Sap Security Consultant Resume

SUMMARY:

Building on a strong background of over twenty years of SAP Security and GRC experience, I have been responsible for the design, development and implementation of a wide variety of SAP related projects. I have concentrated this experience in providing high quality SAP Security, GRC and Sarbanes-Oxley compliance for several Fortune 500 companies as an independent computer consultant. I’m currently versed in SAP Security best practices, risk and controls, SOX, CSCO, GCC, HIPAA, GLBA, GDPR and PCI controls. I have been involved with seven successful implementations of SAP Security.

PROFESSIONAL EXPERIENCE:

Confidential

SAP Security Consultant

  • Worked on E&Y’s internal Mercury Project as a member of the MST Mercury GRC - Risk team.
  • Project Lead for the R2.2 Production Cutover of E&Y’s Internal Mercury Project. Prepared all the Cutover plans and documents for the Cutover.
  • Support Lead for the AW1 FDR2, FDR3 and PVT testing of E&Y’s AW1 Production Cutover for the Mercury Project.
  • Traffic Cop supporting the Go-Live for E&Y’s AW1 US Production Cutover for over 60,000 users in the United States. The project is one of the most complex in the industry. It involves BI/BW, CRM, SRM, ALM, C4C, BOBJ, S2P, HCM, Solman with Charm, Gateway and GRC using Business Roles.
  • Put together a PowerPoint on using SAP’s UI Masking and UI Logging Tools. Created spreadsheets on what transactions/tables needed to be masked including HCM transactions/tables. Took the new GDPR requirements into consideration for both EU and US.
  • Performed SOD checks for new transactions being added to roles and Business role changes using GRC 10.1.
  • Created TDD’s for several role changes.
  • Worked on cleaning up excessive access in transactions PA20/PA30/PA40/PR05.
  • The client uses Service Now as its Helpdesk software.

Confidential

SAP Security Architect

  • Worked with Business and Functional consultants to develop new roles for two new plants that were being added. Both plants went live successfully. Supported hypercare for both plants on site.
  • This was done on an S4/HANA 1511 SAP system.
  • Supported IT3, UAT and Regression testing of the new roles.
  • Supported Development and Configuration teams in Dev, Quality and Production for S4 Hana and FIORI. I was the only SAP Security person on the project.
  • Supported three other go lives at existing plants that were live already.
  • Created new roles for two new Warehouse locations and they went live successfully.
  • Created many spreadsheets for management to help with decisions.
  • Supported the development of several tools being developed and worked through many issues in Production and other systems.
  • Supported Development team on Solution Manager 7.2 Charm in Dev and Quality.
  • Supported Development of GRC 10.1.
  • Worked with Business on their very first SAP SOX external audit.
  • Got rid of many SOX issues that were currently in the system.
  • The client is using the Automotive bolt on with VMS.
  • Created users, added roles to users and created roles and made changes to roles for Go-Lives and Support. Created derived roles for the new plants going live.
  • Helped client determine best practices, because they were new to SAP, and needed to be SOX compliant by end of the year.
  • Trained one employee in SAP Security.

Confidential

SAP Security Consultant

  • Setup roles in Sandbox and Dev for Retail Lending SAP System.
  • Setup roles in Sandbox and Dev for Banking Services SAP System.
  • Setup roles in Sandbox and Dev for Banking Analyzer SAP System.
  • Setup roles in Sandbox and Dev for CRM for the Retail Lending Project.
  • Setup all the roles for all functions for the Solution Manager 7.2 system.
  • Setup roles and system account for PI/PO for the Solution Manager 7.2 system.
  • Setup roles in Development for POB (Process Object Builder)/POL (Process Object Layer) system.
  • Worked with Configuration team to get Charm working on Solution Manager 7.2 and Fiori in Sandbox.
  • Worked support tickets in ECC, BI/BW, BPC, MDM, Enterprise Portal, BOBJ, CRM, PI/PO, POB/POL, Netweaver Gateway, LRM (Liquidity Risk Management), GRC and Solution Manager.
  • Worked with the Helpdesk software Service Now.
  • Setup user accounts in all the systems and they were using SSO, CUA and GRC Access Management.
  • Client is on S4/HANA.

Confidential

SAP Security Consultant/Lead

  • Reviewed their roles in BW, GTS and Solution Manager for SOD concerns. Came up with violations and listed corrective actions that have been implemented.
  • Completed a project on my own for ATP/eStock.
  • Worked with a young SAP Security Team that had only been live with SAP for three months. I taught them best practices and setup Monthly checks to make sure they stayed compliant.
  • Fixed several issues they had not been able to fix on their own using STAUTHTRACE.
  • Created new roles for Developers for BW and GTS support that were SOD compliant.
  • Created new Basis and Firecall roles for Solution Manager Basis Support that were SOD compliant so they could get rid of SAP_ALL in production.
  • Worked with Control Panel GRC Tool to create new Firecall roles and configuration for emergency access to production systems for BW and Solution Manager.
  • Ran SOD analysis using Control Panel Risk Analysis tool.
  • Worked with GRC 10 system to shut it down and run user usage analysis. Now using Control Panel.
  • Worked in ECC, BW, GTS, Solution Manager, GRC 10.0, Control Panel and BOBJ. Used APM Tool for testing in test client.
  • I supported old roles and then the new role design where a transaction could only be in one role and Enable roles were used to give Organization Level access.
  • Used ticket tracking software called Service Now to track tickets and Change Requests.
  • Worked with internal and external auditors for audit reviews.
  • Their systems were setup for SSO and they were on S4/HANA.

Confidential

SAP Security Consultant

  • Backfill for a company that is currently going to be outsourced.
  • Handled their everyday SAP Security Support issues.
  • I ran their Monthly Audit Reports for two systems.
  • I gathered the data and completed the work for four different projects.

Confidential

SAP Security Consultant

  • I worked with SAP Project Clean Team, which was re-designing all the roles for our ECC systems to a three role Job Based role scheme.
  • I went through all the tickets and assigned them to the responsible team members as the Ticket Farmer.
  • Handled the day-to-day Security requests for a large International Retail company with the Retail AFS module installed.
  • Created User ID’s, Test ID’s, ran audit reports, created new roles and made role changes for a 4000 user ECC 6.0 system.
  • I used the IDM provisioning tool for approximately one year before they switched to Access Management using IAM on GRC 10.1. The client also used CUA and just regular SU01 for provisioning while I was on the team.
  • I used GRC 10.0 and 10.1 to run SOD checks on role and user changes and to also provision users.
  • Supported and tested GRC 10.1 roll out of Fire Fighter for handling exceptional access requests.
  • Supported and tested the GRC 10.1 roll out of Access Control User Provisioning. This involved creating new users via templates, separations, adding/removing roles, resetting passwords, extending expire dates for contractors, checking email notifications for role owners and checking logs when failures occurred. This was for UAT testing and Regression testing for initial Go Live and for 10.1 upgrade from 10.0 and then again for Global roll out.
  • I kept up with problems using Google+ spreadsheet and attended weekly testing status meetings.
  • I understand a lot of the configuration and parameters in GRC 10.1.
  • I made the SAP Security role changes for the GRC 10.1 roll out.
  • Worked with Auditors in keeping the SAP systems SOD compliant.
  • The systems supported included ECC, BW, CRM, SCM, HCM, MDM, Solution Manager, XI/PI, BOBJ, Portal, IDM, and GRC 10.0 and 10.1, Vistex, and AP Automation.
  • The ECC and BI systems had two systems and landscapes, one for Retail and one for Wholesale that were different and had to be supported.
  • I tested and trained IT users on how to use the Charm tool in Solution Manager.
  • Completed several projects and assisted in the setup and testing of IDM, GRC, Charm and Global HCM with ESS/MSS roll outs. Had to work with end users to rename their accounts so that SAP accounts would match Active Directory/Network accounts.
  • The company utilizes CA Help Desk and Microsoft and Google+ software products.
  • Worked in the following functional areas of SAP - FI/CO, SCM, MM, PP, SD, PS, PM, WM, HR.
  • Analyzed authorization errors using authority checks (SU53), system trace (ST01) and STAUTHTRACE transactions.
  • Worked with Portal security, User administration and UME.
  • Setup new Retail Store accounts in their retail store SAP system along with the assignment of new staff members worldwide.
  • Worked with functional consultants to analyze and design new roles.

Confidential

SAP Security/GRC Consultant

  • FDA Validated Pharmaceutical environment.
  • Took training to be approved for viewing Clinical trial data.
  • Successful Go-live of the first North American company with Clinical studies using SAP.
  • Had to restrict numerous security objects to blind roles where necessary. Created enabler roles to give back access to unblinded users. Worked with single, derived and composite roles.
  • Worked with the Business role owners, Clinical Trials Group and the COE in creating and implementing the Security architecture of the project.
  • Created multi-stage CUP approval Path so that clinical roles got approved by Clinical role Approver first. Customer is using GRC 5.3.
  • Used Access Enforcer for Risk Analysis and provisioning of the roles.
  • Gave out Fire Fighter accounts to approved users.
  • Used ISM Helpdesk software. Utilized HP Quality Center for testing and defect tracking.
  • Worked in the following functional areas of SAP - FI, CO, SCM, GTS, MM, PP, SD, WH.

Confidential

SAP Security/GRC Consultant

  • Performed an SOD Remediation for an ECC 6.0 system with 1500 Users and 27000 roles.
  • Held SOD/GRC workshops with the customer to determine an SOD matrix to use.
  • Performed the SOD Remediation without an SOD tool using SAP Supplied tools in SUIM.
  • Found most of the violations occurred in their IT and Super User roles.
  • Worked with Internal Auditor to run reports for users having certain access.
  • Held meetings with CFO, CIO, and Internal Auditors to present the results of my findings and possible solutions.

Confidential

SAP Security Consultant

  • Provided SAP Security support to an end-user community of around 7000 users on 4.6C landscape.
  • Worked to resolve SAP Security related tickets entered in Remedy Help Desk System.
  • Followed a very strict Department of Defense user provisioning protocol.
  • Used Virsa Compliance Calibrator to make sure that all new users were SOD/GRC compliant.
  • Setup new Firefighter accounts and made changes to existing ones.
  • Made role changes following a very strict D.O.D. Change Request protocol.
  • Used HP Quality Center to setup testing for any role changes made.
  • Managed Department change reports and Inactivity Reports.
  • Worked with MM, PP, PM, PS, QA, FI, CO modules.

Confidential

SAP Security Architect

  • Supported the testing phase and Go-Live of a new implementation of Vistex.
  • Designed and created new roles and made changes to existing roles identified by testing.
  • Created new User ID’s and test ID’s via CUA.
  • Taught two of their employees SAP security concepts and I was their Team Lead that they took direction from.
  • Used Solution Manager for documentation, Status reports, creating and handling of issues and for doing Transports. CUA is running in Solution Manager.
  • The client is running ECC 6.0.
  • Identified possible SOD problems with some of their roles. They have no SOD tool.
  • Completed another successful Go-Live.

Confidential

SAP Security Architect

  • Worked with the Functional Team to design and build new roles for the new plants that were going live. This included single, derived and composite roles.
  • Used CATT scripts to create all the new users for the plant go-lives and to assign their roles.
  • Took over their everyday user maintenance and role maintenance as they did not have a full time SAP Security employee.
  • Client uses the Remedy Help Desk Software package.
  • Got rid of old roles that had been created not using standard naming convention. This required building new master and derived roles and moving the users to the new roles.
  • Researched GRC tools and helped with presentation.
  • Took Auditors Security report and removed many SOD violations that the customer currently had in Production.
  • Trained Basis Team members about GRC; being a private company, they were currently not required to follow these procedures.
  • Trained a new full-time SAP Security person to take over the everyday security needs for the customer.
  • The customer is currently on Version 4.7 Enterprise.
  • Created and maintained roles in the following areas SD, FI/CO, WM, AM, SCM, MM, PM, PLM, PP, PS, QM, SCM, HCM.
  • Made SU24 changes to promote better security practices.

Confidential

SAP Security Architect

  • Built over 100 new and derived roles for new implementation of ECC 6.0.
  • Worked in modules FI/CO, AP, AR, GL, PP, PM, PS, HR, AM, myAgri.
  • Supported the IT team in Sandbox, Development, QA and Training.
  • The customer has the myAgri Add-on installed.
  • I trained two full time employees and they took direction from me as their Team Lead.

Confidential

SAP Security Architect

  • Re-designed all their IT and Production Support roles and made them GRC compliant.
  • Supported the re-design and testing of all their functional roles.
  • Supported the upgrade to ECC 6.0 through Sandbox, Development, QA and Production upgrades.
  • Worked with FI/CO, AP, AR, BW, CRM, GL, MM, SCM, HCM, WM, Solution Manager.
  • The customer has the Retail Add-on installed.
  • Worked on Production Support for ECC 6.0, BI 7.0 using Analysis.
  • Worked with Structural Authorizations within HCM and BI.
  • Supported Analysis authorizations using RSECADMIN.
  • Supported Enterprise Portal CRM, APO.
  • Eliminated SOD conflicts using SAP’s GRC Tool Virsa.
  • Used eCATT scripts to make mass changes to users.

Confidential

SAP Security Compliance and GRC Consultant

  • Worked on the IRM Security Compliance Team (GRC). The team was responsible for identifying SOD violations, both intra-role and role-to-role. Utilized Price Waterhouse’s GRC tool SAFE. SAFE was purchased by Virsa and then by SAP and it is now called GRC. It is similar to Compliance Calibrator.
  • Performed remediation for two years working with the role owners in removing transactions and table access from many roles, as well as removing thousands of roles from individual users to put them into compliance. If violations still existed, mitigating controls were put into place by the user’s controller to justify the violations.
  • Ran numerous reports and created many spreadsheets using the SAFE tool. All the major functional areas were covered in this process SD, FI/CO, GL, MM, AM, PP, PS, SEM. Because of my work with the first remediation, was chosen to also perform the remediation and SOX compliance for the HR system.
  • While not working on GRC, I worked with the SAP Security Team. Made changes to roles and to user’s access based on USD tickets that came into their queue. Was selected to make changes to their X-roles which are utilized in all their systems like BW, APO, CRM, SCEM and HCM. These roles had to be kept in sync on over 100 different clients. Confidential has a huge SAP landscape consisting of over 100 different SAP systems and close to 100000 users. The client is running versions 4.7 and some 4.6 systems and one of their systems, SCEM, is on 5.0. They are also the largest user of CUA.
  • Maintained the HR Security Inbox which consisted of assigning the roles and org units specified in the tickets. Created new org units and assigned different portal roles as needed. Structural Authorizations were being utilized in HCM and BI. Worked on My-IP tickets which dealt with Employee and Manager Self Service.

FLOWERS FOODS

SAP Security/GRC Consultant

  • Worked for a major Food Industry company in Thomasville, GA. Documented their existing profiles and created a spreadsheet where each profile’s transactional capability could be looked up. Built another spreadsheet that contained all the Segregation of Duty transactions contained within each user’s profiles. Added another column to the spreadsheet that showed all the possible Segregation of Duty violations that were contained in each user’s profiles.
  • Reviewed Price Waterhouse/Coopers (PWC) audit results. Determined from previous work, and from PWC’s audit, that one profile was causing a large number of the violations. It contained all functional area access. Created and tested a display only profile that was given to many of these users. Gathered from these users the requirements needed to either build new profiles or add new transactions to their existing access to take care of their non-display needs in production. This helped to get Flowers Foods closer to achieving Sarbanes-Oxley compliance (GRC). Used the results from PWC’s ACE Tool to actually create a spreadsheet of the Segregation of Duties transactions that a user had actually performed in the last six months.
  • Reviewed several GRC tools that would help them go to a role based environment when they upgraded to 4.7 next year. Created a spreadsheet that contained the software package’s capabilities along with Pros and Cons for each software package reviewed. Was able to get into a 4.7 Enterprise test system and see how their current profiles and activity groups looked as well as review the standard set of roles supplied in 4.7. Presented them with three different plans to move to a role based environment by their 4.7 upgrade, one manual and two using a different software package.

Confidential

SAP Security Consultant

  • Worked for a major Food Industry company in Buffalo, NY.
  • Built new activity groups using derived profiles and made the necessary organizational level and authorization adjustments. The activity groups were created for a new Procurement roll-out on a SAP 4.5B system.
  • Created lots of user ID’s in QA and Production systems.
  • Added new activity groups to users already in production.
  • Researched OSS notes for security problems they were having.
  • Transported newly created and modified profiles into production.
  • Worked with the testers in QA to take care of any problems that arose from the new profiles.

Confidential

SAP Basis Consultant

  • Worked for a major Department of Defense company that was upgrading from 3.1H to SAP Version 4.6C with IS-AD Industry Solution. The client was also experiencing very poor performance. Assisted in the upgrading of both Oracle and SAP on a test system that was successfully upgraded.
  • Utilized the profile generator to modify the existing role based profiles to work with the new release after the upgrade.
  • Fixed their performance problems that were database related.
  • Performed the everyday duties such as security, transports, researched and applied OSS notes, applied LCP’s, performance monitoring and tuning.
  • Trained their new employees on the duties they were expected to be able to perform.

Confidential

SAP Basis Consultant

  • Worked on a project that was being outsourced to another consulting firm.
  • Wrote over thirty documents describing the various responsibilities of the outsourcing firm including in-depth documents concerning security administration. The client was using security templates that had to be explained thoroughly so that the outsourcing security consultants could administer it properly.
  • Performed the duties that were expected of the new outsourcing company. These duties included security, transports, performance monitoring, archiving, handling system problems and issues, training new employees of the outsourcing firm. The platform was 3.1H running Informix on Sun equipment.
  • Worked remotely for seven months performing archiving during the nights and on weekends.

Confidential

SAP Basis Consultant

  • Involved in the deployment of three implementations of SAP for a major Department of Defense company. One implementation was with SAP version 3.1I. The last two implementations utilized SAP version 3.1H with the IS-AD Solution. The system platform utilized was IBM RISC 6000 AIX machines running the Oracle database.
  • Major focus was delivering the security requirements for the roles and responsibilities provided by the functional teams. Utilized the Profile Generator to create over 200 activity groups.
  • Set up over 1000 users with the proper activity groups. Set up the profiles for the configuration and development teams. Wrote the security strategy documents and procedures manuals. SAP modules included HR, SD, FI/CO, MM, PM, PS, QA, WM. Assisted company auditors in developing audit procedures for SAP for enterprise rollout. Trained their employees how to use Profile Generator.
  • Handled day-to-day security problems and modifications.
  • Assisted in several installs of SAP 3.1H and 3.1I, upgraded 3.1H to the IS-AD solution. Performed CTS, client copies, system copies, applied LCP’s, backups, researched notes on OSS, applied numerous OSS repairs, added printers to SAP and the print queues needed in AIX, performed Oracle DBA duties using SAPDBA. Provided off-hour support until the client’s SAP team was able to handle 24/7 coverage.
  • Performed a complete implementation of HR security.
  • Was utilized as the SAP Basis Team Lead. Worked together with client’s Team Lead in applying LCP’s, OSS notes, installing new SAP kernels and making sure that SAP was Y2K compliant.
  • Because of the small Basis team, was utilized in all areas of SAP Basis at one time or another.

Confidential

SAP Basis Consultant

  • Main responsibility was SAP security; this included adding new user accounts and setting up SAP role based Security profiles for production rollout and maintaining profiles and authorizations. Involved in the security strategy and documentation of the enterprise wide SAP implementation. Created role based security profiles for the SD, FI/CO, MM, PM and HR modules. Trained three full time employees in SAP security. Created new profiles for two different implementations.
  • Performed a complete implementation of HR security.
  • First member of the consulting team. Had to wear many hats and come up to speed very quickly. Performed System Administration for a HP and a HP 0. The team was also responsible for the deployment of TCP/IP and the SAPGUI interface on Windows 3.1, WFW and Windows NT workstations. Involved in the Proof of Concept testing and evaluation of all the software packages needed for the system wide connectivity and rollout of SAP. Supported over twenty different instances of SAP version 3.0F.
  • Performed Correction and Transport (CTS), repairs to SAP code, performance monitoring, Oracle upgrades, backup/recovery, added network printers, some ABAP/4 programming, installed Hot packages and researched SAP problems in OSS.
  • Duty Manager for one week every month. During this time, was responsible for handling or directing the resolution of SAP system problems on all systems, including two production systems, and was on call, 24/7, during this time.
  • On the initial Steering Committee on SAP until it went enterprise wide. Received an award recognizing accomplishments as the best customer support person in all the Utility Group.
