Ajay Aggarwal
SAP Security & GRC Architect
C: 408.499.3605
E: sapsecurity@gmail.com
Professional Summary:
- Former Virsa (GRC) founding employee
- Speaker at Northern California ASUG Chapter for Technical Security Upgrades & Audit Compliance
- Unparalleled GRC and SOX compliance expert
  o Implemented all GRC versions
  o Specialization in GRC 10.0 aka GRC 2010, V10.0
- Served as the Architect/Project Manager for first Greenfield GRC 10 Global Ramp-Up SAP Customer
- Single-handedly spearheaded first world-wide implementation of HR integration with GRC AC10 to leverage automated trigger use
- Independently handled GRC10 end-to-end implementation with zero resource assistance from the client, the implementation partner or from SAP
- Worked with SAP AGS Support to have completed code developed to enable the non-available functionality
  o Expertise in working with Audit and the business to drive out-of-the-box, innovative solutions
- Led multiple SAP full lifecycle implementations from blueprint through post-implementation phases (releases 3.1H - ECC6)
- Conducted SAP Security and GRC technical and process training for business organizations
- Expertise in security architecture on PI, BI, and Portal (and extensive knowledge in CRM, and HR)
- Exceptional communication
- Outstanding leadership and interpersonal skills
Professional Experience:

9/2011 – Current
Position: GRC Lead Architect/Configurator
Client: LA Unified School District – (Education)
GRC:
- Implemented GRC AC10.0
  o Configured RAR - Risk Analysis & Remediation, RM - Access Role Management, SPM - Super User Priv. Management, and CUP – Compliant User Provisioning
  o Coded custom methods to support workflow functionality
  o Setup BRFplus (BRF Plus), MSMP (Multi Stage Multi Path) and NWBC configuration
- Directed team meetings with business and security to gather information required to remediate existing risks from previous SAP release
- Liaised with the development team for product enhancements and directed strategy for corrections
- Exposed EarlyWatch vulnerabilities and led extensive cleanup
Security:
- Automated user and role builds using various automation utilities like CATT, LSMW, Mercury QTP
Training:
- Managed team trainings on product benefits and usage
- Transfer of knowledge to ensure independent handling of day-to-day functions

5/2010 – Retainership
Position: SAP Security & GRC Architect/Project Manager (Remote+Onsite)
Client: Boston University – (Education)
GRC:
- Implemented and then upgraded GRC 5.3 to Access Control AC10.0, leading as one of the foremost complex Ramp-Up implementations globally
  o 1) Implemented AC10.0 RAR, CUP and SPM functionalities to support the ongoing non-SAP as-is processes and 2) merged them into the new would-be functionality leveraged
  o The only world-wide Ramp-Up implementation to implement HR trigger processes
- Engineered blueprint and configuration with design documents (CDDs): RAR, CUP & SPM
- Gathered all requirements for Blueprinting and Implementation Approach/Methodology
- Identified requirements and steered implementation approach
Project Management:
- Formulated project plans for activities, resource allocation, and timelines
- Provided Project Management for GRC AC implementation by writing up project plans and defining scopes and system specs along with hardware sizing
Security:
- Defined all Security Strategies from A-Z
- Wrote Security Strategy document
  o Strategy details included a high-level drill-down to security parameter settings and integration of SAP security with Information security etc.
- Built project team security roles for development systems while working with functional, technical, validation and training teams
- Visio drawings to provide the client Business Blueprint and Process Design documents
Training:
- Provided security workshops for project team and functional leads while addressing preliminary concerns of SOx, Security, Authorizations and access concepts in the SAP world

03/2010 – 06/2010
Position: SAP Security Consultant (Remote Position)
Client: Hewlett Packard – (High Tech Client - Europe)
Security:
- Worked on production support authorization issues, debugging and remediation per business and project team needs
- Worked in tandem with SOx, Basis and Development teams to facilitate authorization changes per approvals and extensively used Approva BizRights to assess issues of concern
- Supported production support duties, built new and re-engineered existing security roles based on client requirements
GRC:
- Administered all SAP systems connected to BizRights for analyzing BizRights Insights and ensuring compliance system wide
Other:
- Worked with Lotus Notes, HP OpenView (OVSD) and other applications to enable support

10/2009 – 04/2010
Position: SAP GRC Architect
Client: Mentor Graphics Corporation – (High Tech)
GRC:
- Worked to implement Access Control 5.3: configuring, testing and training of the SAP GRC suite on a four-landscape environment consisting of Sandbox, Dev, QA and Production
- Assisted Basis in identifying and applying SAP notes and support packs to ensure a successful rollout
- Worked with key stakeholders on requirement gathering and identification of business processes and approval steps to determine workflow requirements
- Worked with HR to build AC 5.3 triggers for auto de-provisioning and position changes within the org
Training:
- Trained business process owners and approvers so they would understand GRC
- Developed courseware curriculum for end users, approvers, and internal audit for product familiarization

03/2008 – 9/2009
Position: SAP Security and GRC Lead
Client: SanDisk Corporation – (High tech)
Security:
Management:
- Directed and defined all security deliverables for the Greenfield implementation
- Managed and led a team size of 12
  o Effectively distributed and delivered a sustainable and auditable solution. The team consisted of members from the client FTEs, system integration team, project team and off-shore & regional support
Policy and Documentation:
- Provided inputs and guidance around SOPs and prepared the security strategy document outlining guidelines and policy standards
Analysis:
- Performed business process analysis, blueprinting, security design, segregation of duties analysis and work on requirement gathering, blueprinting and realization activities for implementing various products namely PTP, PTF, OTC, BI-7.0, SRM-5.0, SCM-5.10, PI-2004s, CRM-6.0 (2007), Solution Manager 4.0, FI-CO, GTS-2004s & GRC 5.2, 5.3 Access Control & Transport Connect
- Produced gap analysis
  o Provided technical recommendations on design and architecture improvements
CRM:
- Worked on design inception for CRM ACE and aligned technical development around having CRM configured for internal/external access
Development:
- Architected and integrated SAP securely with other enterprise applications like IDM etc.
- Standardized best practices for role creation, conventions and procedures
- Built a scalable derived role structure to support regional access spread out to Europe and Asia
- Secured SAP pre-delivered users like SAP*, DDIC etc. to ensure system access is not compromised
- Supported technical teams to assist in conducting master data configurations and system/client settings
- Maintained user licenses/types for annual reviews as required by SAP
- Supported the project team in the Development and QA environments for authorizations, config fixes, errors and OSS support
- Helped design, build and support the various SAP boxes for sandbox, development, testing, training, QA and production environments for functional, change, implementation and testing teams
Training:
- Trained and brushed up the security team on process automations specifically using HP QC, Mercury QTP, LSMWs and CATT
- Trained the security team on SU24 standards and the use of expert mode
- Provided core internal security processes to create a security-specific education and awareness program for appropriate stakeholders
- Conducted workshops with project teams, business teams and tech teams to initiate and set expectations and explain Security and its architecture and its integration with several different ECC modules
GRC:
- Designed technical landscapes and configured workflows for GRC Compliance Calibrator, Role Expert, Access Enforcer and Firefighter 5.2
- Further upgraded 5.2 suite to CUP, RAR and SPM 5.3
- Created process flow designs and approval workflow documents while weighing the pros and cons of having and using different stages
- Documented Configuration Design and BBPs for configuring GRC Access Control 5.3

07/2008 – 8/2008
Position: SAP Security/GRC Lead (Remote)
Client: Smith & Nephew Inc. – (Pharmaceutical)
Security:
- Led all necessary upgrade activities for migrating from 4.7 Enterprise to ECC6.0
- Managed and served as POI for testing during a technical upgrade
- Performed Security change impact analysis
- Maintained and modified new objects, transactions and roles impacted while upgrading to ECC6.0
- Supported client during pre- and post-upgrade periods for authorizations and needed access
GRC:
- Reviewed basis/security practices, SOPs and critical audit & compliance related issues
  o Provided findings and recommendations on remediation to plug gaps
- Analyzed custom transactions and program reports to ensure they mapped to the GRC functions and were in line with standard rule sets, and adjusted necessary changes as needed

03/2008 – 4/2008
Position: SAP Security/GRC Consultant - (Remote & Onsite)
Client: AES Corporation – (Utilities)
- Analyze existing Global environment and recommend upgrades in GRC compliance areas
- Assess client's requirements and provide solution to remedy and comply with annual audit
- Analyze and secure custom transactions and programs to standardize security across all regions
- Remap roles to new composites based on Segregation of Duties and to optimize mitigation
- Train customer resource assigned to the project to handle the necessary maintenance activities independently
- Help team understand and use simulation and other features beneficial for this standardization/remediation effort
- Assist client in understanding and leveraging features in available version in use and compare with features in new releases

02/2008 – 02/2008
Position: SAP BI Consultant
Client: DIRECTV – (Entertainment)
- Upgrade and Migration of SAP BW3.5 to BI 7.0 (2004s)
- Conversion and activation of custom objects to analysis authorizations
- Provided upgrade training to the client and conducted workshops for knowledge transfer
- Provided upgrade documentation with detailed insight on How-Tos for the technical pieces
- Involved in appropriate profile mappings, role assignments and testing through the BEx Analyzer
- Troubleshoot client's issues on new analysis authorizations and concepts around security

01/2008 – 01/2008
Position: SAP GRC Consultant
Client: Novartis/Chiron – (Pharmaceutical)
- Technical Upgrade and Configuration of SAP GRC Compliance Calibrator 4.0 from version 3.0
- Provided end user training on CC4.0 usage and available reporting
- Provided upgrade documentation highlighting new features available after upgrade
- Configured and tuned Matrix 1 for running similar reports as client used prior to upgrade

05/2007 – 12/2007
Position: SAP Security/DBA
Client: Genentech, Inc. - (Pharmaceutical)
- Implemented and configured SAP GRC Compliance Applications version 5.2 such as the Access Enforcer, Compliance Calibrator, Firefighter and maintained the former PWC/Virsa SAFE CCXT tool
- Reviewed and performed system analysis of existing environment by studying audit reports issued by the external auditors and, based on the audit findings, defined the scope of project to target the efficiencies identified
- Gathered information and customized Access Enforcer Workflows leveraging client's existing user creation process
- Assisted client in resolving Access Enforcer and Workflow configuration issues during POC prototyping
- Suggested alternatives for SOD remediation during and after the Go-Live for naming conventions, role swaps for users with conflicts and configuration changes to keep track of project progress
- Defined critical transactions to be used for Firefighter Access
- Configured system audit reporting/audit log
- Created FAQs and How-To documents for SAP applications Firefighter, Compliance Calibrator, Role Expert, and Access Enforcer
- Experienced with NetWeaver for handling user maintenance through UME
- Provided technical Security support to users on modules FI/CO, MM, PP, PM, SCM APO, SD, BI, WM, SRM EBP 4.0, SM and XI
- Handled all Security issues related to authorizations and remediation around support and upgrades
- Involved in BW3.5 upgrade conversion to BI7.0. Created analysis authorizations to comply with existing BW security architecture and ensured all new objects and transaction codes were migrated and applied to the production roles suitably
- Maintained multi-system, multiple-environment landscape through CUA configured on Solution Manager for easier user provisioning and administration
- Supported continuous improvement in existing and new environments by contributing to the problem management process and ensuring execution of corrective actions assigned to the team
- Worked with Maintenance & Engineering and IT Security management regarding potential access violations per US Security standards and best practices
- Contributed to daily Security monitoring of all SAP application environments and responded to Service Center tickets for user administration in SAP production and non-production environments within designated SLAs
- Provided insight on process improvement to junior team members and groomed internal FTEs to perform and understand Security challenges

08/2006 – 05/2007
Position: mySAP Security, Identity Management Lead
Client: Toyota Motor Corporation (TFS Division) - (Automobile Finance)
- Supporting ECC6.0 mySAP ERP 2005 implementation on multiple landscapes on CUA with SAP Basis release 700, mySAP CRM 2006 Wave-1 (CRM 5.1 SP02), BI - NetWeaver 2004s, PI/XI 700, Enterprise Buyer Professional 5.0 (SRM EBP), FI - Asset Finance and Leasing (AFL) & Consumer and Mortgage Loans (CML)
- Designing Security & SOX Compliance Controls Strategy document in review of existing security policies and procedures and putting together a detailed Security Project Plan in MS Project
- Conducting workshops with Functional/Business team members on business requirements, helping them understand their deliverables from a Security perspective. Reviewing and approving FRS & TDS documents for requested functional and technical enhancement specs
- Building Business Roles and test user IDs for Business Analysts and power users in preparation for Realization phase
- Training internal resources on day-to-day Security Support tasks and imparting strategies helping them understand and minimize downtime impact

07/2006 – 02/2007
Position: Security & Controls Architect - (Remote & Onsite)
Client: Avanex Corporation (High Tech/Optic Fiber) – (High Tech)
- Developed audit analysis insights and observations worksheets for client on audit findings for Basis Security & Business with internal auditors from Deloitte
- Engaged in identifying compliance shortfalls, their documentation and performing related technical fixes for R/3 modules FI, MM & SD in release 4.7/6.20
- Supported the client in identifying a Segregation of Duties matrix suiting the business and performing runtime analysis on the same to list internal violations
- Provided the client key information on Basis & Security issues and reworked system & profile parameters to help further secure their landscape
- Helped client understand their business need and helped draw a time-bound, structured-approach remediation process going forward
- Assisted client in identifying a SOX compliance utility suiting their business and arranged vendor presentations to their specifications
- Extensively used audit reporting and configured system parameters to enable system audit log for transactions SM19 and SM20
- Cleaned up existing Roles to be compliant with new Security Design
- Redefined Organization Structure in existing Roles to restrict end users to their respective areas
- Provided remote development support and was onsite for end user training as needed

05/2006 – 7/2006
Position: Sr. SOX/Security Architect
Client: Smith & Nephew Inc. (Endoscopy Div. - Pharmaceutical)
- Worked as a Sr. Security Architect on Audit Remediation and provided client support on installation & user training on Virsa Compliance Calibrator CC5.0 Configuration and Maintenance, Access Enforcer and Role Expert tools
- Used Compliance Calibrator to test, simulate and document security and SOD conflicts. Trained customer on the existing reports and functionality contained within AE and CC
- Helped mediate SAP support-level issues for reported bugs and resolve issues
- Configured background jobs for Firefighter to extract historical reports from STAT and CDHDR tables
- Scheduled and held remote WebEx conferences to review customer issues and provide end user and process owner training
- Simulated adding roles and/or transactions to users to find SOD prior to adding authorization. Used VIRSA Risk Terminator to create real-time analysis of possible conflicts when adding a transaction or authorization objects to an existing role
- Configured system profile parameters to enable automatic audit logging through tcodes SM19 & SM20
- Provided Compliance Calibrator custom reports and SUIM reports to identify SOD conflicts
- Redesigned Role Based Access Control for MM, SD and FI modules in compliance with SOx
- Audit compliance and configuration of incompatible combinations of business tasks in respect of SOx compliance on existing Security roles and access
- End user training on detailed report generation techniques and table updates
- Provided remote development support and was onsite for end user training as needed

2/2006 – 4/2006
Position: Security Lead (Cap Gemini)
Client: Genentech Inc. (Pharmaceutical)
- Worked as a Cap Gemini Consultant on Phase 2 Blueprint activities for rolling out new modules
- Worked with business tracks on requirement gathering for Blueprint, preparing to transition into Realization around June 2006
- Implemented CUA on large multiple landscapes on Sandbox, Development, QA, and Integration Testing systems. Used and trained client on CATT and LSMW to automate user management
- Provided technical support to power users on existing systems. New modules like MM, PP, PM, SCM APO, FIN, SD, WM, SRM EBP being added
- Provided training and support being a part of the audit team & analyzing SODs to comply with SOX/Audit compliance using CCXT
- Completed all required Safety and GMP/FDA compliance training courses

04/2004 – 1/2006
Client: Applied Materials, Inc. (Semiconductor)
- Worked on the 4.7 upgrade project as a Senior Security Analyst in tandem with the upgrade teams from different areas. Designed and built custom authorizations, roles and profiles in development for UAT in QAS based on provided info from business
- Worked with role creation (PFCG) for building new composite, single & derived roles along with conversions from profiles to roles and other issues related to upgrade tasks in a CUA setup
- Analyzed existing program codes to validate authority checks for use in new role design. Used tables to extract data for reporting and used custom reports for analysis
- Provided Post Go-Live support to end users after having successfully gone live with SAP upgrade on 5th Dec 05 globally
- Successfully went live with SOx compliance globally on 12th Nov 04 on the previous project as a Security Lead
- Simultaneously worked on SOX compliance and maintenance of R/3 security on release 4.5b as a part of the core SAP security team of Applied Global Services (AGS Division) supporting over 2300 users globally
- Experience on audit issues for SOX compliance and for SOD access removal, extensively using VIRSA as an administrator
- Worked on streamlining and reclassification of user groups for easier addressing of issues and user administration
- As a part of the upgrade team, built/reviewed strategy to upgrade from profile-based security to role-based security for the new ongoing 4.7 upgrade project
- Set up procedures to troubleshoot R/3 security problems
- Developed roles and profiles for developers, basis, security, regional user administrators and other teams. Used CATT & LSMW (client preferred) extensively to enhance productivity and to automate large changes related to the upgrade and audit
- Defined procedures to clean up access from the production clients, review and remove unnecessary additional access from users
- Resolved audit issues of removing critical authorizations and profiles from users, restricting sensitive table display/update access in production, removing debug access from production, and restricting access to business or system sensitive transactions. Monitored audit log via SM20
- Imparted training to group team members and management on security architecture, design, arising security issues and resolution strategies
- Successfully implemented SOx compliance and controls on time as scheduled in Nov 2004

04/2003 – 03/2004
Position: Sr. SAP Security Administrator
Project Assignment: Guidant Corporation (Medical Devices)
Responsibilities:
- Security Lead in R/3 upgrade from 4.5B to 4.7 (Enterprise)
- Working on SAP R/3 Enterprise upgrade as a Security Lead for a Global implementation rolling out to 23 countries, 171 sites worldwide
- Defined upgrade procedures and steps for Security Conversions from Profile- to Role-based Security
- Identified major areas of pitfalls and critical issues leading to serious Security and Audit concerns
- Worked on LAW (License Administration Workbench) to set up user types for license usage and reporting to SAP
- Assisted the management in identifying insecure access to users resulting from inappropriate assignment of Profiles and their Authorizations. Prepared & delivered presentations showing real-time examples of its seriousness to Business & Audit management, resulting in approval and sanctioning of a new project to soon revamp entire Security
- Extensively created and used CATT scripts to automate processes for conversion activities and user maintenance on the fly
- Delivered technical training sessions in Security to employees and helpdesk personnel to handle user maintenance effectively and efficiently
- Trained regular employees and made them self-sufficient in day-to-day management of R/3 Security and user administration tasks and procedures
- Worked with the trainees to ensure a successful migration of Security to the new release
- Providing 24x7 Production support to 2000 users in 171 sites globally

12/2002 – 03/2003
Position: Security Consultant - (Remote)
Project Assignment: MGM - (Entertainment)
Responsibilities:
- Redesigning and implementing SAP R/3 Security in a 4.7 upgrade environment remotely as a Virsa Systems employee
- Working on Role Definitions based on the inputs provided by the client and defining the Role Matrix in MS Excel
- Defining new Roles, redesigning the existing Definitions and building smaller meaningful Roles based on concentration of job duties
- Using SOD Matrix and third-party tools to determine conflicts and Segregation of Duties issues in Role Definitions before building Roles
- Creation of Roles based on the inputs from the above Matrix and testing in respect to failure or missing authorizations

08/2002 – 12/2002
Responsibilities:
- Contracting on a SAP R/3 upgrade project as a security consultant for development, creation, testing and a successful implementation
- Modifying existing profiles and converting them to new roles using profile generator and providing assistance for integration from version 3.0H to 4.6C
- Assisting role owners and functional teams on defining and testing new roles
- Developing new single and composite roles and conducting positive and negative testing on 4.6C version for team approval before transporting to Production
- Providing User Acceptance Testing as well as Training support to training and UAT teams parallel to their testing
- Handling all user assignment and other issues related to user management
- Documenting all development procedures, sensitive objects, manual inputs and all other critical changes as per FDA regulations and guidelines

01/2002 – 08/2002
Responsibilities:
- Providing remote SAP R/3 security support for Production and Development systems
- Maintaining and modifying existing SAP roles/Authorizations, Segregation of Duties conflicts for Sensitive Transaction Access
- Evaluated customer's security requirements to fit into their business needs
- Troubleshot R/3 security problems by using different scenarios such as system trace, parameter change, buffer reset, SU53, and SU56 in order to find security related problems
- Analyzed all business roles and mapped business roles to transaction codes according to business processes
- Designed and developed Authorization List in MS Excel database. Organized all job roles and associated transaction codes to expedite implementation and improve accuracy
- Analyzed, designed and developed development profile for development system in order to reduce security risk during implementation phase
- Held security workshop with Basis, functional and management teams to educate them about security concepts and the importance of security in SAP R/3 environment
- Educated testing team about how to test security profiles
- Documented procedures for different security processes such as creating table and program authorization groups, adding transaction codes to company menu, change user authorization request form, new user request form, Security profile maintenance procedure etc.
- As a core team member, gained knowledge on Security issues and problems
- Provided Production Systems Support for all SAP Security related issues
- Provided Ongoing Security Support for Non-Production SAP Systems