SEC302 Umoja Security GRC Analysis, Version 8


1 SEC302 Umoja Security GRC Analysis, Version 8
Last Modified: 16-August-13
Copyright United Nations

2 Agenda
- Course Introduction
- Module 1: User Access Risk Analysis Overview
- Module 2: User Access Risk Analysis for Existing Users
- Module 3: User Access Risk Analysis for a New User Request
- Module 4: User Access Risk Analysis for Users Who Require Enterprise Role Changes
- Module 5: Access Requests Without and With SoD Risks
- Module 6: Mitigating SoD Risks
- Course Summary
- Course Assessment
- Course Survey

3 Introduction
Please share with us:
- Your Name
- Your Section/Unit
- Number of Years with the UN
- Interesting Fact About Yourself

4 Ground Rules
Please consider the following guidelines during the training session:
- Turn your cell phone to silent mode. Please step out of the class to take any important phone call
- Please do not access your e-mail or the Internet outside of breaks
- Participate fully in the training session and respect each other's contribution
- Breaks are included at the discretion of the trainer

5 Course Overview
The purpose of the Umoja Security Administration in GRC course is to explain how checks for Segregation of Duties (SoD) and other authorization activities are performed at the UN.
Prerequisite Review: You should have completed the following prerequisite courses:
- Umoja Overview
- Umoja Master Data & Coding Block Overview
Course Duration: 3 hours

6 Course Objectives
After completing this course, you will be able to:
- List the key roles and responsibilities involved in security administration in GRC
- Explain User Access Risk Analysis
- Perform User Access Risk Analysis for existing Umoja end users
- Perform User Access Risk Analysis for new Umoja end users
- Perform User Access Risk Analysis for Umoja end users who require Enterprise role changes
- Describe the steps to access requests without and with Segregation of Duties (SoD) risks
- Mitigate SoD risks for Umoja end users

8 Module 1 Objectives
After completing this module, you will be able to:
- Identify the GRC components
- Explain the SoD principle
- List the GRC risks
- Explain User Access Risk Analysis

9 Key Terminology
- Governance, Risk and Compliance (GRC): A tool in Umoja referenced to validate segregation of duties and overall risk mitigation activities for Umoja applications
- Identity Management (IdM): A tool utilized to manage user provisioning for Umoja applications
- Risk: The possibility of a potential fraudulent activity. In Umoja, a risk is enabled when two or more actions or permissions are available to a single user
- ineed: A tool used to request access to Umoja tools and applications. This request is routed to the Supervisor for review and approval
- Segregation of Duties (SoD): A security principle that requires more than one person to complete a process. This ensures that processes that pose opportunities for fraudulent activity are not performed in the system (Umoja) by one person from beginning to end
- International Public Sector Accounting Standards (IPSAS): A set of accounting standards used by public sector entities around the world to prepare financial statements

10 Roles & Responsibilities
The following Umoja Enterprise roles are involved in security administration in GRC:
- User Access Mapper: Executes risk analysis in GRC; submits the request for an Enterprise role assignment
- Compliance Officer: Reviews and approves the request for assigning an Enterprise role

11 GRC Components
Umoja GRC has the following two components:
Access Risk Analysis (formerly known as Risk Analysis and Remediation) contains the following elements:
- Ruleset Maintenance
- Approval Process for Functions
- Audit Trail Tracking
- New Risk Analysis Framework
- Shared Master Data
- System Specific Mitigation
- Mass Mitigation
Emergency Access Management (formerly known as Super User Privilege Management) contains the following elements:
- Plan for Emergency Access
- Monitor Emergency Access
- Centralized Firefighting

12 Segregation Of Duties (SoD)
As per the SoD principle, processes that pose opportunities for fraudulent activity should not be performed by one person from beginning to end in the Umoja system. The SoD principle ensures appropriate system authorizations for a specific business process. This is done by disseminating tasks and associated privileges across multiple users.
[Diagram: Role A (Creates Document) is assigned to User A; Role B (Reviews and Approves Document) is assigned to User B]

13 Segregation Of Duties (SoD) - Example
Suppose, in UNIFIL, the same individual is assigned the Umoja Enterprise roles of Requisitioner and Approver within the SRM portal. Effectively, they would be able to create and approve shopping carts. This would be a segregation of duties conflict.
[Diagram: Role A (Creates Document) and Role B (Reviews and Approves Document) are both assigned to User A]

14 SoD Risks: Examples
Examples of high SoD risks are as follows:
- Authority to create and approve the same financial document
- Authority to create new vendors and approve payments

15 SoD Non-compliance
Non-compliance with the SoD principle can result in the following:
- Misstatement of financials
- Improper use of funds
- Inability to properly review and record transactions to meet IPSAS requirements

16 GRC Risks
GRC risks are defined by mutually exclusive functions and are established on the basis of the if-then principle.
Examples of the if-then principle:
- If an employee has authorization to create a Vendor Master Record and approve the payment of the vendor invoice, then this is a GRC risk.
- If an employee has authorization to create a Funds Commitment and approve it, then this is a GRC risk.

17 GRC Risks: Example
The graphic below illustrates an example of a high GRC risk. Role A maintains the Purchase Order (PO) and Role B approves the PO. If Role A and Role B are assigned to the same end user, then it will result in a high GRC risk.
[Diagram: System Access Role A (Maintain PO) and System Access Role B (Approve PO); assignment of Role A and Role B to the same End User will result in a GRC risk]

18 User Access Risk Analysis
User Access Risk Analysis is a comprehensive check that ensures that an Umoja end user's Enterprise role assignments do not lead to non-compliance with the SoD principle. User Access Risk Analysis is performed when there is an incoming ineed request for an Umoja Enterprise role addition or modification. An Umoja Enterprise role addition or modification is requested when:
- One or more Umoja Enterprise roles are assigned to an Umoja end user (User Level Simulation)
- Additional Umoja Enterprise roles are assigned to a current Umoja end user (User Level Simulation)
- The content of the Enterprise role changes due to technical and/or policy mandates (Role Level Simulation)

19 User Access Risk Analysis: User Level Simulation
There are two methods of conducting GRC Risk Analyses for Umoja Enterprise roles. User Level Simulation is used when the individual in question is already an Umoja end user. Ideally, this simulation evaluates the what-if scenario for any Umoja end user obtaining new roles or changing roles.
Request type (simulation method) and what is analysed:
- One or more Umoja Enterprise roles are assigned to an Umoja end user (User Level Simulation): risk analysis is performed on current Umoja users
- Additional Umoja Enterprise roles are assigned to a current Umoja end user (User Level Simulation): risk analysis is performed on current Umoja users requiring additional Umoja Enterprise roles
- The content of the Enterprise role changes due to technical and/or policy mandates (Role Level Simulation): risk analysis is performed on current Umoja users requiring a change in Umoja Enterprise roles

20 User Access Risk Analysis: Role Level Simulation
Role Level Simulation is used when the individual in question is not an Umoja end user. Ideally, this simulation evaluates the what-if scenario for a new Umoja end user, or to confirm the GRC risks of combining (altering) two or more Umoja Enterprise roles.
[The slide repeats the request type / simulation method table shown on slide 19.]
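The if-then risk rules (slide 16) and the two simulation methods (slides 19 and 20), as an added worked example in Python; this is illustration code written for this page, not Umoja code and not SAP GRC's API, and every role, function, risk and mitigating control identifier in it is a constructed sample value.

```python
"""Toy segregation-of-duties (SoD) check modelled on the GRC analysis the
slides describe: risks are if-then rules over mutually exclusive functions,
Enterprise roles grant functions, and a risk fires when one user (or one
proposed role set) holds every function of that risk.  Illustration only,
not UN/Umoja or SAP GRC code; all identifiers are constructed samples."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Enterprise roles -> business functions they grant (constructed sample data).
# Per the slides, each single Enterprise role is free of internal SoD risk.
ROLE_FUNCTIONS = {
    "REQUISITIONER": {"SC_CREATE"},
    "SC_APPROVER": {"SC_APPROVE"},
    "VENDOR_MAINTAINER": {"VENDOR_CREATE"},
    "AP_APPROVER": {"INVOICE_APPROVE"},
    "FC_CREATOR": {"FC_CREATE"},
    "FC_APPROVER": {"FC_APPROVE"},
    "PO_MAINTAINER": {"PO_MAINTAIN"},
    "PO_APPROVER": {"PO_APPROVE"},
    "BUDGET_OFFICER": {"FC_APPROVE", "FC_DISPLAY"},  # a second route to FC_APPROVE
}

@dataclass(frozen=True)
class Risk:
    risk_id: str           # Access Risk ID (constructed)
    level: str             # pre-defined risk level
    description: str
    functions: frozenset   # IF a user holds all of these, THEN the risk exists

# The if-then rules from the slides' examples, as data.
RISKS = [
    Risk("R001", "High", "Create and approve the same shopping cart",
         frozenset({"SC_CREATE", "SC_APPROVE"})),
    Risk("R002", "High", "Create vendor master record and approve vendor invoice",
         frozenset({"VENDOR_CREATE", "INVOICE_APPROVE"})),
    Risk("R003", "High", "Create and approve a funds commitment",
         frozenset({"FC_CREATE", "FC_APPROVE"})),
    Risk("R004", "High", "Maintain and approve the same purchase order",
         frozenset({"PO_MAINTAIN", "PO_APPROVE"})),
]

@dataclass(frozen=True)
class Finding:
    risk_id: str
    level: str
    roles: tuple                         # minimal role combination that triggers the risk
    introduced_by_request: bool = True   # False if the user already carried this conflict
    mitigated_by: Optional[str] = None   # mitigating control ID assigned for this risk, if any

def functions_of(roles):
    fns = set()
    for r in roles:
        fns |= ROLE_FUNCTIONS[r]   # unknown role -> KeyError; never silently ignored
    return fns

def analyse_roles(roles):
    """Role Level Simulation: check a role set with no user context.
    Returns one Finding per risk per minimal triggering role combination,
    i.e. the detail lines of the Business View."""
    roles = sorted(set(roles))
    findings = []
    for risk in RISKS:
        hits = []
        for k in range(1, len(risk.functions) + 1):
            for combo in combinations(roles, k):
                if any(set(h) <= set(combo) for h in hits):
                    continue           # a smaller combination already covers this risk
                if functions_of(combo) >= risk.functions:
                    hits.append(combo)
        findings.extend(Finding(risk.risk_id, risk.level, c) for c in hits)
    return findings

def simulate_user(current_roles, proposed_roles, mitigations=None):
    """User Level Simulation: the user's current roles plus the requested ones.
    Flags which conflicts the request would introduce versus those already
    present, and marks risks already covered by an assigned mitigating control."""
    mitigations = mitigations or {}   # {risk_id: mitigating control ID} for this user
    existing = {(f.risk_id, f.roles) for f in analyse_roles(current_roles)}
    result = []
    for f in analyse_roles(set(current_roles) | set(proposed_roles)):
        result.append(Finding(f.risk_id, f.level, f.roles,
                              introduced_by_request=(f.risk_id, f.roles) not in existing,
                              mitigated_by=mitigations.get(f.risk_id)))
    return result

def executive_summary(findings):
    """Group findings by Access Risk ID, as the Executive Summary format does."""
    summary = {}
    for f in findings:
        summary.setdefault(f.risk_id, []).append(f.roles)
    return {rid: sorted(combos) for rid, combos in sorted(summary.items())}

if __name__ == "__main__":
    # Slide 13 scenario: Requisitioner and Approver held by the same individual.
    for finding in simulate_user(["REQUISITIONER"], ["SC_APPROVER"]):
        print(finding)
```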

21 User Access Risk Analysis
After User Access Risk Analysis is performed, the result displays whether or not there are SoD conflicts. In both cases, the approval for the updated role assignments is directed to the Compliance Officer for final review and sign-off. After the Compliance Officer carries out the required steps to approve the request in IdM, the requested addition/modification to the Umoja Enterprise role is automatically completed.
[Diagram: both outcomes, No SoD Conflict and SoD Conflict, lead to IdM, where the Compliance Officer approves the Umoja Enterprise role assignment]
Note: The Compliance Officer performs the review and approval steps in Umoja IdM and not Umoja GRC.

22 Touch Points
The Umoja system is an integrated system and most of its modules integrate with each other to complete a process. Touch points refer to these integration points across Umoja modules, processes and activities.
- IdM: Utilized to provide access to Umoja tools and applications
- GRC: Utilized to conduct risk analysis on Umoja end users and their assigned Umoja Enterprise roles

24 Learning Checkpoint 1
______ is used when the individual in question is already an Umoja end user. Fill in the blank with the correct option.
A. User Level Simulation
B. Role Level Simulation
C. Process Level Simulation
Option A is the correct answer. User Level Simulation is used when the individual in question is already an Umoja end user.

26 Learning Checkpoint 2
In which of the following systems does the Compliance Officer perform the review and approval steps? Select the correct option.
A. Umoja SRM
B. Umoja GRC
C. Umoja IdM
D. Umoja BI
Option C is the correct answer. The Compliance Officer performs the review and approval steps in Umoja IdM.

27 Module 1 Summary
The key points covered in this module are:
- There are two GRC components: Access Risk Analysis and Emergency Access Management
- The SoD principle ensures appropriate system authorizations by disseminating tasks and associated privileges across multiple users
- GRC risks are mutually exclusive functions and are established on the basis of the if-then principle
- The processes that pose opportunities for fraudulent activity should not be performed in Umoja by one person from beginning to end

29 Module 2 Objectives
After completing this module, you will be able to:
- Perform User Access Risk Analysis for existing Umoja end users
- Export the risk analysis report
- List the steps performed after User Access Risk Analysis

30 Umoja Access Screen
The Umoja Access Screen can be accessed at: [link]
1. Log in with your EIDMS credentials

31 Umoja Access Screen
The Citrix XenApp start screen is displayed. It displays all the tools that an Umoja end user can access.

32 User Access Risk Analysis for Existing Users
The steps to perform User Access Risk Analysis for existing Umoja end users are as follows:
1. Click the 4. Umoja Identity Manager link to access the GRC portal
Note: The GRC and IdM portals are accessed from the same link: Umoja Identity Manager.

33 User Access Risk Analysis for Existing Users
2. Enter the appropriate login credentials in the User and Password fields
3. Click the Log On button. The Umoja GRC home screen is displayed

34 User Access Risk Analysis for Existing Users
4. Click the Access Management tab
5. Click the User Level link in the Access Risk Analysis section
To proceed further, ensure that the Umoja end user has credentials provisioned in Umoja IdM.

35 User Access Risk Analysis for Existing Users
The Risk Analysis: User Level screen is displayed.
6. In the Analysis Criteria section, enter the required details in the following fields: User: enter the username of the Umoja end user; Risk Level: select the appropriate risk level from the drop-down list
7. In the Report Options section, select Business View from the second drop-down list of the Format field
8. Click the Run in Foreground button

36 GRC Risk Analysis - Results
9. The result displays all GRC risks currently associated with this user. The pre-defined risk level associated with each line item in the results list and a brief description of the GRC risk are also provided.

37 User Access Risk Analysis for Existing Users
10. Click the Roles tab
11. Click the Add button
12. Select Business Role from the Role Type drop-down list
13. Select the Umoja Enterprise role to be analyzed against the Umoja end user's current accesses within Umoja from the Role From drop-down list
The System column usually remains blank as roles span across multiple systems. More than one Umoja Enterprise role can be selected if User Access Risk Analysis needs to be simulated for a combination of Umoja Enterprise roles being proposed for the end user.

38 User Access Risk Analysis for Existing Users
14. Click the Run in Foreground button to generate the GRC analysis report based on the listed roles
Analysis Results: The screen refreshes after the GRC analysis report is successfully generated. The SoD conflicts are displayed in the Result section. This section displays the SoD conflicts in a predefined summary view by default.

39 User Access Risk Analysis for Existing Users
Result Section: If there are no SoD conflicts, then the Result section appears blank.

40 User Access Risk Analysis for Existing Users
You can also switch to an executive summary view for the displayed results. The steps to view the results in an executive summary format are as follows:
1. Select Executive Summary from the Format drop-down list to review the SoD conflicts grouped together by Access Risk ID
2. The Access Risk ID column displays all SoD risks or conflicts that are defined by UN Secretariat Process Communities
Callout: Access Risk ID = pre-defined SoD risk

41 Risk Analysis Report
The steps to export the risk analysis report are as follows:
1. Click the Export Result Sets button. The Result Set Detail pop-up window is displayed
2. Select the report and click the Export Result Sets button

42 Steps After User Access Risk Analysis
The steps followed after performing User Access Risk Analysis are as follows:
1. The User Access Mapper communicates the identified SoD risks or conflicts to the Compliance Officer and the Requestor
2. The Compliance Officer reviews and identifies the mitigating control to be applied for the identified risks and conflicts
3. The User Access Mapper logs into IdM to create or modify the Umoja end user's privileges to the Umoja system, based on the information provided by the Compliance Officer
4. The Compliance Officer logs into IdM to approve the Umoja end user's new (or updated) access to the Umoja system, after reviewing the comments by the User Access Mapper
Note: The end user must be informed of the new Umoja Enterprise roles assigned to him/her through appropriate local communication channels.

43 Simulation Activities
Throughout this training, users will have the opportunity to conduct activities in the form of simulations. Simulations are interactive recordings of the Umoja system used to help facilitate a hands-on learning experience. The simulation links are provided on the corresponding activity slides. Users can access simulations in three different modes:
- Show me: Users view a video of an entire transaction being conducted
- Let's do it together: Users will be prompted to input data at key points during the transaction (recommended)
- Try it: Users can complete an entire transaction on their own, with no additional instructions provided

44 Activity 1
Transaction Name: User Level Simulation - Risk Analysis
Link to the uPerform simulation: ?mode=EU&originalContext=

46 Learning Checkpoint 1
When performing User Access Risk Analysis for existing users, ensure that the ______. Fill in the blank with the correct option.
A. Umoja end user does not have credentials provisioned in the Umoja IdM system
B. Umoja end user has credentials provisioned in the Umoja IdM system
C. Umoja end user does not have credentials provisioned in the Umoja ECC system
D. Umoja end user has credentials provisioned in the Umoja ECC system
Option B is the correct answer. When performing User Access Risk Analysis for existing users, ensure that the Umoja end user has credentials provisioned in the Umoja IdM system.

47 Module 2 Summary
The key points covered in this module are listed below:
- More than one Umoja Enterprise role can be selected if User Access Risk Analysis needs to be simulated for a combination of Umoja Enterprise roles being proposed for the end user
- After performing User Access Risk Analysis, the risk analysis report can be exported
- After User Access Risk Analysis, the final approval for updated role assignments is directed to the Compliance Officer for final review and sign-off

49 Module 3 Objectives
After completing this module, you will be able to:
- Perform User Access Risk Analysis for a new Umoja end user request
- List the steps performed after User Access Risk Analysis

50 User Access Risk Analysis for a New User Request
If a new user request includes only one Enterprise role, then risk analysis is not required. The steps to perform User Access Risk Analysis for a new Umoja end user are as follows:
1. Access the GRC portal by clicking the following link: [link]
2. Enter the appropriate login credentials in the User and Password fields
3. Click the Log On button. The Umoja GRC home screen is displayed
Note: The Enterprise roles are free of internal SoD risks.

51 User Access Risk Analysis for a New User Request
4. Click the Access Management tab
5. Click the Role Level Simulation link in the Access Risk Analysis section

52 User Access Risk Analysis for a New User Request
The Simulation: Role Level screen is displayed. Performing User Access Risk Analysis for a new Umoja end user is a three-step process:
- Define Analysis Criteria
- Define Simulation Criteria
- Confirmation

53 Define Analysis Criteria
6. In the Analysis Criteria section, enter the required details in the System, Role Type and Role fields:
- System: The Umoja environment for which GRC analysis is being carried out
- Role Type: The type of role for which GRC analysis is being carried out
- Role: The name of the Umoja Enterprise role being evaluated for GRC analysis
To proceed further, ensure that the Umoja end user does not have credentials provisioned in the Umoja IdM system. If the Umoja end user already has provisioned credentials in the Umoja IdM system, it means that the user is an existing one.

54 Define Analysis Criteria
7. In the Report Options section, select Business View from the second drop-down list of the Format field
8. Select the Permission Level check box
9. Click the Next button

55 Define Simulation Criteria
The Define Simulation Criteria screen is displayed.
10. Click the Roles tab
11. Click the Add button
12. Select Business Role from the Role Type drop-down list
13. Select the Umoja Enterprise role to be analyzed against the Umoja end user's current accesses in the Umoja system from the Role From drop-down list
14. Click the Run in Foreground button to generate the GRC analysis report based on the listed roles
The System column usually remains blank as roles span across multiple systems. More than one Umoja Enterprise role can be selected if User Access Risk Analysis needs to be simulated for a combination of Enterprise roles being proposed for the end user.

56 User Access Risk Analysis for a New User Request
Analysis Results: The screen refreshes after the GRC analysis report is successfully generated. The SoD conflicts are displayed in the Result section. This section displays the SoD conflicts in a predefined summary view by default.

57 User Access Risk Analysis for a New User Request
Result Section: If there are no SoD conflicts, then the Result section appears blank.

58 User Access Risk Analysis for a New User Request
You can also switch to an executive summary view for the displayed results. The steps to view the results in an executive summary format are as follows:
1. Select Executive Summary from the Format drop-down list to review the SoD conflicts grouped together by Access Risk ID
2. The Access Risk ID column displays all SoD risks or conflicts that are defined by UN Secretariat Process Communities
Callout: Access Risk ID = predefined SoD risk

59 Steps After User Access Risk Analysis
The steps followed after performing User Access Risk Analysis are as follows:
1. The User Access Mapper communicates the identified SoD risks or conflicts to the Compliance Officer
2. The Compliance Officer reviews and identifies the mitigating control to be applied for the identified risks and conflicts
3. The User Access Mapper logs into IdM to create the new Umoja end user's accesses to the Umoja system, based on the information provided by the Compliance Officer
4. The Compliance Officer logs into IdM to approve the Umoja end user's new access to the Umoja system
Note: The end user must be informed of the new Umoja Enterprise roles assigned to him/her through appropriate local communication channels.

61 Learning Checkpoint 1
If a new user request includes ______ Enterprise role(s), then risk analysis is not required. Fill in the blank with the correct option.
A. One
B. Two
C. Three
D. Four
Option A is the correct answer. If a new user request includes only one Enterprise role, then risk analysis is not required.

62 Module 3 Summary
The key points covered in this module are listed below:
- If a new user request includes only one Enterprise role, then risk analysis is not required
- If a new user request includes more than one Enterprise role, then User Access Risk Analysis is performed for the new user request
- After User Access Risk Analysis, the final approval for updated role assignments is directed to the Compliance Officer for final review and sign-off

64 Module 4 Objectives
After completing this module, you will be able to:
- Perform User Access Risk Analysis for Umoja end users who require Enterprise role changes
- List the steps performed after User Access Risk Analysis

65 User Access Risk Analysis for Users Requiring Changes
The steps to perform User Access Risk Analysis for Umoja end users who require Umoja Enterprise role changes are as follows:
1. Access the GRC portal by clicking the following link: [link]
2. Enter the appropriate login credentials in the User and Password fields
3. Click the Log On button. The Umoja GRC home screen is displayed

66 User Access Risk Analysis for Users Requiring Changes
4. Click the Access Management tab
5. Click the User Level Simulation link in the Access Risk Analysis section. The Simulation: User Level screen is displayed
To proceed further, ensure that the Umoja end user has credentials provisioned in Umoja IdM.

67 User Access Risk Analysis for Users Requiring Changes
6. In the Analysis Criteria section, populate the System and User fields
7. In the Report Options section, select Business View from the second drop-down list of the Format field
8. Select the Permission Level check box
9. Click the Next button. The Define Simulation Criteria screen is displayed

68 User Access Risk Analysis for Users Requiring Changes
10. Click the Roles tab
11. Click the Add button
12. Select Business Role from the Role Type drop-down list
13. Select the Umoja Enterprise role to be analyzed against the Umoja end user's current accesses within Umoja from the Role From drop-down list
The System column usually remains blank as roles span across multiple systems. More than one Umoja Enterprise role can be selected if User Access Risk Analysis needs to be simulated for a combination of Enterprise roles being proposed for the end user.

69 User Access Risk Analysis for Users Requiring Changes
14. Click the Run in Foreground button to generate the GRC analysis report based on the listed roles. The pre-defined risk level associated with each line item in the results list and a brief description of the GRC risk are also provided
Analysis Report: The screen refreshes after the GRC analysis report is successfully generated. The SoD conflicts are displayed in the Result section. This section displays the SoD conflicts in a predefined summary view by default.

70 User Access Risk Analysis for Users Requiring Changes
Result Section: If there are no SoD conflicts, then the Result section appears blank.

71 User Access Risk Analysis for Users Requiring Changes
You can also switch to an executive summary view for the displayed results. The steps to view the results in an executive summary format are as follows:
1. Select Executive Summary from the Format drop-down list to review the SoD conflicts grouped together by Access Risk ID
2. The Access Risk ID column displays all SoD risks or conflicts that are defined by UN Secretariat Process Communities
Callout: Access Risk ID = predefined SoD risk

72 Steps After User Access Risk Analysis
The steps followed after performing User Access Risk Analysis are as follows:
1. The User Access Mapper communicates the identified SoD risks or conflicts to the Compliance Officer
2. The Compliance Officer reviews and identifies the mitigating control to be applied for the identified risks and conflicts
3. The User Access Mapper logs into IdM to modify the Umoja end user's privileges to the Umoja system, based on the information provided by the Compliance Officer
4. The Compliance Officer logs into IdM to approve the Umoja end user's updated access to the Umoja system
Note: The end user must be informed of the new Umoja Enterprise roles assigned to him/her through appropriate local communication channels.

74 Learning Checkpoint 1
Which of the following roles approves the Umoja end user's updated access to the Umoja system? Select the correct option.
A. User Access Mapper
B. Role Owner
C. End user
D. Compliance Officer
Option D is the correct answer. The Compliance Officer logs into IdM to approve the Umoja end user's updated access to the Umoja system.

75 Module 4 Summary
The key points covered in this module are listed below:
- User Access Risk Analysis is performed for an Umoja user requesting one or more Umoja Enterprise role changes in order to access Umoja tools and applications
- After User Access Risk Analysis, the final approval for updated role assignments is directed to the Compliance Officer for final review and sign-off

77 Module 5 Objectives
After completing this module, you will be able to:
- Explain the steps to access requests without SoD risks
- Explain the steps to access requests with SoD risks

78 Access Request Without SoD Risks
The high-level steps to access a request without SoD risks are as follows:
1. User Access Mapper: Runs Role Level Simulation Risk Analysis (activity performed in Umoja GRC)
2. User Access Mapper: Creates an Access Request for the New User (activity performed in Umoja IdM)
3. Compliance Officer: Approves the Request (activity performed in Umoja IdM)
4. Access Provided Automatically

79 Access Request With SoD Risks
The high-level steps to access a request with SoD risks are as follows:
1. User Access Mapper: Runs Role Level Simulation Risk Analysis
2. User Access Mapper: Creates a Request to Mitigate the Risk
3. User Access Mapper: Submits Request
4. Role Owner: Creates a New Mitigating Control
5. Compliance Officer: Approves the Request
6. Compliance Officer: Access Provided Automatically
[Diagram swimlanes: activities performed in ineed; activities performed in Umoja GRC; activities performed in Umoja IdM]
Note: The ineed request facilitates the communication between the User Access Mapper, Request Initiator and Function Approver.

81 Learning Checkpoint 1
Which of the following roles creates an access request? Select the correct option.
A. User Access Mapper
B. Role Owner
C. End user
D. Compliance Officer
Option A is the correct answer. The User Access Mapper creates an access request for the user in Umoja IdM.

82 Module 5 Summary
The key points covered in this module are listed below:
- Requests without and with SoD risks can be accessed
- The ineed request facilitates the communication between the User Access Mapper, Request Initiator and Function Approver

84 Module 6 Objectives
After completing this module, you will be able to:
Create mitigating controls
Mitigate SoD risks for Umoja end users
View mitigated users
Export mitigating controls

85 Mitigate Risk
The high-level steps to mitigate a risk are as follows:
1. Role Owner: create mitigating control
2. User Access Mapper: mitigate SoD risks
3. Umoja Security Team: view mitigated users
4. Umoja Security Team: export mitigating controls
Activities are performed in Umoja GRC.

86 Create Mitigating Control
The steps to create a mitigating control are as follows:
1. Access the GRC portal by clicking the following link: j/portal
2. Enter appropriate login credentials in the User and Password fields
3. Click the Log On button. The Umoja GRC home screen is displayed

87 Create Mitigating Control
4. Click the Master Data tab
5. Click the Mitigating Controls link

88 Create Mitigating Control
6. The Mitigating Control screen is displayed. Click the Create button to create a mitigating control
You can also review the mitigating controls currently valid in Umoja.

89 Create Mitigating Control
7. Populate the Mitigating Control ID, Description, Organization and Process fields

90 Create Mitigating Control
8. Click the Access Risk tab to link this control to a risk
9. Click the Add Row button to enter the risks that need to be mitigated by this control
10. Click the Owners tab to define the owner of this control

91 Create Mitigating Control
11. Click the Add Row button to configure the assignment type (Monitor or Approver) for this control
12. Click the Save button

92 Mitigate SoD Risks
The steps to mitigate SoD risks for users (performed by the User Access Mapper) are as follows:
1. Click the Access Management tab
2. Click the Mitigated Users link

93 Mitigate SoD Risks
3. The SoD User Mitigations screen is displayed. Click the Assign button

94 Mitigate SoD Risks
4. In the Details tab, populate the following fields: Access Risk ID, Rule ID, Control ID, Monitor
5. Click the Save button
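The Module 5 access-request paths (run a role-level simulation; if it raises SoD risks, a mitigating control must exist before the Compliance Officer approves) and the Module 6 mitigation assignment (Access Risk ID, Rule ID, Control ID, Monitor) can be modelled as a small rule engine. The Python below is an added illustration written for this page; it is not Umoja or SAP GRC code. Every role, function, risk, rule and control identifier in it is a constructed sample, and matching a control to a user's risk by the exact (risk ID, rule ID) pair is an assumption made here for the model.

```python
"""Toy Segregation-of-Duties (SoD) engine: user-level risk analysis,
role-level simulation for an access request, and mitigating-control
assignment. Added illustration, not Umoja or SAP GRC code; all role,
function, risk, rule and control identifiers are constructed samples."""
from dataclasses import dataclass


# Enterprise role -> business functions it grants (constructed sample data).
ROLE_FUNCTIONS = {
    "FI_AP_INVOICE_PROCESSOR": {"CREATE_VENDOR_INVOICE"},
    "FI_AP_PAYMENT_APPROVER": {"APPROVE_PAYMENT"},
    "MM_VENDOR_MASTER_MAINTAINER": {"MAINTAIN_VENDOR_MASTER"},
    "FI_GL_DISPLAY": {"DISPLAY_GL"},
}


@dataclass(frozen=True)
class SodRule:
    """One conflicting function pair. An access risk may hold several rules."""
    risk_id: str
    rule_id: str
    func_a: str
    func_b: str
    description: str


# Constructed rule set: two procure-to-pay conflicts (sample IDs, not the UN's).
RULES = (
    SodRule("P001", "P001-01", "CREATE_VENDOR_INVOICE", "APPROVE_PAYMENT",
            "Enter an invoice and approve its payment"),
    SodRule("P002", "P002-01", "MAINTAIN_VENDOR_MASTER", "APPROVE_PAYMENT",
            "Change vendor bank details and approve payments to that vendor"),
)


@dataclass(frozen=True)
class Mitigation:
    """Mirrors the fields assigned on the SoD User Mitigations screen."""
    user: str
    risk_id: str
    rule_id: str
    control_id: str
    monitor: str


def user_functions(roles):
    """Expand a set of enterprise roles into the functions they grant."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def analyze(roles):
    """User-level risk analysis: rules for which the roles grant both functions."""
    funcs = user_functions(roles)
    return [r for r in RULES if r.func_a in funcs and r.func_b in funcs]


def simulate(current_roles, requested_roles):
    """Role-level simulation: risks the requested roles would newly introduce."""
    existing = {r.rule_id for r in analyze(current_roles)}
    combined = set(current_roles) | set(requested_roles)
    return [r for r in analyze(combined) if r.rule_id not in existing]


def unmitigated(user, roles, mitigations):
    """Risks for `user` not covered by a control assigned to that exact
    risk ID and rule ID (assumption: a control for P001 does not cover P002)."""
    covered = {(m.risk_id, m.rule_id) for m in mitigations if m.user == user}
    return [r for r in analyze(roles) if (r.risk_id, r.rule_id) not in covered]


def request_path(user, current_roles, requested_roles, mitigations):
    """Which Module 5 path the request takes: straight to Compliance Officer
    approval, or a mitigating control first for each uncovered risk."""
    combined = set(current_roles) | set(requested_roles)
    open_risks = unmitigated(user, combined, mitigations)
    if not open_risks:
        return "no SoD risk: submit for Compliance Officer approval"
    ids = ", ".join(r.rule_id for r in open_risks)
    return f"SoD risk ({ids}): mitigating control required before approval"


if __name__ == "__main__":
    current = {"FI_AP_INVOICE_PROCESSOR", "FI_GL_DISPLAY"}
    requested = {"FI_AP_PAYMENT_APPROVER"}
    print([r.rule_id for r in simulate(current, requested)])
    print(request_path("jdoe", current, requested, []))
    control = Mitigation("jdoe", "P001", "P001-01", "MC-AP-01", "ap.supervisor")
    print(request_path("jdoe", current, requested, [control]))
```

The simulation compares the risks before and after the requested roles are added, so a request that only adds a display role to a user who already carries a conflict reports no new risk; `request_path` deliberately looks at all uncovered risks on the combined role set, since an unmitigated pre-existing conflict should block approval just as a new one does.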

95 View Mitigated Users
The steps to view mitigated users are as follows:
1. Click the Access Management tab
2. Click the Mitigated Users link

96 View Mitigated Users
The list of mitigated users is displayed.

97 Export Mitigating Controls
The steps to export mitigating controls are as follows:
1. Select the Export to Microsoft Excel option from the Export drop-down list

98 Export Mitigating Controls
2. Click the Open button to review the mitigating controls in the Microsoft Excel format
You can also click the Save button to save the mitigating controls list to your local computer.

99 Learning Checkpoint 1
Which of the following roles creates mitigating controls? Select the correct option.
A. Role Owner
B. User Access Mapper
C. Compliance Officer
D. All of the above

100 Learning Checkpoint 1
Which of the following roles creates mitigating controls? Select the correct option.
A. Role Owner
B. User Access Mapper
C. Compliance Officer
D. All of the above
Option A is the correct answer. The Role Owner creates mitigating controls.

101 Module 6 Summary
The key points covered in this module are listed below:
The Role Owner creates mitigating controls
The User Access Mapper mitigates the SoD risks for users
The Role Owner and User Access Mapper can view mitigated users and export mitigating controls

103 Course Summary
The key points covered in this course are listed below:
There are four GRC components: Access Risk Analysis, Business Role Management, Access Request Management and Emergency Access Management
The SoD principle ensures appropriate system authorizations by disseminating tasks and associated privileges across multiple users
The processes that pose opportunities for fraudulent activity should not be performed in Umoja by one person from beginning to end
User Access Risk Analysis needs to be performed for existing users, new user requests and users who require Enterprise role changes
After User Access Risk Analysis, the final approval for updated role assignments is directed to the Compliance Officer for final review and sign-off

105 Course Assessment
Now that you have completed all the modules in this course, you can test your knowledge by completing the Course Assessment. To receive credit for completing this course, you must pass this assessment with a minimum score of 90%. To complete the assessment you must return to the Learning Management System:
1. Log into Inspira
2. Navigate to Main Menu -> Self-Service -> Learning -> My Learning
3. Search for the name of the course under the My Learning Activities section
4. Click the Start link of the course assessment
5. Click the Submit button once you have completed the assessment

107 Course Survey
Your feedback is important to the continuous improvement of our training program. Please complete the evaluation for this course using the following steps:
1. Log into Inspira
2. Navigate to Main Menu -> Self-Service -> Learning -> My Learning
3. Search for the name of the course under the My Learning Activities section
4. Click the Start link of the course survey
5. Click the Submit button once you have completed the course survey

108 Congratulations!
You have successfully completed the Umoja Security GRC Analysis course.