
GRC monitor / SOD control

Former Member

Dear Expert,

This is my first post here at SCN.

Our company recently migrated to SAP 6.0 from AS400.  After almost a year of settling down, I'm starting to look at GRC monitoring and our SOD control because we will be subject to an audit by year end.

Would any of you please let me know what the best solution to implement GRC/SOD is?  What kind of software do I need, and what are the requirements?

Thanks

MV


Answers (1)


Colleen
Advisor

Hi Minh

I'm not sure if you are asking about product selections (i.e. different vendors) or which SAP GRC component to use. This community is mostly about the SAP GRC Suite of Products.

If you are looking at what to use in GRC then have a read up on SAP GRC Access Controls. The key area would be to look at Risk Analysis and Remediation. However, if you have auditors looking at segregation of duties, your Support Access will probably get red flags for too much access, and as a result you may then need to implement Emergency Access Management (known as Firefighter).

If you have marketplace access you can go in and look at the installation guides that provide the technical requirements. You can also search this community for questions in that area too.

Regards

Colleen
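As an added illustration of what the Risk Analysis described above checks (this is not SAP's code nor the poster's; the functions, risks, roles and transaction codes are a constructed sample ruleset), a user's roles are resolved to transaction codes, those to business functions, and any risk whose two conflicting functions are both held and not covered by a mitigating control is reported. It also shows why a broad support role lights up most of a ruleset.

```python
# Added illustration (not SAP code): a minimal segregation-of-duties (SoD)
# risk analysis of the kind GRC Access Control's Risk Analysis performs.
# All ruleset, role and user data below is a constructed sample.

# Business function -> the actions (transaction codes) that realise it.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02"},
    "INVOICE_POST": {"MIRO", "FB60"},
    "PAYMENT_RUN":  {"F110"},
    "USER_ADMIN":   {"SU01", "PFCG"},
}

# Risk id -> pair of functions that one person must not hold together.
RISKS = {
    "P001": ("VENDOR_MAINT", "INVOICE_POST"),
    "P002": ("INVOICE_POST", "PAYMENT_RUN"),
    "B001": ("USER_ADMIN", "PAYMENT_RUN"),
}

# Role -> transaction codes it grants (constructed sample roles).
ROLES = {
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    # A typical "support" role: a bit of everything, hence many conflicts.
    "Z_SUPPORT_ALL": {"XK02", "MIRO", "F110", "SU01", "PFCG"},
}


def functions_held(tcodes):
    """Return the business functions a set of transaction codes enables."""
    return {f for f, acts in FUNCTIONS.items() if acts & tcodes}


def analyse_user(roles, mitigated=()):
    """Return {risk_id: [function, function]} for unmitigated SoD violations.

    `mitigated` lists risk ids that a mitigating control already covers for
    this user; those are reported as accepted rather than as violations.
    """
    tcodes = set().union(*(ROLES[r] for r in roles))
    held = functions_held(tcodes)
    violations = {}
    for risk_id, (f1, f2) in RISKS.items():
        if f1 in held and f2 in held and risk_id not in mitigated:
            violations[risk_id] = [f1, f2]
    return violations


def contributing_roles(roles, function):
    """Remediation aid: which of the user's roles grant `function`."""
    return sorted(r for r in roles if ROLES[r] & FUNCTIONS[function])
```

Remediation means removing one side of each conflict (see `contributing_roles`); where the business cannot split the duties, a mitigating control is recorded and the risk is accepted rather than hidden.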

Former Member

Hello Colleen,

Thank you for your answer.

Yes, I'm looking at GRC Access Controls.  What is the process to implement it?  Do I need to get a consultant for this GRC implementation or can I do it myself?  Can I do the GRC implementation in the test system first to get a hand on it before moving it to production, or just do it directly in production?

As of now all the roles we have are a little messy and require a clean-up. What is your recommendation: redesign/build completely new roles or modify the existing ones?  What is the best practice guide to build new roles?

Yes, I do have a "Firefighter" role that will be assigned to developers as needed (I will remove it after they are done).  What is the transaction to run the logs of EVERYTHING that they did during the Firefighter period?

(SM20 does not meet our requirement as it only shows the transactions the user started.)

Regards,

MV

Colleen
Advisor

Hi MV


Do I need to get a consultant for this GRC implementation or can I do it myself?

I can't answer this one for you as I do not know you or your company. I think the best way you can answer this is:

  • Do you know what GRC AC is?
  • Do you have a skilled SAP Security and Basis resources on site that are capable of doing this project?
  • Do you have someone with Internal Controls knowledge as well as people who know business process and risk that can identify what SoD rules are required?
  • Did your company engage people to move you to SAP?
  • What are the size and organisational complexity of your company as well as the functionality you are using in SAP? 100 users vs 100,000 users is quite a difference in approach and needs.


Can I do the GRC implementation in the test system first to get a hand on it before moving it to production, or just do it directly in production?

Alarm bells are now ringing, especially when the motivation is to appease audit. Treat this as you would any other IT system project: appropriate change control as well as development, testing and implementation to Production.


As of now all the roles we have are a little messy and require a clean-up. What is your recommendation?

Sorry, can't help you here without seeing your system. However, if this is what you claim, I suspect implementing GRC will call out a major security clean-up which may result in a complete redesign. Again, does your site have the expertise to do this?


What is the best practice guide to build new roles?

There's a heap of material out there and the SCN Security community is quite large, with a bunch of material and debates on this topic. Having a strategy, a design and someone with know-how is usually the first place to start.


I do have a "Firefighter" role that will be assigned to developers as needed

GRC EAM resolves this issue and captures additional logging beyond SM20.


What is the process to implement it?

Now you're starting to ask for consultancy advice, and I suspect you may need to consider the options if you do not have in-house capabilities.

Sorry if this seems a bit harsh. It sounds like you are truly trying to think this through and do what's best. My only other question to you is what training have you had on SAP? Have you (or someone in your company) attended the ADM940 course for SAP Authorisations? If you are going to get GRC AC then book yourself on the GRC300 course as well.

My last comment in this post to you: don't underestimate GRC and treat it as a tool to appease the auditors. Implementing the tool is not the only part; you need to consider how you remediate and mitigate risk and how to keep your system clean. The tool only helps you so far and the rest is process and culture.

Let us know if you have any other questions.

Regards

Colleen

Former Member

Colleen, thanks again for your quick reply.

Let me introduce myself (I should do this one first) and my company.

We had an SAP team from Japan that did all the work like building/configuring & migrating data from AS400 to SAP, and they will continue to support us for another year before taking off.

Here is our SAP team:  We have hired 2 new SAP programmers to handle day-to-day issues.  Myself as SAP

My background is 15+ years of experience in IT networking.  I have been doing a small part of SAP Basis for the last 8 months, such as building new roles, creating new users, assigning roles, monitoring SAP performance, shutting down and booting up the SAP server, scheduling JP1 jobs....

Our SAP system contains 270 users and we don't use NetWeaver.

I'm planning to take some BASIS and Security classes. Are there any courses/classes that you recommend for a new person like me?  Are those courses/classes online or in-person?

Regards,

MV

Colleen
Advisor

Hi MV

Glad to hear you are looking at training.

I recommend you go to the SAP Training and Education site to look at available courses. I can't really comment on Basis as Security/GRC is my background.

The Security course ADM940 will cover the SU01/PFCG/SU25/SU24 transactions and the authorisation concept (check out http://scn.sap.com/community/security for further advice from the SCN security community).

GRC Access Controls is course code GRC300.

In addition, there are other courses depending on what you need to learn. Delivery methods and cost will depend on your location so you'll have to discuss with SAP (sorry I don't work for them). They do have classroom and online delivery depending on the course.

Regards

Colleen