2013 GRC Value Award: Control Monitoring & Assurance
GRC 20/20 Research awarded SAP its 2013 GRC Value award in the Control Monitoring & Assurance category. When SAP was implemented at a large multinational beverage corporation, during the first year, the company was able to remove more than 4,000 invalid system IDs, implement a process to remove roles from users if the role is not used within 120 days, and decrease license maintenance costs by identifying and removing unused access assignments for users and roles.
SAP Access Control automates the process of detecting, remediating and ultimately preventing access risk violations. Automation with SAP Access Control extends beyond risk analysis to automation of user and role assignments with these features:
- Automatic detection and remediation of access risk violations across SAP and non-SAP systems
- Automated review of user access, role authorization, risk violation and control assignment
- Periodic access reviews and centralized closed-loop super-user management
- Process-embedded compliance checks and mandatory risk mitigation
- Self-service workflow-driven access requests and approvals
- Comprehensive audit trails of user and role management activities
The SAP Access Control solution is suitable for any business of any size that requires real-time visibility into their current risk position. Users can accurately manage reduce unauthorized access, fraud and the cost of compliance.
Moving from a scattered system to a precision tool
SAP Access Control's success with the leading multinational beverage corporation meant the company could move away from its legacy disparate provisioning processes spread over multiple systems. The old system had a lack of visibility, so the company could not get a handle on how roles were used or who held which roles – in fact, they had found that there were a high number of roles being maintained in the system that were no actually used by any users — thousands of inactive roles were removed from users, and about 4,000 unused system IDs were removed as well.
In the old system, it took two to four weeks to provision user access to perform their primary work tasks. The provisioning system was scattered across the enterprise in disparate systems, with little real visibility. This lack of visibility also meant the different parts of the business had poor awareness of the importance of identity and access management, and didn't have much involvement in the process.
A new solution that works, and drives down risk
This leading multinational beverage corporation has standardized their user provisioning and user access review processes, resulting in decreased time to provision access, decreased risk exposure, and decreased software licensing maintenance costs. The new system provides a sustainable process for measuring accurate access assignments, automation and consolidation of of processes, increased analytics for maintaining efficient user and role assignments and continued and increased insight and visibility to risk.
The new system decreases time to provision a new user from two to four weeks to about three days. This change in process also resulted in a decrease in the number of roles and users maintained by the system.
To prevent the buildup of unused roles and save on license maintenance costs, the system implemented a process to remove roles from users if the role is not used within 120 days. The beverage giant was also able to sunset a number of tools be moving to one standardized provisioning process.
Standardization of processes areas made possible by the SAP Access Control solution brought efficiencies and effectiveness. Risks are addressed in a more controlled manner, and provides increased visibility and insight into risk across multiple systems. Standardized processes also improved decision-making abilities and increases users' ability to do their job in a timely manner due to decreased provisioning time.
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients