Question
ConocoPhillips Co. is an American multinational energy corporation headquartered in Houston, Texas. It is the world's largest independent oil and natural gas exploration and production company, with $88 billion in total assets as of March 2017. It has 11,600 employees and operations in 17 countries to find and produce oil and natural gas. Information systems are an important tool for managing exploration and production operations, fostering collaboration across functions and business units, recruiting and developing highly talented scientists and engineers, managing risks, and making sound investments. ConocoPhillips has a large and complex network of global users requiring access to its systems. Consequently, managing access control for the company's information systems is very challenging, and the enterprise must work especially hard to meet governance, risk, and compliance (GRC) requirements such as access control and segregation of duties (SoD). (Review the discussion of both of these topics in Chapter 8.) In 2009, ConocoPhillips began using SAP Access Control for this purpose. Access Control is an SAP product for streamlining the process of managing and validating user access to applications and data. SAP Access Control works with SAP and non-SAP applications, including SAP Finance, SAP Sales & Distribution, and Oracle software tools. It automates user access assignments and can automatically review user access and role authorizations and detect and remediate risk violations. The software supports policies regarding the segregation of duties so that people don't have conflicting activities or rights. SAP has made many improvements to the software, including greater stability and customization features. ConocoPhillips has continuously implemented new releases of the application, the most recent being the upgrade from version 10.0 to 10.1. Every time SAP upgraded the software, certain things that were working previously were affected in moving to the latest release.
It might take months to get all processes back to the way ConocoPhillips expected them to run. The latest upgrade to SAP Access Control required a year-long stabilization project. Throughout this upgrade project and stabilization, SAP and ConocoPhillips worked to keep lines of communication open. ConocoPhillips works closely with SAP and receives a direct line to SAP experts. In turn, the company provides SAP with ideas and suggestions for improving future releases of Access Control. By collaborating with SAP experts and experimenting with different approaches, ConocoPhillips was able to configure the system to suit the enterprise's exact needs. ConocoPhillips improved its ability to schedule necessary jobs, enable emergency access management, and evaluate SoD risks. SAP Access Control 10.1 had a new capability for customizing user interfaces, which was one of the main selling points for ConocoPhillips to move to this new release. In configuring the user interface, the company removed data fields it didn't use and showed users only what they actually needed to see. ConocoPhillips also added more help features. The resulting user interface made it significantly easier for end users to submit or process requests. The project also increased system usability by minimizing workflows. ConocoPhillips GRC Administrator Trevor Wyatt tried to keep workflows at a controllable number, both to streamline the project and to make the system solution easier to use. Although other organizations might set up SAP Access Control with hundreds of workflows, ConocoPhillips only has a handful. According to Wyatt, the more workflows you have, the harder it is to troubleshoot and the more things could go wrong. Having simpler workflows for end users means less risk. Instead of taking months to obtain approvals, it takes minutes. Keeping workflows simple minimizes complexity, which causes risk in the workflow.
ConocoPhillips was highly attentive to the needs of the end users throughout the entire upgrade and stabilization project and thereafter. The company provides users with job aids, hands-on training, and in-class training, depending on their needs. Wyatt also believes continuous training is very important, especially when users don't have a background in the technology. ConocoPhillips tries to train and train again. By training thoroughly, ConocoPhillips was able to get thousands of users accustomed to the functionality the newly configured SAP Access Control 10.1 offered with few complaints. Once fully implemented, SAP Access Control 10.1 has been working seamlessly at ConocoPhillips, with very few workflow issues. The access control solution is heavily scrutinized by both internal and external auditors to ensure it's working properly. Due to that scrutiny and the success of the SAP Access Control upgrade, there's less work that has to be done during audit season. As SAP Access Control became more stable, auditors have more confidence in the system and don't have to dig as deep. Additionally, auditors can pull information directly from the system instead of having to request that information from the company's GRC team. This saves time and streamlines processes for both auditors and GRC professionals. After such a careful process of removing issues from the system and configuring it in the way that's best for the business, ConocoPhillips is reaping the benefits of very trustworthy access control processes. It doesn't have to second-guess the system, and has full confidence that it is performing exactly as expected.
1. How important was this project for ConocoPhillips? Why?
2. What project management techniques described in this chapter were used to implement the new version of SAP Access Control?
3. Why was the project so successful? What management, organization, and technology issues were addressed?
2. Aboboyaa, a successful SME with a focus on IT consulting and software development services, is in a difficult situation. Their IT infrastructure is in a state of disorder due to rapid development and expansion. The IT landscape is chaotic as a result of a number of issues:
Aboboyaa runs legacy systems as well as new cloud-based solutions, resulting in a disjointed IT environment. As the company grew, it did so without a cohesive IT infrastructure strategy, resulting in a jumble of servers, storage devices, and networking equipment with no central coordination. Furthermore, the present infrastructure lacks sufficient documentation, making troubleshooting and maintenance difficult. In addition, obsolete security methods have paved the path for security breaches, heightening data security worries. As a result, employee complaints about sluggish network speeds and system downtime are common, lowering productivity.
Aboboyaa has enlisted the aid of a group of bright network and system administration students who are now pursuing infrastructure management in order to address these difficulties. Their goal is to revitalize the struggling IT infrastructure at Aboboyaa using their expertise in infrastructure planning, strategic development, infrastructure as code (IaC), and infrastructure as a stack.
3. A small to medium-sized enterprise (SME) specializing in e-commerce provides a web platform where clients make purchases and sensitive personal and financial data is processed. In order to maintain robust security and regulatory compliance, the SME has implemented a thorough logging and auditing system. This system meticulously records all user interactions, including consumer orders and employee access, ensuring data confidentiality, integrity, and availability.
This SME prioritizes the administration of privileged accounts in order to prevent unauthorized access and mitigate data breach risks. To control access to important systems and databases, a privileged account management system is rigorously implemented. A small set of IT administrators is given access to privileged accounts, and each access event is meticulously logged and audited. This method allows for the quick identification, investigation, and resolution of any suspicious actions, lowering the potential risks associated with insider threats and external attacks.
Furthermore, the SME reviews log and audit data on a regular basis, providing reports that assess compliance with industry norms and regulations. This not only strengthens the SME's security posture, but also demonstrates its unshakable commitment to data protection and regulatory compliance, comforting consumers and stakeholders. To successfully fight evolving security threats and maintain a solid security posture, the SME participates in regular discussions and enhancements to the logging, auditing, and privileged account management systems.
Question 1: How does the SME ensure the security of sensitive data in its e-commerce operations?
Question 2: What steps does the SME take to manage privileged accounts and reduce the risk of data breaches?
Question 3: How does the SME leverage log and audit data to demonstrate regulatory compliance and commitment to data protection?
Question 4: Why is it crucial for the SME to continually discuss and improve its logging, auditing, and privileged account management systems?
Question 5: In what ways does the SME's approach to data security benefit both its internal operations and its relationships with customers and stakeholders?