SAP Security & GRC Analyst
The engagement will focus on implementing a unified GRC ruleset across ERP, IS-U, and BPC systems, addressing EY audit observations, and driving risk remediation and process standardization.
Job Description – SAP Security & GRC Analyst
Experience: Minimum 5 years of relevant SAP Security & GRC experience
Role Overview
The resource will support Tampa Electric’s SOX uplift initiative by enhancing SAP GRC Access Control design, implementing preventive SoD checks, and standardizing risk and mitigation processes across ERP, IS-U, and BPC systems. The role will focus on aligning security governance with audit recommendations and Emera CSF standards.
Key Responsibilities:
1. GRC Ruleset Review & Enhancement
- Review and align the SoD ruleset with leading practices, ensuring all SoD risks and underlying transaction codes are updated.
- Review and update permissions for newly introduced T-codes to align with the current security design.
- Upload the updated ruleset to SAP GRC and perform comprehensive testing.
- Establish a formal review and maintenance process for the SoD ruleset to ensure continuous compliance.
2. Risk and Access Remediation
- Perform a comprehensive risk assessment for the newly identified SoD risks, focusing on high-impact areas such as Accounts Payable and Procurement.
- Analyze and remediate inherent SoD risks at both role and user levels across ERP, IS-U, and BPC.
- Review and confirm that users with high-risk SoD access align with their job responsibilities.
- Identify and remove unused or obsolete T-codes from roles.
- Review and remediate display roles that contain unintended change access.
- Remediate conflicts in composite IS-U roles with high inherent risks and refine cross-system functions (e.g., converting CRM-linked functions to IS-U-only).
3. Mitigating Controls & Governance
- Define, assign, and periodically review mitigating controls for SoD risks to ensure they are current and effective.
- Implement a structured periodic user-to-role mapping review process covering all SoD risk levels.
- Ensure preventive SoD checks are executed during user provisioning and simulate SoD at both role and user levels before deployment.
4. Continuous Monitoring & Training
- Develop a sustainable SoD monitoring framework with defined review frequency and approval workflow.
- Conduct training sessions and awareness programs for Security, Compliance, and Business teams on the updated SoD framework and ruleset management.
- Support documentation and evidence collection for audit readiness and SOX compliance validation.
Required Skills:
- Strong hands-on experience with SAP GRC Access Control 11.0, 12.0 (ARA, ARM, EAM, BRM modules), GRC Process Control 12.0.
- Very good understanding of SAP Security architecture for ERP, IS-U, and BPC systems.
- Proven experience in SoD analysis, risk remediation, and mitigating control design.
- Working knowledge of SOX, NIST, and corporate cybersecurity frameworks.
- Strong analytical skills for troubleshooting authorization issues (SUIM, SU53, ST01).
- Excellent communication and documentation skills; able to collaborate with Audit, Compliance, Business and IT teams.
Preferred Qualifications:
- SAP Certified Associate – GRC Access Control
- Prior experience in regulated utilities or energy sector
