
B S Gupta
- SAP Security and Virsa / GRC Principal Consultant
- New York City, NY
- Member Since May 09, 2023

B S Gupta
· Have 18+ years of extensive experience as a SAP Security Architect & GRC Access Controls SME in many SAP Implementations ranging from Manufacturing, High Tech, FDA, Chemicals, Utilities, Food, Public Sector, IS Retail, IS Media & Insurance Clients.
· Over 7+ years Business experience in HR, SD, MM, WM, PP & FI modules.
· Security implementation in R/3,BW,HR,ESS,SEM,APO & Workplace environment.
· Experienced with Portal Security and worked with LDAPs, Multiple LDAPS, AD for User authentication. Experienced with UME for User, Role creation and maintenance.
· Experience with Identity Manager (IDM), RBE, TC, Insite & other tools.
· Designed & developed the complete SAP GRC and Security implementation strategy and Security Project Plans for many global implementations, upgrades and conversions from CCXT SAFE to GRC AC 5.2, AE.net to GRC CUP, Upgrade from GRC 5.3 to AC10.1.
· Successfully Implemented GRC AC10.1 and 10.0 at multiple clients.
· Security Upgrades from 3.1H to 4.5B, 3.1H to 4.6C and 4.5B to 4.7 and ECC6.0.
· Experienced with multiple SAP Security Role Redesign and Remediation projects.
· Implemented security at program, report, table and user exit level.
· Experienced with Internal Controls, Audit Remediation and SOX compliance issues.
· Expertise with all versions of SAP GRC AC Suite of products from AC 10.1 to oldest version. (Virsa Compliance Calibrator CC2.0, CC3.0, CC4.0 and NetWeaver CC 5.1 , 5.2 and 5.3, Role Expert 4.0 & NetWeaver RE5.3, Risk terminator, Fire Fighter & Access Enforcer .net & AE 5.3, GRC AC10, CCXT aka PWC SAFE, Bindview, AIS etc.
· Implemented Virsa/GRC Access Controls at over 50 clients.
· Experienced in SAP GRC Access Controls Suite upgrades, training partners/clients.
· SAP System Administration, with expertise in Security, Compliance, Remediation, Redesign and Implementing methodology for Detective and Preventative Controls.
· Facilitate the customization of SOD Rule sets that meet unique Internal and External stakeholder’s requirements which are specific to a client or strategic business needs.
· Conducted workshops for the Business Teams and Data Owners to communicate organization’s security and compliance methodology and the role development process.
· Extensive experience with SAP Release 3.1H to ECC 6.0 functionality, Roles, Derived Roles, Composite Roles, Responsibilities, Value Roles, etc.
· Designed/ developed security roles for IS-CD, HR, SD, MM, FI, PP, BW, APO, SEM, GTS, SRM, CRM, XI, SM & Basis module in SAP R/3 releases from 3.1H to ECC 6.0.
· Provide Best Practices for Security and helped define and implement Best Practices for SAP America for GRC Access Controls Suite 5.2.
· Documentation of all Security Procedures & Training the security administrators.
· Presenter & speaker for Security and GRC at GRC, ASUG and SAPHIRE.
· Excellent interpersonal and communication skills.
.
· SAP R/3 Architecture. Developed SAP GRC courses and certification tests.
· SAP BC 940 Security and Auditing and ADM 940 SAP Authorization Concept
· SAP GRC/Virsa Audit Tools (CC4.0, CC5.1, CC 5.2, RAR 5.3, RE 4.0, 5.x, Access Enforcer .net and netweaver 5.x, Fire Fighter 3.0, 4.0 and 5.3 & Risk Terminator).
· INSITE, TransportConnect(SAP Change Management Tool)
Professional Experience
SAP Security and Virsa/GRC Principal Consultant 12/01/2006 to Present
Designed & implemented SAP Security & SAP GRC Access Control Suite 3.0, 4.0, 5.1, 5.2, 5.3, and GRC AC 10.0, GRC 10.1 (All versions) for GRC ARA Access Risk Analysis (aka Compliance Calibrator), ARM Access Request Management (aka Access Enforcer), EAM Emergency Access Management (aka Fire Fighter) & BRM Business Role Management (aka Role Expert) for clients. Work with Auditors as a SAP Security & Audit SME. Conduct trainings sessions for SAP Security & how to prepare for a SAP Audit.
Note: Have GRC AC 10 in house for supporting customers on older SAP versions.
In 2006 after leaving SAP, clients where I have been consulting in chronological order are:
· SC Johnson (Feb 2015 to Dec 2015)
Lead the effort for SAP Security Remediation and Role Redesign including conversion from APPROVA to SAP GRC AC 10.1 for this large consumer manufacturing company based in Racine Wisconsin. Achievements included addressed and resolved Audit Deficiencies such as:
1. Updated APPROVA SoD Rule books with Sensitive TCodes and Remediation of Sensitive Tcodes from End Users in Production.
2. Collaborate with the ABAP Development team and identify/Classify and remediate the Custom Sensitive TCodes.
3. Lead Consultant for Project Jumanji to Redesign and build SoD free Security Roles for the SAP Landscape (ECC, SRM, CRM, BIW, PLM)
4. Conversion from APPROVA to SAP GRC10.1 Access Controls included the SoD Rules Conversion, reviewing the SAP delivered Rules with Internal Audit and update as required. Implemented ARA and EAM modules across the SAP landscape. Prepared Training materials and KT to the Run teams.
5. Developed IT Roles for DEV and PRD environments.
Regular updates/challenges discussed with PM and project sponsors. Recommended and implemented alternate solutions to keep project on track.
· NRG Energy (ISU) (Aug 2014 to Jan 2015)
Represented SAP America as a Principal Security & GRC AC10.1 consultant for this large Utilities Company in Houston Texas. This is a new GRC AC 10.1 implementation for ARA, EAM and ARM. The scope of the project included Implementing Custom Rules and remediation of ALL Custom Critical and High SoD and Sensitive Risks. NRG Energy has a Corporate SAP implementation and also acquired Reliant Energy and Edison Mission. Both of these companies were also SAP customers. The challenge was to come up with a Global GRC Design and move the entire NRG Energy Inc. to a Single GRC solution. Met with Key Stake holders, Project Sponsors, Business and IT team members as required to successfully implement the project. Validated the Custom Rule sets and identified many challenges with them. Worked extensively with NRG external Auditors and validated that the mistakes in the SOD Ruleset were resolved to client satisfaction. Configured the GRC landscape and prepared technical design, configuration documents. Successfully tested the functionality, in DEV and QA before moving to Production. Setup and Rolled out EAM to the entire NRG team. Prepared Training Documents and provided Training and KT sessions as required. Worked with Basis to complete the installation and schedule all relevant Background Jobs in DEV, QA and Production, Trouble shoot errors encountered during the project and identified the root cause and provided solutions. Created the Mitigation Controls Library and enabled appropriate workflows for ARA and EAM. Had a successful Go Live in December 01 2014.
Reviewed NRG Energy systems and prepared a list of recommendations for implementing Best Practices with regards to SAP Security and GRC Access Controls.
Provided recommendations to Internal Controls and helped NRG finalize their GRC Operational procedures and prepared a detailed document for the same. Prepared detailed weekly reports for NRG Management to show the remediation progress. Prepared detailed SoW for the SAP future roadmap at NRG for SAP Security and GRC Access Controls.
· The Clorox Company (Oct 2013 to July 2014)
SAP Security and GRC AC10 SME for this large Manufacturer of Food, Chemical and Consumer Product’s SoD remediation project for Clorox Atlas SAP System for their LATAM Users. The SAP system for 12 International countries was connected to GRC 10 ARA. Build Custom Rule set, Identified Single and Composite Roles for remediation after running Baseline GRC Report. Meet with Internal Audit and Business teams for planning, approvals/decisions to keep the project on track.. Created the Business Unit and Mitigation Controls Library for the International Users. My responsibilities also extended to help with the Burt’s Bees SAP implementation and Integration project. Responsibilities included SAP Security Role build, User mapping, Cutover, Go Live and Hyper care. Also reviewed Clorox systems and prepared a list of recommendations for implementing Best Practices with regards to SAP Security and GRC Access Controls. Reviewed the GRC AC setup and identified the areas to activate for better usage of the tool such as enabling the Critical Actions and Critical Permissions, Activation of Alerts, Identifying Custom transactions for review by client to identify the ones to be included in the GRC Rule set. Extracted data from SAP Tables and presented the same to management to help plan and implement tighter Security as per SAP Best Practices. Also designed and built SoD Free Single and Composite Roles for the LATAM Users.
· Maple Leaf Foods (Phase2 SoD) (Mar 2013 to Dec 2013)
SAP GRC AC10 and GRC AC 5.3 SME for this large Food Company with HQ in Toronto. After a successful SoD Remediation earlier for Phase 1 for Critical Risks the client started their Project for SoD Remediation Phase 2 initiative with a Dual mandate to further reduce the Critical SoD violations and address High Risks for a group of 1500 users and remove access to GRC sensitive Tcodes that had not been used over a period of six months after validating actual usage with the help of a newly implemented tool TCode Analyzer for SoD Remediation. The second mandate was to address a second group of companywide managers approx. 1500 users by redesigning and rolling out new Security Roles for the entire organization but only rolling out actual access to these identified managers for Phase 2. All other users tol be addressed in a future project Phase 3. Responsibilities included validating the approach, preparing initial timeline estimates and initial project plans, validate all existing Roles in system, preparing the design for build of new Roles, Finalize design, work with Business for Role Sign Offs, Build, Test and Transport Roles for IT and UAT Testing.
Prepare for Cutover activities such as Data Load files for identified Users, including business signoffs, GRC SoD simulations for Role and Users for Pilot Users and End users for the 3 Waves of Go Lives. Resolved issues as per industry best practices and client guidelines. Iterative clean- up of SoD violations and Access as appropriate. Prepared raw data for senior management scheduled Progress reports. Provided Hyper care and Post Go Live support for all the releases. GRC SME responsible for changes to GRC systems as earlier administrators had left the organization. Prepared documents and cheat sheets as required for KT to support team.
· Canadian Pacific Railways (Dec 2012 toAug 2013)
SAP Security and GRC AC10 SME for this large Railways HQ in Calgary.. The client has a big initiative to Redesign their overall security and implement HR Position based security. As such all Roles are also being redesigned and rebuilt. Client has Virsa CC 4.0 which shall be decommissioned once GRC 10 AC is up and live in November 2013. Job responsibilities include to prepare the GRC AC 10 project plan, Design, Planning, Realization, Go-Live and Post Go-Live tasks for ARA and EAM components. To Implement GRC on DEV, QA and PRD landscape and connect to ECC, BI, CRM, SRM, SCM and TM (Transportation Management) in the backend using GRC Plugins. Configuration completed in the DEV environments and currently resolving issues related with system performance and table sizing. Defined and implemented Cross System Rules between ECC and CRM, SRM systems. Provided access to Security team to GRC DEV system to simulate and identify SoD Risk during the Role build. Created cheat sheets for clients document repository. Configured and setup EAM and went live in July with the same. Online workshops with business streams for GRC awareness and readiness. Review of over 2000 Z Custom T-Codes to identify the ones to be added to the SoD Rule Set. Customize rule sets to remove false positives, and prepared testing scenarios, etc. and configured workflow. Successful Go Live and Hyper care achieved for GRC ARA in August. Provided KT, tips and tricks for on-going maintenance to the support team.
· Maple Leaf Foods (PHASE 1 SoD Remediation) ( Sept 2012 to Dec 2012)
SAP GRC AC SME for this large Food Company with HQ in Toronto. The client has GRCAC 5.3 It was implemented 3 years ago but were not using the solution regularly. External Audit had identified 21 Critical Risks which had to be remediated from all impacted Users before the year end and Mitigation Controls was truly the last option to be considered. My responsibilities for this very challenging project was to ensure/validate that GRC was setup correct as per Industry Best Practices. Ensure that the SoD Rule Sets were accurate. I also maintained/modified and updated the SoD Rules (for ex Updated: Document Types, Movement Types, etc. so as to eliminate any False Positives) to ensure that accurate numbers were being reported for the project and to the leadership. Worked closely with the Security and Compliance Director and recommended approaches on remediation for all the Critical Risks, which included Approach for User Access Modification, Security Role Modification, and putting a proper procedure to prevent risks for creeping in after the remediation was complete.
Reviewed the GRC AC tools which the client has and recommended/introduced the usage of unused functionality such as Risk Analysis for Reference Users, Action Usage Reports, Periodic Sync of GRC Rules Library, Risk Terminator and implement best practices for Emergency Access optimized usage. Responsibilities also included setting up Cross System Rules and provide technical consultation and services for migrating from their old leased GRC 32 bit Servers to a new 64 Bit landscape with virtual splitting of Application and Database for improved system performance. Team -lead for the GRC AC10 pilot implementation.
· Pacific Bio Sciences (October 2012 to Ongoing) SAP Security and GRC AC10 SME for this new FDA SAP implementation. Provided advisory consulting for Blueprint, Design, and Build of Security Roles as per SAP Best Practices. Prepared the complete SAP Security Architecture and periodically reviewed that the security deliverables were on track on par with the overall SAP implementation. Designed the naming conventions for the Roles, Users, Security Jobs, Custom Auth. Groups, User Groups and security transports. Build SoD free Roles using GRC AC 10 ARA. Retained by client for providing remote advisory consulting and ensuring that Users/Roles remain SOD free and remediated for 2014.
· H&E Equipment (Heavy Equipment Leasing) (Apr 2012 to Mid Sept 2012)
SAP GRC AC10 Architect and Lead Consultant Responsible for the Design, Planning, Realization, Go-Live and Post Go-Live tasks for this GRC AC 10 Implementation known as “Project Keystone” for ARA, EAM and ARM. Implemented GRC on DEV, QA and PRD landscape and connected to the ECC and relevant Backend Plugin systems. Unit Tested, Troubleshoot and Implement and held meetings for the customer to demonstrate and explain the functionality. Configured the QA Server and had work sessions with Management, Business, IT Teams, Audit and Security to provide SME and Best Practices for successfully implementing GRC AC 10 and ensuring maximum value for the efforts put into this project. Prepared Testing Scenarios, Cheat Sheets and Templates for EAM, ARA and ARM Workflow. Documented all the activities and prepared Training Materials. Planned and executed detailed Unit Testing in DEV, Integration Testing in QA. Prepared Test Cases and Requirements gathering Templates, demo the GRC solutions to Management and Project Team members. Lead the QA GRC 10 Integration Testing. Had a Successful Go-Live in August 2012 and encountered very few issues during hyper-care support.
· Advanced Energy (Energy Company) (Dec 2011 to Mar 2012)
SAP Security and GRC consultant. Client was preparing for an year-end audit, and my role was to provide GRC 5.3 to help with any challenges they had with the reporting, remediation, rule sets, best practices and also training my counter-part as the client had lost their in-house GRC person. All work was done remotely and was one-on-one working sessions and issues identified, trouble shooting, resolution & training is being done real-time. All identified issues have been resolved with no open issues.
· Rockwell Collins (Aerospace and Defense). (Aug 2011 to Dec 2011)
SAP Security Architect and Lead Consultant. A Global Implementation with over 20,000 Users having ECC, LMS(HR), BI7.0, CRM7.0, Portals and GRC10.0. Upgraded GRC 5.3 to GRC 10.0 for ARA (Analyze Risk Analysis) and EAM (Emergency Access Management). Validated the data accuracy after the upgrade.
Prepared the upgrade project plan. Demoed the new solution and the trained the GRC Administrators on the use and navigation for GRC 10. The GRC 10 project had a successful technical Go-Live in December 2011.Parallel responsibilities also included providing consulting for Security team. Responsible for Security setup for new Change Management tools like CDMC, reviewing and applying SAP Security Critical Patches for all the landscapes. Reviewing current security processes such as User Renames, Consistency in Org Levels for Derived Roles, Improvements in maintaining SU24, optimizing the Test User Id process, Introduced the usage of reference users, etc. Identify areas for improvements/optimization and implement best practices where possible. KT and extensive train for the new SAP Security team members.
· Rockwell Automation (Industrial Automation Co.) (Nov 2009 to July 2011) SAP Security GRC Architect & Lead consultant. Responsible for the Analysis/Remediation and conversion to Trusted RFC destinations for the entire SAP Landscape. Identified potential Risks/Issues. Developed a RFC strategy document based on Industry Best Practices which included processes to Remediate Identified Challenges and to Support new RFC’s on an ongoing basis along with continuous monitoring to identify any security breaches. Developed a Project Plan to Remediate the RFC issues across the SAP Landscape which consists of ECC, CRM, SRM, SNC, GTS, BI, XI, Sol Man and GRC Access Controls 5.3 with approx 40,000 users. Identified and demo to RA of weakness identified for hacking into SAP Production. Identified solution and did a successful POC. Next did a Successful Pilot with the SRM and GTS system. Currently Rolling out solution to the entire SAP Landscape one system at a time due to the criticality and sensitivity of the RFC setup.
SME for Rockwell Automation’s upgrade from Virsa CC 4.0 and FF 3.0 to GRC AC 5.3 RAR and SPM. Provide technical and Business expertise for GRC and Security. Carried out a feasibility study on advantages of upgrading to GRC 10.
· Briggs and Stratton (Machinery Manufacturing Company). SAP Security SME and GRC Lead Architect and Technical SME for this high Visibility Upgrade Project from Virsa CC 4.0 and FF 3.0 to GRC Access Controls 5.3 RAR and SPM across a ECC and BI landscape with approx 2000 users.. The client had a custom CC SOD Rule set with over 9000 Risk Ids and hundreds of Mitigation Controls. Earlier client was checking SOD only at Transaction Code Level thus had a lot of false positives.. Reviewed their GRC and Security and advised how to resolve their challenges. Regular meetings with Key Stake Holders, Audit, Business and IT Teams helped to discuss and implement the SAP GRC Recommended Best Practice for Access Controls. Evaluated Briggs existing Rule set and identified the true applicable customizations and updated the SAP GRC Global Rule set with the same. Guided the Security team with their SAP Role redesign approach with the GRC upgraded suite. Trained IT/Business & relevant documentation and KT.
· Paramount Pictures (Entertainment Industry) Security/GRC Architect and Compliance consultant for Paramount’s overall GRC AC 5.3 Blueprint, Design, Architecture and Implementation for their 4.6c, 4.7 and ECC 6.0 systems. Advised IT and Internal Audit on Best Practices for GRC AC and helped implement the same. Developed a Road map for managing ongoing compliance and support of the GRC landscape. Implemented GRC RAR and SPM on a DEV and QA landscape. KT sessions for Business, IT & Audit on how the use of GRC AC 5.3.
· Applied Materials (Semi Conductor) SAP Security Architect responsible for Configuration of AMAT’s overall GRC implementation covering their existing 5.0 version and upgrade to GRC AC 5.3 version for over 16000 users. Design the overall detailed project plan, Implemented and improvised the plan as per challenges and requirements and successfully went live with BT Phase 1 for ECC6.0, SRM, GTS, BI, MDM etc. for over 16000users. Advised the AMAT Controls team on Best Practices for implementing GRC AC suite.
· PETRONAS Malaysia Joint POC with SAP for GRC AC5.3 suite for a SAP 4.0b and 4.5b systems. Implemented Custom developed SAP certified GRC RTA and continue to provide ongoing support for the same on SAP Marketplace.
· Data Domain (Semi Conductor) Implemented GRC Suite 5.2 and Complete Security Redesign/Remediation to resolve their existing SODs and prepare for their AUDIT.
· GENENTECH (Pharmaceutical _ San Francisco) After a successful POC earlier in 2007 Genentech awarded the complete GRC upgrade from CCXT old PWC SAFE tool to the new SAP GRC AC 5.2 suite. The client has Sandbox, DEV, QA, IT and PRD and has SAP 4.7, EBP, BW, APO, XI and Solution Manager. My role: Architect and SME, also manage the GRC team. Work closely with the Genentech Security and Basis teams to define their Security and GRC implementation and remediation methodology.
· Grant Thornton (One of the largest Audit Firms in US) – Partnered with Grant Thornton and I represented GT as the SAP Security and Audit SME and help GT prepare for an SAP audit of one of their large client LAUSD who have over 70,000 users. Tasks accomplished were data extracts, SoD Analysis at User and Role Level, Reviewing overall Security Design and identifying the audit deficiencies.
· Grant Thornton – Prepared training material and conducted onsite Boot Camp training for several GT Auditors on Auditing ERP systems with focus on SAP, Deep dive sessions into SAP Security, Net Weaver, Portals and SoD.
· Varian Medial Systems (Milpitas and Palo Alto) Project Manager for the first GRC conversion from .NET to GRC Access Controls Suite 5.2 & then upgrade to AC5 5..3
· SAP GRC (Palo Alto) Project Manager for developing Adapters (RTA) for SAP GRC Access Control Suite 5.1, 5.2, These adapters help customers on older versions of SAP 4.6b, 4.5b, 4.0b, 3.1i to connect real time to the Access Controls Suite.
· Novellus (Global Semi Conductor Company - San Jose) Implemented CC 5.1, RE 5.1, FF 3.0. This was an upgrade from a Virsa CC 4.0, RE 3.0 and FF 3.0.
· ALTERA (Global Semi Conductor – San Jose) SAP Security and GRC Architect for this brand new SAP implementation. Implemented ECC6.0, SRM, CRM, GTS, BI7.0, XI, SM. Implemented CC 5.1, RE 5.1, AE 5.1, FF 3.0
· GENENTECH 2007 Ist Quarter (Pharmaceutical – San Francisco) Did a successful POC conversion from old PWC/Virsa SAFE to SAP GRC CC 5.1, AE 5.1, FF 3.0
· CREDENCE (Semi Conductor – Milpitas) Upgraded from CC 4.0 to CC 5.1, Risk Terminator and FF 3.0. Remediated the Security Roles. Helped define and implement Best Practices for GRC Access Controls. SAP featured a worldwide press release to acknowledge the same.
· AMGEN (Pharmaceutical – Fremont) SAP Security Architect and CC 4.0 implementation and Role remediation.
· DISNEY (Publication and Entertainment) POC for implementing GRC CC 5.2 and AE 5.2 with respect to Disney’s customized provisioning tool.
Ø Provide senior level expertise, training, guidance, hands on workshops at client engagements for Security and GRC Architecture, implementation, remediation, performance and reporting.
Ø Provide on-site Customer Implementation, Training & Customization for SAP GRC Access Control Products and tie it back to SAP Security Remediation
Ø Conduct Training and knowledge transfer sessions for the Senior management, Internal Audit, Business Analysts, SAP Security Team members and the compliance team members at the client site for SAP GRC products implemented.
Ø Preached and expertly implemented the SAP GRC/Virsa SOD Methodology at all clients.
Ø Design & maintained the client’s Best Practice documentation wrt SoD & Critical Access.
Provide best practices, analysis approaches & GRC /Virsa practical “tips & tricks”.
SAP GRC Inc. formerly known as VIRSA SYSTEMS INC., Fremont CA
Security & Controls Consultant 04/23/1999 – 11/17/2006
(Over 7+ years with SAP/Virsa Systems)
Worked as a SAP SECURITY Risk and Controls consultant for SAP GRC Inc. (formerly known as Virsa Systems Inc.), for their numerous clients (IBM, Good Year, Levis, PWC, D&T, Rail America, SAIC, Citrix, Avocent, Burger King, Meadwest Waco, Rohm & Haas, Amgen, Rockwell Automation, Tivo, AOL, GE, etc.), implementing Compliance Calibrator, Risk Terminator, Role Expert, Fire Fighter and Access Enforcer.
· Provide senior level expertise, training and guidance in client engagements for implementation, remediation, performance and reporting.
· Provide on-site Customer Implementation, Training & Customization for Virsa products.
· Conduct Train the Trainer course for SAP GRC consultants and Partners (D&T, PWC, Protiviti, etc.). Official trainer for SAP GRC courses.
· Preached and expertly implemented the SAP GRC/Virsa SOD Methodology.
· Design/Maintain Virsa’s Best Practice documentation regarding SoD and Critical Access.
· Provide best practices, analysis approaches and SAP/Virsa practical “tips & tricks”.
A few Customers where I have implemented SAP Security are DUPONT, International Paper, IBM Global Services (for Avaya), Great-West Life & Annuity Insurance Company, Micron Technology Inc., Health Net Inc., Ablestik Labs. & Eastman Kodak.
DUPONT SAP SOX/Audit Security Consultant (April 2003 – Jan. 2005)
· SOX and Audit Security Consultant with the DSAP ART group (Dupont SAP Audit Remediation Team) for DUPONT, a global chemical manufacturing company.
· Provided technical advise for the remediation of the existing profiles and Roles on the 4.0b and 4.6c environments.
· Performed global audit and remediation to secure Dupont’s SAP R/3 4.0B, 4.6C, BW, and APO systems, and to make the environment Sarbanes-Oxley compliant.
· Security re-architecture resolved SOD, implement proper security controls & procedures.
· Work with business process owners to develop mitigating controls to resolve SOD issues that could not be removed from roles.
· Perform SOD analysis and resolution. Work with business process owners to develop internal controls strategies for Sarbanes-Oxley compliance project.
· Complete redesign and revamp of security profiles and presently converting them into Roles and created their Org. specific Responsibilities & Derived Roles.
· Define and develop security policies and procedures.
· Audit Remediation tasks includes checking security in Activity groups for access to critical transactions, critical objects, critical authorizations, checked & resolved SODs.
· Perform global transition and production support for the new security architecture rollout. Approx. 14,000 users mapped and converted to their new work Roles.
· Recommend best practices for naming conventions, role design, handling user ids (batch user ids, test user ids etc.) and overall user administration.
International Paper SAP Security Consultant (August 2002 – March 2003)
· Provided technical security consultation for this Security Upgrade from 4.5b to 4.6d for Project SSUE using Best Practices and Uniform procedures.
· Complete redesign and revamp of security for 16 SAP modules and new dimension products (BW, APO).
· Planned, designed and executed the upgrade from 45.b manual profiles and activity groups to 4.6d Roles based security for SSUE upgrade/Role conversion project.
· Evaluated approximately 20,000 profiles to be replaced. Designed, build and tested new model roles and derived roles and identified new transactions and authorization objects for the 4.6d environment.
· Developed Naming convention for Test User ids, Batch User id and procedures for handling OSS User requests.
· Developed procedures for resolving access requests for Integration testing, Pilot User Testing, go live and post go live PRD access.
· Resolve Audit issues like restricting debug access, and access to critical and sensitive transactions, programs and tables, etc. in Production.
IBM Global Services SAP Security Consultant (April 2002 – July 2002)
· Lead SAP SECURITY Consultant with IBM Global Services for their client AVAYA Communications a large manufacturing company.
· Leading the Security effort for Project PGT2 for this 3.1H to 4.6C upgrade for R/3 modules (FI/CO, MM, SD, PP, PM, HR & ESS), & supporting 20,000 users globally.
· Complete redesign and revamp of Security, for the R/3 modules & new dimension products (BW, APO & SEM).
· Planned, designed & executed the upgrade from 3.1H Manual Profiles & Act. Groups to 4.6C Roles & Position based security for PGT2 upgrade/conversion project.
· Developed Naming Conventions for Business & Technical roles. Designed procedures for handling important Security and Audit issues like creating of custom authorization objects, authority groups for programs and tables, restricting access to SAP_ALL in Production, etc.
· Implemented Security Best Practices & identified bottle necks/manual processes and corrected/automated the same for easier Ongoing maintenance, e.g. Sync of User tables, maintaining SU24 for custom transaction and auth. Objects.
Great-West Life Insurance SAP Security Architect (Feb. 2002 – April 2002)
· Worked for SAP America as SAP SECURITY ARCHITECT for their client Great-West Life & Annuity Insurance Company an Insurance provider, on release 4.6C (FI, CO, CM, IS-CD and HR) and lead the Security effort for this Industry Specific Insurance module, which had over 8000 users.
· Developed and designed the complete Security implementation strategy and project plan which included Naming Conventions (for Roles, Profiles, Authorization Objects, Authorization Groups, etc.), Role Development, Testing, Ongoing maintenance process, Role Change management process etc.
· Major achievements include addressing and resolving the special security needs for IS-CD module, as CD module has no security within.
· Developed procedures to troubleshoot R/3 problems.
· Developed Role definition process & development strategy. Organized security workshops & follow on work sessions with Functional team leads & Role Owners.
· Developed a Role Management Tool in Excel.
· Setup Security Development using Best Practices & Uniform Procedure e.g. demonstrated the efficient use of Profile Generator, customization of authorization checks, etc.
· Developed procedures for critical access requests for Integration testing, go live and post go live PRD access.
· Designed and developed Roles for Configurators, Developers, Basis, Security and other team members for R/3, HR and ESS users.
· Customized Profile Generator and setup the related security system parameters.
· Led an effort along with the Audit team for developing Segregation of Duties Matrix.
· Documented security policies & procedures, held extensive sessions with security admins.
MICRON TECHNOLOGY INC. SAP Security Consultant (09/18/2000 – Dec. 2001)
· SAP SECURITY consultant for MICRON TECHNOLOGY INC. a Semi Conductor Manufacturer, on release 4.5b (FI, CO, PP, MM & SD), 4.6C (HR) & BW release 2.0B & was part of the Core SAP Security team supporting 14000 users globally.
· Production support for FI, MM, SD, PP, HR and BW modules. Responsibilities included troubleshooting production security issues, Setup Security for new projects based on the addition of new Plants, Shipping Points, other ORG values and new Personnel areas, Info types for HR Security.
· Developed a strategy to upgrade from profiles based security to Role Based security.
· Experienced in HR with Structural Authorizations, PD rules, PD profiles, Activity Groups, proxy authorizations and managers desktop security.
· Set up procedures to Troubleshoot R/3 security problems.
· Developed Roles for Configurators, Developers, Basis, Security, Workflow, DBA, Regional User Administrators and other teams.
· Defined procedures to clean up of Temporary access from the Production clients, review and remove additional access from Users which was given for Go-Live.