Reduce Access Risks While Decreasing Costs
Charlie Singh, Sr. Manager, Compliance, American Water
We are American Water
• Greater than 99 percent compliance rate meeting state and federal drinking water and wastewater standards
• Treat and deliver more than 1 billion gallons of water a day
• Manage and maintain more than 100 wastewater treatment plants
• Invest approximately $900 million annually in our systems
• Serve over 15 million people
• Approx. 7,000 employees
• Serve 1,100 communities in 30 states
• 46,000 miles of pipeline
• Approximately 89 percent of our operations are regulated utilities
• First U.S. water utility named to the Dow Jones Sustainability North America Index
American Water Footprint – HQ in Voorhees, NJ
American Water’s Business - The Integrated Water Cycle
Our goal is to consistently provide customers with safe, high quality drinking water and reliable water and wastewater services
AW Business Transformation Project – SAP Scope
Release 1 go-live: August 1st, 2012. Release 2 (EAM / CIS) go-live: Q2 and Q3, 2013.
Scope areas: ERP, EAM, CIS
End-to-end processes: Hire to Retire (HTR), Record to Report (RTR), Procure to Pay (PTP), Plan to Build (PTB), Request to Complete (RTC), Order to Cash (OTC)
Sub-processes shown on the process map (the map's grouping by process is not preserved here):
• Organization Management
• Develop Plan & Budget
• Identify needs (Goods & Services)
• Develop Asset Strategy & Plan
• Plan Work
• Talent Management
• Develop & File Rates
• Source Supplier
• Initiate Work
• HR Service & Administration
• Close Subsidiary General Ledgers
• Optimize Investments & Budgets
• HR Operations & Support
• Consolidate Financial Statements
• Report to Internal Parties
• Report to External Parties
• Support Close
• Purchase Goods & Services
• Receive Goods & Services
• Manage Resources
• Pay Supplier
• Execute Work
• Manage Items
• Classify Items
• Move Material
• Manage Inventory Accuracy
• Manage Work
• Receive Inquiry
• Design / Estimate / Final Approval
• Schedule Work
• Assign Work
• Establish Customer Account
• Collect Meter Reads
• Edit and Pull Data for Billing
• Billing
• Post Charges
• Close Work
• Monitor Receivables
• Manage Complaints & Issues
• Credits & Collections
• Manage Supplier Returns
• Vendor Managed Inventory
Systems: ECC, BI/BW, SRM, SAP Portal, Nakisa, SuccessFactors, CRM, KRONOS, GIS, Click Mobile/Scheduling
Business Transformation (BT) Project – Questions that had to be answered
• How to embed proper security controls during the project
• How to utilize existing infrastructure and resources
• How and where should the SOD rule set and mitigating controls reside, considering the desire to avoid duplicate control repositories, documentation, and responses
• How do we manage emergency access management (FireFighters)
• How do we manage enterprise role management
• How do we standardize and automate the user provisioning process
• How do we ensure compliance and provide automated tools to evaluate security risk and mitigate exceptions
• Future integration with IdM / IAM
SAP Access Control and SAP Process Control 10.0 – A Clear Choice for BT Implementation
SAP Access Control and SAP Process Control aligned with American Water's Business Transformation strategic objectives by increasing cross-function accountability and standardization, increasing visibility across risk and compliance initiatives, along with reducing total cost of ownership. The result is an expanded ability to monitor strategic, financial, compliance, and operational risks and controls.
(Diagram: current state vs. future state)
SAP Access Control benefits to American Water
Reduce access risk across SAP application modules
• Robust database of validated segregation of duties (SoD) rules
• Risk analysis of user access requests and role definitions
Streamline the compliance process
• Automated user access review and collaboration; conduct user access and role recertification
• Ability to provide automated self-service user access request and approval
Obtain real-time oversight
• Real-time access risk analysis and reporting dashboards
• Emergency access privileges with integrated monitoring

SAP Process Control benefits to American Water
• Repository of SOX and non-SOX controls to support compliance and other regulatory activities
• Dynamic electronic catalog of controls
• Continuous monitoring of key controls
• Efficient audit process for external and internal audits
• Management and assignment of testing and mitigating controls
• Evaluate and manage organizational process and control changes through questionnaires and remediation plans
• Increase sustainability of processes and controls through policy life-cycle management
Benefits – SAP Access Control and existing IAM integration was easy
Benefits – Tie-in of SAP Access Control to existing IT processes
Control frameworks: Policies and Procedures; Password Management; Application Access Management; User Provisioning
IT Access Management Process
• New User Access
• Emergency and Privileged Access
• Modify Existing Access
• Terminate Existing Access
• Emergency Access Provisioning
• Emergency Access Monitoring and Review
• Periodic User Recertification
• Access Approval: Preventative SoD Check
• Role Management: Create New Role; Modify Existing Role; Disable Existing Role; Periodic Role Recertification
• Compliance and Monitoring: Periodic Segregation of Duties Review; Periodic Sensitive Access Review
SAP Access Control capabilities tied to the process: User Access Provisioning; Access Risk Analysis; Remediation; Business Role Management; Mitigating Controls; Emergency Access Management
Benefits – SAP Access Control and SAP Process Control integration with SAP was straightforward
(Project timeline chart; the chart's placement of activities on workstreams is not preserved here)
Phases: Plan / Analyze; Design; Build; Test; Deployment
Milestone dates on the chart: 04/01/2011, 09/30/11, 12/31/11, 04/15/12, 08/01/12 (Release 1 go-live)
Workstreams: Internal Controls – SOD focus; BT Security; BT Change Management; BT SMEs; Internal Controls – PC focus; ITS; GRC AC Team; GRC AC Support
Activities (legend: GRC Activity, Controls Activity, BT Activity):
• SoD & SA Risk Definition
• Design SOD & SA Rules
• Role Design Methodology
• Business Role Definition
• Build SOD Rules
• GRC Reqs.
• GRC Install
• Build GRC (Risk Analysis, Role Management, Emergency Access Mgmt, User Provisioning)
• Role SOD Check
• Business Role SOD Check
• Transaction to Role Mapping
• Business Role Mapping
• User SOD Check
• User SOD Remediation & Mitigation
• Build Business Roles
• Build Master Roles
• Assign Users to Roles
• Role-User Mapping
• User Training
• Go-Live
• Input to Role Definition, Controls Design, Job Design, SOD Remediation
• Controls Definition
• Controls Design
• Controls Build
• SAP Process Control Deployment, ARIS & Mitigation SoD Linkage, SOX Reporting
• Provide Technical Support (GRC installation, other key linkages)
• GRC Maintenance Strategy
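The role SOD check, user SOD check, mitigation step and preventative SoD check named in the process and timeline slides, as an added Python illustration modelled on SAP Access Control concepts (not code from the presentation, American Water or SAP). Every rule id, function, transaction code, role, user and control id in it is constructed sample data.

```python
"""Simplified SoD risk analysis modelled on SAP Access Control concepts.
Every rule id, function, transaction code, role, user and control id below is
constructed sample data for this illustration, not American Water's rule set."""

# Risk id -> (description, the two functions that must not be held together)
SOD_RULES = {
    "P001": ("Maintain vendor master and pay vendors", ("VENDOR_MAINT", "PAY_VENDOR")),
    "B001": ("Create and approve the same work order", ("WO_CREATE", "WO_APPROVE")),
}
# Function -> transaction codes that grant it (sample mapping)
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"}, "PAY_VENDOR": {"F110", "F-53"},
    "WO_CREATE": {"IW31"}, "WO_APPROVE": {"ZWO_APPR"},
}
# Transaction-to-role mapping; Z_VENDOR_ALL carries a conflict inside one role
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "MIRO"}, "Z_AP_PAYMENT": {"F110", "F-53"},
    "Z_PLANNER": {"IW31", "IW33"}, "Z_SUPERVISOR": {"ZWO_APPR"},
    "Z_VENDOR_ALL": {"FK01", "F110"},
}
# Role-to-user mapping and mitigating controls assigned per (user, risk)
USERS = {"jdoe": {"Z_AP_CLERK"}, "asmith": {"Z_PLANNER", "Z_SUPERVISOR"}}
MITIGATIONS = {("asmith", "B001"): "MC-PTB-01"}  # control id from a shared control library

def risks_for(tcodes):
    """Risk ids where both conflicting functions are reachable from these tcodes."""
    return {rid for rid, (_, (f1, f2)) in SOD_RULES.items()
            if tcodes & FUNCTIONS[f1] and tcodes & FUNCTIONS[f2]}

def role_sod_check(role):
    """Role SOD check: conflicts built into a single role."""
    return risks_for(ROLES[role])

def user_sod_check(user, extra_roles=()):
    """User SOD check across the union of the user's roles plus any requested roles."""
    roles = set(USERS.get(user, set())) | set(extra_roles)
    return risks_for(set().union(*(ROLES[r] for r in roles)))

def residual_risks(user):
    """Risks left after the mitigating controls assigned to this user are applied."""
    return {r for r in user_sod_check(user) if (user, r) not in MITIGATIONS}

def evaluate_request(user, role):
    """Preventative SoD check on an access request before it is provisioned."""
    new = user_sod_check(user, [role]) - user_sod_check(user)
    unmitigated = {r for r in new if (user, r) not in MITIGATIONS}
    decision = "approve" if not unmitigated else "hold: remediate or assign mitigating control"
    return {"new_risks": new, "unmitigated": unmitigated, "decision": decision}
```

A request that introduces no new unmitigated risk is approved; one that does is held for remediation or a mitigating control, which is the preventative check the slides place in front of provisioning.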
Benefits of having implemented SAP Access Control and SAP Process Control in conjunction with the BT Project
• Utilized the same resources from the SAP ERP go-live to gain efficiencies: System Implementer; AW Subject Matter Experts; AW Security and Compliance teams
• SAP Access Control and SAP Process Control run on the same platform as SAP ECC: NetWeaver platform; standard and ABAP reports
• AW reduced costs as workshops, meetings and compliance activity discussions included GRC topics along with the ERP scope: requirements workshops; compliance meetings
• Unified master data (SAP Access Control / SAP Process Control integration benefit): common and shared organization hierarchy, process and sub-process definitions; provides consistent data to enable analysis and reporting for access/controls management
• Mitigating control library hosted in and shared from SAP Process Control: common controls repository shared with SAP Access Control for SOD mitigating controls
• External Audit's review of the GRC solutions occurred along with the SAP pre-implementation audit: SOD rule set engine and SAP configuration/workflow review
Charlie Singh, Sr. Manager – Compliance
Email: [email protected]