SAP GRC handbook excerpt: Segregation of Duties (SoD), GRC Principles and Harmonization.
Course outline: GRC Principles and Harmonization. Lesson: Introduction to SAP GRC.
SAP Governance, Risk and Compliance Solutions. SAP governance, risk, and compliance (GRC) solutions provide organizations with a preventative, real-time approach to GRC across heterogeneous environments, enabling complete insight into risk and compliance initiatives, greater efficiency, and a faster response to changing business conditions.

Overview of Access Control. SAP Access Control is an enterprise software application that allows organizations to manage their access governance policies and to monitor for compliance. Users can create requests to access systems and applications. Approvers can review the requests, perform analysis for user access and Segregation of Duties (SoD) risks, and then approve, reject, or modify the requests. Security analysts and business process owners run reports to determine whether violations of SoD or user access policies have occurred. They can identify the root cause of the violations and remediate the risks.
GRC's content framework allows close work with both system integrators and technology service providers to provide out-of-the-box content that gives customers with specific business scenarios a starting point.

Explain the business benefits of an integrated solution. Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance.
Identify and describe key benefits of the enhancements to GRC. Business example: The company is also looking for a more unified platform to reduce the amount of training needed to increase the skills of its workforce, reduce hardware utilization, and reduce the cost of audit services. The common platform will reduce the time needed to train users because the user interface is the same across all three of the mentioned solutions, and it will allow for improved efficiency in IT maintenance.
Common Technical Platform: Purpose and Value. The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions. Sharing is optional because some customers prefer a silo approach, whereas others seek to consolidate and integrate their GRC activities. Streamlined user navigation with shared work centers emphasizes function rather than component.
This significantly reduces duplication of menu items (for example, one inbox, not three) and facilitates sharing of data and functions.

Key Features and Benefits. The menu items that an individual user sees within each work center are controlled by that user's GRC roles. This also enables data shared across components to be viewed differently by different users. For example, the organization field Average Cost per Control can be shown to users authorized for Process Control and hidden from users authorized for Access Control.
Field statuses (required field, optional field, displayed, or hidden) can be selected field by field, by component, or even by regulation, if applicable. Changes to the field status are reflected in the user interface without requiring programming.
Configurable User Interface: Enhancements and Benefits. The configurable user interface allows customers to configure, without programming:
1. Which fields are relevant to regulations, or even to specific regulations
2. Which fields are relevant to each underlying component
3. Which fields should be mandatory, optional, or hidden
4. Which fields can be changed locally and which must be maintained centrally
For Process Control, the assignment of subprocess to organization has been made more flexible to allow local editing of some fields in a control while disallowing editing of other fields.
This lowers total cost of ownership and extends the benefits and functionality of Crystal without the need for a separate SAP BusinessObjects Enterprise server.
Policy Management provides complete lifecycle management for corporate policies, and it aligns policies with risk and compliance management activities. Effective policy management reduces enterprise risk and improves corporate governance by giving management guidance for the organization's behavior, actions, and decision-making processes.
The enhanced, user-configurable rule engine gives customers maximum flexibility in defining their automated rules. You can now monitor a much wider range of back-end systems, consume data from non-SAP systems without needing third-party tools, process asynchronous events, and automatically analyze SAP Basis change logs. CLM also formalizes the ability to export structured content to Excel and check changes back in, an enormous productivity boost for initial implementations, for getting content into GRC from legacy or reference systems, for periodic updates, and for expanding implementations.
Discuss how particular applications integrate with GRC. Business example: You want to use SoD analysis results automatically (weekly or monthly) to mitigate a risk identified in Process Control. Handling some responses for risks appears to be a complicated and time-consuming process involving many resources; therefore, having projects in the appropriate SAP application (Project System) based on such responses is a good way to track response status and completeness. During the internal and external auditing of this fiscal year, auditors address compliance and operational problems outside of the control evaluation cycle.
These issues need to be documented and tracked to improve the organization's compliance status. Creating an issue helps to speed up the identification of risk, which may lead to timely actions being put in place to mitigate exposure. Timely issue resolution prevents spending excessive time and effort resolving the negative impacts that a delayed resolution may cause.

Integration (figure). Organization hierarchy:
- Centrally maintain organizations and the organization hierarchy
- Use one organization hierarchy in the Access Control, Process Control, and Risk Management solutions
- Access the organization hierarchy from Access Control, Process Control, and Risk Management
- Maintain different views of organization structures to adapt them to your needs

Mitigating Controls. You can create mitigating controls within Access Control from the Analysis Results screen after executing User Risk Analysis.
You can also create mitigating controls from the Process Control user interface under Business Processes. To create one from Process Control:
1. Add a mitigating control ID
2. Assign an access risk, a mitigation monitor, and a mitigation approver
When creating more entries with the same name but a different application component, you can specify for which of the components the hierarchy should be used.

Users and Owners. Owners are responsible for the correctness of risks, roles, mitigating controls, and so on. These owners have different responsibilities throughout Access Control; however, only Mitigation Monitors and Mitigation Approvers may be assigned to controls and are therefore shared with Process Control and Risk Management.
Access Control Integration: When an event is triggered in the SAP HR system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in Access Control. The request can be processed through workflow and provisioned to the back-end system by direct assignment or indirect assignment.
Users do not need to complete an access request form. The user is maintained in the HR system. Access Control currently provides integration with IdM solutions for enterprise-wide, compliant provisioning. The integration of Access Control and Identity Management enables customers to deploy an automated, business- and risk-driven Access Control solution enterprise-wide.
With this solution, business owners can control access, security posture, and risk based on business-relevant values without requiring domain-specific knowledge of each IT system.
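The request flow above (a request raised from an HR event, risk analysis run by an approver, mitigating controls created for a risk with a monitor and an approver, and batch violation reports run by security analysts) is easier to reason about with a small working model. The following is an added example written for this page, not SAP code and not SAP-delivered rule-set content: the role names, business functions, risk IDs (P001, P002, C001), control ID, users and dates are all constructed. It generalizes slightly beyond the text by also handling critical-access rules (a single role that is a risk on its own) alongside two-function SoD conflicts.

```python
"""Access risk (SoD) analysis for an access request, with mitigating controls.

Added example for this page; not SAP code. All role names, functions, risk IDs,
control IDs, users and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Roles grant business functions. Constructed mapping: in a real rule set this
# comes from the authorization data behind each role, not from the role name.
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"AP_INVOICE_ENTRY"},
    "Z_AP_PAYMENT_RUN": {"AP_PAYMENT_RUN"},
    "Z_VENDOR_MASTER": {"VENDOR_MAINTAIN"},
    "Z_AP_DISPLAY": {"AP_DISPLAY"},
}

# SoD risks: two functions that must not be held by the same user.
SOD_RISKS = {
    "P001": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RUN", "High"),
    "P002": ("VENDOR_MAINTAIN", "AP_PAYMENT_RUN", "High"),
}

# Critical access rules: a single role that is a finding on its own.
CRITICAL_ROLES = {"Z_ALL_FI_EMERGENCY": "C001"}


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    risk_id: str
    user: str
    monitor: str      # mitigation monitor
    approver: str     # mitigation approver
    valid_from: date
    valid_to: date


def functions_for(roles):
    """Flatten a set of roles into the business functions they grant."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def is_mitigated(user, risk_id, controls, as_of):
    """A control only counts while its validity window covers the analysis date."""
    return any(c.user == user and c.risk_id == risk_id
               and c.valid_from <= as_of <= c.valid_to for c in controls)


def analyze_user(user, roles, controls, as_of):
    """Return a sorted list of (risk_id, level, status) for one user's role set."""
    findings = []
    funcs = functions_for(roles)
    for risk_id, (f1, f2, level) in SOD_RISKS.items():
        if f1 in funcs and f2 in funcs:
            status = "mitigated" if is_mitigated(user, risk_id, controls, as_of) else "open"
            findings.append((risk_id, level, status))
    for role in roles:
        if role in CRITICAL_ROLES:
            risk_id = CRITICAL_ROLES[role]
            status = "mitigated" if is_mitigated(user, risk_id, controls, as_of) else "open"
            findings.append((risk_id, "Critical", status))
    return sorted(findings)


def evaluate_request(user, current_roles, requested_roles, controls, as_of):
    """Simulate an access request (for example one raised by an HR hire event).

    The analysis must run on the union of existing and requested roles: a role
    that is harmless on its own can complete a conflict with a role the user
    already holds. Returns (decision, findings).
    """
    findings = analyze_user(user, set(current_roles) | set(requested_roles), controls, as_of)
    open_risks = [f for f in findings if f[2] == "open"]
    return ("approve" if not open_risks else "route_to_risk_owner"), findings


def violation_report(assignments, controls, as_of):
    """Batch report over a user population: user -> list of open risk IDs."""
    report = {}
    for user, roles in assignments.items():
        open_risks = [f[0] for f in analyze_user(user, roles, controls, as_of) if f[2] == "open"]
        if open_risks:
            report[user] = open_risks
    return report


# Constructed sample population and analysis dates.
SAMPLE_CONTROLS = [
    MitigatingControl("MC-0001", "P001", "jdoe", "ap_manager", "cfo",
                      date(2024, 1, 1), date(2024, 12, 31)),
]
SAMPLE_ASSIGNMENTS = {
    "jdoe": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"},
    "asmith": {"Z_VENDOR_MASTER", "Z_AP_DISPLAY"},
    "fflast": {"Z_ALL_FI_EMERGENCY"},
}
IN_WINDOW = date(2024, 6, 1)
AFTER_EXPIRY = date(2025, 6, 1)

if __name__ == "__main__":
    print(evaluate_request("jdoe", {"Z_AP_INVOICE_ENTRY"}, {"Z_AP_PAYMENT_RUN"}, SAMPLE_CONTROLS, IN_WINDOW))
    print(evaluate_request("jdoe", {"Z_AP_INVOICE_ENTRY"}, {"Z_AP_PAYMENT_RUN"}, SAMPLE_CONTROLS, AFTER_EXPIRY))
    print(violation_report(SAMPLE_ASSIGNMENTS, SAMPLE_CONTROLS, AFTER_EXPIRY))
```

Two points this makes concrete that the prose does not: analyzing the requested role in isolation reports nothing, so the approver must simulate the union of existing and requested access; and a mitigating control is only an answer while it is valid, so the same user reappears in the violation report the day after the control expires unless it is renewed.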
The integration scenarios are GRC-driven provisioning and IdM-driven provisioning.

Integrations for Process Control. Process Integration: Process Integration allows you to monitor deficiencies in other systems. The Process Integration proxy must be completed before you can proceed on the portal. Process Integration job result: configure Process Integration, then create an automated monitoring job to test for control deficiencies.
Results appear both in the Job Monitor and, if the deficiency is high or medium, as a workflow task.

Risk Management Integration. Risk Management integrates with several other systems to help users identify and manage risk from one location.
The project is actually maintained by a Project Manager or another responsible person; Risk Managers may only track the current status of the project they created. The current status is obtained by a periodic background job. To see it, the Risk Manager just opens the response. (Figure: Integration with Project System, process flow.)

Plant Maintenance Integration. Some responses for risks require that service, maintenance, or quality inspection procedures be performed on technical objects or fixed assets.
Therefore, automatic creation of Plant Maintenance notifications directly from Risk Management can be helpful. A notification is actually processed by a Plant Maintenance manager or another responsible person; the Risk Manager may only track the current status of the notification created.
The current status is obtained by a periodic background job. To see it, the Risk Manager just opens the response. Having these risks in Risk Management as well allows users to track all the enterprise risks with one application, Risk Management. To see this, the Risk Manager just opens the analysis.

Issue Management Integration. Features include: ad hoc issues can be created during the Aggregation of Deficiencies and Sign-Off level, but currently are not considered.
If you create an issue while working these tasks, you do not get an error message.

Policy Management Integration. You can set up automatic updates of response completeness for all responses created based on a policy. Each time the policy status is updated, the response completeness is updated accordingly. To customize the automatic response completeness update based on policy status, execute the task Policy Status and Response Completeness link.
Lesson Summary. You should now be able to perform the lesson objectives listed above.

Questions:

How can you begin to leverage your Governance, Risk, and Compliance programs to optimize performance? Choose the correct answer(s).
A Know your business
B Know business-related risks
C Know compliance and policy requirements
D Know what reserves your company has for litigation

Continuous Transaction Monitoring helps you to confidently manage and reduce access risk enterprise-wide. Determine whether this statement is true or false.

Continuous Transaction Monitoring provides protection against fraud, waste, misuse, and errors. True or false?

Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions.

Implementing policies and supporting regulatory mandates at the departmental level is an example of ______. Fill in the blank to complete the sentence.

The Enterprise Risk Management process allows management to prioritize scarce resources to mitigate the company's highest-risk areas. True or false?

When it comes to managing governance, risk, and compliance efforts, GRC Convergence helps companies:

Enterprise GRC enables organizations to more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management, and access management. True or false?

The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions because some customers prefer a silo approach.

Streamlined user navigation with shared work centers emphasizes each component rather than function.

The Configurable User Interface allows configuration to determine:

Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations?

SoD Integration is between which solution components?

With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components.

Answers:

A, B, C. Knowledge of your business, related risks, and compliance and policy requirements is the starting point for leveraging your Governance, Risk, and Compliance programs to optimize performance.

False. Access Risk Management helps you to confidently manage and reduce access risk enterprise-wide.

True.

Fragmentation. Implementing policies and supporting regulatory mandates at the departmental level is an example of fragmentation.

C. The correct answer is Process Control.

B. The answer is Access Control.

A, B, D. GRC Convergence helps companies reduce costs and required resources, reduce risk exposure, and improve overall business performance.

False. Streamlined user navigation with shared work centers emphasizes function rather than component.

C. The Configurable User Interface allows configuration to determine field status by application component and by regulation.
In addition, authorization concepts and role requirements are discussed as they relate to the user interface. Explain what the information architecture is and why it is important. Explain the harmonization goals of the information architecture. Describe major changes to the GRC information architecture.
Security and Authorizations; View Role Assignments. The buttons, tabs, and other navigation items that you see in the user interface represent the information architecture.

The Importance of the Information Architecture (figure: Information Architecture). The information architecture (IA) determines the presentation of user interface elements: menu structure, tabs, and navigation alternatives. The IA presents the application or solution to its users and defines much of the initial user experience.
Harmonization Goals of the Information Architecture. Goals of information architecture harmonization include: providing a consistent user experience across GRC; optimizing for users of multiple GRC applications by minimizing redundancy and streamlining navigation; and enhancing the user experience while providing users the tools needed to do their job.
Information Architecture Harmonization. The goal of information architecture harmonization for GRC solutions is to provide an easier and more consistent user experience for users who may interact with multiple GRC products. Prior information architecture: users with cross-product responsibilities had to navigate each application separately, and even log in multiple times if Access Control, Process Control, and Risk Management were all used. This also resulted in multiple inboxes, multiple document searches, and so on.
The harmonized information architecture eliminates redundant menu items and varies based upon user authorization. (Figure: Information Architecture.) As an example of streamlining, note that there is a single shared work inbox, no longer multiple inboxes for AC, PC, and RM.
The user navigates the work center tabs based upon the tasks they need to perform or the data they need to access, not the product they wish to use. This better supports the concept of GRC convergence and facilitates appropriate sharing of data and functions.
Exercise 1: Connect to the training environment and log on to GRC.

Task 1: Connect to the Training Environment.
1. Open a browser window and enter the training address (http:...).
2. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop.
1. Click Start > Run.
2. Enter mstsc.
3. Enter the system name provided by your instructor, then click Connect.
4. Enter the password initial.
5. Click OK in the Language dialog box.

Task 3: Log on to GRC. If you do not see the Start button in the lower left corner, you may need to maximize the Remote Desktop window. Enter the password initial, then click the system OK icon or press Enter. Note the user menu items displayed for your user ID.

Task 4: Expand the Governance, Risk, and Compliance node. View the nodes listed here. This is where you perform customizing activities and maintain configuration settings for the GRC solution. Note that there are nodes for shared configuration settings as well as for solution-component-specific configuration settings.

Task 5: Log on to the NetWeaver Business Client.
1. Click through the various work centers and note the work sets under each one.

Task 6: On the Launch NetWeaver Business Client screen, copy the address of the page, ending with the forward slash after nwbc. Click the New icon for a new connection. Enter the following information: for the URL, paste the one you copied. Click OK when finished.

Lesson Summary. You should now be able to perform the lesson objectives listed above.

Security and Authorizations. Lesson Overview. This lesson also identifies key roles and how they are used, as well as what controls the user interface from an authorization perspective.
This also drives what the user will have access to with regard to Work Centers, both in general and in terms of what can be accessed within a Work Center, and Reports.

Security and Authorizations: Authorization Overview (figure: Authorization Changes for GRC; figure: What Can You See?).
The work centers are fixed in each base role. SAP delivers these roles, but they can be modified by the customer. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application. You may see this in the IMG configuration. The service map is then generated dynamically based upon user authorization. That is, if the user does not have authorization to see given application folders or applications, they are hidden from view (not grayed out).

Reminder about how what you see is determined: what the end user sees is determined by a combination of factors, as shown in the figure above.
Exercise 2: View Role Assignments. Locate and review role assignments for business subprocesses via GRC Role Assignment; locate and review role assignments for business subprocesses via Organizations.

Business example: To access specific Process Control or Risk Management data or transactions, you must ensure that entity-level authorizations are assigned within the application. This permits actions on specific entities, such as organizations, processes, subprocesses, controls, and risks.
Via GRC Role Assignment:
1. Enter a time frame (Year), then click Apply.
2. Choose the Subprocess role level.
3. Add a filter for Organizations.
4. Choose Next to continue to the Assign Roles section.
5. Review the roles assigned to the subprocesses listed under the Object header. White space in the role column means that no role is assigned. Roles have been assigned, so do not save your changes.
6. Click Cancel to exit.

Via Organizations:
1. Navigate to the Master Data work center.
2. Choose Organizations under the Organizations work set.
3. Choose any organization from the list, then click Open. Note that the triangle next to an organization means that there are sub-organizations, and the dot next to an organization means that it is the lowest level.
4. Use today's date.
5. Choose the Subprocess tab, then click Assign Subprocess.
6. Choose one or more subprocess(es) from the list, then click Next.
7. Without making any changes, click Finish on the Select Controls step.
8. Choose the first subprocess from the list, then click Open. You should see the subprocess details.
9. Click the Roles tab.
10. Choose a role from the list, then click Assign. Normally you would save your changes, but for the purposes of this exercise, choose Cancel. Do not save your changes.
Solution 2: View Role Assignments (Task 1 as above).

Questions:

The ______ determines the presentation of user interface elements. Fill in the blank.

A key feature of GRC is that users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.

While authorization concepts are similar to prior releases, there are changes in GRC. To access GRC you need: 1. Portal authorization or NWBC authorization; 2. the applicable PFCG base roles; and 3. (third item not given in the excerpt).

If you use Access Control ... True or false?

Which of the following determine what users see in GRC?

Answers:

The information architecture determines the presentation of user interface elements.

B. A key feature of GRC.

A, B, C. SoD risk analysis cannot be performed for entity-level authorization.

Harmonized Navigation in GRC: Work Centers. Lesson Overview. This lesson introduces work centers and their purpose. Harmonized navigation concepts are discussed, as well as how authorizations affect what users can view and access. Hands-on activities include navigating the work centers and assigning a delegate. Identify and access key components of the GRC Work Centers. Navigate the Work Centers and assign a delegate.
Using the Work Center concept, the user can navigate easily to the desired area and have similar actions available on the screen. This helps users find the specific task more efficiently and also makes it easier to manage security between different types of users. Work centers can be organized based on what the customer has licensed. The delivered work centers are shown in the figure (Work Centers in GRC). The default delivered system contains the work centers displayed above; however, your system administrator can customize the work centers to support your organization's preferred structures.
- View, access, and perform workflow tasks assigned to you, including viewing completed reports that you scheduled.
- Perform document searches across all documents (including document content) for which you have authorization.
- Assign delegates to perform your tasks or activities.
- View and process your user data.
The service maps and applications under each work center are controlled by your access. If you are a delegate and choose to work as that person, you inherit their authorization.
My Home Work Center in the Portal. My Home provides a central location to view and act on your assigned tasks and accessible objects. Depending on the products you have licensed, the My Home work center contains these sections:
- Ad Hoc Tasks: enables you to process risk proposals, incidents, and issues, depending on the applications to which you have access.
- My Objects: maintain the GRC objects to which you have access.
- Document Search: search for documents across GRC solutions, including business entities and compliance initiatives.
The search includes documents and hyperlinks, which you can add as attachments. Document Search can only be used if you have activated TREX.
- My Delegation: you can delegate the access rights and tasks of one user, the delegator, to another user, the delegate, for a specific time period or indefinitely. This relates to the PC and RM applications. From the My Home work center, click My Delegation and assign one or more delegates for the desired period. To work as a delegate, from My Home click Change Delegation and choose to work on behalf of yourself or on behalf of another person. This applies to Process Control and Risk Management only.
Delegation does not remove access or forward tasks from the delegator. Instead, it allows the delegate to work with the same access and tasks as if he or she were the delegator. Both the delegator and the delegate can access the system at the same time, as long as they do not access the same objects or activities.

Master Data Work Center in the Portal. The Organizations section of the Master Data work center enables you to define and work with the organizations of your company.
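The delegation rules just described (a delegate acting on behalf of a delegator inherits the delegator's access and tasks for the delegation period or indefinitely; the delegator keeps their own access; the session is either "as yourself" or "as another person") are the kind of thing that goes wrong quietly in a home-grown inbox, so here is a small working model of them. This is an added example written for this page, not SAP's or the handbook's code: the users, authorization strings, task IDs, timestamps and the assumption that a session never merges both users' authorizations are all constructed for illustration.

```python
"""Delegation semantics for a shared work inbox.

Added example for this page; not SAP code. Users, authorization strings, task
IDs and timestamps are constructed. Modelled behaviour: a delegate working on
behalf of a delegator inherits the delegator's access and tasks while the
delegation is valid; the delegator keeps their own access and tasks.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    valid_from: datetime
    valid_to: Optional[datetime]  # None means indefinite


# Constructed authorization and inbox data.
USER_AUTHS = {
    "alice": {"PC:CONTROL_OWNER:ORG_1000"},
    "bob": {"RM:RISK_OWNER:ORG_2000"},
}
INBOX = {
    "alice": ["T-101 assess control C100 (ORG_1000)"],
    "bob": ["T-202 respond to risk R7 (ORG_2000)"],
}
DELEGATIONS = [
    Delegation("alice", "bob", datetime(2024, 7, 1), datetime(2024, 7, 14, 23, 59)),
    Delegation("alice", "carol", datetime(2024, 1, 1), None),   # indefinite
]
DURING = datetime(2024, 7, 5)
AFTER = datetime(2024, 8, 1)


class DelegationError(PermissionError):
    """Raised when a user tries to act for someone who has not delegated to them."""


def active_delegation(delegations, delegator, delegate, now):
    """Return the record that lets `delegate` act as `delegator` at `now`, or None."""
    for d in delegations:
        if d.delegator != delegator or d.delegate != delegate:
            continue
        if d.valid_from <= now and (d.valid_to is None or now <= d.valid_to):
            return d
    return None


def open_session(user, act_as, delegations, now):
    """Resolve the effective principal for a session.

    Returns (effective_auths, tasks, audit). The audit record keeps both the
    real logon user and the principal being acted for, so that actions taken
    by a delegate are attributable to the delegate, not silently to the
    delegator.
    """
    if act_as == user:
        return (set(USER_AUTHS.get(user, ())), list(INBOX.get(user, [])),
                {"user": user, "acting_as": user})
    if active_delegation(delegations, act_as, user, now) is None:
        raise DelegationError(f"{user} has no active delegation from {act_as}")
    # Assumption: a session is either "as yourself" or "as the delegator";
    # the two authorization sets are never merged.
    return (set(USER_AUTHS.get(act_as, ())), list(INBOX.get(act_as, [])),
            {"user": user, "acting_as": act_as})


def can_act_as(user, act_as, delegations, now):
    """Boolean convenience wrapper around open_session."""
    try:
        open_session(user, act_as, delegations, now)
        return True
    except DelegationError:
        return False


if __name__ == "__main__":
    print(open_session("bob", "alice", DELEGATIONS, DURING))
    print(can_act_as("bob", "alice", DELEGATIONS, AFTER))
```

The checks worth carrying into any real implementation are the ones in the test: the delegation window is enforced at session time (an expired delegation gives no access even though the record still exists), an indefinite delegation has no end date rather than a far-future one, delegation is directional (bob acting for alice does not let alice act for bob), and the audit record distinguishes the logon user from the principal acted for. The text's remaining rule, that delegator and delegate should not work on the same object at the same time, is an object-level locking concern that this model leaves out.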
Regulations and Policies gives you visibility into your compliance framework and access to end-to-end policy management. Business objectives relate to strategies and risks, while control objectives are assigned to relevant subprocesses. The Activities and Processes section is where you maintain your company's activities, business processes, subprocesses, and controls. The Risks and Responses section of the Master Data work center enables you to maintain your organization's risk, opportunity, and response catalogs. Use the Accounts section to create account groups that are relevant to your compliance initiatives. Consistency checks are a set of reports that help ensure data validity; these are especially useful during initial implementation and after significant changes. Currently these are for the Risk Management product only. The Reports section includes links to master data reports.
Work Centers (figure). The Critical Access Rules section allows you to identify individual roles and profiles that pose an access risk to your company. If your system uses profiles, you may have defined profiles that pose an access risk; make sure that you designate these as critical profiles. The Exception Access Rules section allows you to eliminate false positives based on organizational-level restrictions. This functionality was created to aid exception-based reporting for organizational rules and supplemental rules. The Generated Rules section shows generated rules and related details, including access risks and functions. The Continuous Monitoring section (not displayed above due to space) gives you access to data sources, business rules, assignment of business rules, and Key Risk Indicators (KRIs). The Scheduling section enables you to maintain schedules for continuous control monitoring and track job progress in the areas of monitoring and automated testing. The Legacy Automated Monitoring section allows you to continue to use automated rules created in Process Control 3. The Reports section of this work center includes reports specifically related to continuous control monitoring setup and execution. The Critical Access Rules section allows you to define additional rules that identify access to critical roles and profiles.
The Generated Rules section allows you to find and view generated access rules. Under Organizations, you can maintain the company's organization structure for compliance and risk management with related assignments. The Mitigating Controls section allows you to manage controls to mitigate segregation of duty, critical action, and critical permission access violations. Superuser Assignment is where you assign owners to firefighter IDs and assign firefighter IDs to users. Superuser Maintenance is where you maintain firefighter, controller, and reason code assignments. Under Access Owners, you manage owner privileges for access management capabilities.

Assessments Work Center in the Portal. The Surveys section of the Assessments work center provides setup of survey components.
Within GRC, surveys are used to obtain information on the existence and evaluation of risks (Risk Management) or the adequacy of controls (Process Control). Surveys are used to carry out assessments of objects such as risks, activities, controls, and policies. The Manual Test Plans section allows you to create manual test plans, which consist of test steps performed to determine whether a control is operating effectively. The Risk Assessments section enables you to create activities to be evaluated for risks and opportunities, such as projects or business processes.
The Incident Management section provides documentation of risks that occur, that is, incidents.
Course Goals:
- Create and copy requests for user access and organizational assignments.
- Configure parameters for periodic access review requests.
- Configure password self-service.
- Maintain risks and critical access rules.
- Define shared master data.
- Guide the customer to recognize and remediate risks.
- Create mitigating controls and assignments based on customer requirements.
- Configure and track audit trails.