SAP GRC, Security and Controls Lead Resume
Allentown, PA
SUMMARY:
- Confidential is a certified CISA and GRC/Security consultant (I-140 approved) with over 12 years of experience in Information Technology, including 9+ years in SAP GRC/Security, involved in all phases of the project lifecycle.
- He has worked across various industries including Utilities, Oil & Gas, Manufacturing and ID.
- Confidential has played various roles including GRC Solution Architect, Security/GRC and Controls Lead, Onsite Coordinator and Project Manager, across geographies including the USA and India.
- Implemented 10 end-to-end GRC implementation projects covering all phases from project planning to hypercare, including 5 Process Control and 2 Risk Management projects.
- Delivered various SAP Security projects, including implementation and support for ECC/S4HANA/Fiori security.
- Performed SAP Security tasks such as security audits, SOX (Sarbanes-Oxley) compliance, user maintenance, activity group/role maintenance using the Profile Generator (PFCG), upgrades from various versions and production support.
- Provided automated continuous control monitoring solutions for various customers covering finance and the NERC-CIP regulation.
- Hands-on experience with Greenlight RCM (Regulatory Compliance Management) and Greenlight RESQ.
- Implemented 4 end-to-end GRC Access Control implementations: 2 on GRC Access Control 10.1 and 2 on Access Control 10.0.
- Implemented 3 end-to-end GRC Process Control 10.1 implementations.
- 2 implementations of SAP GRC Risk Management, including customization (risk aggregation/heat map).
- One end-to-end migration from GRC Access Control 4.0 to 10.0 for the Access Risk Analysis (ARA) and Emergency Access Management (EAM) modules.
- Good understanding of Fraud Management; attended the Fraud Management workshop conducted by SAP Education.
- Provided SAP GRC expert services to MaxAttention and Enterprise customers for a smooth go-live.
- In-depth experience in GRC MSMP/BRF+ customization using custom development.
- GRC 10.0 Access/Process Control integration with external applications such as Remedy, eDMRM and IBM Tivoli through custom development.
- Training for core teams and end users at multiple customers on SAP GRC.
- Set up role-based security through the Profile Generator (PFCG) for R/3 and ECC 6.0/7.x across various modules.
- Proficient in troubleshooting user issues using SU53, authorization tracing (ST01) and the User Information System (SUIM); locking and unlocking users; running reports into Excel sheets; and monitoring users with access to specific controls.
- Designing process controls for SAP implementations.
- Conducting process and financial audits in SAP environments; testing controls designed to achieve SOX compliance.
- Extensive work on strategy management related to SAP business processes, transactions and Segregation of Duties (SOD) within SAP implementations, and on the VIRSA Risk Assessment Tool (VRAT) for Sarbanes-Oxley (SOX) compliance. Good understanding of SOD, security assessment, SAP authorizations/roles and SOX.
- Hands-on experience with HP ALM/HP QC for test plans and test labs.
TECHNICAL SKILLS:
Primary Skills: SAP Security (ECC, S/4HANA, Fiori, BI, Solution Manager, UCON); SAP GRC (Access Control, Process Control and Risk Management); Greenlight integration
ERP Packages: SAP 4.6C, ECC 4.7, ECC 5.0, ECC 6.0, SAP SCM 7.0
Operating Systems: Microsoft Windows (all), DOS; Database: Oracle 9i
ERP Applications: SAP Production Planning, Advanced Planner & Optimizer (APO)
Platform/Technologies: ABAP, Java, SAP R/3
Databases: Oracle 8.0, SQL Server, DB2
SAP Systems: ECC 6.0, SAP NetWeaver 7.02, 7.40
SAP Objects: User Exits, BAdI, Data Dictionary, Lock Objects, Modularization, Web Dynpro ABAP, Debugging, Job Scheduling, BAPI, RFC; SAP Technical Skills: Web Dynpro ABAP, FPM, ABAP OO, Enterprise Portal
SAP Functional: SAP GRC Access Control 5.3/10.0/10.1, GRC Process Control 10.0/10.1, Risk Management 10.0/10.1, SAP Security, Role Design, SOX
Operating Systems: Windows 2000/NT, XP, Red Hat Linux
Languages: ABAP, Java objects, file handling
PROFESSIONAL EXPERIENCE:
Confidential, Allentown, PA
SAP GRC, Security and Controls Lead
Technical Skills: SAP Security (S/4HANA, Fiori, HANA Studio, Solution Manager, UCON, RFC), SAP GRC Access Control, BI/BW
Responsibilities:
- Conducted requirement-gathering workshops with stakeholders for SAP GRC Access Control and Security
- Defined and implemented the ServiceNow-to-GRC integration approach
- Designed blueprint documents
- Responsible for defining the SAP Security role design matrix for the entire system landscape
- Responsible for designing and developing SAP ITGC controls
- Designed a customized rule book for S/4HANA and Fiori
- Developed ITGC controls for IT and security, including user access management, system management and change controls
- Responsible for defining the strategy for role design, SOD review and update, the GRC solution, UAT and cutover
- Responsible for compliance activities, including coordination with internal and external auditors
- Prepared checklists for internal audit
- SOD rule book review with business owners, including S/4HANA and Fiori
- Defined the end-user strategy, including material preparation, tool preparation and coordination with Change Management to conduct trainings
Confidential, Los Angeles, CA
SAP GRC Lead
Technical Skills: SAP ECC, UCON, Solution Manager, SAP GRC (Access Control, Process Control and Risk Management)
Responsibilities:
- Requirement gathering, blueprint document preparation
- Interaction with various Confidential SOX business teams and on the NERC-CIP regulation
- Implementation and support for Risk Management, including risk aggregation/heat map and custom fields
- BW reporting for Access Control and Process Control
- Designed business rules and data sources to design and configure automated rules (continuous control monitoring), e.g. NERC-CIP revocation using a BEx query, and a "criminal report" (the same user should not park and post a document of the same document type) using an ABAP query and configuration
- Automated rule design through BRF+ and through custom program development
- Configured/maintained master data such as Organization/Process/Sub-process and their entity role assignments, assessments (test of control effectiveness, sign-off) and multiple regulatory compliance
- Integration of Process Control with eDMRM and Greenlight RCM (Regulatory Compliance Management)
- Process Control security design, workflow configuration (reminders and escalation)
- Performed post-installation activities
- Master data configuration such as Organization/Process/Sub-process/Control/Regulation/Roles
- Implemented SOX/NERC-CIP controls and automated controls using SAP Query and BEx queries
- Confidential security admin activities such as role design, implementing roles and authorizations for the onboarding and offboarding process, user/role provisioning and security issue troubleshooting
- Maintained the Confidential ECMS tool for compliance and integrated it with GRC Process Control
- Implemented position-based requests through SAP GRC, HR triggers and qualification checks
- ARQ implementation for SAP as well as non-SAP systems using Greenlight RTDS
- Custom rule book design, BRF+ configuration
- Supported ECC, CRM and BI security roles and maintained them based on position
- Created and maintained test cases/test labs in HP QC
- Worked on Greenlight RESQ and Greenlight RCM
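The "park and post" rule above is a classic four-eyes control: the user who parks an FI document must not be the one who posts it. The following is an added example, written for this page and not the ABAP query or configuration from the engagement described, showing the same detection logic over constructed document header rows. The field names (BUKRS, BELNR, GJAHR, BLART, USNAM, PPNAM, BSTAT) are modeled on the FI document header table BKPF as assumed here: USNAM is the user who created/posted the document, PPNAM the user who parked it, and BSTAT "V" marks a document that is still parked. The sample rows, user IDs and document numbers are constructed.

```python
"""Continuous control monitoring rule: one user must not both park and post the
same FI document. Illustrative Python over constructed rows; not the page's ABAP query."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample rows shaped after the FI document header (BKPF), as assumed here:
# USNAM = user who created/posted the document, PPNAM = user who parked it (blank when
# the document was never parked), BSTAT "V" = still parked, i.e. not yet posted.
SAMPLE_BKPF: List[Dict[str, str]] = [
    {"BUKRS": "1000", "BELNR": "1900000001", "GJAHR": "2018", "BLART": "KR",
     "USNAM": "JSMITH", "PPNAM": "JSMITH", "BSTAT": " "},    # parked and posted by JSMITH
    {"BUKRS": "1000", "BELNR": "1900000002", "GJAHR": "2018", "BLART": "KR",
     "USNAM": "MJONES", "PPNAM": "JSMITH", "BSTAT": " "},    # four-eyes respected
    {"BUKRS": "1000", "BELNR": "1900000003", "GJAHR": "2018", "BLART": "KR",
     "USNAM": "jsmith", "PPNAM": "JSMITH ", "BSTAT": " "},   # same user, noisy case/padding
    {"BUKRS": "1000", "BELNR": "1900000004", "GJAHR": "2018", "BLART": "SA",
     "USNAM": "MJONES", "PPNAM": "", "BSTAT": " "},          # never parked
    {"BUKRS": "2000", "BELNR": "1900000005", "GJAHR": "2018", "BLART": "KR",
     "USNAM": "MJONES", "PPNAM": "MJONES", "BSTAT": "V"},    # still parked, nothing posted yet
    {"BUKRS": "2000", "BELNR": "1900000006", "GJAHR": "2018", "BLART": "KG",
     "USNAM": "AKUMAR", "PPNAM": "AKUMAR", "BSTAT": " "},    # parked and posted by AKUMAR
]


def _norm(user: str) -> str:
    """SAP user names are upper-case and space-padded; compare them canonically."""
    return user.strip().upper()


def park_and_post_violations(rows: Iterable[Dict[str, str]],
                             doc_types: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Return posted documents whose parker and poster are the same user.

    doc_types restricts the rule to selected document types (BLART), the way the
    page's rule is scoped to one document type; None means all types.
    """
    hits: List[Dict[str, str]] = []
    for row in rows:
        if doc_types and row["BLART"] not in doc_types:
            continue
        parker = _norm(row["PPNAM"])
        if not parker or row["BSTAT"].strip() == "V":
            continue  # never parked, or still parked: no posting has happened yet
        if parker == _norm(row["USNAM"]):
            key_fields = {k: row[k] for k in ("BUKRS", "BELNR", "GJAHR", "BLART")}
            hits.append({**key_fields, "USER": parker})
    return hits


def violations_by_user(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per user, which is what a remediation workflow is routed on."""
    return dict(Counter(h["USER"] for h in hits))


if __name__ == "__main__":
    found = park_and_post_violations(SAMPLE_BKPF, doc_types={"KR"})
    for h in found:
        print(f'{h["BUKRS"]}/{h["BELNR"]}/{h["GJAHR"]} ({h["BLART"]}) parked and posted by {h["USER"]}')
    print(violations_by_user(found))
```

Two details matter in practice and are handled above: documents that are still parked (BSTAT "V") have not been posted yet and must not be flagged, and user IDs should be compared after normalizing case and padding so the rule cannot be dodged by representation differences. A production version of this control would also look at the document change history rather than the header alone, since the header only records the last poster.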
Confidential
Lead Consultant
Responsibilities:
- Requirement gathering, blueprint document preparation
- Performed post-installation activities
- Master data configuration such as Organization/Process/Sub-process/Control/Regulation/Roles
- Implemented 5 automated controls as part of a POC; Confidential bought the license after seeing the POC
- Prepared functional and technical specification documents for custom requirements
- Discussions with business users to finalize the PC master/transactional data to be monitored
Confidential
Lead Consultant
Responsibilities:
- Requirement gathering, blueprint document preparation
- Performed post-installation activities
- Master data configuration such as Organization/Process/Sub-process/Control/Regulation/Roles
- Implemented second-level authorization in GRC Process Control 10.1
- Prepared functional and technical specification documents for custom requirements
- Identified various disclosures/surveys/policies at Confidential and configured them; the assessment, sign-off and replacement features were also implemented
Confidential
Lead Consultant
Responsibilities:
- Created the project plan for GRC AC 10.0
- Highlighted GRC AC features to the core team
- Analysis of customer requirements and provision of workable solutions in GRC AC
- Final business blueprint of the To-Be process in the GRC Access Control scenario for all four components: CUP, ERM, RAR and SPM
- Post-installation activities for GRC
- Custom development: mass request creation from a CSV file
- ARQ workflow configuration using custom development so that the standard workflow and the custom workflow work together, following different paths
- Presentations on GRC Access Control best practices
- SAP Note implementation and performing the manual steps described in the Notes, where applicable
- PGLS support
Environment: GRC Access Control 10.0 (ARA, BRM, SPM, ARQ), SAP NetWeaver 7.02, 7.40, ABAP OO, Web Dynpro ABAP; Oil & Gas
Confidential
Lead Consultant
Responsibilities:
- Created the project plan and obtained sign-off
- Conducted complete GRC AC suite training/workshops before the start of the project for participants from the IT, business, audit and compliance teams, including training for the core team
- Analyzed the customer's As-Is processes and designed workable To-Be solutions in GRC AC, e.g. approval workflow, mitigation process, firefighting activities, role creation/modification process
- Implemented the Remediation view in ARA and the Simplified Access Request in ARM
- Defined system-specific mitigation controls
- Prepared the blueprint document based on business needs, describing the detailed To-Be process
- SOD rule book discussion with Confidential; also created a custom rule book based on customer feedback
- Post-installation activities, implementation, testing and transporting objects from GRC Dev to GRC Production
- Role-level/user-level risk analysis, with role design recommendations based on the results
- User/role remediation based on SOD/SOX violations; worked with the customer's internal audit team to remove user/role conflicts in SAP ECC
- Determined critical activities in customer discussions and configured them in GRC Emergency Access Management (EAM)
- Prepared training manuals, end-user manuals and configuration documents for Access Control
- Worked closely with the internal audit, Basis and Finance teams
- Performed Sarbanes-Oxley 404 activities
- Identification of key controls and SOD risk issues
- PGLS support
Environment: GRC Access Control 10.0 (ARA, BRM, SPM/EAM, CUP/ARQ), SAP NetWeaver 7.02, 7.40, ABAP OO, Web Dynpro ABAP, ECC, security audit, SOD review and user review
Confidential
Lead Consultant
Responsibilities:
- Confidential had its own provisioning tool (ZICE ARMS), developed in ABAP, to assign roles to users in ECC; it did not consider SOD/SOX violations during the approval process, although logs were maintained
- Custom development to integrate ZICE ARMS with ARA so that ZICE ARMS can show violations at each stage of approval, which makes approvers more accountable
- Custom development to create a parallel request in ARQ whenever a request is created in ZICE ARMS, send the violation report to ZICE ARMS and customize the report per Confidential's requirements; removal of false positives from the SOD/SOX violation report, e.g. if there is no risk at permission level, the action-level risk should not be shown either
- Custom development in ZICE ARMS to maintain audit logs
- Custom development to send email notifications to ZICE ARMS approvers; custom initiator/agent development
- Conducted four days of dedicated GRC Access Control training for the core team, covering all four sub-modules including configuration
- End-user training across locations on the various functionalities of GRC AC
- Delivered the GRC Access Control solution for the new ECC 7.40 server
- Post-installation activities for GRC
- Ensured product functionalities operate as desired and per requirements
- Provided post go-live support
Environment: GRC Access Control 10.1 (ARA, BRM, SPM/EAM, CUP/ARQ), SAP NetWeaver 7.02, 7.40, ABAP OO, Web Dynpro ABAP, ECC, security audit, SOD review and user review; Oil & Gas
Confidential
Lead Consultant
Responsibilities:
- Walked through Confidential's 5.3 system and identified the master data and workflows that needed to be carried over to GRC AC 10.1
- Shared the pre-installation, security and sizing guides with Basis and helped them download the GRCFND_A package onto the GRC box
- Also guided them in downloading and installing the GRCPINW and GRCPIERP components on the GRC plug-in system, i.e. ECC; GRCPOR portal component installation and portal role design for GRC
- First installed GRC Access Control 10.0 on NetWeaver 7.31, then migrated master data and workflow configuration for ARA, BRM and EAM
- Performed intensive testing with the Confidential core team to make sure the migration was successful
- Upgraded NetWeaver 7.31 to 7.40 and GRC from 10.0 to 10.1
- Performed post-installation activities for AC 10.0 and 10.1
- Imported ECC roles into the GRC system and configured the various sync jobs to pull data into GRC
- Standard SOD rule book review with Confidential business process owners, finalizing the rules to be configured, including custom rules; also handled Z transactions in the rule book
- User/role-level risk analysis for SOD violations, sharing the results with the corresponding business process owners, e.g. FI risks with the finance team, MM risks with the MM team
- Initiated user/role remediation for a few samples and guided the Confidential core team on how to perform this activity in the long run
- Conducted complete GRC AC 10.1 suite training before the start of the project for participants from the IT, business, audit and compliance teams, including training for the core team
- End-user training across locations on the various functionalities of GRC AC
- Prepared the Business Blueprint (BBP) document based on requirements, considering workable solutions in GRC
- Ensured product functionalities operate as desired and per Confidential's requirements
- Provided post go-live support
Environment: GRC Access Control 10.1 (ARA, BRM, SPM/EAM, CUP/ARQ), SAP NetWeaver 7.02, 7.40, ABAP OO, Web Dynpro ABAP, ECC, security audit, SOD review and user review; Oil & Gas
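Two items above, the role-level and user-level SOD risk analysis in this engagement and the earlier ZICE ARMS point about suppressing action-level findings that are not confirmed at permission level, both come down to the same evaluation: a risk is an action-level hit when a user holds transactions from both of its conflicting functions, and a permission-level hit only when the authorization object values behind those transactions actually allow the conflicting activity. The following is an added example written for this page, not GRC ARA code or anything from the engagements described; the rule set (functions AP01/AP02, risk P001), the Z roles and the users are constructed, and the authorization objects F_LFA1_APP and F_BKPF_BUK are used as plausible illustrations with value sets rather than the FROM/TO ranges real authorizations carry.

```python
"""SoD risk analysis at action (transaction) and permission (authorization object)
level. Illustrative Python, not GRC ARA code; the rule set and roles are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

AuthKey = Tuple[str, str]  # (authorization object, field), e.g. ("F_LFA1_APP", "ACTVT")


@dataclass(frozen=True)
class Permission:
    obj: str
    field: str
    values: FrozenSet[str]  # the rule's field values; holding any one of them counts


@dataclass
class Function:
    fid: str
    actions: Dict[str, Tuple[Permission, ...]]  # tcode -> permissions that make it "real"


@dataclass
class Risk:
    rid: str
    f1: str
    f2: str


@dataclass
class Role:
    name: str
    actions: Set[str]               # S_TCODE values in the role
    auths: Dict[AuthKey, Set[str]]  # granted field values; "*" = full authorization


def merge_roles(roles: List[Role]) -> Tuple[Set[str], Dict[AuthKey, Set[str]]]:
    """User-level view: the union of all assigned roles' actions and field values."""
    actions: Set[str] = set()
    auths: Dict[AuthKey, Set[str]] = {}
    for r in roles:
        actions |= r.actions
        for key, vals in r.auths.items():
            auths.setdefault(key, set()).update(vals)
    return actions, auths


def permission_granted(auths: Dict[AuthKey, Set[str]], perm: Permission) -> bool:
    # Simplification: real authorizations carry FROM/TO ranges, not just value sets.
    granted = auths.get((perm.obj, perm.field), set())
    return "*" in granted or bool(granted & perm.values)


def action_hits(func: Function, actions: Set[str], auths) -> Tuple[List[str], List[str]]:
    """Return (actions held, actions held with every required permission)."""
    held = [a for a in func.actions if a in actions]
    confirmed = [a for a in held if all(permission_granted(auths, p) for p in func.actions[a])]
    return held, confirmed


def analyze(functions: Dict[str, Function], risks: List[Risk], actions, auths) -> Dict[str, dict]:
    results = {}
    for risk in risks:
        h1, c1 = action_hits(functions[risk.f1], actions, auths)
        h2, c2 = action_hits(functions[risk.f2], actions, auths)
        results[risk.rid] = {
            "action_level": bool(h1 and h2),        # both functions' tcodes present
            "permission_level": bool(c1 and c2),    # and the values that make them exploitable
            "conflicting_actions": sorted((a, b) for a in c1 for b in c2),
        }
    return results


def violations(functions, risks, roles: List[Role], suppress_action_only: bool = True) -> List[str]:
    """Risk IDs to report. With suppress_action_only, an action-level hit that is not
    confirmed at permission level is treated as a false positive and dropped."""
    actions, auths = merge_roles(roles)
    key = "permission_level" if suppress_action_only else "action_level"
    return sorted(rid for rid, r in analyze(functions, risks, actions, auths).items() if r[key])


# Constructed rule set: maintaining vendor master data vs. posting vendor invoices.
FUNCTIONS = {
    "AP01": Function("AP01", {
        "FK01": (Permission("F_LFA1_APP", "ACTVT", frozenset({"01", "02"})),),
        "FK02": (Permission("F_LFA1_APP", "ACTVT", frozenset({"02"})),),
    }),
    "AP02": Function("AP02", {
        "FB60": (Permission("F_BKPF_BUK", "ACTVT", frozenset({"01"})),),
    }),
}
RISKS = [Risk("P001", "AP01", "AP02")]

# Constructed roles and users (hypothetical Z roles).
ROLES = {
    "Z_AP_CLERK": Role("Z_AP_CLERK", {"FB60", "FB03"}, {("F_BKPF_BUK", "ACTVT"): {"01", "03"}}),
    "Z_VENDOR_DISPLAY": Role("Z_VENDOR_DISPLAY", {"FK01", "FK03"}, {("F_LFA1_APP", "ACTVT"): {"03"}}),
    "Z_VENDOR_MAINT": Role("Z_VENDOR_MAINT", {"FK01", "FK02"}, {("F_LFA1_APP", "ACTVT"): {"*"}}),
}
USERS = {"UA": ["Z_AP_CLERK", "Z_VENDOR_DISPLAY"], "UB": ["Z_AP_CLERK", "Z_VENDOR_MAINT"]}


def user_violations(user: str, suppress_action_only: bool = True) -> List[str]:
    return violations(FUNCTIONS, RISKS, [ROLES[r] for r in USERS[user]], suppress_action_only)


def role_violations(role: str) -> List[str]:
    return violations(FUNCTIONS, RISKS, [ROLES[role]])


if __name__ == "__main__":
    for u in USERS:
        print(u, "action-level:", user_violations(u, False), "permission-level:", user_violations(u))
    for r in ROLES:
        print(r, "role-level:", role_violations(r))
```

User UA holds FK01 only through a display role (ACTVT 03), so P001 shows at action level but is suppressed once permission level is checked; UB holds full vendor maintenance and is reported. None of the three roles conflicts on its own, which is why user-level analysis across the union of a user's roles is needed in addition to role-level analysis. One design choice to be aware of: an action with no permissions maintained in the rule set is treated as confirmed (all() over an empty tuple is true), so suppression is only as good as the permission data in the rule book.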
Confidential
Lead Consultant
Responsibilities:
- Initiated the GRC Process Control 3.0 system backup and identified the master data to be carried over to the new system
- Upgraded the GRC 3.0 system, including NetWeaver upgrades to 7.31 and then 7.40, and GRCFND_A upgrades from 3.0 to 10.0 and then from 10.0 to 10.1
- Performed post-upgrade activities from 3.0 to 10.0 and then from 10.0 to 10.1
- Performed post-installation activities
- Master data configuration such as Organization/Process/Sub-process/Control/Regulation/Roles
- Implemented second-level authorization in GRC Process Control 10.1
- Configured 10 standard automated controls using the Configurable sub-scenario, e.g. credit check
- Prepared functional and technical specification documents for custom requirements
- Developed 3 custom automated controls for continuous control monitoring (CCM) using the Programmed sub-scenario; workflow configuration for CCM and remediation plan design
- Identified various disclosures/surveys/policies at Confidential and configured them; the assessment, sign-off and replacement features were also implemented
- Planner activity automation: a custom program lets a user upload an Excel file in a predefined format, and the plan is created in PC automatically
- Position-based user determination: a custom program identifies which users from the list of process owners/sub-process owners have been transferred, and the replacement happens automatically, so manual reassignment is not required
- Custom development to find the list of process owners/sub-process owners/control owners by organization
- Conducted complete GRC PC 10.1 suite training before the start of the project for participants from the IT, business, audit and compliance teams, including training for the core team
- End-user training across locations on the various functionalities of GRC PC 10.1
- Prepared the Business Blueprint (BBP) document based on requirements, considering workable solutions in GRC
- Ensured product functionalities operate as desired and per Confidential's requirements
- Provided post go-live support
Environment: GRC Process Control 3.0/10.0/10.1, SAP NetWeaver 7.02, 7.40, ABAP OO, Web Dynpro ABAP, ECC, security audit, SOD review and user review; Oil & Gas; planner automation; automatic assignment of users to roles when a transfer happens in the organization
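The position-based owner determination described above reconciles two views: who holds a position in HR today, and which user was given a Process Control owner role through that position. The following is an added example written for this page, not the custom ABAP program from the engagement; the HR snapshot, the owner assignments and the idea of remembering the position alongside each assignment are all constructed for illustration. The point worth seeing is the edge case: when a position has no current holder the assignment must be surfaced for manual handling, not silently dropped or left pointing at a transferred user.

```python
"""Position-based owner determination for GRC PC owner roles: when an owner is
transferred, re-point the assignment to whoever now holds the position.
Illustrative Python over constructed data; not the page's custom ABAP program."""
from typing import Dict, List, Tuple

Assignment = Dict[str, str]

# Constructed HR snapshot: which user currently holds each position.
POSITION_HOLDER: Dict[str, str] = {"P100": "RBROWN", "P200": "AKUMAR", "P300": "LCHEN"}

# Constructed PC owner assignments; "position" is the position through which the user
# received the role (a hypothetical bookkeeping field kept next to the assignment).
OWNER_ASSIGNMENTS: List[Assignment] = [
    {"org": "ORG-US", "role": "PROCESS_OWNER", "user": "JSMITH", "position": "P100"},     # JSMITH moved on
    {"org": "ORG-US", "role": "SUBPROCESS_OWNER", "user": "AKUMAR", "position": "P200"},  # unchanged
    {"org": "ORG-EU", "role": "CONTROL_OWNER", "user": "LCHEN", "position": "P300"},      # unchanged
    {"org": "ORG-EU", "role": "PROCESS_OWNER", "user": "MJONES", "position": "P400"},     # position vacant
]


def plan_replacements(assignments: List[Assignment],
                      position_holder: Dict[str, str]) -> Tuple[List[Assignment], List[Assignment]]:
    """Split assignments into replacements (the position has a new holder) and
    unresolved ones (position vacant or unknown) that need a human decision."""
    replacements: List[Assignment] = []
    unresolved: List[Assignment] = []
    for a in assignments:
        holder = position_holder.get(a["position"])
        if holder == a["user"]:
            continue  # still the same person: nothing to do
        if holder is None:
            unresolved.append(a)  # never drop an owner automatically without a successor
        else:
            replacements.append({**a, "old_user": a["user"], "new_user": holder})
    return replacements, unresolved


def apply_replacements(assignments: List[Assignment], replacements: List[Assignment]) -> List[Assignment]:
    """Return the assignment list with replaced owners; untouched rows are copied as-is."""
    successor = {(r["org"], r["role"], r["old_user"]): r["new_user"] for r in replacements}
    return [{**a, "user": successor.get((a["org"], a["role"], a["user"]), a["user"])}
            for a in assignments]


if __name__ == "__main__":
    reps, open_items = plan_replacements(OWNER_ASSIGNMENTS, POSITION_HOLDER)
    for r in reps:
        print(f'{r["org"]} {r["role"]}: {r["old_user"]} -> {r["new_user"]}')
    for u in open_items:
        print(f'{u["org"]} {u["role"]}: {u["user"]} left position {u["position"]}, no successor')
```

In this constructed data the ORG-US process owner is re-pointed from JSMITH to RBROWN, the two unchanged owners are left alone, and the ORG-EU process owner whose position P400 has no holder is returned as unresolved rather than reassigned.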
Confidential
Lead Consultant
Responsibilities:
- Performed SU24/SU25 activities
- Role design activity
- Segregation of roles by business process (FI/MM/SD etc.) and sharing the list with the business
- Identified roles containing t-codes made obsolete by SAP, to be modified according to the new t-codes suggested by SAP
- Identified roles where t-codes were maintained manually instead of being added through expert mode, and shared them with the business
- Identified Z t-codes created by Confidential but not maintained in the customer tables USOBT_C and USOBX_C
- Created custom t-codes using SU20/SU21
- Custom development: because Confidential had added t-codes to roles manually, roles became corrupted whenever a user modified them in expert mode, so a custom program was developed to prevent this
- Recommended best practices for role design
- Role modification to remove SOD/SOX violations
- Identified active/inactive roles, roles without any t-code, roles with no authorizations and roles not assigned to any user
Environment: ECC 7.40, role design, SOD review
Confidential
Lead Consultant
Responsibilities:
- Conducted complete GRC AC suite training/workshops before the start of the project for participants from the IT, business, audit and compliance teams, including training for the core team
- Analyzed the customer's As-Is processes and designed workable To-Be solutions in GRC AC, e.g. approval workflow, mitigation process, firefighting activities, role creation/modification process
- SOD rule book discussion with Confidential; also created a custom rule book based on customer feedback
- Post-installation activities, implementation, testing and transporting objects from GRC Dev to GRC Production
- Role-level/user-level risk analysis, with role design recommendations based on the results
- User/role remediation based on SOD/SOX violations; worked with the customer's internal audit team to remove user/role conflicts in SAP ECC
- MSMP workflow configuration, BRF+ configuration
- Emergency Access Management implementation for performing critical activities in ECC, module-wise
- Custom development: repeated email reminders to the user when a role assignment needs to be extended
- Custom development: ARQ role search screen, with the search criteria customized so that only business-relevant fields can be used
- Custom development to determine manager information based on the customer's business logic
- Access request form customization, ARM approver request customization
- Prepared training manuals, end-user manuals and configuration documents for Access Control
- Performed SU24/SU25 activities
- Role design using BRM
- Resolved issues in the PGLS phase
Environment: GRC Access Control 10.0 implementation (ARA, BRM, SPM/EAM, ARQ/CUP), ABAP OO, Web Dynpro ABAP
Confidential
Lead Consultant
Responsibilities:
- SAP GRC Process Control 10.0 installation with the help of the Basis team
- Process Control post-installation configuration, workflow configuration, BC set activation
- SICF service activation
- Determination of the org structure to be defined in Process Control
- Master data identification and configuration in the GRC Process Control system: Organization/Business Process/Business Sub-process/Control
- Configuration/implementation of surveys, policies and ad-hoc issues
- Standard control activation for continuous control monitoring (CCM)
- Creating Process Control test data and integration testing
- Resolving customer-reported issues related to Process Control
Environment: GRC Process Control, ABAP, ABAP Dictionary, ABAP OO, Web Dynpro ABAP
Confidential
Lead Developer/Tester
Responsibilities:
- SAP GRC Access Control 10.1 User Acceptance Testing (UAT)
- Created test scripts for testing
- Functional testing of the various features introduced in 10.1
- Simplified Access Request configuration and testing
- Remediation view configuration and testing in ARA
- Advanced role search criteria testing
- Integration of Access Control and Process Control so that risks defined in PC can be mitigated in AC
- Reported and resolved issues raised during the UAT phase
Environment: GRC Access Control 10.1, ABAP, ABAP Dictionary, ABAP OO, Web Dynpro ABAP
Confidential
Lead Consultant
Responsibilities:
- MSMP custom initiator and agent development to meet Confidential's requirements
- Confidential wanted different approvers determined based on the requestor's position/band in the organization
- Solution design for the workflow
- MSMP configuration and activation, detour and escape path configuration
- Approver stage-level settings, notification settings and custom email notifications for the various approvals in GRC Access Control
- Auto-provisioning settings, CUA configuration and service level agreements configured
- Password Self Service, User Access Review (UAR) and Segregation of Duties Review (SOD Review) implemented
- NWBC launchpad customization based on customer requirements
- SAP-delivered GRC role customization and documentation of the role/responsibility matrix
- Coding and testing the custom initiator and custom agent
- Blueprint document preparation
- End-user manual preparation
- PGLS support
Environment: GRC Access Control, ABAP, ABAP Dictionary, ABAP OO, Web Dynpro ABAP; Oil & Gas