Discover and detect fraud quickly and efficiently

Bruce Romney, Global Center of Excellence

Shield your company's security

Access risks and user administration

© 2015 SAP AG. All rights reserved. 3

Why is it so hard to manage access and mitigate risk?

Manual processes that are inefficient and costly

The problem is tackled in a fragmented way

The business side does not go deep into technical language

No real-time visibility of risk across the landscape of users and roles

No way to put a specific risk in context with its financial impact


SAP Access Control: access risk management and fraud prevention

Monitor emergency access risks and transactional usage

Certify access assignments

Define and maintain roles in business terms

Automate access assignment

Find and remediate SoD violations

[Figure: the SAP_ALL profile crossed out; legacy access]


Automated access risk analysis based on best practices, with predefined rules for SAP systems. Main benefits:

Precise identification and analysis. Real-time analysis of violations in SAP and non-SAP applications

Simulation of changes to role or user assignments to prevent violations before they are provisioned

Definition of controls to mitigate violations, with visibility into how effective those controls are

Automation and real-time risk analysis


Collaborative and scalable role modeling, supporting technical and business users. Main benefits:

A collaborative process between business owners and technical staff

Role optimization and administration, with reduced redundancy

Role definition under corporate governance

[Figure: the Role Owner, who understands the business requirements, and Security, who understands the technical requirements, are connected through a configurable workflow to the Approver]


Standardized workflow, flexible access requests and customizable views, simplifying the provisioning process. Main benefits:

Business workflows that reduce manual tasks and streamline the access request process

Reuse of existing resources for workflow administration and configuration

Easy, fast self-service role requests

Optimizing user access

[Figure: SOURCE -> CONFIGURABLE WORKFLOW -> RESULT

Sources: SAP Business Suite; other SAP applications; heterogeneous environment; HR systems (SAP HR, PeopleSoft HR, other); IDM systems (SAP IDM, Novell IDM, other); other (AC direct entry, help desk, more…)

Configurable workflow: request -> risk analysis -> approval -> automatic provisioning, with mitigation and an exception workflow branch; also reachable through SAP Mobility]


The challenges continue…

When it comes to Segregation of Duties (SoD), "staying clean" requires significant effort to mitigate violations:

Primarily manual controls and an inability to manage by exception

Lack of visibility into true financial exposure

Governing access and SoD only for ERP is no longer acceptable:

Applications not written in the ABAP programming language require the same approach

Cloud-based applications like those from Ariba, an SAP company, and others

Non-SAP applications like Oracle Hyperion and Microsoft Dynamics


Introducing SAP Access Violation Management by Greenlight Technologies: manage user access based on business impact

SAP Access Control: access risk analysis, user access management, emergency access management, and business role management

Real-time, cross-enterprise control: discovery, aggregation, correlation, and normalization

Accelerated mitigation: automated mitigating controls; exception-based notifications; and user-, role-, and risk-modeling

Reporting, simulation, embedded governance, risk, and compliance; rules and analytics; workflow

Financial exposure of access risk: bottom-line dollar value

Covered systems: cloud and software as a service; business applications; core SAP software; legacy and custom solutions; other instances of SAP ERP


Reprioritize your mitigating control efforts

Before: prioritize efforts based on the processes with the highest number of SoD issues identified

After: prioritize efforts based on the processes with the highest amount of financial exposure due to executed SoD violations


SAP Access Violation Management: customer example 1

Large global oil and gas customer

Knew it had an SoD issue with users who could maintain customer master data and process sales orders, but did not know the extent of the problem.

Paid for a remote engagement, in which SAP Access Violation Management identified that over 6 months, 47 users had maintained customer data and processed sales orders for those same customers with a total value of over €150 million.


SAP Access Violation Management: customer example 2

Large U.S. utility customer

Knew it had an SoD issue with users who could submit purchase orders and enter goods receipts, but believed it was used very rarely and only on an emergency basis.

Went live with SAP Access Violation Management and identified that one user violated this risk for over US$2.8 million in a single month.

Where the dollar values are this high, accepting the risk and applying a mitigating control may not be enough: change must be driven within the business.
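The reprioritization slide and the two customer examples above describe one measurement made in two steps: first the potential violations (who holds both sides of a conflicting function pair), then the executed ones (who actually ran both sides against the same business object, and for how much). The Python below is an added illustration written for this page, not SAP Access Control or SAP Access Violation Management code. The rule ids, role names, user assignments and transaction log are constructed, and the rule shape (a setup function paired with a value-carrying function, matched on the same object) is an assumption chosen to mirror the "same customers" pattern in customer example 1.

```python
"""SoD risk analysis, assignment simulation and financial exposure of
executed violations. Added illustration, not SAP product code; the rule
set, roles, users and transaction log below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical SoD rules: (setup function, value-carrying function).
# A user who can execute both sides holds a potential violation.
SOD_RULES = {
    "S001": ("MAINTAIN_CUSTOMER_MASTER", "PROCESS_SALES_ORDER"),
    "P001": ("CREATE_PURCHASE_ORDER", "POST_GOODS_RECEIPT"),
}
# Constructed role catalogue: technical role -> business functions granted.
ROLE_FUNCTIONS = {
    "Z_SD_CUST_MAINT": {"MAINTAIN_CUSTOMER_MASTER"},
    "Z_SD_ORDER_ENTRY": {"PROCESS_SALES_ORDER"},
    "Z_MM_BUYER": {"CREATE_PURCHASE_ORDER"},
    "Z_MM_WAREHOUSE": {"POST_GOODS_RECEIPT"},
}
# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"Z_SD_CUST_MAINT", "Z_SD_ORDER_ENTRY"},
    "erin": {"Z_SD_CUST_MAINT", "Z_SD_ORDER_ENTRY"},
    "bob": {"Z_MM_BUYER", "Z_MM_WAREHOUSE"},
    "dave": {"Z_MM_BUYER"},
}


@dataclass(frozen=True)
class Txn:
    user: str
    function: str
    obj: str       # business object touched: customer number or PO number
    amount: float  # document value; 0.0 for master-data changes


# Constructed transaction log: what users actually executed.
TXNS = [
    Txn("alice", "MAINTAIN_CUSTOMER_MASTER", "C100", 0.0),
    Txn("alice", "PROCESS_SALES_ORDER", "C100", 120_000.0),
    Txn("alice", "PROCESS_SALES_ORDER", "C200", 50_000.0),  # no master change
    Txn("bob", "CREATE_PURCHASE_ORDER", "PO1", 0.0),
    Txn("bob", "POST_GOODS_RECEIPT", "PO1", 2_800_000.0),
    Txn("dave", "CREATE_PURCHASE_ORDER", "PO2", 0.0),
]


def user_functions(roles):
    """Flatten a set of roles into the business functions they grant."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_violations(user_roles=USER_ROLES):
    """Potential violations: rule id -> users holding both sides of it."""
    hits = defaultdict(list)
    for user, roles in user_roles.items():
        funcs = user_functions(roles)
        for rule_id, (f1, f2) in SOD_RULES.items():
            if f1 in funcs and f2 in funcs:
                hits[rule_id].append(user)
    return {rule: sorted(users) for rule, users in hits.items()}


def simulate_assignment(user, new_role):
    """Preventive check before provisioning: rules the user would newly
    violate if new_role were added to their current roles."""
    before = {r for r, users in find_violations().items() if user in users}
    trial = dict(USER_ROLES)
    trial[user] = USER_ROLES.get(user, set()) | {new_role}
    after = {r for r, users in find_violations(trial).items() if user in users}
    return sorted(after - before)


def executed_exposure(txns=TXNS):
    """Executed violations: rule id -> total value of value-carrying
    transactions where the same user also ran the setup function on the
    same business object."""
    touched = defaultdict(set)  # (user, function) -> objects acted on
    for t in txns:
        touched[(t.user, t.function)].add(t.obj)
    exposure = defaultdict(float)
    for t in txns:
        for rule_id, (f1, f2) in SOD_RULES.items():
            if t.function == f2 and t.obj in touched[(t.user, f1)]:
                exposure[rule_id] += t.amount
    return dict(exposure)


def prioritize_by_count():
    """'Before' ordering: rules with the most users in violation first."""
    hits = find_violations()
    return sorted(SOD_RULES, key=lambda r: -len(hits.get(r, [])))


def prioritize_by_exposure():
    """'After' ordering: rules with the highest executed exposure first."""
    exp = executed_exposure()
    return sorted(SOD_RULES, key=lambda r: -exp.get(r, 0.0))


if __name__ == "__main__":
    print("potential:", find_violations())
    print("dave + Z_MM_WAREHOUSE would add:", simulate_assignment("dave", "Z_MM_WAREHOUSE"))
    print("executed exposure:", executed_exposure())
    print("by count:", prioritize_by_count(), "by exposure:", prioritize_by_exposure())
```

On this data the count-based ordering puts S001 first (two users hold the conflict) while the exposure-based ordering puts P001 first: a single user who exercised the purchasing conflict once for 2.8 million outweighs two users whose customer-master conflict was exercised for far less, which is the reprioritization the slide argues for. The simulation call is the preventive check a provisioning workflow would run on a role request before approval; note that alice's 50,000 sales order on C200 is not counted, because she never changed that customer's master data, so exposure only accrues where both sides of the conflict were actually executed against the same object.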

Internal / external fraud risks


SAP Fraud Management: achieve effective and efficient fraud management

Monitor key performance indicators and create management reports

Manage alert workload with efficient evaluation, qualification and remediation of fraud

Execute mass and real-time detection and stop suspicious business transactions

Define fraud detection strategy through simulation and calibration

Analyze fraud patterns and define detection rules and models


Fraud detection strategy: define detection strategies based on fine-granular criteria

Uses individual weight factors and thresholds

Key benefits

Align to new fraud patterns and adapt quickly to changing fraud behaviours

Reduced effort for users to set up and calibrate fraud detection strategies

Lighter or no need for IT involvement


Simulation and calibration: real-time simulation and calibration of fraud detection strategies

Key benefits

Transparent, real-time information on the impact of new or changed strategies

No misinterpretation of fraud behaviours, thanks to comprehensive ranges of sample data

Reduced false positives and streamlined fraud detection


Advanced alert management: fully integrated, bi-directional fraud processing

Real-time alerting and the option to hold suspicious transactions in business systems to avoid damages

Key benefits

Track fraud as early as possible, before transactions are processed further

Improve the efficacy of the fraud team and increase the ROI of the fraud detection system

Faster fraud processing, to avoid blocking a transaction longer than needed

Early identification of a potential fraud situation lets business users gather more data for their investigation


Comprehensive alert management: leverage advanced inquiry and analysis features

Full insight into all relevant information at your fingertips

Key benefits

Improved accuracy of fraud detection, with fewer false positives and false negatives

Availability of comprehensive and up-to-date information during the investigation avoids double work

Increase investigation ROI by focusing on high-score / high-value cases

Enable existing rules and build additional ones


Enable detection rules. Pre-delivered content: examples for cross-industry use (Public Sector and Insurance have their own rule sets)

Rule categories: conflicts of interest; compliance; vendor and service provider; payments; customer; accounting; purchasing; invoices; travel expenses

Example rules:

Irregularities in purchase orders

Smurfing on outgoing payments (split invoices)

Customer located in a high-risk country

Frequent changes in the master data of a vendor

Irregularities in payments to vendors

Vendor located in a high-risk country

High-value keyword search

Address screening

Accounting documents posted on exceptional dates

Bank account and address in different countries

Irregularities in invoices

Irregularities in travel expenses

Foreign Corrupt Practices Act / Anti-Bribery Act

List screening (e.g. PEP lists)

*Additional results are being delivered within planned service packs
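The detection strategy slide (weight factors and thresholds), the simulation and calibration slide, and the pre-delivered rule list above describe one mechanism: rules fire per document, their weights sum to a score, the score is compared to a threshold, and the threshold is tuned by replaying the strategy over labelled sample data so that false positives drop without losing known cases. The Python below is an added illustration written for this page, not SAP Fraud Management code. It implements three rules modelled on names from the list (smurfing on outgoing payments via split invoices, bank account and address in different countries, frequent changes in vendor master data); the weights, the approval limit, the time window, the vendors, invoices and investigation labels are all constructed assumptions, as is the definition of each rule.

```python
"""Weighted fraud detection strategy with an alert threshold, replayed
against labelled sample data to calibrate it. Added illustration, not
SAP Fraud Management code; rules, weights, thresholds and data are
constructed assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vendor:
    vid: str
    country: str             # country of the vendor's address
    bank_country: str        # country of the vendor's bank account
    master_changes_90d: int  # vendor master-data changes in the last 90 days


@dataclass(frozen=True)
class Invoice:
    doc: str
    vendor: str
    amount: float
    posted: date


# Hypothetical strategy: each rule carries a weight; an invoice raises an
# alert when the summed weight of its triggered rules reaches the threshold.
WEIGHTS = {"SPLIT_INVOICES": 60, "BANK_COUNTRY_MISMATCH": 30,
           "FREQUENT_MASTER_CHANGES": 25}
APPROVAL_LIMIT = 10_000.0  # assumed: invoices below this need only one approver
SPLIT_BAND = 0.8           # "just below the limit" = within 20% of it
SPLIT_WINDOW_DAYS = 3
SPLIT_MIN_COUNT = 3
CHANGE_LIMIT = 3

# Constructed sample data; LABELS are the documents investigation confirmed.
VENDORS = {v.vid: v for v in [
    Vendor("V1", "DE", "DE", 0),
    Vendor("V2", "DE", "KY", 4),  # offshore bank account, churned master data
    Vendor("V3", "US", "US", 0),  # clean master data, but split invoices
    Vendor("V4", "FR", "CH", 0),  # legitimate cross-border banking
]}
INVOICES = [
    Invoice("I1", "V1", 15_000.0, date(2015, 3, 2)),
    Invoice("I2", "V3", 9_500.0, date(2015, 3, 3)),
    Invoice("I3", "V3", 9_800.0, date(2015, 3, 4)),
    Invoice("I4", "V3", 9_200.0, date(2015, 3, 5)),
    Invoice("I5", "V2", 4_000.0, date(2015, 3, 6)),
    Invoice("I6", "V4", 7_000.0, date(2015, 3, 7)),
    Invoice("I7", "V3", 9_900.0, date(2015, 3, 20)),  # isolated, not a split
]
LABELS = {"I2", "I3", "I4", "I5"}


def just_below_limit(amount):
    return SPLIT_BAND * APPROVAL_LIMIT <= amount < APPROVAL_LIMIT


def rule_split_invoices(inv, invoices):
    """Smurfing: SPLIT_MIN_COUNT or more invoices from the same vendor, each
    just below the approval limit, posted within SPLIT_WINDOW_DAYS of this one."""
    if not just_below_limit(inv.amount):
        return False
    near = [i for i in invoices
            if i.vendor == inv.vendor and just_below_limit(i.amount)
            and abs((i.posted - inv.posted).days) <= SPLIT_WINDOW_DAYS]
    return len(near) >= SPLIT_MIN_COUNT


def rule_bank_country_mismatch(inv, vendors):
    v = vendors[inv.vendor]
    return v.country != v.bank_country


def rule_frequent_master_changes(inv, vendors):
    return vendors[inv.vendor].master_changes_90d >= CHANGE_LIMIT


def score(inv, invoices, vendors, weights=WEIGHTS):
    """Return (total score, names of the rules that fired) for one invoice."""
    checks = {
        "SPLIT_INVOICES": rule_split_invoices(inv, invoices),
        "BANK_COUNTRY_MISMATCH": rule_bank_country_mismatch(inv, vendors),
        "FREQUENT_MASTER_CHANGES": rule_frequent_master_changes(inv, vendors),
    }
    triggered = [name for name, hit in checks.items() if hit]
    return sum(weights[name] for name in triggered), triggered


def run_strategy(invoices, vendors, threshold, weights=WEIGHTS):
    """Document ids that would alert (and could be held) at this threshold."""
    return {i.doc for i in invoices
            if score(i, invoices, vendors, weights)[0] >= threshold}


def calibrate(invoices, vendors, labels, thresholds, weights=WEIGHTS):
    """Replay candidate thresholds against labelled data:
    threshold -> (true positives, false positives, false negatives)."""
    result = {}
    for th in thresholds:
        alerts = run_strategy(invoices, vendors, th, weights)
        result[th] = (len(alerts & labels), len(alerts - labels), len(labels - alerts))
    return result


if __name__ == "__main__":
    for th, (tp, fp, fn) in calibrate(INVOICES, VENDORS, LABELS, [30, 50, 60]).items():
        print(f"threshold {th}: TP={tp} FP={fp} FN={fn}")
```

Calibrating over three thresholds shows the trade-off the slides describe: at 30 the cross-border vendor V4 is flagged on the country mismatch alone (one false positive), at 50 every labelled case is caught with none, and at 60 the strategy misses the offshore-bank vendor whose two weaker signals only add up to 55. In a production system the sample data would be historical documents with confirmed case outcomes, and the invoices that alert could be held before payment as the alert-management slide describes.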


Pattern analysis: embedded in, or highly integrated with, SAP HANA

Big Data: terabytes analyzed at the speed of thought; compress large data sets into memory; integrate insights from Hadoop analysis; unleash the potential of Big Data

Predictive Analytics: intuitively design and visualize complex predictive models; bring predictive analytics to everyone in the business

Text Search and Mining: native full-text search; graphical search modeling; UI toolkit


Combining the power of different approaches: SAP Fraud Management covers the full spectrum of fraud detection

[Figure, left to right: known fraud behaviors; unusual behaviors; behaviors similar to, but different from, known ones; unknown fraud behaviors. Known patterns at one end, unknown or complex patterns at the other. Rules at one end, predictive algorithms at the other.]

A hybrid combination of rules and predictive algorithms (pattern analysis) to detect fraud

Thank you!

Contact information:

Bruce Romney

[email protected]


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
