Security and Governance Done Right - Prof. Hernan Huwyler MBA CPA
•
0 gefällt mir•48 views
Learn how to: Centralize risk-based controls SAP GRC to simplify compliance Streamline access certifications Monitor with red flags analytics Manage segregation of duties rulesets Balancing SAP Security: Access, Protection, Authorization Aprender como: Centralice los controles basados en riesgos SAP GRC para simplificar el cumplimiento Optimice las certificaciones de acceso Monitorear con análisis de banderas rojas Gestionar conjuntos de reglas de segregación de funciones Equilibrio de la seguridad de SAP: acceso, protección, autorización
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Security and Governance Done Right - Prof. Hernan Huwyler MBA CPA
Ähnlich wie Security and Governance Done Right - Prof. Hernan Huwyler MBA CPA (20)
Mehr von Hernan Huwyler, MBA CPA
Mehr von Hernan Huwyler, MBA CPA (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Security and Governance Done Right - Prof. Hernan Huwyler MBA CPA
- 1. Security and governance done right Prof. Hernan Huwyler, MBA CPA
- 2. Agenda Centralize risk-based controls SAP GRC to simplify compliance Streamline access certifications Monitor with red flags analytics Manage segregation of duties rulesets
- 3. The centralization of processes is a prerequisite for cost saving and digitalization efforts in response to the COVID19 crisis
- 4. GRPC_STR_CHANGE Update and simplify the hierarchy of SAP processes and sub-processes GRPCRTA_PC Centralize local control catalogs with harmonized multi- compliance frameworks ASGN-TSTER Change the schedule of controls with problematic workflows SURVEY Align control surveys to yes/no confirmations with comments and attachments
- 5. The detection and investigation of suspicious fraudulent activity is critical during the operational adjustments triggered by COVID19
- 6. The economic crisis requires to closely monitor partners for performance, solvency and service continuity risks
- 7. SAP Business Partner Screening Ongoing due diligence on third-parties SAP Business Integrity Screening Notifications on fraud red flags SAP Tax Compliance Prevent fines and disputes SAP Risk Management Develop exit plans to address continuiry risks
- 8. SAP Risk Management Monte Carlo Simulations • cash-flow analysis • delays in supply • delays in orders • budgeting • insurance • price calculation • bidding
- 9. • Update process owners • Compare changes in the most used roles User access reviews • Evaluate recent changes for terminations and contractors • Sample some reviews to audit the full process
- 10. The operational changes during COVID19 triggered numerous inconsistencies in SAP data for cleanup
- 11. SAP Business Integrity Screening Exception reporting and management • Duplicated payments • Split orders • Invoice before reception • Inaccurate master data • Unusual discounts
- 12. SAP Segregation of duties Ruleset • Review changes in the access control attributes • Leverage checks based on pre-configured SAP Best Practices for industry • Continue improving the rules for display rights • Simplify roles for the new normal
- 13. Let´s connect Prof. Hernan Huwyler /in/hernanwyler/ hewyler
- 14. Leading analysts on information security in the era of digital transformation @kuppingercole info@kuppingercole.com
Hinweis der Redaktion
- security and governance done right - How to centralize risk-based controls in SAP GRC to simplify compliance - Tips to streamline access certifications and monitoring with red flags analytics - How to manage segregation of duties rulesets
- Hierarchy GRPC_STR_DISPLAY: Use the needs for reports following the C-level organization and the hierarchy of regulations, cannot centralize inconsistent processes, review with process owners the relevance, reassess the process to focus the resources Centralization: many control frameworks, follow group policies, assess the justification of having differetent controls in some entities, centralize the delegation of tasks for other users´ access rights. SAP and non-SAP applications. Use generic test plans for control clusters corporate, financial, IT, and industry-specific Schedule: evaluate the frequency to test controls, test shared controls by shared service centers, look for recurrent escalation of issues or rejected or pending.
- SAP GRC to simplify compliance: fraud, more risks from work from home How can we reduce risks from business partners, business integrity of partners Standard risk management should be done better (e.g- Credit Swiss dismissing the CRO)7 Need for a real management of risks, update and audit action plans, prevent hiding risks
- Scenario analysis using Monte Carlo enables you to select a list of risks, assign them to a random distribution, and decide on a distribution method for the number of losses involved (frequency). In this way, the system estimates the total aggregated loss (the sum) at risk for your simulation.
- Detect changes in uses to update SoD and Sensitive Access rule sets, unreversed temporary rules and conflicts on covid operations, improper change processes, . Changes in handling hybrid roles that blend duties, changes in sub-contractors, also administrators Sample some reviews to review the details of the certification: need to know, understanding, incompatibilities, review the removal of accesses
- Duplicated payments, errors and fraud split into smaller value POs to avoid additional approval checks Inaccurate client, vendor or bank master data to cleanup and training. incomplete or inaccurate sets of data Goods received after invoice date : goods receipts were posted after the date of inovices. Lack of resources in Warehouse is the main cause of late inventory accounting updates
- Attribute-Based Access Controls (ABAC) enable the use of “attributes” in authorization decisions. These attributes can be anything from user details such as role, department, nationality, or even a user’s security clearance level. You can consider additional contextual attributes such as IP address, location, time, device, and transaction history. And most importantly, for SoD, you can now use data attributes in authorization logic. This means that field-level values within SAP can be used to determine whether to block or allow a transaction, and these details can further be used in reporting activities.