9.) GRC ARA(ACCESS RISK ANALYSIS) Part 1

Access Risk Analysis: Understanding Its Importance

Introduction to Access Risk Analysis

  • The video introduces the concept of access risk analysis, explaining its usefulness and benefits.
  • The term "risk" is defined as the potential for something wrong to happen, particularly in the context of SAP systems.

Types of Access Risks in SAP

  • In SAP, access risks are categorized into three types:
  • SOD (Segregation of Duties) risk
  • Critical action risk
  • Critical permission risk

Segregation of Duties (SOD) Risk

  • SOD refers to separating access based on job profiles to prevent unauthorized actions.
  • An example illustrates that if a person has both vendor master data access and payment approval rights, they could create fake vendors and approve payments, leading to financial loss.
  • Another example highlights that a user with sales order creation access should not also have billing document creation rights for the same order, as this could facilitate fraud.

Critical Action and Permission Risks

  • Critical actions in SAP refer to T codes that can significantly impact system security; examples include BP (Business Partner), SU01 (User Maintenance), and PFCG (Role Maintenance).
  • Users typically do not have unrestricted access to critical T codes like SU01 or PFCG due to their potential for misuse.
  • Critical permissions involve authorization objects that allow significant control over system functions; improper assignment can lead to serious security breaches.

Conclusion on Access Risks

  • The discussion emphasizes the importance of understanding various critical permissions within SAP systems, encouraging viewers to research further on authorization objects and their implications.

Understanding Risk Levels in SAP

Overview of Risk Levels Configuration

  • The configuration of risk levels in SAP can be found under SPRO, specifically in the Governance, Risk and Compliance section within Access Control.
  • There are four predefined risk levels: Low (0), Medium (1), High (2), and Critical (3). Custom risk levels can also be added as needed.

Detailed Explanation of Risk Levels

Low Risk

  • Low risk is exemplified by access to create sales orders using transaction code VA01 and modify customer data with BP or XD02.
  • While a user can create sales orders and change customer information, this may lead to minor miscommunications but does not result in financial loss.
  • Such risks involve minor mistakes that can be corrected later without significant impact on operations.

Medium Risk

  • Medium risk arises when a user has access to both VA01 for creating sales orders and VK11 for maintaining pricing conditions.
  • This combination allows users to potentially apply unauthorized discounts, which could reduce organizational revenue.
  • Proper approval workflows can mitigate these risks, ensuring that discount rates are validated before application.

High Risk

  • High-risk scenarios directly affect an organization's financial standing. For instance, having access to ME21N for purchase orders alongside BP and F110 enables fraudulent activities like creating fake customers.
  • Such actions could lead to unauthorized payments being processed, significantly impacting the organization’s finances.

Critical Risk

  • Critical risks also pose potential financial losses but may include more severe actions than high-risk scenarios. These require careful monitoring due to their potential impact on the organization.

Mitigation Strategies for Risks

Remediation vs. Mitigation

  • To address identified risks, two primary strategies are employed: remediation and mitigation.
  • Remediation involves removing access from users who have excessive permissions; for example, revoking VK11 access from a user who already has VA01 access prevents misuse of discount approvals.

Understanding Access Control and Risk Management

Role Assignment and Access Control

  • Person A is assigned access to VA01 for creating sales orders, while VK11 access will be reassigned to someone responsible for approving discount rates.
  • There is a concern about having only one person handling VK11, which poses a risk due to lack of redundancy in the role.

Mitigation Controls Explained

  • Mitigation controls are necessary when risks are identified; for instance, sales orders created in VA01 should require approval before finalization.
  • Workflows must be implemented so that any created sales order or discount rate goes through an approval process to prevent fraud.
  • Security personnel need to create control IDs in GRC (Governance, Risk Management, and Compliance) systems to monitor these mitigation controls effectively.

Understanding Mitigation vs. Remediation

  • Mitigation involves accepting certain risks while actively monitoring them; it’s about balancing access with oversight.
  • The speaker emphasizes the importance of understanding both remediation (fixing issues after the fact) and mitigation (preventing issues proactively).

Importance of Rule Sets in Risk Management

  • Rule sets are crucial as they define the framework within which risks are assessed; a well-defined rule set ensures compliance and minimizes fraud.
  • A rule set consists of collections of rules generated for various risks, ensuring that all potential vulnerabilities are addressed systematically.

Functions and Permissions Within Rule Sets

  • Risks can arise from single functions or combinations thereof; critical actions often stem from specific T codes like SU01.
  • Functions represent combinations of actions and permissions; it's essential not just to assign T codes but also appropriate permissions during risk analysis.
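The rule-set evaluation described here, together with the remediation and mitigation steps from the earlier sections, as an added example that is not part of the video or SAP's delivered rule set. It assumes a constructed rule set in which a function is a named group of T-codes, a risk is a combination of functions with a risk level, and a single-function risk is a critical-action risk; the risk IDs, function names and control ID are assumptions.

```python
# Constructed rule set modelled on the page's examples; it is not SAP's
# delivered GRC rule set. A function is a named group of actions (T-codes);
# a user "has" a function when their access contains any of its actions.
FUNCTIONS = {
    "SALES_ORDER":   {"VA01"},
    "CUSTOMER_MSTR": {"BP", "XD02"},
    "PRICING_COND":  {"VK11"},
    "PURCHASE_ORD":  {"ME21N"},
    "BUS_PARTNER":   {"BP"},
    "PAYMENT_RUN":   {"F110"},
    "USER_ADMIN":    {"SU01"},
}
# A risk fires when a user has every function in its combination; a single-
# function risk is a critical-action risk. Risk IDs and levels are constructed.
RISKS = {
    "S001": ({"SALES_ORDER", "CUSTOMER_MSTR"}, "Low"),
    "S002": ({"SALES_ORDER", "PRICING_COND"}, "Medium"),
    "P001": ({"PURCHASE_ORD", "BUS_PARTNER", "PAYMENT_RUN"}, "High"),
    "B001": ({"USER_ADMIN"}, "Critical"),
}
LEVEL = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def analyze(access, mitigations=None):
    """Run the rule set against one user's set of T-codes.
    Returns [(risk_id, level, status)] sorted highest level first; status is
    'mitigated' when a control ID is assigned for that risk, else 'open'."""
    mitigations = mitigations or {}
    hits = []
    for risk_id, (funcs, level) in RISKS.items():
        if all(access & FUNCTIONS[f] for f in funcs):
            status = "mitigated" if risk_id in mitigations else "open"
            hits.append((risk_id, level, status))
    return sorted(hits, key=lambda h: (-LEVEL[h[1]], h[0]))


def remediate(access, function):
    """Remediation: revoke every action of one function; returns the new access."""
    return access - FUNCTIONS[function]


if __name__ == "__main__":
    person_a = {"VA01", "VK11", "XD02"}                 # constructed sample user
    print(analyze(person_a))                            # S002 Medium and S001 Low, open
    person_a = remediate(person_a, "PRICING_COND")      # VK11 revoked, VA01 kept
    print(analyze(person_a, {"S001": "CTRL-0001"}))     # S001 remains, now mitigated
```

The remaining Low risk is not removed by the control ID; it stays in the report as accepted and monitored, which is the distinction between mitigation and remediation the page draws.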

Conclusion on Access Risk Analysis

  • The discussion wraps up with a promise of further insights into access risk analysis in future videos, highlighting ongoing learning opportunities related to security management.

Video description

GRC ARA KEY TERMS EXPLAINED