How to build an effective GRC process for SAP Security and Access?

Regardless of the business segment, it is a fact that all private or publicly traded organizations seek to establish the best Governance, Risk Management and Compliance (GRC) practices for their business processes.

Considered the basic pillar of GRC control, the access management process in organizations is the one that most causes divergence as it is a process that requires the engagement of multiple areas, such as: IT Security and Access, Governance, Internal Controls, Audit, Risks and business areas.

MAIN KNOWN PROBLEMS IN THE PROCESS OF ACCESS CONTROL AND RISK MONITORING SODs IN COMPANIES

Need an effective Access Management process, namely:

• Governance Model and Corporate Profile Management (Business and IT) – On-going;
• Definition of Roles and Responsibilities;
• Adoption of a systemic GRC platform;
• Definition and publication of the organization’s policies and regulations;
• Others.

MAIN TECHNICAL DEFINITIONS

• PROFILE OWNER (ROLE OWNER), person responsible for assessing the risks and approving profile requests that are their responsibility. It is also responsible for requesting and approving profile adjustments according to business requirements.
• TRANSACTION OWNER, person responsible for assessing the risks and approving requests for transactions that are their responsibility. It is also responsible for requesting and approving adjustments to transactions in accordance with business requirements.
• RISK OWNER (RISK OWNER), person responsible for defining and determining the best risk structure capable of identifying the risks of access attributed to users. It also recommends and approves adjustments to the SoD risk structure according to business requirements.
• CONTROL OWNER (CONTROL OWNER), person responsible for defining and determining the best compensatory control option capable of reducing or eliminating the risks of access attributed to users. It also recommends and approves adjustments to compensating controls in line with business requirements.
• RISK MONITOR (RISK MONITOR), person responsible for monitoring and also receiving notifications of violated and materialized risks. It needs to assess and determine the root cause and evidence decisions that may refer to acceptance of the breach and materialization of risk, or transfer of risk to another person.
• APPROVER (APPROVER), person responsible for approving access requests from users under its responsibility. It must also assess the risks arising from the requests for access being approved and make it aware that it recognizes the legitimacy of the risk.
• KEY USER (KEY USER), person with functional knowledge of the business process. It also supports the definition of access profiles and validation of access restrictions, executing business scenarios with the purpose of validating that there is no interference (less or more access) to carry out business transactional activities. Request profile adjustments when necessary according to business requirements.

SAP has incorporated SAP Fiori’s modern design into its products so that users can enjoy a consistent experience from start to finish. SAP Fiori is part of the SAP platform solutions for Governance, Risk and Compliance (GRC), which includes the SAP GRC Access Control (SoDs access management and risk monitoring solution). With the use of SAP FIORI interfaces for GRC, the SoDs Access Management and Risk Monitoring processes increase their acceptance by employees due to an appealing and customized design tailored to each task.

Examples of FIORI Apps for SAP GRC Access Control

End User | Managers | Administrators | Reports

EXAMPLE OF GOOD PRACTICES FOR THE ACCESS CONTROL PROCESS
AND RISK MONITORING IN COMPANIES