GRC TRAINING:RISK OWNERS
Table of ContentsGRC ROLES & RESPONSIBILITIES – RISK OWNERS . 3RESPONSIBILITIES REFERENCE . 3SAP SECURITY AND GOVERNANCE PROCEDURES . 4PROCESS 1: NEW OR AMENDED ROLES . 6PROCESS 2: MITIGATION ANALYSIS . 18PROCESS 3: NEW USERS AND USER ROLE PROVISIONING . 28PROCESS 4: FIREFIGHTER USERS AND ROLES . 34PROCESS 5: PERIODIC COMPLIANCE REVIEWS. 47GRC REPORTING . 55JOB AIDS . 56Job Aid 01 Risk Violations . 58Job Aid 02 User Analysis . 77Job Aid 03 Violations Comparisons . 94REFERENCE AIDS . 103Reference R1 Access GRC Reporting. 105GRC TERMINOLOGY . 114GRC ROLES & RESPONSIBILITIES. 124GRC SOD ANALYSIS STEPS . 129GRC FORMS . 136EXAMPLE FORM A: GRC MITIGATION CONTROL CHANGE REQUEST . 137EXAMPLE FORM B: GRC FIREFIGHTER CHANGE REQUEST . 140EXAMPLE FORM C: SAP USER OR ROLE CHANGE CHECKLIST . 143GRC CHANGE EVENTS . 148
GRC Training – Risk OwnersGRC Roles & Responsibilities – Risk OwnersRisk Owners will carry out the following tasks as part of their GRC-related responsibilities: Provide guidance on:oacceptable level of risk related to SODs and critical accessoadequacy of compensating (mitigating) controlsEnsure control processes are in place:oRegular access reviewoMitigation processes, including specific reports. Final approval on new/amended Mitigation Control definitions and assignment to Risk / Usercombinations. Approve recertification of mitigating controls – supported by Role Owner and Compliance Officer.Where designated as a FireFighter ID owner, will approve assignment of FireFighter ID to users.Responsibilities ReferenceTASKSMaintain Risk Awareness : Role Owner emails Risk Owner ofmajor role changesProvide guidance on acceptable risk during the MitigationAnalysis processFinal approval of Mitigation Control definition– based on RoleOwner’s recommendationsOverall monitoring of control processes / reportsFinal approval of Mitigation Control assignment to users –based on Role Owner’s recommendationsApprove assignment of FireFighter IDs to usersFinal approval of periodic recertification of MitigatingControlsPROCESS & STEP1.14REPORTS01 Risk Violations02 User Analysis03 Violations ComparisonsPROCESS555FORMSA: GRC Mitigation Control Change RequestPROCESS & STEP2.5WORKFLOW OR EMAIL-TRIGGERED ACTIONSEmail for Mitigation Changes – if designated as MonitorPROCESS & STEP232.1.c2.52.8, 53.85.M.2, 5.Q.104.55.A.3
GRC Training – Risk OwnersSAP Security and Governance Procedures4
GRC Training – Risk OwnersPURPOSE OF THIS DOCUMENTThe SAP Security and Governance Procedures are documented in five flowcharts. The sections in this documentdescribe the details of each step.CONTENTSProcess 1: New or Amended RolesProcess 2: Mitigation AnalysisProcess 3: New Users and User Role ProvisioningProcess 4: FireFighter Users and RolesProcess 5: Periodic Compliance Reviews5
GRC Training – Risk OwnersProcess 1: New or Amended Roles6
RiskOwnerMIT SAP Security & GRC Process : 1. New or Amended Roles14MAINTAINRISKAWARENESSFYI EMAILFYI EMAILRole OwnerSTART1.aInitiate proposal forNew / AmendedRoles5Approve Role Build /Amendment9Approve Role Build /AmendmentIn PROD13Close OutRT TICKETRTNEW TICKETEmail requestingPromotion to PRODFYIEMAILAll paperworkR/3Security AdminSTART6Process 3RoleProvisioning1.bInitiate proposal forNew / AmendedRolesBA / BSAYESFROM7, 11End UserNew SOD Risksidentified ?3Process 2MitigationAnalysis &DesignFROM7, 11IN TESTGRC-ARAreport2Role Design reviewand GRC-ARASimulations10Process 3RoleProvisioningand QANO4FinalizeRole Design / Redesignandrun GRC-ARAEmail -ready for testIN PRODNOSome minor fixesare requiredUSER LEVELGRC-ARAreportUSER LEVELGRC-ARAreportNEW ROLEDESIGNROLEMINI-SPECFILEDYES7SAP TESTTestNew/Changed Roleandrun GRC-ARATest OK ?YES11SAP PRODGRC-ARA reviewAndSupport USERFeedbackandTEST RESULTS8SAP TESTTest the roleSTEP3NOSome minor fixesare requiredNOAdditional SOD Risks IdentifiedNOAdditional SOD Risks IdentifiedTEST PLANTest OK ?Feedback12SAP PRODConfirm role worksSTEP3STEP6
GRC Training – Risk OwnersProcess 1: New or Amended RolesThe “New or Amended Role” process is for the scenario where a new or amended business role is needed, and includes the high-level steps for initialinvestigation, design, development and GRC Access Risk assessment.The requirement SAP Access Role maintenance can be identified during the following business events, with the first two being the most frequent andrepresented in the flowchart. The process for the other triggering events is almost the same, with any differences documented in the text.1. Departmental reorganization.2. New or changed job duties within a department.3. New SAP functionality which is not expected to be included in common roles but is needed for several users with different accessand does fit into an existing role. This may be :o Small changes, for extra functionality in existing applicationso Larger, project-related changes where a whole new application is rolled-out, and probably multiple SAP Access roles.4. Audits, Compliance and other reviews – this would be less common.5. SAP Access role redesign / tidy-up (triggered from technical reviews).6. Removal of functionality from roles – (no SOD risk issues).Roles & Responsibilities for Process 1: Risk Owner :Maintains awareness of role changes and potential for new risks Role Owner :Initiates proposals for role changes, approved role changes, closes out role change process BA / BSA :Involvement in several stepsoPerforms preliminary role change analysisoCreates role design / redesign documentation and test planoTests new roles in TEST – including GRC-ARA simulationoSupports end-user in Production.8
GRC Training – Risk Owners R/3 Security Admin:Builds roles and provisions role (see process 3). SOD Coordinator:Indirectly involved if there is any Mitigation requirements – see Process 2. GRC Admin:Indirectly involved if there is any Mitigation requirements – see Process 2. End User:Test their User in SAP Production.Reports available to support the Process 1:Rept. 5 R/3 SUIMRept. 6 GRCRoles by Role NameUser to Role relationshipRept. 7 GRCRept. 8 R/3 SUIMRole relationship with UserUsers by User IDRept. 9 GRCRept. 10 GRCRept. 12 GRCCount of AuthorizationsAction Usage by User, Role, ProfileUser Level access analysisRept. 13 GRCRept. 14 GRCUser Level access analysis – simulation with added / removed actions, roles, profiles.Role Level access analysisRept. 15 GRCRole Level access analysis – simulation with added / removed actions, roles, profiles.TCODE SU01DDisplay User information – with Roles and Profiles tabThe following report are also available, but will be less frequently used in the MIT environment:Rept. 16 GRCRept. 17 GRCProfile Level access analysisProfile Level access analysis – simulation with added / removed actions.9
GRC Training – Risk OwnersProcess 1: New or Amended Roles - Detailed StepsP.1STEPBusiness RoleResponsibility /ActionOutputDetails1Role OwnerInitiate proposal forNew/AmendedRoles. a. Role Owner identifies a potential need for a new role due to : Email to BA/BSAand Risk Owner,SAP Security Adminand MIT AuditRT Queue – newtask Departmental Reorganization – new roles are needed to reflectcompletely new, permanent job duties, and old roles probably can bedeactivated. New or changed job duties – may be combined roles or split role orjust completely new. This is less likely where provisioning is managedwith Composite roles which can have existing roles added / removedwithout the need for a new role. New SAP functionality which does not easily fit into an existing role.b. Role Owner communicates (email) potential need to BA/BSA and RiskOwner.c. The requirement may be triggered from a technical role redesignproposed by SAP Security Admin.Note that MIT’s has made more use of “composite roles” in the redesignedVPF access. The composite role is where several roles are linked together torepresent a job position or a specific user’s duties. 10So some minor User access changes can be managed by adding orremoving roles from the composite role.This would be identified by the Role Owner in simpler cases, or by theBA/BSA for more complicated cases – see step 2.
GRC Training – Risk OwnersP.1Business RoleResponsibility /ActionOutputDetailsBA/BSARole Design reviewand GRC-ARAsimulations GRC-ARA Risksimulation reports For existing risks,assessment ofexisting MitigationControls to newtcode combination.a. For major changes, e.g. complete business reorganization or new majormulti-role applications being rolled out, there will always be a need foreveryone to be involved, like the SOD project had.STEP2 If new Risks, kickoff a full riskassessment (seenext step Process 2).b. For minor changes, the BA/BSA will review the current role design (GRCand SUIM reports) and decide if any new Roles are necessary to achievethe business changes. Where there are any new action tcodes (create,change, post etc.), or new combinations of tcodes due to composite rolechanges, a GRC-ARA SOD analysis is required for : The proposed new / changed role The users for whom the change will be made The GRC-ARA simulation can use the current user in PROD, plus anytcodes (entered) or existing roles (in DEV, TEST/QA or PROD). SAP R/3 Security Admin may need to advise on additionalauthorizations (permission level) which may reduce the risk. The BSA may need to advise on alternative tcodes (actions) andstandard SAP equivalents of custom “Z” transactions. The proposed design can be workshopped, including bringing up anySOD issues and recommendations for mitigation. (See details inProcess 2: Mitigation Analysis).c. In defining design requirements for the request, the BA/BSA works withthe Role Owner and Risk Owner. to mitigate risks and SODs wherever possible, reaching out to the GRC Analysis Team when input is requiredd. Check any existing Mitigation Controls related to the current role, andcheck the detail of the new tcode combinations. It is possible the existingMitigation Control does not fully cover the new tcodes.11
GRC Training – Risk OwnersP.1Business RoleResponsibility /ActionOutputDetailsBA/BSAMitigation AnalysisSee Process 2Flowchart for detailsAlso, see Flowchart for Process 2 for more details.STEP3Risk OwnerRole Ownera. Mitigation analysis is required where :SODCoordinator New SOD Risks are reported Existing SOD Risks remain, but are changed due to the new tcodes New “Critical” transactions (actions) are reported.b. Detailed SOD Risk analysis will confirm if : risk is low level and is acceptable, or existing mitigation could apply / still applies, or a new mitigation control can be defined, or a new mitigation process may need to be developedonew reportosystem enhancementosystem configuration changeoadditional SAP Access restrictions – permission levelonew manual process.c. The output of this step will be one or more role redesigns and potentiallya new Mitigation Control if the Risk remains after the role redesigns.Note the Risk may have been avoided due to “Remediation” :12 Several roles and related user assignments were changed The tcode causing the issue was put in a “FireFighter” role.
GRC Training – Risk OwnersP.1Business RoleResponsibility /ActionOutputDetailsBA/BSAFinalize role