RE:[sap-security] GRC - Compliance Calibrator
| | Posted by chris_van_schijndel (SAP Security Manager) on Mar 30 at 5:26 PM | |
Hi Mark,
There is no functionality like this that I'm aware of - certainly on our older release. I think you might have to approach this from an alternative angle. Here are some options.
1) If you're performing up-front analysis I'm thinking you may well be getting sign-off before assigning conflicting access. If that's the case you're all good - the auditors will simply take a sample of users with conflicts currently and ask for the evidence that the sign-off of the review was obtained. This is essentially what we do - get the conflict and compensating control signed-off up front. We don't store evidence of "clean" simulations or analyses.
2) If you haven't been doing that then you may still have been applying mitigating controls to your risks. If that's the case you can demonstrate that all risks have mitigations and therefore are detected up-front and thus the control is effective, even though you don't have evidence of the up-front reviews as per (1) for the past. Not ideal, but better than nothing.
3) If you really want to show that the analysis was run, and assuming it's run at pretty much the same time as you assign the access, then of course you could attempt to map the date/time stamp of role assignment changes from change history to an SM20 audit log of who ran the CC. Crude and cumbersome but possible. Of course you don't get any joy from new conflicts resulting from transported role changes either.
Honestly speaking, the fact that you run the analysis is neither here nor there in and of itself. The auditor is wanting to see what you do with it once you have the visibility. If you just go ahead and assign the access that's no control at all and obviously adds no value. It's the risk acceptance or provision of compensating controls from the business before conflicting access is assigned that the auditors are going to want to see, so I'd say option 1) or worst case a retro-fit to achieve option 2) are your best ways forward.
Cheers
Chris v S
---------------Original Message---------------
From: mpires100
Sent: Tuesday, March 30, 2010 3:03 PM
Subject: GRC - Compliance Calibrator
> Do you know of a report in Compliance Calibrator that can be run to show whether or not a risk analysis was run for SAP User changes? I am looking for proof that a risk analysis for SOD conflicts was performed, to be used as documentation in the event PWC requests this info during the audit.
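The correlation that option 3 above sketches (matching role-assignment change records against audit-log rows showing who ran the Compliance Calibrator, and only counting a run that precedes the assignment within a short window) can be scripted once both extracts are in hand. The following is an added example, not code from the original post or from SAP/Toolbox.com. The change records and SM20-style rows are constructed sample data; the `CC_RISK_ANALYSIS` event marker, the field names and the four-hour window are assumptions, since the actual audit-log text for a CC run depends on your release and how the tool is invoked.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data (not a real SAP extract): user role-assignment change
# records as you would pull from the user change history.
ROLE_CHANGES = [
    {"user": "JSMITH", "role": "Z_AP_INVOICE", "changed_by": "ADMIN1", "at": "2010-03-29 09:15"},
    {"user": "JSMITH", "role": "Z_AP_PAY",     "changed_by": "ADMIN1", "at": "2010-03-29 09:16"},
    {"user": "MJONES", "role": "Z_MM_PO",      "changed_by": "ADMIN2", "at": "2010-03-29 14:02"},
    {"user": "AKUMAR", "role": "Z_FI_GL",      "changed_by": "ADMIN1", "at": "2010-03-30 08:40"},
]

# Constructed audit-log rows in SM20 style. "CC_RISK_ANALYSIS" is a hypothetical
# marker for "this administrator ran the Compliance Calibrator analysis"; the
# real event text is release-specific and must be checked in your own log.
AUDIT_LOG = [
    {"at": "2010-03-29 08:50", "user": "ADMIN1", "event": "CC_RISK_ANALYSIS"},
    {"at": "2010-03-29 13:30", "user": "ADMIN2", "event": "LOGON"},
    {"at": "2010-03-30 08:45", "user": "ADMIN1", "event": "CC_RISK_ANALYSIS"},  # after the 08:40 assignment
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def correlate(role_changes, audit_log, window=timedelta(hours=4), marker="CC_RISK_ANALYSIS"):
    """For every role assignment, find the latest audit-log row showing that the
    same administrator ran the analysis no more than `window` BEFORE the
    assignment. A run that happens after the assignment is not evidence of an
    up-front check, so it is ignored. Returns one record per change with the
    matching run timestamp or None."""
    runs = sorted((parse(e["at"]), e["user"]) for e in audit_log if e["event"] == marker)
    results = []
    for rc in role_changes:
        assigned_at = parse(rc["at"])
        evidence = None
        for run_at, admin in runs:  # time-ordered, so the last hit is the latest
            if admin != rc["changed_by"]:
                continue
            if run_at > assigned_at:
                break
            if assigned_at - run_at <= window:
                evidence = run_at.strftime(FMT)
        results.append({**rc, "analysis_run_at": evidence})
    return results


def summarize(results):
    """Split assignments into those with a preceding run and those that will
    need other evidence (e.g. the signed risk acceptance from option 1)."""
    uncovered = [r for r in results if r["analysis_run_at"] is None]
    return {
        "covered": len(results) - len(uncovered),
        "uncovered": len(uncovered),
        "needs_manual_evidence": [f'{r["user"]}/{r["role"]}' for r in uncovered],
    }


if __name__ == "__main__":
    res = correlate(ROLE_CHANGES, AUDIT_LOG)
    for r in res:
        print(f'{r["at"]} {r["changed_by"]:7} {r["user"]:7} {r["role"]:13} analysis: {r["analysis_run_at"]}')
    print(summarize(res))
```

Two caveats are worth keeping in mind when reading the output. A time-and-administrator match only shows that an analysis was run shortly before the assignment, not that it covered that user or that its result was acted on, which is exactly why the signed risk acceptance is the stronger evidence. And conflicts introduced by transported role content never produce a user assignment change record, so they are invisible to this join; those still need a periodic full user-level analysis.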
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251