on 2014 Jan 14 9:58 PM
Dear Expert,
This is my first post here at SCN.
Our company recently implemented SAP 6.0, moving over from AS400. After almost a year of settling down, I'm starting to look at GRC monitoring and our SOD controls because we will be subject to audit by year end.
Would any of you please let me know what the best solution is to implement GRC/SOD? What kind of software do I need, and what are the requirements?
Thanks
MV
Hi Minh
I'm not sure if you are asking about product selections (i.e. different vendors) or which SAP GRC component to use. This community is mostly about the SAP GRC Suite of Products.
If you are looking at what to use in GRC then have a read up on SAP GRC Access Controls. The key area would be to look at Risk Analysis and Remediation. However, if you have audit looking at segregation of duties, your Support Access will probably get red flags for too much, and as a result you then may need to implement Emergency Access Management (known as Firefighter).
If you have marketplace access you can go in and look at the installation guides that provide the technical requirements. You can also search this community for questions in that area too.
Regards
Colleen
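To show why a broad support role "gets red flags" in Risk Analysis, here is an added example (not from this thread and not SAP's own code) of the basic segregation-of-duties check that a risk ruleset expresses: functions are sets of transactions, a risk is a pair of functions one user must not hold together, and a mitigating control suppresses a known, accepted conflict. Role names, user IDs and the risk IDs are constructed sample data.

```python
# Minimal model of an SoD risk analysis over user -> role -> transaction assignments.
# All roles, users and risk IDs below are constructed for this example.

# A business function is identified by the transactions that perform it.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"FK01", "FK02"},  # create/change vendor master data
    "PAYMENT_RUN":     {"F110"},          # execute the automatic payment run
    "USER_ADMIN":      {"SU01", "PFCG"},  # maintain users and roles
    "POST_JOURNAL":    {"FB01", "FB50"},  # post financial documents
}

# A risk is a pair of functions that a single user should not hold together.
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "PAYMENT_RUN"),  # create a vendor, then pay it
    "B001": ("USER_ADMIN", "POST_JOURNAL"),      # grant yourself access, then post
}

# Constructed sample role definitions and user assignments.
ROLE_TCODES = {
    "Z_AP_CLERK":    {"FK01", "FB01"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_SUPPORT_ALL": {"FK01", "FK02", "F110", "SU01", "PFCG", "FB01", "FB50"},
}
USER_ROLES = {
    "SUPPORT01": ["Z_SUPPORT_ALL"],               # typical wide support access
    "AP_CLERK":  ["Z_AP_CLERK"],
    "AP_PAY":    ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
}

def transactions_for_user(user, user_roles, role_tcodes):
    """All transactions reachable through the roles assigned to the user."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, [])))

def functions_for_user(user_tcodes):
    """Functions the user can perform: any function with at least one reachable tcode."""
    return {f for f, tcodes in FUNCTIONS.items() if tcodes & user_tcodes}

def analyze(user_roles, role_tcodes, mitigated=()):
    """Return {user: [risk_id, ...]} for every user holding both sides of a risk.
    `mitigated` is a set of (user, risk_id) pairs covered by a mitigating control."""
    findings = {}
    for user in user_roles:
        funcs = functions_for_user(transactions_for_user(user, user_roles, role_tcodes))
        hits = [rid for rid, (a, b) in RISKS.items()
                if a in funcs and b in funcs and (user, rid) not in mitigated]
        if hits:
            findings[user] = sorted(hits)
    return findings

if __name__ == "__main__":
    print(analyze(USER_ROLES, ROLE_TCODES))  # support user trips both risks
```

Running it reports P001 and B001 for the support user and P001 for AP_PAY; passing `mitigated={("AP_PAY", "P001")}` documents that conflict as an accepted, controlled risk instead of a finding.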
Hello Colleen,
Thank you for your answer.
Yes, I'm looking for GRC Access Controls. What is the process to implement it? Do I need to get a consultant for this GRC implementation or can I do it myself? Can I do the GRC implementation in the test system first to get hands-on experience before moving it to production, or just do it directly in production?
As of now, all the roles we have are a little messy and require a clean-up. What is your recommendation: redesign/build completely new roles or modify the existing ones? What is the best practice guide to build new roles?
Yes, I do have a "Firefighter" role that I assign to developers as needed (I remove it after they are done). What is the transaction to run the logs of EVERYTHING that they did during the Firefighter period?
(SM20 does not meet our requirement as it only shows the transactions the user started.)
Regards,
MV
Hi MV
Do I need to get a consultant for this GRC implementation or can I do it myself?
I can't answer this one for you as I do not know you or your company. I think the best way you can answer this is:
Can I do the GRC implementation in the test system first to get hands-on experience before moving it to production, or just do it directly in production?
Alarm bells are now ringing, especially when our motivation is to appease audit? Treat this as you would any other IT system project: appropriate change control as well as development, testing and implementation to Production.
As of now, all the roles we have are a little messy and require a clean-up. What is your recommendation?
Sorry, can't help you here without seeing your system. However, if this is what you claim, I suspect implementing GRC will call out a major security cleanup which may result in complete redesign. Again, does your site have the expertise to do this?
What is the best practice guide to build new roles?
There's a heap of material out there and the SCN Security community is quite large with a bunch of material and debates on this topic. Having a strategy, design and someone with know-how is usually the first place to start.
I do have a "Firefighter" role that I assign to developers as needed
GRC EAM resolves this issue and captures additional logging beyond SM20.
What is the process to implement it?
Now you're starting to ask for consultancy advice, and I suspect you may need to consider the options if you do not have in-house capabilities.
Sorry if this seems a bit harsh. It sounds like you are truly trying to think this through and do what's best. My only other question to you is what training have you had on SAP? Have you (or someone in your company) attended the ADM940 course for SAP Authorisations? If you are going to get GRC AC then book yourself on the GRC300 course as well.
My last comment in this post to you: don't underestimate GRC and treat it as a tool to appease the auditors. Implementing the tool is not the only part; you need to consider how you remediate and mitigate risk and how to keep your system clean. The tool only helps you so far and the rest is process and culture.
Let us know if you have any other questions.
Regards
Colleen
Colleen, thanks again for your quick reply.
Let me introduce myself (I should do this one first) and my company.
We had an SAP team from Japan that did all the work like building/configuring & migrating data from AS400 to SAP, and they will continue to support us for another year before they take off.
Here is our SAP team: We have hired 2 new SAP programmers to handle day-to-day issues. Myself as SAP
My background is 15+ years of experience in IT networking. I have been doing a small part of SAP Basis for the last 8 months, such as building new roles, creating new users, assigning roles, monitoring SAP performance, shutting down and booting up the SAP server, and scheduling JP1 jobs.
Our SAP system contains 270 users and we don't use Netweaver.
I'm planning to take some Basis and Security classes. Any course/class that you recommend for a new person like me? Are those courses/classes online or in-person?
Regards,
MV
Hi MV
Glad to hear you are looking at training.
I recommend you go to the SAP Training and Education site to look at available courses. I can't really comment on Basis as Security/GRC is my background.
Security course ADM940 will cover the SU01/PFCG/SU25/SU24 transactions and the authorisation concept (check out http://scn.sap.com/community/security for further advice from the SCN security community).
GRC Access Controls is course code GRC300.
In addition, there are other courses depending on what you need to learn. Delivery methods and cost will depend on your location so you'll have to discuss with SAP (sorry I don't work for them). They do have classroom and online delivery depending on the course.
Regards
Colleen