Main Title Header Here

Transcription

1 Case Study: How The Coca-Cola Company Reduced Time and Effort Spent on User Access Reviews with an Automated Role Main Title Header Here and Security Clean-Up Process Subheader Description Kyleen Wissell The Coca-Cola Company

2 Value for The Coca-Cola System is driven by Consumer love for our brands Customer satisfaction Operating effectiveness and it is earned 1.7+ billion times a day with more than 3,500 products in over 200 countries April

3 In This Session We ll talk about what automation we leveraged in SAP GRC to build more efficient and effective risk management processes, and specifically how we analyzed the traditional manual efforts around reviewing and monitoring access assignments and determined certain predictive analytics and insights which could be derived for guiding our decisions To meet this objective, I will share certain foundational efforts we had to accomplish prior to improving the user access review processes

4 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

5 Background: Our Vision for Improving Access to Information Vision: Improve security processes by developing an efficient, sustainable approach for assigning and monitoring access to information systems by utilizing a risk-based approach, aligned with business processes Simple Rationalize the number of access roles Scalable Standardize processes driving inefficiencies and higher costs Sustainable Increase capabilities for governing

6 Clearly Outlined Problem What (Activity Roles) Where (Organizational Boundaries) Who Legacy 107 Roles/1,898 Update Transactions 109 Countries Hypothetical User Optimized 9 Total Roles/35 Update Transactions Global L.A. N.A. Pacific Europe Eurasia So What? Show how your User has access to transactions not used in previous 12 months to perform activities perhaps not under their control or responsibility area: Perform Physical Inventory Adjustment Perform MRP Maintenance Perform Cash Application Reminder of why we are doing this (the business case): Balance risk vs. cost consideration Promote greater productivity and efficiency Allow flexibility for future organizational change Enable standardization of processes Define activities once and reuse globally

7 Our Vision Improve security processes by developing an efficient, sustainable approach for assigning and monitoring access to information systems by utilizing a risk-based approach, aligned with business processes Legacy Final State Optimized +25,000 SAP Users with +15,000 Roles results in +8,500 hours annually controlling & monitoring access +25,000 Users with ~ 1,600 Roles results in increased visibility into who has access to what Simple Lack of standardization and manual processes cause inefficiencies and higher costs Lower costs due to standardization and automation, increased confidence in how we are managing risk Scalable Inefficient use of resources and lack of clarity between IT and Business ownership Reduced compliance inefficiencies, clear role sort, increased capabilities for growth and more efficient onboarding Sustainable Key Solution: Be willing to add up the costs associated with inefficiencies

8 What Did We Do? Changed Mindsets Standardized SAP security design and provisioning, initially across the Finance and Human Resources environments Increased business accountability for security access, and increased support for governance oversight Supported business process transformation by providing visibility into who/where associates are performing business activities and cleaning up non-job related access Automated, risk-based access reviews to reduce compliance activities and the associated cost Expanded risk monitoring across additional SAP environments Provided a foundation for role-based security and the path for reducing SAP professional licenses Identified Business Need Help from business leads to own and manage security risks Increased security controls capabilities, shifting focus of resources towards managing risk and away from security maintenance and detective monitoring methods Accept living in multiple system worlds until remaining SAP environments are incorporated Utilized a risk-based approach aligned with business processes and performed diagnostics to identify where efforts weren t returning an invested value, e.g., manual compliance Classified - Internal efforts use

9 Outline of the Benefits Obtain the Value Global security design enables associates to see and do more by design, not by mistake Access expanded to the Group level and a reduction in access unrelated to the job Global security design enables associates to be leveraged across geographies Enabling alignment of resources with strategic priorities Increasing flexibility of resources so that activities are not tied to physical location Enhanced transparency of access information (who is doing what) leveraged to: Provide intelligence to create more centers of excellence Hone strategic capabilities Increased opportunities to scale, which provide asset and execution efficiencies that increase shareholder value in the Coca-Cola System and preparedness for our strategic vision Security access risks are managed more efficiently and effectively Costs for maintaining security are reduced Implemented standardized processes support company growth and organizational flexibility without increasing the complexity of security access

10 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

11 Overview of the Role Design to Achieve Our Guiding Principles A user s access is made up of several small definable activities performed in SAP: Each activity is accessed via a single role, i.e., AP Invoice Processing Each activity is assigned to one of 4 distinct access levels which is risk-associated and data-classified, linked to the business process What they can do Common Display Organizational Boundary Update ACCESS DESIGN General Use Restricted Display Update Activity Update Activity Special Update Where they can do it Organizational Boundary Display LEVEL 1: General User Access WHAT NO RISK Activities common to all users, such as printing and inbox, are grouped together into a single role. This is given to every user. LEVEL 2: Display Access WHAT LOW RISK Activities which allow display and reporting only access are grouped by process area into a single role. These activities may be grouped at the process or sub-process level. One or more display roles can be given to a user and provide a display view that is common to all. LEVEL 3: Functional Access WHAT MEDIUM or HIGH RISK Activities which allow update access are grouped by sub-process area and divided into single roles for each part of a more granular activity performed. Profiles are used to provide the correct combination of roles required to complete each distinct activity. Info type and movement type restrictions are built into each role where appropriate. LEVEL 4: Locations WHERE MEDIUM RISK Access is given to a user at the Group level. One or more organizational boundary roles can be given to a user, to allow them to perform activities for multiple locations.

12 Final Rationalization Results Achieved 90% Reduction of Roles Human Resources 386 Roles What 71 Where 313 Specialty 0 Template 2 Internal Use 22 Confidential 67 Restricted 297 Highly Restricted 0 Finance 583 Roles What 371 Where 135 Specialty 70 Template 7 Internal Use 184 Confidential 253 Restricted 89 Highly Restricted Total Roles What 442 Where 448 Specialty 70 Template 9 Internal Use 206 Confidential 320 Restricted 386 Highly Restricted 57 Defining activities once and reusing globally reduces the number of required roles, unless transactions are configured to perform a different activity Role naming convention clearly identifies the purpose of the activity for transparency to the requester, approver, end user, and compliance partners Organizational boundary roles defined Classified at a higher - level Internal enable use the user to transact in multiple locations, which are groupings of company codes, plants, sales locations, etc.

13 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

14 Actors in the Newly Designed Provisioning Process User completes an Access request form in Sharepoint Security team enters GRC request and routes to Business Steward Business Steward reviews request & runs risk analysis prior to decision Role Approver reviews business justification and makes approval decision Access is provisioned and measured against a 3-day SLA Post Deployment Workflow: KEY DECISION: The approval process shifted from Manager Approval to Business Steward-centric approval. These resources have a combination of security and internal controls backgrounds and sit at the Group level. They have knowledge of whether mitigating controls can be applied or whether the risk should be remediated, e.g., access removed. We have assessed what additional capabilities needed to be developed and began having regularly scheduled User Group calls with Business Stewards and Role Approvers, leveraged to deliver training, provide status updates and discuss or raise issues and concerns. Given that we are developing a road map for role-based security provisioning, we felt a greater focus and a sustainable investment in building capabilities for stewarding access management, subsequently reducing investment and focus for seeking manager approvals and involvement in user access reviews The key win is delivering a standard approach that is flexible and faster, but controlled and consistent.

15 RACI Chart Developed for Access Initiators, Business Stewards, Role Approvers & Security Operations Task # Task Description Capability Example Requestor Access Initiator Business Steward Role Approver 1 Identify need for change in access Ability to identify what system and what process. A/R - C C C 2 Enter request for access Knowledge of how to enter a GAM request on the GAM SharePoint or through local request process RACI ASSIGNMENTS Security Operations* A/R C C C C 3 Analyze Access Request Form for completeness and validity; Identify GAM roles needed Ability to identify if request is a valid request. C A/R C C C 4 Enter and submit GRC access request in AC Knowledge and ability to copy a user's profile within the GRC tool. - A/R - - C 5 Run initial SOD/SA task of GAM roles requested. Document any adjustments. Understanding of business process user supports. C C A/R C C 6 Submit GRC Request in AC Submit GRC Request in AC I A/R - - C 7 Process request, perform risk analysis and mitigation. Knowledge and ability to initiate risk analysis. C C A/R C C 8 Submit GRC-AC request to Role Owner Submit GRC-AC request to Role Owner I - A/R C C 9 Process request and perform risk analysis Ability to initiate risk analysis. C - C A/R C 10 Submit AC Request for Provisioning Submit AC Request for Provisioning I - C A/R C 11 Administer SNC encryption Determine if SNC is required A/R 12 Submit AC Request for Provisioning Submit AC Request for Provisioning A/R Responsible Does the task Accountable Makes the decision Consults Provides input Inform Kept in the loop * Security Operations = Help Desk & SAP Security

16 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

17 Guiding Principles for Periodic Access Reviews Process terminations daily with an automated feed into GRC Lock inactive users daily after 90 days of inactivity Automatically remove a user s system ID after 180 days of inactivity This has put us on a path for reducing annual maintenance/licensing costs Automatically remove inactive roles from a user s profile after 120 days of inactivity Defined exceptions include infrequently used roles and use which doesn t generate analytics Radio frequency devices, year-end transactions and roles with only authorizations and objects (organizational boundary & specialty access) Trigger an access review when a user shows a job formally changes Trigger an access review for non-employee workers, users with access mitigated by compensating controls, highly restricted, or organizational boundary every 180 days Annually review role content and data classification Required the development of role narratives in GRC These automated activities have replaced certain manual quarterly access review processes, which weren t bringing the expected value. We found that analytics and triggers were the key to establishing the most effective review prompts.

18 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

19 Predictive Analytics We designed several automated reviews within GRC however we developed two inactivity reviews using predictive analytics Assumption: Roles without inactivity after a period of time can indicate lack of need or indicate a minor shift in responsibility Determined 120 days is a pretty good indicator, with some exceptions identified for infrequently used roles, such as expense reporting, purchase order approvals, etc. Assumption: System IDs without inactivity after a period of time can indicate system access is no longer required Determined 180 days is a pretty good indicator, with some exceptions identified

20 120-Day Role Inactivity Review Benefits Maintain an accurate baseline of access assignments adjusted by regular clean up and removal of access no longer required or not being used Data input towards standardizing profile assignments Leverage data analytics to drive decisions Risks and Mitigation Risk: Remove access that is used more infrequently Mitigation: Develop a list of exceptions and an initial validation process Mitigation: Consider an adjustment to the inactivity trigger, e.g., 120 to 130 days Risk: Remove access that doesn t register activity Mitigation: Adjust the exception process

21 Approach to Implementation of the Automated Process for Removing Roles for Inactivity Get comfortable with what the report from SAP GRC was showing us prior to moving the automated process into production Review users/roles not used in 120 days, targeted to be removed, and make decisions (accept/reject results) Assess whether any incidents occurred as a result of the removal and adjust the exception process, when necessary Review users/roles which were excepted from the process in order to validate results Review available reporting within GRC to develop a communication of results Develop a timeline for moving to the automated process expected to run nightly in GRC, without manual intervention Encountered Defects During Testing The GRC user action interface did not collect 100% of transactional activity from each target environment, which SAP subsequently resolved

22 Observations from the Initial 120-Day Review Initial Inactivity Review Produced Lots of access recommended for removal from executives, senior leadership, and contractors Lots of access removed from employees who had been with the company for a long time (years of travelling from job to job) Some clean up of migration mistakes when users moved to the newly designed roles Approach to cloning access of users is apparent (absent a process for assigning standardized profiles) Lessons learned: Need to review what was excepted where there was never any use and additionally evaluate if it would have been removed anyway for 180-day

23 180-Day System Inactivity Review Benefits Maintain an accurate baseline of legitimate system users Data input towards standardizing profile assignments Reduce costs of maintenance licensing, especially by categorizing types of users, e.g., display versus transactional or power user Risks and Mitigation Risk: Remove system ID from legitimate user who is somehow not generating a last logon date Mitigation: Develop a list of exceptions Mitigation: Consider an adjustment to the inactivity trigger, e.g., more than 180 days

24 Approach to Implementation of the Automated Process for Removing System IDs for Inactivity Get comfortable with what the report from SAP GRC was showing us prior to moving the automated process into production Review users showing a last log-on date longer than 180 days, targeted to be removed, and make decisions (accept/reject results) Assess whether any incidents occurred as a result of the removal and adjust the exception process, when necessary We identified certain activities which were occurring through the Web/ portal or a hand-held device which didn t generate a last log-on date which drove us to change the exception logic to the program Review available reporting within GRC to develop a communication of results Develop a timeline for moving to the automated process expected to run nightly in GRC Encountered Defects During Testing None

25 Observations from the Initial 180-Day Review Initial Inactivity Review produced: Lots of system IDs targeting removal from executives, senior leadership, and contractors Many inactive users had an account only for travel expense purposes and often they have an assistant who is authorized to raise reports on their behalf System IDs for non-employee workers

26 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

27 Role Narratives Aid Control Sustainability What was the mission? Actors in the access assignment process and business owners do not always understand the content and purpose of access roles. Our mission was to develop role narratives which explain the purpose of the access granted, including the level of approval required, the primary business users and risk posed, identification of known conflicts and provide the ability display the technical content, such as transaction codes, company codes and data classification. What was the objective? The objective is to support accurate assignments of privileges based upon user job requirements, reduce the number of provisioning requests rejected or miss assigned, aid role owners with the ability to reaffirm role content periodically, and business stewards and custodians who periodically review access assignments. Aid better risk management. What were the benefits? Reduced turn-around for access initiators to process a GRC access request, and resolving follow up to clarify or correct requests. Reduce error rate for correcting assignment mistakes and resubmission for role approver rejections. Standardize information for performing user access reviews and onboarding new role or business owners. 27

28 Role Narrative Example Workbook: This is an example of a completed Role Narrative with the columns highlighted in yellow. Business Role Name Technical Role Name Business Primary Users Position Description Purpose of the Access Risk Known Conflicts RTR: FI P&L and Balance Sheet Reporting P08:S:RTR:FI:PL_BAL_SHEET_REP Finance Finance users performing end of the period type activities or those with responsibilities for top line analysis Role allows a user to view a quantitative summary of a company's financial condition at a specific point in time, including assets, liabilities and net worth. The first part of a balance sheet shows all the productive assets the company owns, and the second part shows all the financing methods (such as liabilities and shareholders' equity) Medium Often mistaken with FI Common Display role needed to perform most of the basic RTR activities, such as account reconciliation. Dependent Roles Alternate Roles None P08:S:RTR:FI:FI_COMMON_DSP Subject Matter Expert(s) Miguel Gonzalez and Debbie Bryan-Hall T-Codes S_ALR_ G/L Account Balances Additional Information (Optional) Description - The G/L account balance list shows the following monthly figures: Balance carried forward at the beginning of the fiscal year; Total of the period or periods carried forward; Debit total of the reporting period; Credit total of the reporting period; Debit balances or credit balances at the close of the reporting period (optional); With the Balances in Foreign Currency option, the first five fields are available in the accounts as well as in local currency At the end of the list, the system displays the following information per local currency: Totals per company code; Closing total of all company codes Output and Sorting - The sorting method and summarizations can be determined using ALV. The parameter Group Version controls output in the batch header and the default sorting method. Program Called: RFSSLD00- More output control Program Called - RFSSLD00 - Less output 28

29 What We ll Cover Background: Our vision for improving access to information An overview of the security design leveraged to achieve guiding principles The process we designed for provisioning SAP entitlements What key decision we made which changed the actor responsible for participating in the approval process The guiding principles behind more effective user access reviews Which activity reviews were automated and how predictive analytics leveraged Role Narratives The key for maintaining improvements in access controls Wrap-up

30 Wrap-Up Reporting of Results to Management Developed reporting routines to communicate periodically How many roles were removed? How many roles removed which were never used? What was the risk addressed? Where? Initial cleanups produces the most results Next steps in also include Planning for progressing standardized profile assignments Discussions are also taking place to evaluate IF we had additional predictive analytics, how could we leverage similar activities What access doesn t generate usage, e.g., authorizations and objects which aren t grouped with transactions and Web and portal activity not generating log-on insight

31 7 Key Points to Take Home 1. Intuitive and improved user access reviews are best accomplished with simplified role design and business rules for rationalization of roles 2. Global, standardized GRC user provisioning workflow for access assignments coupled with accurate assignment is a best practice 3. Appropriate user access assessments and approvals with access changes to be reflected for inactivity to support managed risk 4. Automated activities have replaced prior manual quarterly access review processes, which weren t bringing the expected value. We found that analytics and data triggers were the key to establishing the most effective review prompts. 5. Narratives are also key building blocks for sustaining improvements made in access controls 6. Surprise improvement in management of user licensing costs by getting more granular with access assignments 7. The key win is delivering a standard approach that is flexible and faster, but controlled

32 Your Turn! Questions? How to contact me: Kyleen Wissell