Governance, Risk, and

Compliance Trends
and Techniques in
Higher Education

Sherry Amos
Director, Industry Strategy, SAP

Craig Kennedy
Executive Solution Engineer, SAP

Craig Weisiger
SAP Security Analyst, Baylor College of Medicine
Governance, Risk, and Compliance Trends

Sherry Amos
Director, Industry Strategy, SAP
GRC in Detail

Craig Kennedy
Solution Engineer, SAP
 Context: What does SAP do?

SAP ERP
Student Lifecycle
Financials
Human Capital Management
Supply Chain
Facilities
Analytics

SAP NetWeaver™
PEOPLE INTEGRATION
Multi channel access SAP NetWeaver provides SAP ERP with a
…
Composite Application Framework

Portal Collaboration comprehensive integration platform …

INFORMATION INTEGRATION
„ integrated out of the box
Life Cycle Mgmt

Bus. Intelligence Knowledge Mgmt

Master Data Mgmt

„ delivers the foundation to serve all ERP
PROCESS INTEGRATION
Integration Business
applications
Broker Process Mgmt
„ Business Process Platform (ESOA)
APPLICATION PLATFORM
J2EE ABAP
„ built to extend mySAP ERP and to integrate
DB and OS Abstraction
non-SAP systems
 SAP Solutions for GRC
Providing the framework for an integrated approach to GRC

SAP solutions for GRC

Industries
Life Sciences Chemicals Oil & Gas
„ Standardize components
High Tech Utilities

„ Automate processes
Risk
„ Embed in processes
Enterprise Risk Management

Compliance Access Process Global Environ- GRC

Control Control Trade mental Composites
& Controls

Governance GRC Repository Corporate Sustainability Management

ESOA Platform SONA

Business
Applications and
IT Infrastructure

© SAP AG 2007, EDUCAUSE 2007

 SAP Solutions for GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Risk Management
Questions
 SAP GRC Access Control
Sustainable prevention of segregation of duties violations

Effective
Minimal Continuous
Management Oversight
Time To Compliance Access Management
and Audit
(Get Clean) (Stay Clean) (Stay in Control)

Risk Identification Enterprise Role Compliant User Superuser Privilege Periodic Access
and Remediation Management Provisioning Management Review and Audit

Rapid, cost-effective Enforce SoD Prevent SoD Close #1 audit issue Focus on remaining
and comprehensive compliance at violations at with temporary challenges during
initial clean-up design time run time emergency access recurring audits

Risk analysis, remediation and prevention services

Cross-enterprise library of best practice segregation of duties rules

© SAP AG 2007, EDUCAUSE 2007

 Real-time Compliance 24 x 7…

w Object T - Code Single Role Derived Role Composite Role User

F_BKPF_GSB
FB05 S1
F_BKPF_BUP C1
MIGO
M_MSEG_BWA
MB1A S2

M_MSEG_LGO
SU01
S_TCODE
F-29 S3
C2
M_MSEG_BWE
FK01

F_BKPF_BUK
MB21 S4

M_MRES_BWA
MB01
C3
F_BKPF_KOA
FK02 S5

Access Control

© SAP AG 2007, EDUCAUSE 2007

 Risk Analysis and Remediation (aka Compliance Calibrator)
Getting clean

Initial Risk Analysis and Remediation

• Facilitates collaboration
Risk between Business and IT to
Identification clean up access risks

Risk Elimination
End-to-End
Automation

Reporting
“The clean-up process has
brought a tremendous degree of
discipline to the way we think
Prevention about and manage user access
and authorizations.”
Synopsys Inc.

© SAP AG 2007, EDUCAUSE 2007

 Enterprise Role Definition (aka Role Expert)
Enables enterprise role definition and maintenance in a single location

Centralized Role Management • Reduce cost of role

maintenance
Enterprise SAP GRC
Rules Access Control
Audit log • Ease compliance and avoid
authorization risk
Across applications • Eliminate errors and enforce
best practices
• Assure audit-ready traceability
… and security checks

Role Role Role Role Role Role Role Role

Role
Role 28% time savings in role
management
Compliant enterprise roles Customer Survey, 3/2006

© SAP AG 2007, EDUCAUSE 2007

 Compliant User Provisioning (aka Access Enforcer)
Enables compliant end-to-end provisioning “hire to retire”

Compliant provisioning with dynamic workflow

HR event
Request 100% automated • Embed cross-enterprise
generated
preventive compliance in
Employee
hired/retired
Path workflow—based
on request type and
business process
user attributes
Mgr
• Reduce cost of user
approval Via e-mail administration
Escalation • Improve productivity of end
workflow
users
Risk One-click preventive
analysis simulation • Provide auditable tracking for
auditors
Exception
workflow

Automated
provisioning 100% automated

“We reduced provisioning from 2

… weeks to 2 days”
Rockwell Collins

© SAP AG 2007, EDUCAUSE 2007

 Superuser Privilege Management (aka Firefighter)
Enables compliance-focused emergency access for SAP

Compliant super user access • Close #1 open audit issue

Super user • Avoid business obstructions
with faster emergency response
SAP_ALL • Reduce audit time
• Reduce time to perform critical
New session New session New session New session tasks
Firecall ID Firecall ID Firecall ID Firecall ID
…
SD MM FICO

Log Log Log Log

• Preassigned firefighter IDs

• Access restrictions “Super users and auditors love it”
• Validity dates
Lincoln Electric
• Field-level changes tracked in audit log

© SAP AG 2007, EDUCAUSE 2007

 Management Oversight
Periodic Access Reviews

• Management by exception
Review
Review User Provisioning • Automated, pre-built access
Emergency Access
controls reporting
• Review of roles, users and
mitigation controls
Management
Review
Potential Risks
Review Policy

Review Actual Risks “The SAP applications not only

help ensure good governance and
compliance, they also reduce the
effort involved so that our people
can focus more on the business.”
Xerox Europe

© SAP AG 2007, EDUCAUSE 2007

 Audit
Comprehensive and efficient auditing

1) Validate
via sampling that
changes to access • Equips internal and external
were appropriately auditors to complete
authorized comprehensive and efficient
testing
• Saves audit and audit-related
Internal Audit fees

“[Our audit firm] agreed to use

2) Validate that the SAP GRC Access Control
segregation of duties
risks are appropriately reports in the audit as evidence
mitigated on a sample for control effectiveness. We
basis saved very significantly on time
and money spent on external
audit fees.”
Synopsys, Inc.

© SAP AG 2007, EDUCAUSE 2007

GRC at Baylor College of Medicine

Craig Weisiger
SAP Security Analyst
Baylor College of Medicine
 Background and General Info

Baylor College of Medicine

„ SAP Implementation - 1999
„ Major upgrade / role rebuild in 2003
„ Implemented Virsa VRAT, VFAT and VRMT in 2003
„ VFAT to Firefighter in 2004
„ VRAT to Compliance Calibrator in 2006

Presently on ERP - ECC5, SRM, ESS and Portal

© SAP AG 2007, EDUCAUSE 2007

 Current Environment

Users – 14000
R/3 Roles – 5200
„ Main Roles - 417
„ Composite Roles - 45
„ Derived roles - 2897 Biology Medicine

„ Fund Center Controlling Roles – 1841

SRM Roles – 34 Virology

„ End user assigned roles – 14

„ Communication or support roles – 30

Portal Roles – 10
„ Assigned to users – 4
„ Communications or Support Roles - 6

© SAP AG 2007, EDUCAUSE 2007

 Support and Admin

Decentralized Admin – 60+ (SAM - Security

Admin Module)
„ By Department

Central Support and Role Maintenance – 2

„ All Role Maintenance
„ Central Users Admin
„ Second Level Help Desk
„ Admin Support
„ GRC Management
„ IDM Project Lead

© SAP AG 2007, EDUCAUSE 2007

 The Access Control Suite

FireFighter
„ Widely used with SME and Audit
„ Use a one to one Firefighter account to User
„ Special Roles for Viewing Reports

Compliance Calibrator
„ In place during 3 external audits
„ Audit has found no issues with roles
„ Assignment issues with users
– Mitigation controls moved responsibility to Business Units

Role Expert
„ Have elected not to use at this time due to our role design
„ Would recommend Role Expert for new installations

Access Enforcer – Not installed

© SAP AG 2007, EDUCAUSE 2007

 Key Benefits

Reduce False Positives and focus on analyzing real issues

Catch “low hanging fruit” (e.g. Role analysis)
Focus on SOD issues by functional areas (HR, FI) and/or risk levels
„ Reduce analysis time (BPOs, WPOs, IT)

Assist with mitigation controls (i.e. documentation and risk

acceptance process)
Aid in monitoring actual execution of conflicting critical
transactions
Proactively maintain compliance via simulation
Reduce cost related to Audits
Additionally, provides monitoring capabilities for firefighter access
to Production (i.e. monitor every transaction used during firefighter
session)

© SAP AG 2007, EDUCAUSE 2007

 Key Drivers

Reduce auditing cost

„ Audit effort (Internal Audit)
„ Response effort (BPOs,WPOs, IT)

Proactively mitigate and reduce audit issues

Evaluate the business impact (role changes) prior to implementing

requested change
„ Reducing rework effort
„ Enabling pre-check of SOD issues

Reporting capabilities
„ Real Time
„ Distributed to appropriate Managers

© SAP AG 2007, EDUCAUSE 2007

 SAP Solutions for GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Questions

© SAP AG 2007, EDUCAUSE 2007

 SAP GRC Process Control
Controls process management and continuous controls monitoring

9 Increase confidence in the

Certify

9 9 effectiveness of controls
9 9 9 9 Certify and Sign-off
9 9 (302, Designs,…)
9 9
• Supports end-to-end enterprise control
management with single solution
Monitor

Reduce cost without compromising

Review Exceptions Remediate Issues compliance
• Provides centralized control management
Test Automated
for automated and manual controls
Test Perform
Controls Manual Assessments
Controls
Business Processes Effectively manage business risk
Test

E Yved withn

… 5
S pU
s
R Vn impro entatio
ucti
be e
on nd imp
rod tion a
Ha installa
m
le
• Enables management by exception
4
the AP?

• Prioritizes remediation activities

3

Ye s
12
1 2 11
1 9 10
18
19 of S
8 17
6 7 16
25
26
15
14 24

No
13 23
22
21
20 30
29
28
27

IT Infrastructure • Provides management insight into the

control environment
Document

Process-Control-Objective-Risk

© SAP AG 2007, EDUCAUSE 2007

 SAP
SAP Solutions
Solutions for
for GRC
GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Questions
 SAP Global Trade Services (SAP GTS)

Logistics/ Trade Import/ IT Legal/ SOX

Team Export Officer Team Compliance Team

Increased
Productivity
and
Business
Insight

SAP Global Trade Services

Adaptable
Business Trade
Export Import Restitution
Processes Preference
Management Management Management
Based on Management
Flexible
Technology
Platform
SAP NetWeaver

Integrate
Applications Data Business Partners
Systems,
Data and
Business
Partners ERP
SCM/
CRM Legacy
HTS
ECCN,
Duty SPL
Rules
Of Customer Freight Customs
SRM Rates Data Banks
etc Origin & Supplier Forwarder Agencies
Key Compliance Issues for Higher Education

“Deemed” Exports

Public Domain Exemption

Fundamental Research Exemption

Full-time employee exemption

Educational Instruction Exemption

Government-sponsored research covered by

national security contract controls

ITAR -- “defense articles” and “defense services”,

especially in space research and, increasingly, in
life sciences and nanotechnology research

Other applications of U.S. export controls to faculty

or university research
What agencies are involved?

State Department - International Traffic in Arms Regulation (ITAR) 22 CFR 120-130

The US Department of State, Office of Defense Trade Controls (ODTC), is responsible for items and
information inherently military in design, purpose, or use. Referred to as "defense articles," such items
are found on the US Munitions List, 22 CFR 121 (linked above). Spacecraft and satellites, even if not for
military use, are on the Munitions List, along with their associated systems and related equipment.
Information related to Defense Articles is referred to as "technical data."

Commerce Department - Export Administration Regulation (EAR)15 CFR 700-799

The US Department of Commerce, Bureau of Industry and Security (BIS), has export jurisdiction over
every thing in the United States, although BIS does not require a license for every export. BIS controls
goods and information having both civilian and military uses by including them on the Commerce Control
List, 15 CFR 774. This is also known as the "Dual Use List" (linked above). BIS uses the term
"technology" when referring to information about the goods on the Commerce Control List.

Treasury Department - Office of Financial Assets Control (OFAC) CFR 500-599

The US Department of the Treasury oversees US trade embargo through its Office of Foreign Assets
Control (OFAC). Empowered by the Trading with the Enemy Act and the International Emergency
Economic Powers Act, OFAC enforces anti-terrorism sanctions at our borders and through Customs.
Concerned with the giving of "assistance" to the enemy, the pertinent regulations provide OFAC with
broad authority to interdict vaguely defined "prohibited transactions" involving persons from sanctioned
countries.
How GTS manages Deemed Exports

Universities screen…

Students 1) US Sanctioned Party

Lists
Faculty
Full-Time Employees 2) US Export
Administration
Part-Time Employees
Regulations
Researchers
3) UN Sanctioned Party
Contractors/Consultants
Lists
Visitors
4) Other regulations
Partners
based on industry and
corporate policy

…in the US and globally

 SAP GTS – Global Compliance Across the Organization

Visitor Entrance to Facilities –Screens visitors in real-time through a badging or visitor management system; no extra
steps needed. Centralizes a global audit trail of all visitor screening and results of sanctioned party matching, with alerts
triggered if a match is found.

Foreign National Students and Researchers – Screens all students and researchers against sanctioned parties lists as
well as EAR/ITAR controls. Manages the licensing and exception/exemption requirements

Human Resources Systems – Reviews all business partners, including current employees, external consultants and
applicants against the name, address, country of citizenship and project classification to ensure compliance with US EAR
deemed export regulations.

Web Download Transactions –Reviews web download transactions in real-time against sanctioned parties, US EAR, US
ITAR and OGA regulations.

Travel Itineraries – Screen all travel requests, itineraries and existing trips

Students Security Compliance Human

Team Resources

Alerts and
Business Intelligence

SAP Global Trade Services Rules engine

Integration Management,
SAP NetWeaver Workflow

Ad
Ad Sales
Sales Back-end systems
HR
HR Visit
Visit Download
Download Travel
Travel Hoc
Hoc Reps
Reps
 SAP
SAP Solutions
Solutions for
for GRC
GRC

Access Control
Process Control
Repository
Global Trade Services
Applications for EH&S Compliance Management
Questions
Environment, Health & Safety
Enables Environmental Execution and Legal Compliance

Product Stewardship/Hazardous Tracking

„ Specification Management
„ Rule Based automated classifications (EH&S Expert)
„ Automatic Report Generation and automated Distribution
and Redistribution
„ Label Management
„ Substance Tracking

Workers Health and Safety

„ Risk Assessment
„ Site Inspections / Safety Measures
„ Measurement Management / personal related exposure
profiles
„ Incident/Accident Management
„ Medical Services

Dangerous Goods / Waste Management

„ Regulation Data Management
„ Dangerous Goods Classification
„ Tremcard Management
„ Integration into logistic execution / Automated Dangerous
Goods checks
„ Internal and External Disposal Processing
 SAP EH&S Components

SAP EH&S offers comprehensive and complete business solution

for environment, health and safety management

ÎProduct Safety *
ÎHazardous Substance Management **
ÎDangerous Goods Management Substances
ÎGlobal Label Management
ÎIndustrial Hygiene and Safety
ÎOccupational Health Work
Employee
ÎWaste Management areas
ÎBasic Data & Tools
ÎEH&S Analytics & Reporting
* for producers of hazardous substances (regulatory)
** for users of hazardous substances (regulatory)
One solution for all industries
The World of SAP EH&S

SAP ERP
Human Enterprise Financials/
Capital Asset Research Procurement AR
Accounting
Management Management

Business process
integration

Occupational Industrial Hazardous Product Safety Dangerous Goods Waste

Health Hygiene Substance & Management Management
and Safety Management Global Label
Management

Basic Data and Tools (Specifications Database)

 SAP Environment, Health and Safety (SAP EH&S)
Summary

The business value derived from the most comprehensive,

fully integrated EHS solution includes:

Increase Efficiency
„ Seamless integration with SAP ERP
„ Flexible and easy reuse of master data from SAP ERP

§ Reduce Risk of Non-Compliance

§ § „ Ensure regulatory compliance
„ Transparency by use of a consistent and comprehensive reporting
Reduce TCO
€¥
£$ „ Designed for deployment around the world
„ Adaptive solution based on generic and proven process models,
that can be configured to the individual company needs

“We are now going to integrate EHS business processes such as product safety, dangerous
goods and waste management and industrial health and safety into the existing SAP R/3
environment. This integration is the real power of EH&S and will reduce EHS and other costs
significantly.”
Aventis
 SAP Environmental Compliance

Create regulatory compliance and

control your impact on air, water, soil
Cross-Industry Industry-Specific • Monitor and report environment
compliance issues on plant, corporate

Environ

REACH
CfP
OH IHS HSM PS DG WM
level

• Control compliance activities,

Environmental
management of exception, limit tracking

Compliance
Compliance
Compliance

Product

REACH
SAP
SAP

For
• Support legally and corporate defined
SAP
SAP EH&S
EH&S environmental processes - air and water
emissions and wastes - compliance
reporting and permit management

• Integration in SAP processes and

• Compliance Management production control systems
• Permit Management
• Emissions Management
• Greenhouse Gas Management "As soon as we had SAP Environmental
Compliance in place, people were using that
system almost entirely and stopped using
Excel spreadsheets to conduct calculations,"
Nova Chemicals
 Questions?

Sherry Amos Craig Weisiger Craig Kennedy

Director, Industry Strategy SAP Security Analyst Executive Solution Engineer

SAP Public Services, Inc. Baylor College of Medicine SAP Public Services, Inc.
Washington, DC Houston, TX Newtown Square, PA

E sherry.amos@sap.com E weisiger@bcm.edu E craig.kennedy@sap.com