GRC ARA (RISK REMEDIATION)

Understanding Remediation in Risk Management

Introduction to Remediation

• The video introduces the concept of remediation, focusing on how to remediate risks effectively.

• Remediation is defined as the removal of access or specific transaction codes (T-codes), but it involves more than just elimination; it requires a comprehensive thought process.

Creating and Analyzing Roles

• The speaker demonstrates creating a role named "YSSD sod risk" in an S4 HANA system, which includes permissions for creating sales orders and billing documents.

• A high-risk scenario is presented where one individual can create a sales order and process its billing, highlighting the importance of segregation of duties.

Synchronization with GRC System

• When creating new roles, synchronization with the Governance, Risk, and Compliance (GRC) system is necessary; this involves performing an incremental sync for repository objects.

• The speaker notes that user assignments require checking only if they are assigned to users rather than syncing all roles.

Timing for Remediation Activities

• Remediation activities typically occur during implementation projects or after system upgrades when new roles are created based on business process workshops.

• After upgrading systems, organizations must check which roles have been affected by changes and assess any associated risks.

Ongoing Risk Analysis

• Regular risk analysis should be conducted whenever new roles are assigned or existing ones modified post-upgrade to ensure compliance with security protocols.

• Some projects focus solely on remediation and mitigation, aiming for zero risk in their systems through thorough analysis and adjustments.

Performing Role-Level Risk Analysis

• The speaker prepares to conduct a role-level risk analysis for T-codes VA01 (create sales order) and VF01 (create billing document).

• Monthly or quarterly reports are generated to identify high-level risks associated with these actions; permission levels are emphasized over action levels during assessments.

Addressing High-Level Risks

• Upon identifying high-level risks from the analysis, one approach is to separate conflicting T-codes into different roles to maintain proper segregation of duties.

Understanding Role-Level Simulation for Risk Mitigation

Introduction to Role-Level Simulation

• The discussion begins with the importance of role-level simulation in assessing whether risks can be mitigated by removing specific T-codes from roles.

• A practical example is provided, where a user can check if removing a T-code (e.g., EF01) will mitigate risk within a development system.

Steps for Risk Assessment

• Users are instructed to check a box indicating that they want to simulate the removal of a T-code from a role, which helps determine if the associated risk is eliminated.

• It’s emphasized that while this method shows how to remediate risks, it may not always yield consistent results across different scenarios.

Business Considerations in Risk Management

• The speaker highlights the necessity of understanding business operations and tasks when considering risk mitigation strategies.

• An example involving SU01 and PFCG transactions illustrates potential conflicts where one user should not have access to both user maintenance and role maintenance functions.

Creating Roles and Managing Risks

• A new role named "security sod" is created as part of the demonstration, showcasing how certain T-codes are typically restricted in production environments.

• The discussion points out that allowing access to both SU01 and PFCG could lead to significant security risks, such as unauthorized role creation.

Detailed Analysis of Authorization Objects

• The speaker explains how authorization objects contribute to risk assessment, particularly focusing on activities linked with creating or editing users and roles.

• A detailed examination reveals which authorization objects are causing risks, emphasizing the need for careful management of these permissions.

Collaboration with Users for Effective Solutions

• Engaging with users or their managers is crucial; discussions help clarify necessary changes while addressing identified risks effectively.

• Suggestions include modifying access levels (e.g., providing display-only access instead of full edit rights), demonstrating an approach towards balancing functionality with security.

Finalizing Changes and Verifying Results

• After adjusting authorizations by removing unnecessary activities, users are encouraged to re-run simulations to confirm no violations occur post-adjustment.

• Successful execution without violations indicates effective risk management through thoughtful adjustments in authorization settings.

Role Management and Risk Mitigation in SAP

Understanding Role Changes and Risk Assessment

• The process begins with specifying the role name, system name, and identifying the risk associated with a particular process that needs to be deleted.

• In the SU01 transaction, users can modify permissions by selecting specific objects (e.g., S_USER_GRP) and entering relevant field names and values to assess potential risks.

• It is crucial to follow a remediation process that includes pre-approval from stakeholders before making any changes to roles or permissions.

• Stakeholders should be informed about identified risks and proposed solutions; their approval is necessary before proceeding with any modifications.

• Users must create tickets or follow organizational processes for documenting changes after stakeholder discussions.