ACS SIG

This event is kindly being sponsored by Turnkey Consulting.

Chris Haigh, ACS Co-Chair will present to the group Global SAP Security at Kimberly Clark. This will be a brief introduction to the new co-chair and the SAP Security environment at Kimberly-Clark. The security challenges of a global organisation, running nearly every SAP module for 53,000 users world-wide.

Simon Persin from Turnkey Consulting will be joined by Scott Waller and Richard Green from Royal Dutch Shell to deliver the presentation SAP GRC Access Controls Optimised for Operation. The components of the SAP GRC Access Controls Suite are often seen as individual tools designed to address different aspects of an organisations governance, risk and compliance requirements in isolation. While in release 5.3, the components can be deployed individually, the business case is often stronger by combining the capabilities into an integrated solution to have a consistent view of compliance throughout the organisation. However, trying to implement the whole solution at once can involve a complex project often resulting in a confused solution which is difficult to support.

In this session we take a look at the customer experience of integrating these components using real-life deployment examples to explore proven technical solutions for the integration of SPM, RAR and CUP.

We use the experiences of Royal Dutch Shell to provide an example of a phased implementation approach into a truly global organisation. We will look at the deployment and support of RAR and the approach toward introducing further functionality using GRC s CUP and SPM. We will also identify hints and tips for managing the operational use of GRC in a complex business environment.

Aims of the Session

• Understand the benefits of the GRC components in isolation or combined;
• Gain an understanding of customer experiences with implementing integrated GRC solutions.
• Learn technical tips and tricks for the operational use of GRC.

Presentation Outline

1. Introduction and agenda;
2. GRC Components in isolation;
   a. Taking a look at RAR, SPM, CUP and ERM to identify the functionality delivered by the individual components.
   b. Integration points between the components RAR, SPM and CUP.
3. Customer Experience Royal Dutch Shell
   a. Background and Scope;
   b. Phased Approach to implementation Phase 1 RAR, Phase 2 CUP & SPM / Use of Pilots before global roll out.
   c. Implementation experiences;
   d. Lessons Learnt; Dos and Donts.
4. Operations and Support for the tools in a global SoX environment.
   a. Tasks required from support team;
   b. Global vs local changes;
   c. Risk areas and controls.
5. Conclusions, Questions and close.

Alan Toomey, ACS Co-Chair, will deliver SAP Audit & Security Top 20 Risks

1. Default IDs in the systems
2. Use of default profile of SAP_ALL
3. Use of default profile of SAP_NEW
4. Authentication controls
5. Control of several key basis transactions
6. Controls over customized objects
7. Controls over customized programs
8. Controls over customized transactions
9. Controls over customized tables
10. Generic IDs
11. Change control
12. Obsolete/Inactive users on the system
13. Protection of the SAP* account
14. Programming standards for customized programs
15. System production locks
16. Job Termination
17. Locked Transactions
18. Validate Users
19. All Transaction Start Authority
20. Authorisation Groups

Chris Haigh from Kimberly Clark will present to the group Upgrading to ECC6 - On the other side of the world. How the recent upgrade of the Asia Pacific SAP system, was done. Lessons learnt, issues overcome and the approach we successfully used on a 4.6c to ECC6.0 technical upgrade for some 6,000 users.

Paul Jackson from SAP will present a session on SolMan? This will an insight into:

• What is the Solution Manager?
• What Solution Information is available for Audit & Controls?
• How can we Go Forward with SolMan?