With nine campuses serving an area of nearly 900 square miles, the Los Angeles Community College District (LACCD) is the largest community college district in the US and one of the largest in the world. More than 13,000 employees in academic and non-academic positions serve the more than 140,000 full- and part-time students who are enrolled in a typical semester. Because of its size in terms of both personnel and geography, LACCD is unique even among its fellow higher education districts, and its challenges around payroll are materially more complex.
The higher education sector has long had its share of unique payroll challenges, such as the differentiation between tenured and adjunct faculty, policies guiding student employment, diverse benefit packages, union versus non-union personnel, and public versus private sector status, just to name a few.
For most of its 27-year history, LACCD relied on homegrown legacy software to administer HR and finance as well as run other administrative tasks. But in 2002, when change requests from various departments were becoming increasingly difficult to program, and without any sustainable workarounds, the district decided it was time to update its software.
LACCD started with an implementation of SAP ERP Financials, and a few years later added SAP ERP Human Capital Management (SAP ERP HCM), including the payroll functionality. When it came to the transition, existing processes were so aligned with the legacy system that the move to SAP software wasn’t a seamless crossover.
“At the time, the HCM system was in a state of flux and was always changing because everyone was trying to adjust it to fit various business processes and figure out what the system actually did,” says LACCD’s SAP ERP Manager Andrew Duran, who joined the district in 2006.
Duran likens transitioning with a system that is already in production to trying to make changes to a flight path when the plane is already in the air. Simply swooping in and grounding the plane isn’t an option.
Doing the Homework and Turning It in on Time
Duran and his team quickly realized that taking the system offline was not an option, but that a strong governance, risk, and compliance (GRC) solution could help provide a process to manage master data changes if it could be implemented rapidly, control but not hinder access to the system, track changes to the system without degrading its performance, monitor master data issues, and provide audit control over changes in production. In short, there were two requirements: the solution must have robust features to create stability, and it must deliver those capabilities quickly.
Without such a solution in place, well-intentioned LACCD system administrators had to navigate a change control process that allowed multiple users to make changes to the same SAP objects. If a change affected the system negatively, a lack of automated audit support made it extremely difficult to ascertain the origin or root cause of the system’s behavior. Additionally, the access request process was managed manually using a spreadsheet. Many updates were being made concurrently, and there was no standard for how requests were processed. There was confusion around why one request would be approved while a similar one was denied. Additional issues arose because administrators were given access beyond what they actually needed, multiple emails requesting the same access were sent to anyone who might be able to provide that access, and requests for access might sit unopened in an inbox.
Each passing day only allowed the production environment to become more fragile due to necessary master data updates, and the team knew there was no time to lose. So, in addition to tighter control, LACCD needed a GRC tool that could accommodate a speedy implementation. With a newly implemented system requiring updates, Duran and his team could not afford to divert resources to a complex GRC implementation, to training, or to combat integration challenges. Finding a functionally robust GRC solution that was easy to implement was akin to a student finding a challenging and rewarding course that was also an easy A.
Crash Course in Control
Conducting a broad search with these almost contradictory requirements led LACCD to choose a GRC solution from SAP partner Security Weaver, specifically the Emergency Repair, Separations Enforcer, and Secure Provisioning modules. (For more information about the Security Weaver toolset, refer to the sidebar at the end of the article.)
“Security Weaver helped us to solve the business needs of managing oversight, audit controls, and then change management control. It tied all of those pieces together,” says Duran.
The first step to gaining oversight and control was to activate Emergency Repair, which gave LACCD a secure way to manage elevated privileges moving forward, and to grasp precisely how users were accessing the system. Soon after deployment, if a manager wants to change an employee’s start date, for example, the tool can not only provide the necessary incremental level of access but also record and log the access. While it was previously difficult to discern where a change to the system originated, Emergency Repair guarantees that changes are tracked and available for review. Furthermore, to ensure proper oversight, Emergency Repair enables managers to easily compare access requests to what was actually done.
The other important functionality Emergency Repair affords is the ability to, as its name suggests, put in stopgap measures that allow for near-immediate access to be granted without violating compliance guidelines or audit requirements. Instead of personnel urgently pressing managers for additional authorization rights, they can use Emergency Repair to provide highly supervised access until more permanent access can be provisioned with Secure Provisioning, which enables automated, compliant user provisioning. This capability stops the headache managers get from having their time constantly fractured by urgent access requests. They no longer face the dilemma of either stopping what they are doing to approve or deny a request, or staying focused on what they are doing and consequently delaying others from getting their often mission-critical work done.
“When requests were submitted and approved by email, there could be as many as 30 people trying to do things at once, and there wasn’t an easy way to verify that what people really did was what they said they were going to do,” says Duran. “Emergency Repair now provides a cockpit from which to process and manage all of the changes going through the system, and it provides audit capability over those changes.”
With Emergency Repair helping to provide access oversight, LACCD was ready to implement the Secure Provisioning functionality and the Separations Enforcer functionality for segregation of duties and critical access monitoring and mitigation. These modules reinforce the stability and control initiated by Emergency Repair. Because Emergency Repair can automatically grant access based on predetermined approvals, it has reduced access requests and disruptions. In other words, since managers can now designate the potential authorizations users might need in extenuating circumstances, they can anticipate requests for access that might be part of a user’s responsibilities. With requests and disruptions diminished, Duran says that LACCD is now able to prepare to overhaul roles for security personnel. He also foresees extending the use of the Secure Provisioning module to expand the benefits of automated user provisioning.
According to Duran, a major benefit of Emergency Repair is the improvements it provides regarding the ongoing use of predetermined access or preapproved temporary access. “In the old system, a simple request for access would generate a flurry of emails; what access does the person need, why do they need it, and when do they need it?” he says. “Approvals are now largely predetermined, and there is complete visibility for every action. And in a case where access isn’t preapproved, Security Weaver automates the workflow, so the request proactively moves through the system and is traceable at every step.”
LACCD has also made significant and swift improvements to employee self-service capabilities by using the password reset functionality of Secure Provisioning. With access oversight, Duran moved ahead to tackle a user ID redesign project for all 13,000-plus employees and 15,500 assignments, some concurrent — prompting them at login to change their password to begin with a name string. Previously, a user was assigned a numeric code that was different based on the year someone was hired, making it difficult to remember. This modification significantly reduced the volume of requests from managers for easy changes to the system that employees hadn’t been able to make on their own without a lot of back-and-forth emails. According to Duran, LACCD noticed a significant drop of 60% in user password reset and “forgot my user ID” requests over time.
“At the end of the day, anytime you can make users’ experiences easier and more timely so they can focus on their job using technology — whether teaching students, scheduling classes, providing security, or managing resources — it is better,” Duran says. “The Security Weaver application plugged directly into our SAP system and is updated using the standard transport procedures, making the maintenance and transition simple because there was no need for dedicated hardware or additional training.”
A Final Grade
Functionality aside, speed to implementation was the other requirement for a GRC solution, and in that regard, Security Weaver did not disappoint. Duran says that the descriptions of an intuitive integration with SAP systems and the ability to use the tool without much training were indeed accurate.
“Usually, when you install an application, it can take weeks or months to get everything ready to go,” he says. “Security Weaver was productive in four hours. And, by that, I mean productive enough to start being utilized, where I could sign on and others could sign on and start working and testing the application.”
As would have been the case with any security project, LACCD employees were wary of a “Big Brother” looking over their shoulders at every move and were concerned that more security meant lower productivity. However, Duran says that users quickly came to understand that the security tools were not only providing audit oversight and peace of mind for everyone who touches the system, not just upper management, but were also making access requests easier to manage and faster to provision.
“Most everyone I’ve spoken to appreciates having the internal checks and balances in place and having that additional level of comfort,” says Duran. “And that’s what it boils down to and is why you have a GRC product — to answer those security and audit questions. You want to see and manage what people are doing and provide oversight. And you can’t do it by hand with 30,000 accounts.”
If LACCD were taking a final exam on security today, it would pass with flying colors. Instead of flunking Change Requests 101, administrators now have simplified change control processes and a more stable environment. With root-cause analysis enabled, administrators can make changes with full oversight. With access requests being managed more easily and provisioned more quickly, it’s clear that the “A” grade is well deserved.