how visibility to business risk can help balance agility and security, in support of your business objectives
3. Specific examples of how we build on SAP BusinessObjects
   • Integration with SAP Process Control
   • Integration with SAP Risk Management
   • Integration with SAP Access Control
Wrap-up
Risk and Compliance Challenges
• Many organizations are still challenged to progress along the continuum of risk and compliance maturity
Challenge areas: Excessive Cost and Burden on the Business; Increasing Risks and Severity of Impact; Complex Compliance Landscape
• Organizations are not leveraging risk and compliance efforts, which increases inefficiencies and testing costs
• Silo approach to risk & compliance activities
• Different results and ratings for the same environment
• Conflicting and contradictory results
• Solutions tend to be created at division or department level and struggle to integrate into the entire operational structure
• Struggle to scale risk and compliance solutions
Figure (Program Silos): compliance programs (Information Security, 3rd Party, HIPAA, PCI, SOX, Privacy, ...) mapped separately against Lines of Business, Functional Leads, Compliance Managers, Information Security, Legal, Audit, Service/Arch Leads, and Corporate IT.
*Source: Deloitte
Problem: The CIO Cannot Provide Business-Relevant Risk Data to the CFO
The enterprise is set up with distributed security domains.
Issue: Volumes of disparate data make it hard to assess the risk to the enterprise.
(Persona: Toni, CIO)
Wouldn’t It Be Great To Convert Raw Data Into Information That Provides Full Visibility To Business Risk?
Monitor all events in the enterprise, injecting identity into access events and correlating those to defined business processes and key risk indicators (KRIs).
Visibility to Business Risk: A first step in balancing business agility and security
Visibility to Business Risk Helps Put In Place The Right Controls and Processes
More Secure
• Confidence in meeting compliance objectives
Greater Business Agility
• Move at the speed of business requirements
• Less compliance cost burden
Controls and Processes
SAP, Novell, and Deloitte Help Customers Achieve the Right Balance of Controls and Processes
Maturity stages, from least to most mature:
Non Sustainable (Reactive)
– Triage
– Manual processes
– Limited awareness of risks and controls
– Spreadsheets
– Manual documentation
Business Agility (Automated Access)
– Optimize access policies
– Preventative controls
– Automation of policy
– Access visibility
– Enterprise roles management
– Automated risk mitigation
– Tight integration with access control and identity management
Business Governance (Continuous Monitoring)
– Map access to process compliance
– Process visibility and accountability
– Real-time event monitoring
– Inspection of IT security risks
– Integrating IT processes to business policy
– Identity/security integration with access and process controls
Business Intelligence (Integrated Excellence)
– Enterprise risk-driven business decisions
– Risk mitigation and remediation
– Mapping of risks that affect business objectives
– Clear visibility to the enterprise of business/IT processes and policies
– Fully integrated processes and policies bringing clear visibility to impact on business objectives
– Risk management, security management, process management, access management
– Integrated “out-of-box” policies, processes and best practices
Steps between the stages: automate the existing compliance framework; automate the testing of controls that protect the business; provide clear visibility to the business.
SAP, Novell, and Deloitte Mitigate Risks That Threaten Business Objectives
• Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
• Real time risk response
• Allow business to determine the best long-term response
• Monitor and detect risk
• Analyze risk versus thresholds
• Evaluate processes and business objectives to help prioritize risks
Building the Crucial Bridge Between Strategic Applications
Figure: a layered stack of Strategic Business Applications, IT Systems, IT Infrastructure and IT Processes, bridged by the Novell® Compliance Management Platform extension for SAP environments to SAP BusinessObjects (Process Control, Risk Mgmt, Access Control), SAP ERP (HCM, FIN, OPS) and SAP NetWeaver.
Personas
• John, Controller
• Bill, Accounting Manager
• Toni, CIO
• Sandra, Security Admin
• Frank, Role Owner, SAP Biz Apps
• Linda, Risk Analyst
• Ted, CFO
• Mike, IT Admin
Integration with SAP BusinessObjects Process Control
Sandra, the IT Security Admin, puts IT computer controls in place to manage administrative access.
Control hierarchy in SAP BusinessObjects Process Control:
• Control Category: Information Security
• Control Sub Category: Security Configuration
• Objective: All information resources are subject to appropriate physical and logical security
• Process: Access to customer data is restricted based on where the data resides and who has access to it
• Control: Ensure that customer data is not replicated into uncontrolled environments
Integration with SAP BusinessObjects Process Control
Mike (IT Admin) makes Frank (Business Role: Role Owner, SAP Biz Apps) an Active Directory Domain Administrator (Active Directory Role: ADDomainAdmin).
The Novell® Compliance Management Platform (CMP) sees the event as an out-of-policy action and sends an alert to SAP GRC Process Control.
Integration with SAP BusinessObjects Process Control
Recognizing that the activity violates one of the established IT computer controls, Process Control creates a remediation event.
Event
System: Active Directory
User: Mike
Description: Change in role: Frank is now an Active Directory Domain Admin.
[Approve] [Reject]
Notification is sent to Toni (CIO) and Sandra (Security Admin).
Integration with SAP BusinessObjects Process Control
Access Event
System: Active Directory
User: Mike
Description: Change in role: Frank is now an Active Directory Domain Admin.
[Approve] [Reject]
Mike needs to remove Frank’s access to Active Directory.
Sandra (Security Admin) notifies Mike (IT Admin) that he needs to remove Frank’s Active Directory privileges (Frank: Business Role: Role Owner, SAP Biz Apps; Active Directory Role: ADDomainAdmin).
Integration with SAP BusinessObjects Risk Management
Mike (Business Role: IT Admin, username: miked) logs in to the CRM system.
Administrator account logins are tracked for security purposes and historical trending by the Novell® Compliance Management Platform (Novell Sentinel™).
Every time an administrative account is used, SAP BusinessObjects Risk Management evaluates the login against the Key Risk Indicators (KRIs).
Integration with SAP BusinessObjects Risk Management
In the past few weeks, the amount of administrative account usage has increased (Mike: Business Role: IT Admin; CRM Role: CRMAdmin).
Mike is the only person who knows the admin password. He’s questioned about the use of the Administrator Account.
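The two scenarios above (the out-of-policy Active Directory role grant, and the admin-login KRI that trends upward over several weeks) both rest on the same mechanism: inject identity into raw access events, then check them against a control and a KRI threshold. The following is an added example, not Novell, SAP or Deloitte code; the identity store, the allowed-role control, the event format and the "twice the earlier weekly average" threshold are all constructed assumptions.

```python
"""Added example, not Novell or SAP code: identity-injected event analysis for
an out-of-policy AD role grant and an admin-login KRI. All data is constructed."""
import re
from collections import Counter
from datetime import date

# Constructed identity store: username -> business role ("identity injection").
IDENTITY = {"miked": "IT Admin", "frankr": "Role Owner, SAP Biz Apps",
            "sandras": "Security Admin"}
# Constructed control: business roles allowed to hold a privileged system role.
PRIVILEGED_ROLE_POLICY = {("Active Directory", "ADDomainAdmin"): {"IT Admin"}}
# Constructed raw events, one per line: date followed by key=value pairs.
EVENTS = """\
2010-03-01 system="Active Directory" type=role_grant actor=miked target=frankr role=ADDomainAdmin
2010-03-01 system=CRM type=admin_login actor=miked role=CRMAdmin
2010-03-08 system=CRM type=admin_login actor=miked role=CRMAdmin
2010-03-15 system=CRM type=admin_login actor=miked role=CRMAdmin
2010-03-16 system=CRM type=admin_login actor=miked role=CRMAdmin
2010-03-17 system=CRM type=admin_login actor=miked role=CRMAdmin
""".splitlines()
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one event line and attach the business role of actor (and target)."""
    day, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["date"] = date.fromisoformat(day)
    ev["actor_role"] = IDENTITY.get(ev.get("actor"), "unknown")
    if "target" in ev:
        ev["target_role"] = IDENTITY.get(ev["target"], "unknown")
    return ev

def policy_violations(events):
    """Role grants whose recipient's business role may not hold that system role."""
    alerts = []
    for ev in events:
        if ev.get("type") != "role_grant":
            continue
        allowed = PRIVILEGED_ROLE_POLICY.get((ev["system"], ev["role"]))
        if allowed is not None and ev["target_role"] not in allowed:
            alerts.append(f"{ev['system']}: {ev['actor']} ({ev['actor_role']}) "
                          f"granted {ev['role']} to {ev['target']} ({ev['target_role']})")
    return alerts

def admin_login_kri(events, factor=2.0):
    """KRI: admin logins per ISO week; the latest week breaches the KRI when it
    exceeds `factor` times the mean of the earlier weeks (assumed threshold)."""
    per_week = Counter(ev["date"].isocalendar()[1]
                       for ev in events if ev.get("type") == "admin_login")
    weeks = sorted(per_week)
    if len(weeks) < 2:
        return dict(per_week), False
    baseline = sum(per_week[w] for w in weeks[:-1]) / (len(weeks) - 1)
    return dict(per_week), per_week[weeks[-1]] > factor * baseline
```

On the constructed events, `policy_violations` raises the single alert for Frank's ADDomainAdmin grant, and `admin_login_kri` flags the third week (3 logins against a 1-per-week baseline).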
New Accounting Manager Role-Based Access to SAP System
Bill (Sales Contractor; Business Role: Sales Contractor; CRM Role: SalesMgr1, with the ViewReports permission) uses the SAP Portal.
Bill: “I need to see the latest customer purchase reports.”
Bill goes into the Customer Relationship Management section of the SAP Portal to see reports on recent customer purchases.
New Accounting Manager Role-Based Access to SAP System
Bill: “Why don’t I have access?”
Bill clicks the link to view the reports, but finds he does not have access.
Instead of showing an “access denied” message, the Novell® Compliance Management Platform asks Bill if he would like to request access.
New Accounting Manager Access Request
Bill: “I guess I will request it.”
Bill requests access by providing the necessary information in the request form, and then submits it to the CMP for approval.
New Accounting Manager Request Approval
Access Request
System: CRM
Requestor: Bill
Reason for Request: Complete tasks assigned by my manager.
[Approve] [Reject]
The Novell® Compliance Management Platform sees Bill’s access request and sends it to SAP BusinessObjects Access Control to check for SoD violations.
The results from the check show no SoD violations.
John (Controller), Bill’s boss, sees Bill’s access request and the results of the SoD check: “I don’t see issues with giving him access.” He approves the request.
New Accounting Manager Granted Access through Bill’s Automated Role
Bill (Business Role: Sales Contractor; CRM Access: Approved) receives notification that he has been granted access to the SharePoint system.
Bill clicks the “View Historical Reports” link in the SAP Portal. He finds that he is now properly provisioned to begin working with the reports in the SharePoint system.
Bill: “Wow, that was fast. I am glad that there is not a lot of red tape in this organization.”
The Integrated Offering Brings Exponential Value to You
Key Points to Take Home
• The joint Novell – SAP solution, powered by Deloitte, helps customers to:
  – Gain better visibility into business risks and mitigate them before they impact business objectives
  – Leverage existing compliance IT infrastructure to grow as needs grow
  – Draw upon Deloitte’s leading practices to minimize startup time and maximize ROI
Resources
• www.novell.com/cmpsap: information on Novell’s Compliance Management Platform and the Compliance Management Platform extension for SAP environments
• http://www.novell.com/sap: general information on the SAP-Novell partnership, including the SAP BusinessObjects collaboration
• www.deloitte.com/us/riskintelligent: a rich set of white papers and additional information on enabling the risk intelligent organization
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet™, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This [publication or presentation] is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
* Designates Pre-existing Works owned by Deloitte Development LLC, used herein pursuant to grant of license to WIS.
Novell General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.