
GRC Guide Note

The GRC and SOD Projects implemented the first phase of SAP's GRC tool and cleaned up SOD violations for two departments in June 2013. This included developing new roles, responsibilities, processes, and reports. Documentation and training materials were created covering the new roles and responsibilities, five security and governance processes, 17 GRC reports and reference guides, additional documents, and training presentations and packages.

Uploaded by hossainmz

GRC & Segregation of Duties (SOD)

The GRC and SOD projects completed the first phase of implementing the SAP GRC tool, and of
cleaning up SOD violations for VPF and IS&T users, in June 2013. As part of these two
initiatives, new roles and responsibilities, processes, and reports were developed.
Documentation and training materials on each of these can be found below.

On This Page

1.0 GRC Roles & Responsibilities
    Risk Owners
    Role Owners
    Business Analysts (BAs)
    Business Systems Analysts (BSAs)
    All Users (During SOD Project)
2.0 SAP Security & Governance Processes
    Process 1: New or Amended Roles
    Process 2: Mitigation Analysis
    Process 3: New Users and User Role Provisioning
    Process 4: FireFighter Users and Roles
    Process 5: Periodic Compliance
3.0 GRC Reporting
    3.1 Job Aids
    3.2 Reference Documents
4.0 Additional Documentation
    4.1 SOD Analysis Steps
    4.2 GRC Change Events
    4.3 Proposed GRC Forms
    4.4 GRC & SOD Terminology
5.0 Training Materials
    5.1 Training Presentations
    5.2 Training Packages

1.0 GRC Roles & Responsibilities

For users with new GRC-related responsibilities, the quick reference guides below give, for
each role, an overview of the processes in which that role is now involved and the tasks for
which it is now responsible. Also included, for future reference, is an overview of all
responsibilities as they were defined during the project.

Risk Owners

Roles and Responsibilities Risk [Link]

Role Owners

Roles and Responsibilities Role [Link]

Business Analysts (BAs)

Roles and Responsibilities [Link]

Business Systems Analysts (BSAs)

Roles and Responsibilities [Link]

All Users (During SOD Project)

Roles and Responsibilities [Link]

2.0 SAP Security & Governance Processes

Detailed process documentation was created for five new GRC-related processes. This
documentation includes both flowcharts and detailed descriptions of each step, including the
person responsible and details of the task to be completed.

Process 1: New or Amended Roles

Process 1 New or Amended [Link]
Process 1 New or Amended [Link]
GRC Process 1 - New or Amended [Link]

Process 2: Mitigation Analysis

Process 2 Mitigation [Link]
Process 2 Mitigation [Link]
GRC Process 2 - Mitigation [Link]

Process 3: New Users and User Role Provisioning

Process 3 New Users and User Role [Link]
Process 3 New Users and User Role [Link]
GRC Process 3 - New users and User Role [Link]

Process 4: FireFighter Users and Roles

Process 4 FireFighter Users and [Link]
Process 4 FireFighter Users and [Link]
GRC Process 4 - FireFighter Users and [Link]

Process 5: Periodic Compliance

Process 5 Periodic Compliance [Link]
Process 5 Periodic Compliance [Link]
GRC Process 5 - Periodic Compliance [Link]

3.0 GRC Reporting

A total of 15 new GRC reports, along with 2 SUIM (ECC) reports, were deployed to users in
IS&T and VPF. Below are the detailed job aids created for each of these new reports, along
with general reference documents for repeated actions related to GRC reporting. A quick
reference guide for reporting is also available here: GRC Reports Quick Reference [Link].

3.1 Job Aids

01  Risk Violations
02  User Analysis
03  Violations Comparisons
04  Access Rule Library
05  SUIM Roles by Role Name
06  User to Role Relationship
06  User to Role Relationship Role Owners
07  Role Relationship with User - User Group
07  Role Relationship with User - User Group Role Owners
08  SUIM Users by User ID
09  Count Authorizations for Users
10  Action Usage by User, Role and Profile
11  Mitigation Control Report
12  User Level
13  User Level Simulation
14  Role Level
15  Role Level Simulation
16  Profile Level
17  Profile Level Simulation

3.2 Reference Documents

R1  Access GRC [Link]
R2  Add or Remove Search Lines to a [Link]
R3  Search for Input [Link]
R4  Save a [Link]
R5  Execute a Background [Link]
R6  Filter a [Link]
R7  Change Your Report [Link]
R8  Export Data from [Link]
R9  Simple [Link]

4.0 Additional Documentation

4.1 SOD Analysis Steps

GRC SOD Analysis [Link]

4.2 GRC Change Events

GRC Change [Link]

4.3 Proposed GRC Forms

Ex Form A_GRC Mitigation Control Change [Link]
Ex Form B_GRC FireFighter Change [Link]
Ex Form C_SAP User or Role Change [Link]

4.4 GRC & SOD Terminology

GRC [Link]

5.0 Training Materials

5.1 Training Presentations

05-23  GRC Training  Business [Link]
06-03  GRC Training  Risk [Link]
06-04  GRC Training  Role Owners - [Link]
06-05  GRC Training  Role Owners - [Link]
06-17  GRC Training  IST [Link]

5.2 Training Packages

GRC Training - Business Analyst (BA)
GRC Training - Business Systems Analyst (BSA)
GRC Training - Risk Owner
GRC Training - Role Owner
