CASE STUDY: An American retailing company
The Need: SOX compliance is a pressing need for every organization, large or small. Having been in the retail business for over four decades, the corporation has stores spread across North America and roughly half a million employees whose access must be managed. It was using Microsoft Active Lifecycle Manager as its user data source and primary identity management (IDM) tool. Without a Segregation of Duties (SoD) tool, ensuring secure access was a cumbersome activity for the information security team, and the business hours lost to it led to the decision to implement SAP GRC Access Control (AC) and integrate it with the existing identity management solution. This company, one of the largest retailers in the United States by sales revenue, needed not only to integrate GRC AC with IDM but also to provide real-time authentication for its SAP systems. The project was aimed at automating SoD analysis and managing access for half a million team members across its stores, warehouses and offices in America and India.
The Challenge: The challenge for the GRC consultant was not only to integrate GRC AC 5.3 with IDM but also to make the AC interface user friendly and easy to use. The customer wanted an automated system that would provide not just single sign-on but a simplified sign-on into all SAP applications, a major undertaking for a retailer of this size. Synchronizing user details from LDAP into the SAP User Management Engine (UME) was never an acceptable solution for them; they needed a real-time, dynamic authentication mechanism integrated with GRC, with user credentials and details fetched directly from LDAP at logon time.
The Answer: Drawing on extensive SAP GRC and IDM experience, we redesigned the user creation and role provisioning process using Compliant User Provisioning (CUP) so that it not only provisions into IDM and the SAP systems but also runs a real-time SoD check through Risk Analysis and Remediation (RAR). To deliver the simplified sign-on, Centrify was configured and integrated with SAP to provide real-time SAP authentication. The entire SAP GRC AC 5.3 suite was designed, built, configured and implemented to provide compliance across the large enterprise environment. Apart from access management, role management was also implemented using the built-in capabilities of AC 5.3 to ensure an integrated and compliant environment. The AC 5.3 implementation with IDM integration was a success, making the corporation SOX compliant and relieving the pressure on stakeholders and business users.
The project was delivered and go-live flagged off!
CASE STUDY: Logistics Company
The Need: The logistics company had been happily using VIRSA 4.0 until its manual access provisioning process was questioned during an audit cycle, which directed it to upgrade the existing VIRSA installation to the latest version. The upgrade required not only knowledge of the new AC 5.2 but also extensive experience with VIRSA 4.0.
The Challenge: Upgrading from VIRSA 4.0 to AC 5.2 is a challenge for any consultant because the two products were built on different platforms. VIRSA 4.0 is a pure ABAP product, whereas AC 5.2 has two parts: a web interface built entirely in Java and a back-end interface through which that front end talks to the SAP systems. It was doubly challenging because the production 4.0 environment could not be disturbed during the upgrade.
The Answer: An Access Enforcer implementation was the primary requirement for answering the questions raised in the client's audit. The workflows for AE 5.2 were designed, documented and configured to provide automated access provisioning with an adequate audit trail.
Keeping the production VIRSA 4.0 system intact, a parallel implementation was performed: the Java component of Compliance Calibrator (CC) 5.2 was installed, VIRSA 4.0 was upgraded to CC 5.2, and the rules from 4.0 were migrated into the new 5.2 rule set to allow close integration between Access Enforcer and Compliance Calibrator. The data migration was completed without loss of existing data and without touching the existing production setup.
The DGN GRC team, comprising former Virsa and SAP GRC experts with comprehensive knowledge of VIRSA and AC 5.2, helped the company not only automate its provisioning process but also carry its existing rules and mitigating controls forward into the new version. The transition from 4.0 to 5.2 was planned, organized and smooth: old wine in a new bottle. A training course was developed and comprehensive knowledge transfer was given to IT, infrastructure, internal audit, stakeholders and representatives from the various lines of business. The team ensured that documentation and learning maps were in place to make maintaining GRC easy after handover to the client.
Case Study: Global Distributing Company
Global Distributor is one of the world's largest distributors of electronic parts, enterprise computing and storage products. In addition to its core distribution services it offers supply-chain and design-chain services, logistics solutions, product assembly, device programming, computer system configuration and integration, and technical seminars.
The company needed to implement an automated Segregation of Duties (SoD) tool with a customizable, flexible approval workflow to manage complex system maintenance and stay SOX compliant.
Customer Challenges: Managing a large user base across different SAP systems while staying SOX compliant is time-consuming and cumbersome. Global Distributor had Central User Administration (CUA) in place to manage its users across its SAP systems, and was using the Risk Analysis and Remediation (RAR) component of SAP GRC Access Control 5.3 to check SoD and the Compliant User Provisioning (CUP) component to automate access approval. Whenever global CUA roles were requested, checking for SoD violations during the approval process was troublesome, and Global Distributor wanted this process to be simple and efficient. It also wanted Single Sign-On (SSO) between the Enterprise Portal (EP) and SAP GRC Access Control (AC) 5.3.
Solution: Using our SAP GRC Access Control expertise and extensive experience in CUA administration, we redesigned the approval workflow so that compliance is enforced whenever a user submits a request to modify access. We gathered requirements from the business, and once they were finalized we designed separate workflows for full-time users, external users, off-boarding and so on. We enabled SSO between EP and AC 5.3 with a simple workaround. The customer was very satisfied and went live in less than two months.
Automated login to AC 5.3 and all SAP systems by enabling SSO
Automated compliance check during user provisioning
Use of the CUA system as the primary system for provisioning
Case Study: Large U.S. Oil Company
This oil company is one of the largest independent petroleum refiners and marketers in the US, supplying fuel and products from 16 refineries and seven ethanol plants.
The client was using Virsa Compliance Calibrator 4.0 (the earlier version of the Risk Analysis and Remediation component of SAP GRC Access Control) and FireFighter 4.0 (the earlier version of the Superuser Privilege Management component). They wanted an automated SoD check, with mitigating control assignment, during user modification and role assignment, replacing their existing reactive process with a proactive one. After evaluating the options, they decided to implement Access Enforcer 5.2 (the earlier version of the Compliant User Provisioning component) for ongoing compliance.
Customer Challenges: The oil company already had a home-grown interface used to create tickets for user access and role assignment in its SAP systems. They wanted to implement Access Enforcer (AE) / Compliant User Provisioning (CUP) without disrupting the look and feel of the end-user interface, with minimal impact on their large SAP user base. The challenge was to integrate AE/CUP with the home-grown ticketing solution.
Solution: The oil company had explored alternatives before selecting DGN as the implementation partner for its specific business needs. DGN GRC experts with extensive integration experience devised a solution to integrate AE/CUP with the client's ticketing system. AE/CUP exposes web services, consumable from Java, intended for integration with identity managers such as Sun Identity Manager and IBM Tivoli Identity Manager (ITIM). Our consultants analyzed these web services, and our in-house Java consultants built a custom Java interface that fetches request data from the ticketing solution and passes it to the AE web services. With this interface the client uses AE/CUP in real time without changing the end-user experience, avoiding the time, effort and cost of retraining that a new front end would have incurred.
Time and cost savings from not changing the end-user experience
Streamlined and automated workflow approval process
SOX compliant user provisioning tool with an audit trail
Improved efficiency and effectiveness of the GRC business processes
Case Study: Global Semiconductor Company
The semiconductor manufacturer is a technology company that collaborates with customers and partners on the next generation of computing and graphics solutions. It develops and manufactures its processors and other products in facilities in the United States.
The company wanted to upgrade an older version of SAP's Segregation of Duties (SoD) tool and implement an emergency access solution.
Customer Challenges: The semiconductor company had been using an older version of the Risk Analysis and Remediation (RAR) component of SAP BusinessObjects (BO) Access Control. An attempt to upgrade from RAR (Compliance Calibrator) 4.0 to SAP BO Access Control 5.2 had failed. They contacted us to complete the upgrade and introduce them to the new features of RAR 5.2. They also wanted to implement the Superuser Privilege Management (SPM) component of SAP BO Access Control 5.2 to manage emergency access and stay compliant for elevated access.
Solution: Drawing on our knowledge of SAP BO Access Control together with a thorough understanding of SAP ABAP and NetWeaver administration, we guided the semiconductor company through a successful upgrade to SAP BO Access Control (AC) 5.2 within two weeks. We advised the business and IT teams on emergency access processes, designed the related business processes, and walked the company through the latest features of AC 5.2. Superuser Privilege Management (SPM) 5.2 was implemented following best practices for the customer's industry. The customer went live with RAR 5.2 and SPM 5.2 in less than two months.
SOX compliant solution for emergency access
Better SoD checking and reporting with the latest version of SAP BO Access Control
Case Study: Global Mining Company
This global mining company is one of the largest companies in the resources industry and a diversified miner, supplying aluminum, coal, copper, iron ore, mineral sands, oil, gas, nickel, diamonds, uranium and silver. The company went through an acquisition and merger phase that grew it to a size at which it went public. As part of this growth it prepared and took the necessary steps to be ready for an audit while staying SOX compliant.
Customer Challenges: The mining company had selected GRC AC 5.3 and, during the implementation, first implemented Risk Analysis and Remediation and next wanted to implement the Compliant User Provisioning component of SAP GRC Access Control (AC) 5.3 to comply with Sarbanes-Oxley (SOX). The Risk Analysis and Remediation component was installed within the project timeline with the usual hiccups. The real challenge began with Compliant User Provisioning (CUP): the client had SAP HR implemented, wanted close integration between SAP HR and the CUP component of AC 5.3, and wanted to ensure that users had completed the required training before being assigned any security roles.
Solution: The DGN GRC team was selected for this challenge after passing strict selection criteria based on past successful implementations, experience, deliverables and pricing. The core DGN GRC team, consisting of former SAP GRC and Virsa experts, took it on using our technical expertise and proven GRC implementation methodology. We gathered the client's requirements and implemented them in CUP. To integrate SAP HR with CUP we used the HR Triggers functionality of CUP, so that HR events such as new hires, employee moves and off-boarding create the corresponding requests in CUP directly from SAP HR. Workflows were set up, and CUP was integrated with the client's Learning Management System (LMS). The successful implementation was received with great admiration for the team.
Streamlined request creation process
The CUP-LMS integration automated the training check and ensured that company policies were adhered to at all times and that users were trained before getting access to new roles.
Time and cost savings for the company, as the redundant step of creating requests manually in CUP was removed
CASE STUDY: Software Company
The Need: This information technology company, with a reputed global presence, had an extensive existing SAP HR implementation and could not become compliant without building on it, so position-based provisioning with audit tracking reports became the key requirement for implementing SAP GRC.
The Challenge: Position-based security is always challenging, and providing position-based access provisioning was without doubt going to be a tough implementation task.
The Answer: With DGN's proven methodology we were able to support production users in parallel while designing, building, modifying and implementing the HR trigger feature of Access Enforcer.
For cohesive integration between Compliance Calibrator (CC) and Access Enforcer (AE), and to ensure compliance standards were met, SAP HR-specific rules were designed and set up in Compliance Calibrator using DGN's experience and expertise.
A documented approach was followed to allow a smooth transition from development to test to production systems. Knowledge transfer and training sessions were scheduled at every stage of the transition to keep the technology team on the same page as the GRC implementation experts.
The go-live transition was completed without issues, to the admiration of all associated teams, and supporting the product for two further quarters was the cherry on the cake for DGN.
CASE STUDY: Pharmaceuticals Company
The Need: The pharmaceuticals company was aiming for compliance and contacted DGN experts to achieve it. It wanted an automated compliance solution that not only met FDA requirements but also enabled easy, secure and safe business for its plants worldwide. The company's IT security team required remediation of existing SoD conflicts throughout the current SAP landscape and enablement of GRC (formerly known as VIRSA) to help them stay clean from then on.
The Challenge: The challenge for the GRC consultant was to remediate SoD conflicts for such a large organization. The project involved a VIRSA 4.0 implementation along with revamping the existing roles.
The Answer: A DGN security analyst was responsible for helping manage the configuration, design, development, testing and implementation of role changes, assisting with security strategy, and providing documented training on the security practices to be followed to stay clean.
Security plans and procedures were well documented, and extensive sessions were held to establish a controlled and compliant environment.
Alongside the DGN security team, the DGN GRC team worked in parallel on setting up VIRSA 4.0 and enabling automated risk analysis to ease the load on the IT security team. The rule set was built, a separate rule matrix was set up to meet the requirements of the company's global plants, and it was verified that all applicable FDA regulations were met.
A security SoD review of all roles was performed using VIRSA 4.0 and the remediation process executed. Once the landscape was clean, the project was handed over to the IT security team and proper knowledge transfer was held to help them support the product going forward.
CASE STUDY: Large Automotive Company
The Need: This Indian automotive company, because of its international presence, needed to be SOX compliant, and the wish to do away with its existing manual risk management processes led it to license SAP GRC. Company policy did not allow on-site consultants, so the primary requirement was to install and implement the product remotely across its ECC 6.0, BI 7.0 and EP landscape.
The Challenge: The major challenge for the engaged GRC consultant was to install the AC 5.3 suite and collaborate remotely with the various stakeholders, business users and technology team to help them achieve compliance. The customer was looking for remote assistance not only with the installation but with completing the implementation project, retiring the existing risk management processes and establishing international compliance.
The Answer: The GRC Basis and functional consultants collaborated with all the teams concerned for a successful installation and implementation of the GRC AC 5.3 suite. The installation was performed on both the ABAP and Java stacks.
RAR, CUP and SPM were installed, designed, configured and closely integrated to make the best use of their capabilities for governance and compliance. To ensure compliance across the company's plants worldwide, organizational rules were built and configured so that conflicting access is evaluated per organizational level, for example per company code or plant, rather than across the whole enterprise.
Product support was provided for a substantial period after go-live, and after successful completion of the internal audit the project was handed over to the security board.
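Two of the case studies above describe the same underlying mechanism from different angles: the oil company wanted a proactive SoD check with mitigating control assignment at the moment a role is requested, and the automotive company needed organizational rules so that a conflict only counts within the same company code or plant. The following Python is an added worked example, not code from DGN, SAP GRC or any client named on this page; it models that risk-analysis step in a simplified form. Risks are pairs of conflicting functions, functions group actions (SAP transaction codes), roles grant actions restricted to company codes, and the requested role is simulated on top of the user's existing access before the request is approved or routed to a risk owner. The rule set, role names, company codes and control IDs are all constructed for the example.

```python
"""Simplified SoD risk simulation for a role request (illustrative, not SAP GRC code)."""
from dataclasses import dataclass, field

# Function ID -> actions (transaction codes). Constructed sample rule set.
FUNCTIONS = {
    "PR01": {"ME21N", "ME22N"},  # create / change purchase order
    "AP01": {"FB60", "MIRO"},    # enter vendor invoice
    "AP02": {"F110"},            # run automatic payment program
    "MM01": {"XK01", "MK01"},    # maintain vendor master
}

# Risk ID -> (function A, function B, criticality, organizational rule?).
# With the org rule on, the conflict only counts inside one company code.
RISKS = {
    "P001": ("PR01", "AP01", "High", True),
    "P002": ("MM01", "AP02", "High", False),
    "P003": ("AP01", "AP02", "Medium", True),
}

# Role -> action -> company codes granted ("*" = all). Constructed sample roles.
ROLES = {
    "Z_BUYER_1000": {"ME21N": {"1000"}, "ME22N": {"1000"}},
    "Z_AP_CLERK_1000": {"FB60": {"1000"}, "MIRO": {"1000"}},
    "Z_AP_CLERK_2000": {"FB60": {"2000"}, "MIRO": {"2000"}},
    "Z_TREASURY_ALL": {"F110": {"*"}},
    "Z_VENDOR_MAINT_ALL": {"XK01": {"*"}},
}


@dataclass
class User:
    name: str
    roles: set
    mitigations: dict = field(default_factory=dict)  # risk ID -> control ID (constructed)


def actions_for(roles):
    """Flatten a set of roles into action -> set of company codes."""
    actions = {}
    for role in roles:
        for action, orgs in ROLES.get(role, {}).items():
            actions.setdefault(action, set()).update(orgs)
    return actions


def shared_orgs(orgs_a, orgs_b):
    """Company codes in which both sides are allowed ('*' matches anything)."""
    if "*" in orgs_a:
        return set(orgs_b)
    if "*" in orgs_b:
        return set(orgs_a)
    return orgs_a & orgs_b


def violated_risks(actions):
    """Return risk ID -> details for every risk the given access violates."""
    hits = {}
    for rid, (fa, fb, crit, org_rule) in RISKS.items():
        side_a = {a: actions[a] for a in FUNCTIONS[fa] if a in actions}
        side_b = {b: actions[b] for b in FUNCTIONS[fb] if b in actions}
        if not side_a or not side_b:
            continue
        if org_rule:
            orgs = set()
            for orgs_a in side_a.values():
                for orgs_b in side_b.values():
                    orgs |= shared_orgs(orgs_a, orgs_b)
            if not orgs:
                continue  # both functions present, but never in the same company code
        else:
            orgs = {"*"}
        hits[rid] = {"functions": (fa, fb), "criticality": crit,
                     "actions": (sorted(side_a), sorted(side_b)),
                     "company_codes": sorted(orgs)}
    return hits


def simulate_role_request(user, new_role):
    """Risk-analyse adding new_role to user and decide whether the request can
    auto-approve or must be routed to the risk owner for mitigation."""
    before = violated_risks(actions_for(user.roles))
    after = violated_risks(actions_for(user.roles | {new_role}))
    new = {rid: info for rid, info in after.items() if rid not in before}
    unmitigated = sorted(rid for rid in new if rid not in user.mitigations)
    return {
        "existing_risks": sorted(before),
        "new_risks": sorted(new),
        "mitigated": sorted(rid for rid in new if rid in user.mitigations),
        "unmitigated": unmitigated,
        "decision": "route_to_risk_owner" if unmitigated else "approve",
    }


if __name__ == "__main__":
    alice = User("alice", {"Z_BUYER_1000"})
    print(simulate_role_request(alice, "Z_AP_CLERK_1000"))  # P001 in 1000: route
    print(simulate_role_request(alice, "Z_AP_CLERK_2000"))  # no shared company code: approve
```

The check only blocks on risks that the requested role introduces and that have no mitigating control assigned to the user; risks the user already carries are reported separately so the approver sees them without the request being held up for something it did not cause. Whether to block on new risks only or on all risks is a policy choice, and so is whether a mitigating control on the user is accepted automatically, so both decisions are isolated in simulate_role_request where they can be changed.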