Page 1

Case Study: How The Coca-Cola Company Reduced Time and Effort Spent on User Access Reviews with an Automated Role and Security Clean-Up Process

Kyleen Wissell
The Coca-Cola Company

Classified - Internal use

Page 2

Value for The Coca-Cola System is driven by…

• Consumer love for our brands
• Customer satisfaction
• Operating effectiveness

…and it is earned 1.7+ billion times a day with more than 3,500 products in over 200 countries

2 April 2012

Page 3

In This Session …

• We’ll talk about the automation we leveraged in SAP GRC to build more efficient and effective risk management processes, and specifically how we analyzed the traditional manual effort spent reviewing and monitoring access assignments and determined which predictive analytics and insights could be derived to guide our decisions

• To meet this objective, I will share certain foundational efforts we had to accomplish prior to improving the user access review processes

Page 4

What We’ll Cover …

• Background: Our vision for improving access to information
• An overview of the security design leveraged to achieve our guiding principles
• The process we designed for provisioning SAP entitlements
  – What key decision we made which changed the actor responsible for participating in the approval process
• The guiding principles behind more effective user access reviews
• Which activity reviews were automated and how predictive analytics were leveraged
• Role Narratives … the key to maintaining improvements in access controls
• Wrap-up

Page 5

Background: Our Vision for Improving Access to Information

• Vision: Improve security processes by developing an efficient, sustainable approach for assigning and monitoring access to information systems, utilizing a risk-based approach aligned with business processes
  – Simple
    • Rationalize the number of access roles
  – Scalable
    • Standardize the processes that drive inefficiencies and higher costs
  – Sustainable
    • Increase capabilities for governing

Page 6

Clearly Outlined Problem

[Diagram: a hypothetical user plotted by Who (the user), What (Activity Roles) and Where (Organizational Boundaries: L.A., Eurasia, Pacific, Europe, N.A.)]

Legacy: 107 Roles / 1,898 Update Transactions across 109 Countries
Optimized: 9 Total Roles / 35 Update Transactions, Global

So What?

Show how your user has access to transactions not used in the previous 12 months, to perform activities perhaps not under their control or responsibility area:
• Perform Physical Inventory Adjustment
• Perform MRP Maintenance
• Perform Cash Application

Reminder of why we are doing this (the business case):
• Balance risk vs. cost consideration
• Promote greater productivity and efficiency
• Allow flexibility for future organizational change
• Enable standardization of processes
• Define activities once and reuse globally

Page 7

Our Vision: Improve security processes by developing an efficient, sustainable approach for assigning and monitoring access to information systems, utilizing a risk-based approach aligned with business processes

Simple / Scalable / Sustainable

Legacy
• +25,000 SAP Users with +15,000 Roles results in +8,500 hours annually controlling & monitoring access
• Lack of standardization and manual processes cause inefficiencies and higher costs
• Inefficient use of resources and lack of clarity between IT and Business ownership

Final State Optimized
• +25,000 Users with ~1,600 Roles results in increased visibility into who has access to what
• Lower costs due to standardization and automation, increased confidence in how we are managing risk
• Reduced compliance inefficiencies, clear role sort, increased capabilities for growth and more efficient onboarding

Key Solution: Be willing to add up the costs associated with inefficiencies

Page 8

Identified Business Need

Utilized a risk-based approach aligned with business processes and performed diagnostics to identify where efforts weren’t returning an invested value, e.g., manual compliance efforts

What Did We Do?

• Standardized SAP security design and provisioning, initially across the Finance and Human Resources environments
• Increased business accountability for security access, and increased support for governance oversight
• Supported business process transformation by providing visibility into who/where associates are performing business activities and cleaning up non-job-related access
• Automated, risk-based access reviews to reduce compliance activities and the associated cost
• Expanded risk monitoring across additional SAP environments
• Provided a foundation for role-based security and the path for reducing SAP professional licenses

Changed Mindsets

• Help from business leads to own and manage security risks
• Increased security controls capabilities, shifting focus of resources towards managing risk and away from security maintenance and detective monitoring methods
• Accept living in multiple system worlds until remaining SAP environments are incorporated

Page 9

Outline of the Benefits

Obtain the Value

• Global security design enables associates to see and do more by design, not by mistake
• Access expanded to the Group level and a reduction in access unrelated to the job
• Global security design enables associates to be leveraged across geographies
• Enabling alignment of resources with strategic priorities
• Increasing flexibility of resources so that activities are not tied to physical location
• Enhanced transparency of access information (who is doing what), leveraged to:
  – Provide intelligence to create more centers of excellence
  – Hone strategic capabilities
• Increased opportunities to scale, which provide asset and execution efficiencies that increase shareholder value in the Coca-Cola System and preparedness for our strategic vision
• Security access risks are managed more efficiently and effectively
• Costs for maintaining security are reduced

Implemented standardized processes support company growth and organizational flexibility without increasing the complexity of security access


Page 11

Overview of the Role Design to Achieve Our Guiding Principles

A user’s access is made up of several small definable activities performed in SAP:
– Each activity is accessed via a single role, e.g., AP Invoice Processing
– Each activity is assigned to one of 4 distinct access levels, which is risk-associated and data-classified, linked to the business process

ACCESS DESIGN [diagram, bottom to top: General Use; Common Display / Restricted Display; Update Activity / Special Update; Organizational Boundary Display / Organizational Boundary Update]

LEVEL 1: General User Access “WHAT” NO RISK Activities common to all users, such as printing and inbox, are grouped together into a single role. This is given to every user.

LEVEL 2: Display Access “WHAT” LOW RISK Activities which allow display and reporting only access are grouped by process area into a single role. These activities may be grouped at the process or sub-process level. One or more display roles can be given to a user and provide a display view that is common to all.

LEVEL 3: Functional Access “WHAT” MEDIUM or HIGH RISK Activities which allow update access are grouped by sub-process area and divided into single roles for each part of a more granular activity performed. Profiles are used to provide the correct combination of roles required to complete each distinct activity. Info type and movement type restrictions are built into each role where appropriate.

LEVEL 4: Locations “WHERE” MEDIUM RISK Access is given to a user at the Group level. One or more organizational boundary roles can be given to a user, to allow them to perform activities for multiple locations.

Levels 1 to 3 define “what they can do”; Level 4 defines “where they can do it”.

Page 12

Final Rationalization Results Achieved 90% Reduction of Roles

Human Resources: 386 Roles
• By type: What – 71, Where – 313, Specialty – 0, Template – 2
• By data classification: Internal Use – 22, Confidential – 67, Restricted – 297, Highly Restricted – 0

Finance: 583 Roles
• By type: What – 371, Where – 135, Specialty – 70, Template – 7
• By data classification: Internal Use – 184, Confidential – 253, Restricted – 89, Highly Restricted – 57

Total: 969 Roles
• By type: What – 442, Where – 448, Specialty – 70, Template – 9
• By data classification: Internal Use – 206, Confidential – 320, Restricted – 386, Highly Restricted – 57

• Defining activities once and reusing globally reduces the number of required roles, unless transactions are configured to perform a different activity
• Role naming convention clearly identifies the purpose of the activity for transparency to the requester, approver, end user, and compliance partners
• Organizational boundary roles defined at a higher level enable the user to transact in multiple locations, which are groupings of company codes, plants, sales locations, etc.


Page 14

Actors in the Newly Designed Provisioning Process

1. User completes an Access request form in SharePoint
2. Security team enters GRC request and routes to Business Steward
3. Business Steward reviews request & runs risk analysis prior to decision
4. Role Approver reviews business justification and makes approval decision
5. Access is provisioned and measured against a 3-day SLA

Post Deployment Workflow:
• KEY DECISION: The approval process shifted from Manager Approval to Business Steward-centric approval. These resources have a combination of security and internal controls backgrounds and sit at the Group level. They have knowledge of whether mitigating controls can be applied or whether the risk should be remediated, e.g., access removed.
• We assessed what additional capabilities needed to be developed and began holding regularly scheduled User Group calls with Business Stewards and Role Approvers, leveraged to deliver training, provide status updates and discuss or raise issues and concerns.
• Given that we are developing a road map for role-based security provisioning, we felt that a greater focus and a sustainable investment in building capabilities for stewarding access management was warranted, subsequently reducing the investment and focus on seeking manager approvals and manager involvement in user access reviews.

The key win is delivering a standard approach that is flexible and faster, but controlled and consistent.

Page 15

RACI Chart Developed for Access Initiators, Business Stewards, Role Approvers & Security Operations

Responsible (R): Does the task
Accountable (A): Makes the decision
Consults (C): Provides input
Inform (I): Kept in the loop

* Security Operations = Help Desk & SAP Security

RACI ASSIGNMENTS

Task # | Task Description | Capability Example | Requestor | Access Initiator | Business Steward | Role Approver | Security Operations*
1 | Identify need for change in access | Ability to identify what system and what process | A/R | - | C | C | C
2 | Enter request for access | Knowledge of how to enter a GAM request on the GAM SharePoint or through local request process | A/R | C | C | C | C
3 | Analyze Access Request Form for completeness and validity; identify GAM roles needed | Ability to identify if request is a valid request | C | A/R | C | C | C
4 | Enter and submit GRC access request in AC | Knowledge and ability to copy a user's profile within the GRC tool | - | A/R | - | - | C
5 | Run initial SOD/SA task of GAM roles requested; document any adjustments | Understanding of the business process the user supports | C | C | A/R | C | C
6 | Submit GRC Request in AC | Submit GRC Request in AC | I | A/R | - | - | C
7 | Process request, perform risk analysis and mitigation | Knowledge and ability to initiate risk analysis | C | C | A/R | C | C
8 | Submit GRC-AC request to Role Owner | Submit GRC-AC request to Role Owner | I | - | A/R | C | C
9 | Process request and perform risk analysis | Ability to initiate risk analysis | C | - | C | A/R | C
10 | Submit AC Request for Provisioning | Submit AC Request for Provisioning | I | - | C | A/R | C
11 | Administer SNC encryption | Determine if SNC is required | - | - | - | - | A/R
12 | Submit AC Request for Provisioning | Submit AC Request for Provisioning | - | - | - | - | A/R


Page 17

Guiding Principles for Periodic Access Reviews

• Process terminations daily with an automated feed into GRC
• Lock inactive users daily after 90 days of inactivity
• Automatically remove a user’s system ID after 180 days of inactivity
  – This has put us on a path for reducing annual maintenance/licensing costs
• Automatically remove inactive roles from a user’s profile after 120 days of inactivity
  – Defined exceptions include infrequently used roles and use which doesn’t generate analytics
    • Radio frequency devices, year-end transactions and roles with only authorizations and objects (organizational boundary & specialty access)
• Trigger an access review when a user’s job formally changes
• Trigger an access review every 180 days for non-employee workers, users with access mitigated by compensating controls, and users with highly restricted or organizational boundary access
• Annually review role content and data classification
  – Required the development of role narratives in GRC

These automated activities have replaced certain manual quarterly access review processes, which weren’t bringing the expected value. We found that analytics and triggers were the key to establishing the most effective review prompts.


Page 19

Predictive Analytics

• We designed several automated reviews within GRC; however, we developed two inactivity reviews using predictive analytics
  – Assumption: Roles without activity after a period of time can indicate lack of need or indicate a minor shift in responsibility
    • Determined 120 days is a pretty good indicator, with some exceptions identified for infrequently used roles, such as expense reporting, purchase order approvals, etc.
  – Assumption: System IDs without activity after a period of time can indicate system access is no longer required
    • Determined 180 days is a pretty good indicator, with some exceptions identified

Page 20

120-Day Role Inactivity Review

• Benefits
  – Maintain an accurate baseline of access assignments, adjusted by regular clean-up and removal of access no longer required or not being used
  – Data input towards standardizing profile assignments
  – Leverage data analytics to drive decisions

• Risks and Mitigation
  – Risk: Remove access that is used more infrequently
    • Mitigation: Develop a list of exceptions and an initial validation process
    • Mitigation: Consider an adjustment to the inactivity trigger, e.g., 120 to 130 days
  – Risk: Remove access that doesn’t register activity
    • Mitigation: Adjust the exception process

Page 21

Approach to Implementation of the Automated Process for Removing Roles for Inactivity

• Get comfortable with what the report from SAP GRC was showing us prior to moving the automated process into production
  – Review users/roles not used in 120 days, targeted to be removed, and make decisions (accept/reject results)
  – Assess whether any incidents occurred as a result of the removal and adjust the exception process, when necessary
  – Review users/roles which were excepted from the process in order to validate results
  – Review available reporting within GRC to develop a communication of results
• Develop a timeline for moving to the automated process, expected to run nightly in GRC without manual intervention
• Encountered Defects During Testing
  – The GRC user action interface did not collect 100% of transactional activity from each target environment, which SAP subsequently resolved

Page 22

Observations from the Initial 120-Day Review

• Initial Inactivity Review Produced
  – Lots of access recommended for removal from executives, senior leadership, and contractors
  – Lots of access removed from employees who had been with the company for a long time (years of travelling from job to job)
  – Some clean-up of migration mistakes when users moved to the newly designed roles
  – Approach to cloning access of users is apparent (absent a process for assigning standardized profiles)
  – Lessons learned: Need to review what was “excepted” where there was never any use, and additionally evaluate whether it would have been removed anyway by the 180-day review

Page 23

180-Day System Inactivity Review

• Benefits
  – Maintain an accurate baseline of legitimate system users
  – Data input towards standardizing profile assignments
  – Reduce costs of maintenance licensing, especially by categorizing types of users, e.g., display versus transactional or power user

• Risks and Mitigation
  – Risk: Remove system ID from a legitimate user who is somehow not generating a last logon date
    • Mitigation: Develop a list of exceptions
    • Mitigation: Consider an adjustment to the inactivity trigger, e.g., more than 180 days

Page 24

Approach to Implementation of the Automated Process for Removing System IDs for Inactivity

• Get comfortable with what the report from SAP GRC was showing us prior to moving the automated process into production
  – Review users showing a last log-on date more than 180 days ago, targeted to be removed, and make decisions (accept/reject results)
  – Assess whether any incidents occurred as a result of the removal and adjust the exception process, when necessary
    • We identified certain activities which were occurring through the Web/portal or a hand-held device which didn’t generate a last log-on date, which drove us to change the exception logic in the program
  – Review available reporting within GRC to develop a communication of results
• Develop a timeline for moving to the automated process, expected to run nightly in GRC
• Encountered Defects During Testing – None
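The guiding principles for periodic access reviews and the two inactivity reviews above (120-day role removal, 180-day system ID removal), as an added Python example that is not part of the deck or of SAP GRC: it applies the 90/120/180-day thresholds, the authorization-only and infrequent-role exceptions, and the no-logon-date exception for Web/portal and hand-held users to a constructed sample population. The data layout, the constant names, and every role name other than FI_COMMON_DSP are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Inactivity thresholds stated on the "Guiding Principles" slide, in days.
LOCK_AFTER = 90          # lock the user ID after 90 days without a logon
REMOVE_ROLE_AFTER = 120  # drop a role from the profile after 120 days without use
REMOVE_ID_AFTER = 180    # remove the system ID after 180 days without a logon

Action = Tuple[str, str, str]  # (decision, target, reason)

@dataclass
class Role:
    name: str
    kind: str                         # "what" = activity role, "where" = org boundary, "specialty"
    assigned: date                    # date the role was added to the user's profile
    last_used: Optional[date] = None  # last transaction GRC saw for it; None = never used
    infrequent: bool = False          # exception list: expense reporting, PO approval, year-end

@dataclass
class User:
    user_id: str
    last_logon: Optional[date]        # None = GRC holds no last-logon date at all
    terminated: bool = False          # arrived on the daily termination feed
    portal_or_device: bool = False    # works only via Web/portal or a hand-held device
    roles: List[Role] = field(default_factory=list)

def days_since(when: Optional[date], today: date) -> Optional[int]:
    return None if when is None else (today - when).days

def review_roles(user: User, today: date) -> List[Action]:
    """120-day role inactivity rule with the exceptions the deck lists."""
    actions: List[Action] = []
    for r in user.roles:
        if r.kind in ("where", "specialty"):
            # Org-boundary and specialty roles hold only authorizations/objects: no usage analytics.
            actions.append(("except", r.name, "authorization-only role, no usage analytics"))
        elif r.infrequent:
            actions.append(("except", r.name, "infrequently used role on the exception list"))
        else:
            # A never-used role is measured from the day it was assigned.
            idle = days_since(r.last_used or r.assigned, today)
            if idle > REMOVE_ROLE_AFTER:
                why = "never used" if r.last_used is None else f"unused for {idle} days"
                actions.append(("remove_role", r.name, why))
            else:
                actions.append(("keep", r.name, f"activity within {REMOVE_ROLE_AFTER} days"))
    return actions

def review_user(user: User, today: date) -> List[Action]:
    """One user's nightly decision: termination feed, 180/90-day ID rules, then roles."""
    if user.terminated:
        return [("remove_id", user.user_id, "terminated via daily HR feed")]

    if user.last_logon is None and user.portal_or_device:
        # Web/portal and hand-held activity produced no last-logon date: except, do not delete.
        return [("except", user.user_id, "no logon date; Web/portal or device user")]

    idle = days_since(user.last_logon, today)
    if idle is None or idle > REMOVE_ID_AFTER:
        reason = "no logon recorded" if idle is None else f"no logon for {idle} days"
        actions: List[Action] = [("remove_id", user.user_id, reason)]
        # 120-day lesson learned: record excepted roles the ID rule removes anyway.
        for r in user.roles:
            if r.kind in ("where", "specialty") or r.infrequent:
                actions.append(("note", r.name, "excepted role removed with the ID"))
        return actions

    actions = []
    if idle > LOCK_AFTER:
        actions.append(("lock", user.user_id, f"no logon for {idle} days"))
    actions.extend(review_roles(user, today))
    return actions

def run_nightly(users: List[User], today: date) -> dict:
    return {u.user_id: review_user(u, today) for u in users}

# Constructed sample population (not data from the deck). Role names follow the deck's
# P08:S:<process>:<area>:<activity> pattern; only FI_COMMON_DSP appears on the slides.
TODAY = date(2012, 4, 2)
SAMPLE = [
    User("U1", date(2012, 3, 30), roles=[
        Role("P08:S:PTP:AP:INVOICE_PROC", "what", date(2011, 6, 1), last_used=date(2011, 11, 1)),
        Role("P08:S:RTR:FI:EXPENSE_REP", "what", date(2011, 6, 1), last_used=date(2011, 9, 1),
             infrequent=True),
        Role("P08:S:ORG:NA_GROUP", "where", date(2011, 6, 1)),
    ]),
    User("U2", date(2011, 9, 15), roles=[Role("P08:S:ORG:EU_GROUP", "where", date(2011, 6, 1))]),
    User("U3", date(2011, 12, 15), roles=[Role("P08:S:RTR:FI:FI_COMMON_DSP", "what", date(2012, 2, 1))]),
    User("U4", None, portal_or_device=True),
    User("U5", date(2012, 3, 1), terminated=True),
]

if __name__ == "__main__":
    for uid, acts in run_nightly(SAMPLE, TODAY).items():
        for decision, target, reason in acts:
            print(f"{uid:3} {decision:12} {target:32} {reason}")
```

Running the block prints one decision line per user and role; the "note" rows are the ones the deck suggests feeding back into the exception-list review.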

Page 25

Observations from the Initial 180-Day Review

• Initial Inactivity Review produced:
  – Lots of system IDs targeted for removal from executives, senior leadership, and contractors
  – Many inactive users had an account only for travel expense purposes, and often they have an assistant who is authorized to raise reports on their behalf
  – System IDs for non-employee workers


Page 27

Role Narratives Aid Control Sustainability

What was the mission?
• Actors in the access assignment process and business owners do not always understand the content and purpose of access roles. Our mission was to develop role narratives which explain the purpose of the access granted, including the level of approval required, the primary business users and risk posed, and identification of known conflicts, and which provide the ability to display the technical content, such as transaction codes, company codes and data classification.

What was the objective?
• The objective is to support accurate assignment of privileges based upon user job requirements, reduce the number of provisioning requests rejected or misassigned, aid role owners with the ability to reaffirm role content periodically, and aid business stewards and custodians who periodically review access assignments. Aid better risk management.

What were the benefits?
• Reduced turn-around for access initiators to process a GRC access request, and for resolving follow-up to clarify or correct requests.
• Reduced error rate for correcting assignment mistakes and resubmission after role approver rejections.
• Standardized information for performing user access reviews and onboarding new role or business owners.

Page 28

Role Narrative Example

Workbook: This is an example of a completed Role Narrative with the columns highlighted in yellow.

Business Role Name: RTR: FI – P&L and Balance Sheet Reporting
Technical Role Name: P08:S:RTR:FI:PL_BAL_SHEET_REP
Business Primary Users: Finance
Position Description: Finance users performing end-of-period type activities or those with responsibilities for top-line analysis
Purpose of the Access: Role allows a user to view a quantitative summary of a company's financial condition at a specific point in time, including assets, liabilities and net worth. The first part of a balance sheet shows all the productive assets the company owns, and the second part shows all the financing methods (such as liabilities and shareholders' equity)
Risk: Medium
Known Conflicts: Often mistaken with the FI Common Display role, which is needed to perform most of the basic RTR activities, such as account reconciliation.
Dependent Roles: None
Alternate Roles: P08:S:RTR:FI:FI_COMMON_DSP
Subject Matter Expert(s): Miguel Gonzalez and Debbie Bryan-Hall
Additional Information (Optional):
  Description: The G/L account balance list shows the following monthly figures: balance carried forward at the beginning of the fiscal year; total of the period or periods carried forward; debit total of the reporting period; credit total of the reporting period; debit balances or credit balances at the close of the reporting period (optional). With the Balances in Foreign Currency option, the first five fields are available in the accounts as well as in local currency. At the end of the list, the system displays the following information per local currency: totals per company code; closing total of all company codes.
  Output and Sorting: The sorting method and summarizations can be determined using ALV. The parameter Group Version controls output in the batch header and the default sorting method. Program Called: RFSSLD00 (more output control); Program Called: RFSSLD00 (less output).
T-Codes: S_ALR_87012043 G/L Account Balances


Page 30

Wrap-Up – Reporting of Results to Management

• Developed reporting routines to communicate periodically …
  – How many roles were removed?
  – How many roles removed were never used?
  – What was the risk addressed? Where?
• Initial clean-ups produce the most results
• Next steps also include …
  – Planning for progressing standardized profile assignments
  – Discussions are also taking place to evaluate, IF we had additional predictive analytics, how we could leverage similar activities
    • What access doesn’t generate usage, e.g., authorizations and objects which aren’t grouped with transactions, and Web and portal activity not generating log-on insight

Page 31

7 Key Points to Take Home

1. Intuitive and improved user access reviews are best accomplished with simplified role design and business rules for rationalization of roles

2. Global, standardized GRC user provisioning workflow for access assignments coupled with accurate assignment is a best practice

3. Appropriate user access assessments and approvals with access changes to be reflected for inactivity to support managed risk

4. Automated activities have replaced prior manual quarterly access review processes, which weren’t bringing the expected value. We found that analytics and data triggers were the key to establishing the most effective review prompts.

5. Narratives are also key building blocks for sustaining improvements made in access controls

6. Surprise improvement in management of user licensing costs by getting more granular with access assignments

7. The key win is delivering a standard approach that is flexible and faster, but controlled


Page 32

Your Turn!

Questions?

How to contact me: Kyleen Wissell [email protected]
