TRANSCRIPT
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2019 Wellesley Information Services. All rights reserved.
Case Study: How Ogilvy Utilized SAP Access Control Suite to Remediate Audit Deficiencies, Strengthen Access Governance, and Streamline SAP Licenses
Susan Santos
Ogilvy
In This Session
• We will discuss:
⬧ The right implementation approach to support immediate compliance requirements
⬧ How to leverage GRC reports to determine access required by users
⬧ How to use GRC reports to strengthen access governance
⬧ How license audits work and how Ogilvy was able to save money on license fees
What We’ll Cover
• Ogilvy Overview
• Challenges we faced
• SAP Access Control implementation approach
• Automated GRC reports
• Interpretation of action/role usage reports
• License Audits
• Wrap-up
Ogilvy Overview
Ogilvy Overview
In 1948, David Ogilvy founded the agency that has since become one of the most prominent marketing communications brands in the world, Ogilvy. David’s legacy and three core pillars are something we continue to live by today:
1. A focus on the quality and diversity of our people
2. A commitment to quality of service and class of operation, as he often said, “Only first-class business, and that in a first-class way”
3. A rooted belief in brands; David Ogilvy famously said, "We Sell or Else"
For nearly 70 years, Ogilvy has helped build some of the most valuable and iconic brands in the world, including American Express, Ford, and Dove, and more recently, IBM.
Our work is not just about selling products; it is more importantly about helping to carve out a voice, reason and permission for our clients to exist in their target audiences' lives, and we do this by “Making Brands Matter”.
132 offices in 80 countries
Challenges We Faced
Challenges Faced Prior to Implementing GRC
Unreliable process for user access provisioning
• Paper-based user access request forms with multiple levels of reviews, causing delays
• No ability to simulate the effect of additional access assignments and/or role updates
Excessive user access due to lack of a firefighter management process
Difficulty in detecting SODs within new and existing roles
• SOD analysis was only being performed at transaction level, resulting in multiple false positives
• Role creation process only took into account critical SODs, which were manually referenced from an offline matrix
SAP Access Control Implementation Approach
Implementation Approach
Big Bang Approach
• Full functionality of GRC provided together
• Issues can grow quickly
• Significant learning curve in a short period of time
• Single "go-live"
Phased Approach
• Faster access to key benefits such as firefighter and ruleset
• Fewer issues at one time
• Allows time for lessons learned for future phases
• Improves business acceptance of change
Considerations
• Team
• Scope and Time
• Implementation Partner
Phased Approach at Ogilvy
Phase 1 (2017) – Access Control
• Access Risk Analysis (ARA)
• Emergency Access Management (EAM)
Phase 2 (2018) – Access Control
• Access Request Management (ARM)
• Business Role Management (BRM)
• User Access Review (UAR)
Phase 3 (2020) – Process Control
• TBD
Advantages of Phased Approach
• Encourages promulgation of well-thought-out specifications
• Reduction of risk at multiple levels
• Complexity of planning is reduced
• Maximize control through the use of formal phase reviews
• Thorough progress reviews
• Better management of time and resources, especially of business partners
• Better change process management
• Helps overcome resistance to change
• Allows for lessons learned in early phases to be incorporated in later phases
Automated GRC Reports
GRC Reports
UAR Report
• This report allows periodic review of access assigned to users
• It also shows the frequency of role usage for each user
Action Usage by User Report
• This report lists the number of times a specific transaction was executed by a user
Action Usage by Role Report
• This report lists the number of times a specific transaction was executed within a role
Consolidated Log Report
• This report contains a log of all actions executed during a firefighter session
• It includes executed transactions, changes, system, and OS commands
UAR (User Access Review) Report
The UAR reviewer will review this screen and determine whether the indicated user requires the associated roles. Here the reviewer can see the roles have no usage, which may indicate that they can be removed.
Action Usage by User Report
The reviewer can view the user’s executed transactions during a specific time period. Here the reviewer can see the number of times the action was executed.
Action Usage by Role Report
The reviewer can view the number of times each transaction in a role was executed within a specific time frame. Here the reviewer can see that these actions were not executed.
Consolidated Log Report
This report shows an activity log of all transactions executed during a firefighter session. Here the reviewer can see additional session details.
Interpretation of Action/Role Usage Reports
Role Remediation Process
We utilize the Role Level Risk Analysis to identify roles with inherent SOD conflicts.
Once the conflicting actions are identified within a role, we leverage the Action Usage by Roles report for more insight:
• If the conflicting actions are not frequently executed, the action(s) can be removed from the role entirely
• If the action usage is high, we consider moving the action(s) to a different/new role
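The two-step decision above (risk analysis finds the conflicting pair, the usage report decides remove versus move), as an added example in Python. This is not code from the presentation or from SAP Access Control: the SOD ruleset, the sample role, the usage counts and the usage threshold are constructed placeholders, and the rule "when both sides of a pair are busy, relocate the less-used side" is an assumption made here, not something the slides state.

```python
"""Role remediation decision helper.

Added example, not code from the presentation or from SAP Access Control.
Step 1 mirrors the role-level risk analysis: find SOD rule pairs whose two
actions both sit in the role. Step 2 mirrors the Action Usage by Role review:
an action that is rarely executed is removed from the role, a busy action is
moved to a different role. The ruleset, role, usage counts and threshold are
constructed placeholders; real rulesets are far larger.
"""

# Constructed SOD ruleset: each frozenset is a pair of actions (transaction
# codes) that must not be granted together in one role.
SOD_RULES = {
    frozenset({"FB60", "F110"}),   # enter vendor invoice + execute payment run
    frozenset({"XK01", "FB60"}),   # create vendor master + enter vendor invoice
    frozenset({"ME21N", "MIGO"}),  # create purchase order + post goods receipt
}


def role_risk_analysis(role_actions, rules=SOD_RULES):
    """Return the conflicting action pairs present in a role, as sorted tuples."""
    present = set(role_actions)
    return sorted(tuple(sorted(pair)) for pair in rules if pair <= present)


def remediation_plan(role_actions, usage, threshold, rules=SOD_RULES):
    """Apply the slide's rule to every conflicting pair.

    usage: action -> execution count from the Action Usage by Role report.
    threshold: counts at or below this mean 'not frequently executed'.
    Returns (remove, move, remaining): actions to drop, actions to relocate
    to a separate role, and the actions left in the remediated role.
    """
    remove, move = set(), set()
    for a, b in role_risk_analysis(role_actions, rules):
        rarely_used = [x for x in (a, b) if usage.get(x, 0) <= threshold]
        if rarely_used:
            remove.update(rarely_used)          # low usage: remove from the role
        else:
            # Both sides are busy, so the pair has to be split. Assumption made
            # here: relocate the less-used side to a different/new role.
            move.add(min((a, b), key=lambda x: usage.get(x, 0)))
    remaining = [x for x in role_actions if x not in remove and x not in move]
    return sorted(remove), sorted(move), remaining


# Constructed sample: one AP role and its usage counts for the review period.
SAMPLE_ROLE = ["FB60", "F110", "XK01", "ME21N", "MIGO", "FB03"]
SAMPLE_USAGE = {"FB60": 412, "F110": 0, "XK01": 3, "ME21N": 150, "MIGO": 98, "FB03": 2000}

if __name__ == "__main__":
    print("conflicts:", role_risk_analysis(SAMPLE_ROLE))
    remove, move, remaining = remediation_plan(SAMPLE_ROLE, SAMPLE_USAGE, threshold=5)
    print("remove:", remove, "move:", move, "remaining:", remaining)
    # Re-run the risk analysis on the result, as BRM does before generation,
    # and on the moved set, since those actions will form a new role.
    print("residual conflicts:", role_risk_analysis(remaining))
    print("conflicts inside the moved set:", role_risk_analysis(move))
```

The final two checks matter in practice: the remediated role must come out of the risk analysis clean, and the actions moved into a new role must be analyzed as a role of their own, otherwise the conflict is simply relocated.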
Role Level Risk Analysis
The reviewer can see which actions within the role are causing an SOD conflict. Here the reviewer can see the actions causing SOD risks.
Action Usage by Roles
The reviewer can leverage the Action Usage by Roles report to see the number of times each action was executed in the system. Here the reviewer can see the conflicting actions are not being executed and can be removed from the role.
Ensuring Roles Remain Conflict Free
Going forward, the Business Role Management (BRM) module is being used for the
creation and maintenance of roles within GRC
• Prior to role generation, a risk analysis is performed to ensure the role is SOD free
• The role creation/update methodology includes a role approval step
• All role updates are logged within GRC
License Audits
What is an SAP License Audit?
All SAP customers are contractually obligated to perform an SAP User License Audit.
This process compares the number of users actively using the system with the number of licenses the customer has purchased.
GRC reports have helped Ogilvy reduce the number of unnecessary licenses and move users to lower-ranked license types.
• Depending on the user’s access, the user will be categorized into different license types, which vary in cost
• Reduced 10% of licensing cost
License Report
We use the USMM License Report to view the number of active licensed users currently in the system. Here is a count of the number of users actively using the system.
Our Process to Review and Reduce the Number of SAP Licenses
1. UAR report is run and sent to reviewer
2. Reviewer leverages the Action Usage reports along with the UAR report to conduct the review
3. Any unnecessary or unused access is marked for removal
4. Access marked for removal is removed by HR / IT Security
5. USMM report is run, indicating a reduction in the number of SAP licenses
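The review flow above, as an added Python example that is not part of the presentation and not a feature of SAP GRC or the USMM report. It takes a UAR-style extract (user to assigned roles) and Action Usage by User counts, marks roles the user never exercised in the review period for removal, and compares the license picture before and after. The role contents, the license categories ("professional", "limited", "none") and the rule that maps remaining access to a category are constructed assumptions; real SAP license types are defined by the customer's contract.

```python
"""License review helper.

Added example, not a feature of SAP GRC or the USMM report. It follows the
review flow on the slide: take the UAR view (user -> assigned roles), use the
Action Usage by User counts to find roles the user never exercised in the
review period, mark those for removal, and compare the license picture before
and after. Role contents, the license categories and the rule that maps access
to a category are constructed assumptions; real license types are contractual.
"""

# Constructed role catalogue: role -> actions (transaction codes) it grants.
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"FB60", "FB03"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_DISPLAY_ONLY": {"FB03", "ME23N"},
}
# Hypothetical license categories, most expensive first.
LICENSE_RANK = ["professional", "limited", "none"]
# Constructed rule: any posting/changing action needs the top category.
CHANGE_ACTIONS = {"FB60", "F110"}


def unused_roles(roles, usage, role_actions=ROLE_ACTIONS):
    """Roles none of whose actions appear in the user's usage counts."""
    return sorted(r for r in roles
                  if all(usage.get(a, 0) == 0 for a in role_actions[r]))


def license_type(roles, role_actions=ROLE_ACTIONS):
    """Map a user's remaining access to a (hypothetical) license category."""
    if not roles:
        return "none"
    granted = set().union(*(role_actions[r] for r in roles))
    return "professional" if granted & CHANGE_ACTIONS else "limited"


def count_licenses(user_roles):
    """Number of users per category, the figure the USMM count is compared to."""
    counts = {t: 0 for t in LICENSE_RANK}
    for roles in user_roles.values():
        counts[license_type(roles)] += 1
    return counts


def license_review(user_roles, user_usage):
    """Run the review: returns (removals per user, counts before, counts after)."""
    removals, after = {}, {}
    for user, roles in user_roles.items():
        drop = unused_roles(roles, user_usage.get(user, {}))
        removals[user] = drop
        after[user] = [r for r in roles if r not in drop]
    return removals, count_licenses(user_roles), count_licenses(after)


# Constructed UAR extract and usage counts for one review period.
USER_ROLES = {
    "alice": ["Z_AP_CLERK", "Z_AP_PAYMENT"],
    "bob": ["Z_AP_PAYMENT", "Z_DISPLAY_ONLY"],
    "carol": ["Z_DISPLAY_ONLY"],
}
USER_USAGE = {
    "alice": {"FB60": 120, "FB03": 40},   # never ran the payment run
    "bob": {"FB03": 15, "ME23N": 8},      # display only in practice
    "carol": {},                          # no activity at all
}

if __name__ == "__main__":
    removals, before, after = license_review(USER_ROLES, USER_USAGE)
    for user, roles in removals.items():
        print(f"{user}: mark for removal {roles or 'nothing'}")
    print("before:", before)
    print("after: ", after)
```

The review is role-level, matching the UAR: a role stays if any of its actions was used, so a user who exercised only the display transaction of a wide role keeps the whole role (and its license category). That is exactly the case the role remediation process earlier in the deck addresses, by splitting such roles before the next review.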
Advantages of Using GRC Reports to Prepare for License Audits
GRC reports enable administrators to proactively remove user access prior to running the USMM report.
• GRC consolidates data in a single location that would otherwise need to be pulled manually and manipulated from the backend
• UAR and Action Usage reports are leveraged to easily determine the frequency of transactions executed by individual users
• By removing excess user access, total SAP licensing costs are reduced
⬧ Some users’ license types are moved to a lower rank
⬧ SAP licenses for users not utilizing SAP are removed
Wrap-up
Where to Find More Information
• https://www.protiviti.com/sites/default/files/united_states/insights/grc-platform-considerations-whitepaper-protiviti.pdf
⬧ Governance, Risk and Compliance Platform Considerations, Protiviti white paper
• http://tcblog.protiviti.com/2018/05/07/after-security-remediation-and-redesign-whats-next/
⬧ After Security Remediation and Redesign: What’s Next?, Protiviti blog
• https://help.sap.com/viewer/5cae1bc9a72348389e91183714220e30/12.0.03/en-US/4e56dbfdd48028d6e10000000a421bc1.html
⬧ Introduction to SAP Access Control
• http://images.learnmore.protiviti.com/Web/Protiviti/%7Bc8b45210-1988-4693-be2c-b3aafe151d23%7D_Protiviti_SAP_S4HANA_Security_Roundtable_111318.pdf
⬧ SAP S/4HANA Security & GRC 12.0 Roundtable event presentation hosted by Protiviti & SAP
• https://www.protiviti.com/US-en/insights/dont-leave-grc-behind
⬧ Moving to SAP® S/4HANA? Don’t Leave GRC Behind, Protiviti white paper
Key Points to Take Home
A phased implementation approach will allow for:
⬧ Quicker adoption of key functionality
⬧ Improved business acceptance of change
GRC reports can be leveraged to help with role remediation efforts
Upon completion of the role remediation process, BRM can be used on an ongoing basis to ensure roles remain SOD free
GRC reports can be utilized outside of their conventional use
⬧ Leverage GRC to proactively remove unnecessary user access prior to
performing the license audit, which may lead to a drastic reduction in
licensing costs
Thank You
Any Questions?
Your Turn!
Susan Santos
https://www.linkedin.com/in/susan-santos-124a13b7/
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
Disclaimer
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026. Copyright © 2019 Wellesley Information Services. All rights reserved.