Session @ GRC Conference 2015: Achieving collaborative GRC accountability: The power of successful communication between the business and IT

Who else is already excited for GRC 2015 in Las Vegas? I am already counting down the days! This year is going to be especially thrilling for me as I’ve been chosen as a speaker for one of the conference sessions. Read my abstract below and stay tuned for more information!

Achieving Collaborative GRC Accountability:

The Power of Successful Communication Between the Business and IT

This session will highlight the importance of collaboration between the business and IT within the realm of SAP Access Control, SAP Process Control, and SAP Risk Management and provide a better understanding of the communication opportunities within GRC. During this session:
• Learn what steps you can take to eliminate common fractures such as overlapping responsibilities, processes and systems, as well as gaps or other inefficiencies from your GRC processes

• Develop a deeper understanding of the key stakeholders and contributors as part of GRC, including who participates and at what stages, why they participate, and how they perform these tasks

• Walk through common instances of separation of powers within GRC and key examples of how collaboration drives checks and balances within the system

Tips and Tricks for GRC 10.1 Access Risk Analysis : Copying and Updating the GLOBAL Rule-Set

Hi all,

I know it’s been a while! I wanted to key everyone in on my first trick for your GRC Access Control 10.1 Implementation and this one is all about Access Risk Analysis.

Before you implement ARA, it’s best to create a separate connector and connector group for each system. This will allow you to have different role owners across systems and associate risks to different systems as well. Long-term, it will make your GRC maintenance much more manageable.

After completing post-install steps and ARA configuration steps, the generic GLOBAL rule-set will automatically be associated with sap connector group R3. However, you will most likely need to do rule-set updates to massage the generic rule-set a bit and account for any custom transactions, customs critcal actions, critical permissions and critical roles and profiles.

My recommendation is to copy the GLOBAL rule-set by downloading it and re-naming it (the below link is the one I found the most useful for instructions on how to do this). When you download the GLOBAL rule-set you can also make additions and modifications that are befitting to your business. By doing this you can freely make changes while still maintaining the integrity of the SAP standard to refer back to. Multiple custom rule-sets can be created to serve various purposes. Once the rule-set name has been changed and necessary changes have been completed, you can upload the custom rule-set to your system specific connectors via the same too (again refer to the link below).

Downloading and Uploading GRC Access Control Rule-Set Valuable Link

A few additional notes on the issues I found with the SAP generic GLOBAL rule-set:

1. Many transactions do not have account types activated, so false positives can occur unless they are activated if you have your roles broken up by customer, vendor, G/L and Asset account types.

2. Some of the activity types are not set up correctly in the functions. Many activies are set as “1” for instance instead of “01”, 2 instead of “02”, etc. etc. You will get false negatives (THE WORST KIND) if you don’t fix this when uploading the custom version of your rule-set.

2 Go-Lives in 2 weeks.


Your Happy Sleep-Deprived Security & GRC Consultant