Case Study: How The Coca-Cola Company Reduced Time and Effort Spent on User Access Reviews with an Automated Role and Security Clean-Up Process
Kyleen Wissell
The Coca-Cola Company
Classified - Internal use
Value for The Coca-Cola System is driven by…
• Consumer love for our brands
• Customer satisfaction
• Operating effectiveness
…and it is earned 1.7+ billion times a day with more than 3,500 products in over 200 countries
April 2012
In This Session …
• We’ll talk about what automation we leveraged in SAP GRC to build more efficient and effective risk management processes, and specifically how we analyzed the traditional manual effort spent reviewing and monitoring access assignments and identified the predictive analytics and insights that could be derived from it to guide our decisions
• To meet this objective, I will share certain foundational efforts we had to complete before improving the user access review processes
What We’ll Cover …
• Background: Our vision for improving access to information
• An overview of the security design leveraged to achieve our guiding principles
• The process we designed for provisioning SAP entitlements
– The key decision we made that changed which actor is responsible for participating in the approval process
• The guiding principles behind more effective user access reviews
• Which activity reviews were automated and how predictive analytics were leveraged
• Role Narratives … the key to maintaining improvements in access controls
• Wrap-up
Background: Our Vision for Improving Access to Information
• Vision: Improve security processes by developing an efficient, sustainable approach for assigning and monitoring access to information systems by utilizing a risk-based approach, aligned with business processes
– Simple: Rationalize the number of access roles
– Scalable: Standardize processes driving inefficiencies and higher costs
– Sustainable: Increase capabilities for governing
Clearly Outlined Problem
[Diagram: a hypothetical user’s activity roles (“what”) and organizational boundaries (“where”: Global, N.A., L.A., Pacific, Europe, Eurasia) under the legacy design versus the optimized design]
– Legacy: 107 roles / 1,898 update transactions across 109 countries
– Optimized: 9 total roles / 35 update transactions
Show how your user has access to transactions not used in the previous 12 months to perform activities perhaps not under their control or responsibility area:
• Perform Physical Inventory Adjustment
• Perform MRP Maintenance
• Perform Cash Application
Reminder of why we are doing this (the business case):
• Balance risk vs. cost consideration
• Promote greater productivity and efficiency
• Allow flexibility for future organizational change
• Enable standardization of processes
• Define activities once and reuse globally
Our Vision: Improve security processes by developing an efficient, sustainable approach for assigning and monitoring access to information systems by utilizing a risk-based approach, aligned with business processes

Legacy vs. Final State Optimized
Simple
– Legacy: +25,000 SAP users with +15,000 roles results in +8,500 hours annually controlling & monitoring access
– Optimized: +25,000 users with ~1,600 roles results in increased visibility into who has access to what
Scalable
– Legacy: Lack of standardization and manual processes cause inefficiencies and higher costs
– Optimized: Lower costs due to standardization and automation, increased confidence in how we are managing risk
Sustainable
– Legacy: Inefficient use of resources and lack of clarity between IT and Business ownership
– Optimized: Reduced compliance inefficiencies, clear role sort, increased capabilities for growth and more efficient onboarding
Key Solution: Be willing to add up the costs associated with inefficiencies
What Did We Do?
Identified Business Need
• Standardized SAP security design and provisioning, initially across the Finance and Human Resources environments
• Increased business accountability for security access, and increased support for governance oversight
• Supported business process transformation by providing visibility into who/where associates are performing business activities and cleaning up non-job related access
• Automated, risk-based access reviews to reduce compliance activities and the associated cost
• Expanded risk monitoring across additional SAP environments
• Provided a foundation for role-based security and the path for reducing SAP professional licenses
Changed Mindsets
• Help from business leads to own and manage security risks
• Increased security controls capabilities, shifting focus of resources towards managing risk and away from security maintenance and detective monitoring methods
• Accept living in multiple system worlds until remaining SAP environments are incorporated
• Utilized a risk-based approach aligned with business processes and performed diagnostics to identify where efforts weren’t returning an invested value, e.g., manual compliance efforts
Outline of the Benefits (Obtain the Value)
• Global security design enables associates to see and do more by design, not by mistake
– Access expanded to the Group level and a reduction in access unrelated to the job
• Global security design enables associates to be leveraged across geographies
– Enabling alignment of resources with strategic priorities
– Increasing flexibility of resources so that activities are not tied to physical location
• Enhanced transparency of access information (who is doing what) leveraged to:
– Provide intelligence to create more centers of excellence
– Hone strategic capabilities
• Increased opportunities to scale, which provide asset and execution efficiencies that increase shareholder value in the Coca-Cola System and preparedness for our strategic vision
• Security access risks are managed more efficiently and effectively
• Costs for maintaining security are reduced
• Implemented standardized processes support company growth and organizational flexibility without increasing the complexity of security access
Overview of the Role Design to Achieve Our Guiding Principles
A user’s access is made up of several small definable activities performed in SAP:
– Each activity is accessed via a single role, e.g., AP Invoice Processing
– Each activity is assigned to one of 4 distinct access levels, which is risk-associated and data-classified, linked to the business process
[Access design diagram: General Use; Common Display, Restricted Display, Organizational Boundary Display (“where they can do it”); Update Activity, Special Update, Organizational Boundary Update (“what they can do”)]
LEVEL 1: General User Access “WHAT”, NO RISK
Activities common to all users, such as printing and inbox, are grouped together into a single role. This is given to every user.
LEVEL 2: Display Access “WHAT”, LOW RISK
Activities which allow display and reporting only access are grouped by process area into a single role. These activities may be grouped at the process or sub-process level. One or more display roles can be given to a user and provide a display view that is common to all.
LEVEL 3: Functional Access “WHAT”, MEDIUM or HIGH RISK
Activities which allow update access are grouped by sub-process area and divided into single roles for each part of a more granular activity performed. Profiles are used to provide the correct combination of roles required to complete each distinct activity. Info type and movement type restrictions are built into each role where appropriate.
LEVEL 4: Locations “WHERE”, MEDIUM RISK
Access is given to a user at the Group level. One or more organizational boundary roles can be given to a user, to allow them to perform activities for multiple locations.
Final Rationalization Results Achieved 90% Reduction of Roles

                        Human Resources   Finance   Total
Roles                         386           583      969
  What                         71           371      442
  Where                       313           135      448
  Specialty                     0            70       70
  Template                      2             7        9
Data classification
  Internal Use                 22           184      206
  Confidential                 67           253      320
  Restricted                  297            89      386
  Highly Restricted             0            57       57

• Defining activities once and reusing globally reduces the number of required roles, unless transactions are configured to perform a different activity
• Role naming convention clearly identifies the purpose of the activity for transparency to the requester, approver, end user, and compliance partners
• Organizational boundary roles defined at a higher level enable the user to transact in multiple locations, which are groupings of company codes, plants, sales locations, etc.
Actors in the Newly Designed Provisioning Process
1. User completes an Access request form in SharePoint
2. Security team enters GRC request and routes to Business Steward
3. Business Steward reviews request & runs risk analysis prior to decision
4. Role Approver reviews business justification and makes approval decision
5. Access is provisioned and measured against a 3-day SLA
Post Deployment Workflow:
• KEY DECISION: The approval process shifted from Manager Approval to Business Steward-centric approval. These resources have a combination of security and internal controls backgrounds and sit at the Group level. They have knowledge of whether mitigating controls can be applied or whether the risk should be remediated, e.g., access removed.
• We assessed what additional capabilities needed to be developed and began having regularly scheduled User Group calls with Business Stewards and Role Approvers, leveraged to deliver training, provide status updates and discuss or raise issues and concerns.
• Given that we are developing a road map for role-based security provisioning, we felt a greater focus and a sustainable investment in building capabilities for stewarding access management was warranted, subsequently reducing investment and focus on seeking manager approvals and involvement in user access reviews.
The key win is delivering a standard approach that is flexible and faster, but controlled and consistent.
RACI Chart Developed for Access Initiators, Business Stewards, Role Approvers & Security Operations

RACI ASSIGNMENTS (Req = Requestor, AI = Access Initiator, BS = Business Steward, RA = Role Approver, SO = Security Operations*)

#   Task description                                    Capability example                                    Req  AI   BS   RA   SO
1   Identify need for change in access                  Ability to identify what system and what process      A/R  -    C    C    C
2   Enter request for access                            Knowledge of how to enter a GAM request on the GAM    A/R  C    C    C    C
                                                        SharePoint or through local request process
3   Analyze Access Request Form for completeness and    Ability to identify if request is a valid request     C    A/R  C    C    C
    validity; identify GAM roles needed
4   Enter and submit GRC access request in AC           Knowledge and ability to copy a user's profile        -    A/R  -    -    C
                                                        within the GRC tool
5   Run initial SOD/SA task of GAM roles requested;     Understanding of business process user supports       C    C    A/R  C    C
    document any adjustments
6   Submit GRC Request in AC                            Submit GRC Request in AC                              I    A/R  -    -    C
7   Process request, perform risk analysis and          Knowledge and ability to initiate risk analysis       C    C    A/R  C    C
    mitigation
8   Submit GRC-AC request to Role Owner                 Submit GRC-AC request to Role Owner                   I    -    A/R  C    C
9   Process request and perform risk analysis           Ability to initiate risk analysis                     C    -    C    A/R  C
10  Submit AC Request for Provisioning                  Submit AC Request for Provisioning                    I    -    C    A/R  C
11  Administer SNC encryption                           Determine if SNC is required                          -    -    -    -    A/R
12  Submit AC Request for Provisioning                  Submit AC Request for Provisioning                    -    -    -    -    A/R

Responsible: does the task. Accountable: makes the decision. Consults: provides input. Inform: kept in the loop.
* Security Operations = Help Desk & SAP Security
Guiding Principles for Periodic Access Reviews
• Process terminations daily with an automated feed into GRC
• Lock inactive users daily after 90 days of inactivity
• Automatically remove a user’s system ID after 180 days of inactivity
– This has put us on a path for reducing annual maintenance/licensing costs
• Automatically remove inactive roles from a user’s profile after 120 days of inactivity
– Defined exceptions include infrequently used roles and use which doesn’t generate analytics: radio frequency devices, year-end transactions and roles with only authorizations and objects (organizational boundary & specialty access)
• Trigger an access review when a user’s job formally changes
• Trigger an access review every 180 days for non-employee workers, users with access mitigated by compensating controls, highly restricted access, or organizational boundary access
• Annually review role content and data classification
– Required the development of role narratives in GRC
These automated activities have replaced certain manual quarterly access review processes, which weren’t bringing the expected value. We found that analytics and triggers were the key to establishing the most effective review prompts.
Predictive Analytics
• We designed several automated reviews within GRC; two of them, the inactivity reviews, were built using predictive analytics
– Assumption: Roles showing no activity after a period of time can indicate lack of need or a minor shift in responsibility
• Determined 120 days is a pretty good indicator, with some exceptions identified for infrequently used roles, such as expense reporting, purchase order approvals, etc.
– Assumption: System IDs showing no activity after a period of time can indicate system access is no longer required
• Determined 180 days is a pretty good indicator, with some exceptions identified
120-Day Role Inactivity Review
• Benefits
– Maintain an accurate baseline of access assignments adjusted by regular clean up and removal of access no longer required or not being used
– Data input towards standardizing profile assignments
– Leverage data analytics to drive decisions
• Risks and Mitigation
– Risk: Remove access that is used more infrequently
• Mitigation: Develop a list of exceptions and an initial validation process
• Mitigation: Consider an adjustment to the inactivity trigger, e.g., 120 to 130 days
– Risk: Remove access that doesn’t register activity
• Mitigation: Adjust the exception process
Approach to Implementation of the Automated Process for Removing Roles for Inactivity
• Get comfortable with what the report from SAP GRC was showing us prior to moving the automated process into production
– Review users/roles not used in 120 days, targeted to be removed, and make decisions (accept/reject results)
– Assess whether any incidents occurred as a result of the removal and adjust the exception process, when necessary
– Review users/roles which were excepted from the process in order to validate results
– Review available reporting within GRC to develop a communication of results
• Develop a timeline for moving to the automated process expected to run nightly in GRC, without manual intervention
• Encountered Defects During Testing
– The GRC user action interface did not collect 100% of transactional activity from each target environment, which SAP subsequently resolved
Observations from the Initial 120-Day Review
• Initial Inactivity Review Produced
– Lots of access recommended for removal from executives, senior leadership, and contractors
– Lots of access removed from employees who had been with the company for a long time (years of travelling from job to job)
– Some clean up of migration mistakes when users moved to the newly designed roles
– Approach to cloning access of users is apparent (absent a process for assigning standardized profiles)
– Lessons learned: Need to review what was “excepted” where there was never any use, and additionally evaluate if it would have been removed anyway by the 180-day review
180-Day System Inactivity Review
• Benefits
– Maintain an accurate baseline of legitimate system users
– Data input towards standardizing profile assignments
– Reduce costs of maintenance licensing, especially by categorizing types of users, e.g., display versus transactional or power user
• Risks and Mitigation
– Risk: Remove system ID from legitimate user who is somehow not generating a last logon date
• Mitigation: Develop a list of exceptions
• Mitigation: Consider an adjustment to the inactivity trigger, e.g., more than 180 days
Approach to Implementation of the Automated Process for Removing System IDs for Inactivity
• Get comfortable with what the report from SAP GRC was showing us prior to moving the automated process into production
– Review users showing a last log-on date longer than 180 days ago, targeted to be removed, and make decisions (accept/reject results)
– Assess whether any incidents occurred as a result of the removal and adjust the exception process, when necessary
• We identified certain activities which were occurring through the Web/portal or a hand-held device which didn’t generate a last log-on date, which drove us to change the exception logic in the program
– Review available reporting within GRC to develop a communication of results
• Develop a timeline for moving to the automated process expected to run nightly in GRC
• Encountered Defects During Testing
– None
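The two inactivity reviews and the guiding-principle thresholds above (lock at 90 days, remove roles at 120, remove system IDs at 180, with exceptions for infrequently used roles and for access that generates no analytics) as an added worked example; this is not Coca-Cola's or SAP GRC's code, and the role names, users, dates and the OB/SP/RF name segments used to mark no-analytics roles are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

LOCK_AFTER_DAYS = 90            # lock inactive users
ROLE_REMOVE_AFTER_DAYS = 120    # remove roles not used in this window
SYSTEM_REMOVE_AFTER_DAYS = 180  # remove system IDs not used in this window

# Exception classes named on the page: infrequently used roles, and roles whose
# use produces no transaction analytics (org boundary / specialty roles carrying
# only authorization objects, radio frequency device roles). Role names follow
# the page's P08:S:<process>:<area>:<name> style but are constructed; the
# OB/SP/RF segments are an assumed marker, not a real SAP convention.
INFREQUENT_ROLES: Set[str] = {"P08:S:HTR:TV:EXPENSE_REP", "P08:S:PTP:MM:PO_APPROVAL"}
NO_ANALYTICS_SEGMENTS = (":OB:", ":SP:", ":RF:")

@dataclass
class User:
    user_id: str
    roles: Set[str]
    last_logon: Optional[date]                  # None: no GUI logon recorded
    last_role_use: Dict[str, date] = field(default_factory=dict)
    last_portal_use: Optional[date] = None      # web/portal or hand-held use

def is_excepted(role: str) -> bool:
    """True for roles the 120-day review must not remove automatically."""
    return role in INFREQUENT_ROLES or any(s in role for s in NO_ANALYTICS_SEGMENTS)

def role_review(user: User, today: date) -> Dict[str, List[str]]:
    """120-day role inactivity review. 'remove' lists assigned roles with no
    use inside the window (never used counts as unused); 'excepted_never_used'
    lists excepted roles with no recorded use, which the page's lessons learned
    say still deserve a manual look."""
    result: Dict[str, List[str]] = {"remove": [], "excepted_never_used": []}
    cutoff = today - timedelta(days=ROLE_REMOVE_AFTER_DAYS)
    for role in sorted(user.roles):
        last = user.last_role_use.get(role)
        if is_excepted(role):
            if last is None:
                result["excepted_never_used"].append(role)
            continue
        if last is None or last < cutoff:
            result["remove"].append(role)
    return result

def system_id_action(user: User, today: date) -> str:
    """90/180-day system ID review: 'keep', 'lock', 'remove' or 'review'.
    Portal and hand-held activity count as activity although they set no
    last-logon date (the exception-logic change the page describes); a user
    with no activity evidence at all goes to manual review, not removal."""
    evidence = [d for d in (user.last_logon, user.last_portal_use) if d]
    if not evidence:
        return "review"
    idle_days = (today - max(evidence)).days
    if idle_days > SYSTEM_REMOVE_AFTER_DAYS:
        return "remove"
    if idle_days > LOCK_AFTER_DAYS:
        return "lock"
    return "keep"

# Constructed sample population; TODAY is the deck's date (April 2012).
TODAY = date(2012, 4, 1)
SAMPLE_USERS = [
    User("ACCOUNTANT", {"P08:S:RTR:FI:FI_COMMON_DSP", "P08:S:RTR:FI:PL_BAL_SHEET_REP",
                        "P08:S:OB:NA:EAST"}, date(2012, 3, 30),
         {"P08:S:RTR:FI:FI_COMMON_DSP": date(2012, 3, 30),
          "P08:S:RTR:FI:PL_BAL_SHEET_REP": date(2011, 10, 1)}),
    User("TRAVELLER", {"P08:S:HTR:TV:EXPENSE_REP"}, None, last_portal_use=date(2012, 2, 1)),
    User("GHOST", {"P08:S:RTR:FI:FI_COMMON_DSP"}, date(2011, 8, 1)),
    User("DORMANT", set(), date(2012, 1, 1)),
    User("UNKNOWN", set(), None),
]

def run_reviews(users: List[User], today: date) -> Dict[str, Dict[str, object]]:
    """Nightly-run shape: one decision record per user, keyed by user ID."""
    return {u.user_id: {"system_id": system_id_action(u, today), **role_review(u, today)}
            for u in users}
```

TRAVELLER shows the portal-only case the page hit: no last-logon date, yet recent expense activity keeps the ID, while the expense role lands in the "excepted but never used" list for a human to check.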
Observations from the Initial 180-Day Review
• Initial Inactivity Review produced:
– Lots of system IDs targeted for removal from executives, senior leadership, and contractors
– Many inactive users had an account only for travel expense purposes, and often they have an assistant who is authorized to raise reports on their behalf
– System IDs for non-employee workers
Role Narratives Aid Control Sustainability
What was the mission?
• Actors in the access assignment process and business owners do not always understand the content and purpose of access roles. Our mission was to develop role narratives which explain the purpose of the access granted, including the level of approval required, the primary business users and risk posed, and identification of known conflicts, and which provide the ability to display the technical content, such as transaction codes, company codes and data classification.
What was the objective?
• The objective is to support accurate assignment of privileges based upon user job requirements, reduce the number of provisioning requests rejected or misassigned, aid role owners with the ability to reaffirm role content periodically, and aid business stewards and custodians who periodically review access assignments. Aid better risk management.
What were the benefits?
• Reduced turn-around for access initiators to process a GRC access request, and for resolving follow-up to clarify or correct requests.
• Reduced error rate for correcting assignment mistakes and resubmission after role approver rejections.
• Standardized information for performing user access reviews and onboarding new role or business owners.
Role Narrative Example
Workbook: This is an example of a completed Role Narrative with the columns highlighted in yellow.
Business Role Name: RTR: FI – P&L and Balance Sheet Reporting
Technical Role Name: P08:S:RTR:FI:PL_BAL_SHEET_REP
Business Primary Users: Finance
Position Description: Finance users performing end of the period type activities or those with responsibilities for top line analysis
Purpose of the Access: Role allows a user to view a quantitative summary of a company's financial condition at a specific point in time, including assets, liabilities and net worth. The first part of a balance sheet shows all the productive assets the company owns, and the second part shows all the financing methods (such as liabilities and shareholders' equity)
Risk: Medium
Known Conflicts: Often mistaken with the FI Common Display role needed to perform most of the basic RTR activities, such as account reconciliation.
Dependent Roles: None
Alternate Roles: P08:S:RTR:FI:FI_COMMON_DSP
Subject Matter Expert(s): Miguel Gonzalez and Debbie Bryan-Hall
T-Codes: S_ALR_87012043
Additional Information (Optional): G/L Account Balances
Description - The G/L account balance list shows the following monthly figures: Balance carried forward at the beginning of the fiscal year; Total of the period or periods carried forward; Debit total of the reporting period; Credit total of the reporting period; Debit balances or credit balances at the close of the reporting period (optional); With the Balances in Foreign Currency option, the first five fields are available in the accounts as well as in local currency. At the end of the list, the system displays the following information per local currency: Totals per company code; Closing total of all company codes
Output and Sorting - The sorting method and summarizations can be determined using ALV. The parameter Group Version controls output in the batch header and the default sorting method. Program Called: RFSSLD00 - More output control
Program Called - RFSSLD00 - Less output
Wrap-Up – Reporting of Results to Management
• Developed reporting routines to communicate periodically …
– How many roles were removed?
– How many roles removed were never used?
– What was the risk addressed? Where?
• Initial cleanups produce the most results
• Next steps also include …
– Planning for progressing standardized profile assignments
– Discussions are also taking place to evaluate, IF we had additional predictive analytics, how we could leverage similar activities
• What access doesn’t generate usage, e.g., authorizations and objects which aren’t grouped with transactions, and Web and portal activity not generating log-on insight
7 Key Points to Take Home
1. Intuitive and improved user access reviews are best accomplished with simplified role design and business rules for rationalization of roles
2. Global, standardized GRC user provisioning workflow for access assignments coupled with accurate assignment is a best practice
3. Appropriate user access assessments and approvals, with access changes reflected for inactivity, support managed risk
4. Automated activities have replaced prior manual quarterly access review processes, which weren’t bringing the expected value. We found that analytics and data triggers were the key to establishing the most effective review prompts.
5. Narratives are also key building blocks for sustaining improvements made in access controls
6. Surprise improvement in management of user licensing costs by getting more granular with access assignments
7. The key win is delivering a standard approach that is flexible and faster, but controlled
Your Turn!
Questions?
How to contact me:
Kyleen Wissell
[email protected]