GRC100 Course Notes
Governance, Risk & Compliance AVIANCA SAP
This document compiles reference information to answer questions raised during AVIANCA's GRC100 course.
In no case does it represent information that defines the scope of the project; students must obtain that kind of definition directly from the team and the people responsible for AVIANCA's SAP project.
Information on the Web
-
Intro Video (40min)
https://www.youtube.com/watch?v=_EJDeIpuL7Y
https://www.youtube.com/watch?v=eEhLtXeaQFY
-
SAP HELP – GRC 10.1 – Access Control
https://help.sap.com/viewer/product/SAP_ACCESS_CONTROL/10.1.18/en-US
https://help.sap.com/viewer/5cae1bc9a72348389e91183714220e30/10.1.18/en-US
SAP Access Control is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance.
-
SAP HELP – GRC 10.1 – Risk Management
https://help.sap.com/viewer/product/SAP_RISK_MANAGEMENT/10.1.16/en-US
https://help.sap.com/viewer/51bbedc6646d4ff5b35b9d883be390a6/10.1.16/en-US
SAP Risk Management enables an enterprise-wide risk management process as mandated by certain legal requirements and recommended by best practice management frameworks.
-
SAP HELP – GRC 10.1 – Process Control
https://help.sap.com/viewer/product/SAP_PROCESS_CONTROL/10.1.16/en-US
https://help.sap.com/viewer/211202168a4d41749caba30ee97d6c73/10.1.16/en-US
SAP Process Control is an enterprise software solution for compliance and policy management. The compliance management capabilities enable organizations to manage and monitor their internal control environments.
-
SAP HELP – GRC 11.0 – Global Trade Services
https://help.sap.com/viewer/product/SAP_GLOBAL_TRADE_SERVICES/11.0.09/en-US
https://help.sap.com/viewer/bdb1d2fb216941a69f6300006343e977/11.0.09/en-US
-
SAP HELP – GRC BI Content
-
SAP Audit Management
https://help.sap.com/saphelp_fra110/helpdata/en/ab/ce1b52bd543c3ae10000000a441470/frameset.htm
-
Access Control – 4 Components Summary
ARA – Access Risk Analysis
EAM – Emergency Access Management
ARQ – Access Requests
BRM – Business Role Management
An access risk is an object that associates two or more conflicting functions or a critical action and critical permission.
-
SAP GRC False Positive examples
https://blogs.sap.com/2014/06/19/organizational-rules-in-grc-access-control/
-
AC Rule Sets explanation
https://blogs.sap.com/2014/04/22/business-risks-rule-set/
-
AC – Types of Access Risk
Access Control enables you to specify the following types of access risks:
- Segregation of Duties – This is defined as one individual having the ability to perform two or more conflicting functions to control a process from beginning to end without the involvement of others. For example, one person might be able to set up a vendor and process payments, or manipulate sales and customer invoices, to conceal kickbacks.
- Critical Action – Certain functions are so critical in nature that anyone who has access needs to be identified and assessed to ensure the access is appropriate. This is different from segregation of duties risks in that the person only needs to have access to a single function. For example, the ability to configure a production system is considered a critical action regardless of any other access the person might have.
- Critical Permission – Similar to a critical action, there are certain permissions (authorization objects) that are considered critical on their own. For example, having background job administration permissions might be considered critical by certain organizations.
-
ARA for newbies
https://blogs.sap.com/2014/08/27/ara-for-the-new-kid-on-the-block/
-
Blog Alessandro Bunzer
https://people.sap.com/alessandr0
-
SAP Risk Management – Useful Documents, Blogs, Resources, etc.
https://blogs.sap.com/2014/08/28/sap-risk-management-useful-documents-blogs-resources-etc/
-
SAP Process Control – Useful Documents, Blogs, Resources, etc.
https://blogs.sap.com/2014/08/28/sap-process-control-useful-documents-blogs-resources-etc/
-
SAP Access Control – Useful Documents, Blogs, Resources, etc.
https://blogs.sap.com/2014/08/19/sap-access-control-useful-documents-blogs-resources-etc/
-
SAP Fraud Management – Useful Documents, Blogs, Resources, etc.
https://blogs.sap.com/2014/08/29/sap-fraud-management-useful-documents-blogs-resources-etc/
-
SAP GRC Fraud Management Example Video
https://www.youtube.com/watch?v=WiQnab4fL2c
-
SAP HANA R Integration
https://blogs.sap.com/2018/03/02/machine-learning-in-a-box-week-6-sap-hana-r-integration/
-
SAP Audit Management Example Video
https://www.youtube.com/watch?v=n5l4Ef1ZUMs
-
GRC SAP Analytics blog
http://blog-sap.com/analytics/category/grc/
-
GAT – CAPA-Related Initiatives
-
SAP BRF+ Guide and example
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=288916902
-
SAP GRC CLM Guide
-
SAP RM and PS Integration
https://archive.sap.com/discussions/thread/1928197
-
GRC Indirect Entity-Level Controls
https://wiki.scn.sap.com/wiki/display/GRC/Indirect+Entity-Level+Controls
-
SAP Global Trade Services product
https://www.sap.com/latinamerica/products/global-trade-management.html
-
SAP Global Trade Services Roadmap
-
SAP GRC/Solman Integration docs
https://launchpad.support.sap.com/#/notes/2640279
https://archive.sap.com/documents/docs/DOC-22754
-
GRC Entity Level Authorization Concept
https://www.stechies.com/concept-entity-level-authorization-grc-100/
-
GRC Business Role concept in 10.0
https://wiki.scn.sap.com/wiki/display/GRC/Business+Roles+concept+and+usability+in+GRC+AC10
-
AC10.0 BRM Business Role Management
https://www.sap.com/documents/2011/08/58424cab-557c-0010-82c7-eda71af511fa.html
-
Timeframe Concepts