
REMINDER

Check in on the COLLABORATE mobile app

Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities

Prepared by: Adil Khan Oracle GRC Advanced Controls Consultant FulcrumWay

Responsibility templates from a catalog of pre-configured ERP roles. Workflow to update, review as well as approve role design changes. Roles management techniques to improve Design

Session ID#: 15042

Agenda

■ Introduction ■ Top SOD Challenges in Oracle EBS ■ SOD Controls Assessment Overview ■ Role Design Techniques ■ Case Study ■ Q&A

Introduction


◼ Over 20 years of experience in enterprise business systems

◼ Currently serves on the board of the Oracle Applications Users Group Governance, Risk and Compliance Group (OAUG-GRCSIG)

◼ Successfully designed and implemented internal controls management systems for more than 15 global companies listed on NYSE and NASDAQ

◼ Previously served as a board member and Chief Executive Officer of ALTM - a public company listed on the NASDAQ

◼ Expertise: Streamlining and automating Governance Risk and Compliance processes based on industry standards such as ERM-COSO and CoBIT

◼ Co-Authored GRC Book: First book on GRC for Oracle Applications

◼ Presented: Open World, OAUG as well as others and will be presenting at IIA/ISACA GRC 2014

◼ Provides Webcasts – GRC Best Practices, Trends and Expert Insight

◼ Created an Organization: which serves over 200 Oracle companies

FulcrumWay: Adil Khan –Managing Director and GRC Consultant

FulcrumWay: A leader in Risk Based Enterprise Controls Management ™

FulcrumWay: is the #1 End-to-End Provider of Enterprise Risk Management Expertise, Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services such as Segregation of Duties.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services and Hosting for Oracle GRC applications.

Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Close Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog. Data Management Tools: Rules Repository, DataProbe™ adaptors and Data Hub.

USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco

International Presence: in Chennai, Dubai, Kampala, London, Rome, Santiago, Singapore

Top Segregation of Duties Challenges on Oracle E-Business Suite R12

◼ We cannot use Oracle “seeded” Responsibilities because of inherent SOD conflicts: a GL Super User can Enter Journals, Post Journals, Change Approval Limits, Update GL Accounts and Change the Calendar. Our R12 patches created even more SOD issues.

◼ Which SOD Policies will mitigate the risk in our Oracle Responsibility Design?

◼ How do we ensure that the activities of users granted “super user” Responsibilities have an effective compensating control?

◼ Why do we have so many False Positives, and how do we remove them from our analysis?

◼ What is an effective approach to Design and Test the Oracle Security Model before deployment?

◼ When will we be able to close all SOD incidents?

What have we learned from Oracle EBS Customers

Access Management Challenges

◼ ERP Roles need significant changes to meet requirements

◼ User provisioning does not prevent control violations

◼ Super User activity is not monitored

◼ Periodic user Certification is not reliable

◼ Segregation of Duty controls are deficient

◼ Access to sensitive data is not protected

◼ No audit trail on ERP configuration controls

◼ Cannot prevent unauthorized Master Data changes

◼ Terminated employees have access to ERP

[Diagram: Oracle EBS security model. A User is assigned Responsibilities; each Responsibility owns a Menu; Menus contain submenus and Functions; a Function opens a Form.]

Evaluate User Access • Test by User • Test by Privilege

Manage Segregation of Duties • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets

Complicated Security Model = High Risk of Segregation of Duties Issues

Key Factors impacting SOD violations

◼ Business cycles enabled by Oracle modules: Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc. An average R12 customer has over 35,000 functions and 12,500 menus

◼ Number and complexity of SOD Policies: typically 25 to 250

◼ Number of Business Units and variation in Responsibilities across the business

◼ Security Model: RBAC, Single Sign-On, OIM, etc.

◼ Number of Users and Responsibilities

[Diagram, as far as recoverable: one shared submenu reached by several responsibilities. The submenu AP_Invoices_Entry (Function: Invoice Batches) appears under the menus AP_Navigate_GUI12, UK_AP_Navigate_GUI12 and, via the submenu AP_Invoices_GUI12_G, AX_Payables_User. Those menus belong to the Responsibilities Payables Manager, US; Payables User; and Payables Supervisor, which are assigned to users such as John Doe and Mike Jones (the Payables Users group).]

What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?

Because the submenu is shared, removing the function from it changes every responsibility whose menu tree includes AP_Invoices_Entry, and every user who holds one of those responsibilities. Complete visibility into the remediation impact is needed before the change is made.

Remediation in Oracle EBS is a permutation problem: each candidate fix (editing a shared menu, or adding a responsibility-level function exclusion) has to be evaluated against every responsibility and user that the menu or function reaches.
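The following Python is an added example, not code from the presentation or from FulcrumWay's DataProbe™ or Roles Manager. It models the hierarchy in the diagram (user → responsibility → menu → submenu → function) with constructed in-memory dictionaries, runs the two checks from the earlier "Evaluate User Access" slide (test by user: conflicts across all of a user's responsibilities; test by privilege: conflicts built into a single responsibility, which is what a seeded GL or AP super-user role carries), and then simulates both ways of excluding Invoice Batches: editing the shared AP_Invoices_Entry submenu, which hits every responsibility and user that reaches it, versus a responsibility-level function exclusion, which touches only one responsibility. The menus, responsibilities and users are those named in the diagram plus constructed additions (AP_Payments_Entry, AP_Suppliers, the Supplier Maintenance responsibility, user Jane Roe) and a constructed two-rule SOD set; the EBS tables a practitioner would extract in place of the inline dictionaries are FND_USER_RESP_GROUPS_DIRECT, FND_RESPONSIBILITY (MENU_ID), FND_MENU_ENTRIES and FND_RESP_FUNCTIONS.

```python
"""Oracle-EBS-style access model: user -> responsibility -> menu -> submenu -> function.
Constructed example data; in EBS the sources are FND_USER_RESP_GROUPS_DIRECT,
FND_RESPONSIBILITY.MENU_ID, FND_MENU_ENTRIES and FND_RESP_FUNCTIONS ('F'/'M' exclusions)."""
from collections import defaultdict

# Menu entries: menu -> [(entry_type, target)], one tuple per FND_MENU_ENTRIES row.
# AP_Invoices_Entry is deliberately shared by three menu trees, as in the diagram.
MENU_ENTRIES = {
    "AP_Navigate_GUI12":    [("menu", "AP_Invoices_Entry"), ("menu", "AP_Payments_Entry")],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry")],
    "AX_Payables_User":     [("menu", "AP_Invoices_GUI12_G")],
    "AP_Invoices_GUI12_G":  [("menu", "AP_Invoices_Entry")],
    "AP_Invoices_Entry":    [("function", "Invoice Batches"), ("function", "Invoices")],
    "AP_Payments_Entry":    [("function", "Payments")],   # constructed
    "AP_Suppliers":         [("function", "Suppliers")],  # constructed
}
# Responsibility -> top-level menu (FND_RESPONSIBILITY.MENU_ID).
RESPONSIBILITIES = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables User":        "UK_AP_Navigate_GUI12",
    "Payables Supervisor":  "AX_Payables_User",
    "Supplier Maintenance": "AP_Suppliers",  # constructed
}
# Responsibility-level exclusions (FND_RESP_FUNCTIONS): {resp: {("F", function) | ("M", menu)}}.
RESP_EXCLUSIONS = {}
# User -> responsibilities (FND_USER_RESP_GROUPS_DIRECT). Jane Roe is constructed.
USER_RESPS = {
    "John Doe":   {"Payables Manager, US"},
    "Mike Jones": {"Payables User", "Supplier Maintenance"},
    "Jane Roe":   {"Payables Supervisor"},
}
# Constructed SOD rule set: (rule name, incompatible function A, incompatible function B).
SOD_RULES = [
    ("Enter invoices vs. pay invoices", "Invoice Batches", "Payments"),
    ("Maintain suppliers vs. enter invoices", "Suppliers", "Invoice Batches"),
]

def expand_menu(menu, exclusions=frozenset(), menu_entries=MENU_ENTRIES):
    """Return {function: menu path} reachable from `menu`, honouring F/M exclusions."""
    found = {}

    def walk(name, path, seen):
        if name in seen or ("M", name) in exclusions:  # cycle guard / excluded submenu
            return
        for kind, target in menu_entries.get(name, []):
            if kind == "menu":
                walk(target, path + [target], seen | {name})
            elif ("F", target) not in exclusions:
                found.setdefault(target, path + [target])
    walk(menu, [menu], frozenset())
    return found

def responsibility_functions(resp, resp_exclusions=None):
    """Functions a responsibility grants after its own exclusions are applied."""
    excl = (resp_exclusions if resp_exclusions is not None else RESP_EXCLUSIONS).get(resp, ())
    return expand_menu(RESPONSIBILITIES[resp], frozenset(excl))

def user_functions(user, resp_exclusions=None):
    """function -> set of responsibilities that grant it to `user`."""
    grants = defaultdict(set)
    for resp in USER_RESPS[user]:
        for func in responsibility_functions(resp, resp_exclusions):
            grants[func].add(resp)
    return grants

def find_violations(user, resp_exclusions=None):
    """Test by user: a conflict exists across all of the user's responsibilities."""
    grants = user_functions(user, resp_exclusions)
    return [(rule, a, sorted(grants[a]), b, sorted(grants[b]))
            for rule, a, b in SOD_RULES if a in grants and b in grants]

def role_self_conflicts(resp):
    """Test by privilege: rules violated inside one responsibility (typical of seeded roles)."""
    funcs = responsibility_functions(resp)
    return [rule for rule, a, b in SOD_RULES if a in funcs and b in funcs]

def simulate_menu_removal(menu, func):
    """Remove `func` from a shared `menu` on a copy; report every responsibility/user losing it."""
    modified = dict(MENU_ENTRIES)
    modified[menu] = [e for e in MENU_ENTRIES[menu] if e != ("function", func)]
    lost_resps = set()
    for resp, top in RESPONSIBILITIES.items():
        excl = frozenset(RESP_EXCLUSIONS.get(resp, ()))
        if func in expand_menu(top, excl) and func not in expand_menu(top, excl, modified):
            lost_resps.add(resp)
    lost_users = {u for u, rs in USER_RESPS.items() if rs & lost_resps}
    return lost_resps, lost_users

def simulate_resp_exclusion(resp, func):
    """Exclude `func` on one responsibility only (copy); return remaining violations per user."""
    exclusions = {r: set(v) for r, v in RESP_EXCLUSIONS.items()}
    exclusions.setdefault(resp, set()).add(("F", func))
    return {u: find_violations(u, exclusions) for u in USER_RESPS}

if __name__ == "__main__":
    for user in USER_RESPS:
        for rule, a, via_a, b, via_b in find_violations(user):
            print(f"{user}: {rule}: {a} via {via_a}, {b} via {via_b}")
    print("shared-menu removal hits:", simulate_menu_removal("AP_Invoices_Entry", "Invoice Batches"))
    print("resp-level exclusion leaves:", simulate_resp_exclusion("Payables Manager, US", "Invoice Batches"))
```

Running the file prints each user's violations and both simulations. The point to take from the output is that the shared-menu edit also strips Invoice Batches from Jane Roe, who had no violation, while the responsibility-level exclusion clears John Doe's conflict and leaves Mike Jones's, which needs its own fix. Both simulations work on copies of the extracted data, so the remediation can be planned and its blast radius reviewed before anything is changed in EBS.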

SOD Controls Assessment Overview


FulcrumWay Application Controls Management Best Practices

[Process diagram, labels as recoverable: Prepare Assessment Checklist; Establish Test Environment; Select ERP Controls from FW Controls Catalogs; Probe ERP Data; Detect Control Violations; Analyze Issues; Manage Exceptions; Confirm Findings; Prepare Remediation Plan; Present Project Plan; Implement ERP Advanced Controls. Swimlanes: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team.]

[Diagram: DataProbe™ extracts the security, setup and master data information; the ERP Test environment consists of ERP configurations and data objects; Advanced Analytics analyze ERP Risks; Mitigate and Control Risks.]

Enforce Proper Segregation of Duties in Applications

[Diagram labels: Controls Assessment, GRC Manager (SOD & Access, Application Configuration, Transaction Monitoring, GRC Intelligence); GRC Controls, Preventive (Compensating Policies, Preventive Provisioning, Remediation (Clean-up), Access Analysis); Define Access Controls; Detection; Prevention.]

• Accelerate deployment and time to value with pre-delivered controls library

• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails

• Simplify segregation of duties enforcement with simulation and remediation

Test integrity of transactions and controls across business processes

[Diagram labels: Controls Assessment, GRC Manager (SOD & Access, Application Configuration, Transaction Monitoring, GRC Intelligence); GRC Controls, Preventive (Prevent Suspicious Transactions, Enforces Transaction Controls, Investigate Incidents, Transaction Analysis); Define Transaction Controls; Detection; Prevention.]

• Identify anomalies missed by traditional audit and controls

• Apply Advanced Forensic and Pattern Analysis

• Continuous Monitoring of Controls and Transactions

Role Design Techniques


FulcrumWay Roles Manager Overview:

Eliminate Root Cause of Access Control Violations in ERP:

◼ Improve Segregation of Duty controls within mission critical applications

◼ Reduce ERP implementation and upgrade costs with pre-configured roles

◼ Lower ERP Total Cost of Ownership by assigning pre-approved roles

We enable ERP Administrators to:

◼ Select pre-configured ERP roles from a roles catalog

◼ Update, Review, and Approve Role design changes

◼ Identify SOD Conflicts before the Roles are assigned to Users

■ Role Manager is an ERP security design tool

■ Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.

■ Roles are organised by ERP module and by the typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.

■ You can use this tool to view existing role templates and design new roles by selecting or deselecting ERP functions/transactions.

■ Once you complete the role design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.

■ The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.

■ Leverage FW DataProbe™/Scripts to load current Roles

■ Secure Access from fulcrumway.com portal

FulcrumWay Roles Manager Features

Access to Roles Manager

Search and Browse through catalog of Roles for Oracle EBS R12

[Screenshots: Access to Roles Manager]

Case Study: Reduce SOD Access Violations with effective roles management techniques

Our Client

■ Leader in the car and equipment rental businesses worldwide

■ Providing quality car rental service for over 90 years

■ Over 30,000 employees

Challenges

■ Replace multiple legacy systems with one ERP solution

■ Improve Segregation of Duty controls within mission critical applications

■ Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model

■ Increase external auditor’s reliance on ERP Access Controls Monitoring

Results

■ Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 in cost savings during ERP system implementation and global roll-out.

■ Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates in the controls catalog.

■ Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, by ensuring that all users are assigned only the pre-approved Roles.

■ Improved SoD and Access Controls testing time by providing auditors with access log reports showing all Update, Review and Approve Role design changes.

■ Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.

Solutions

■ GRC DataProbe™ ■ ERP Controls Catalog ■ ERP Roles Monitor

Q & A


Summary and Q&A

Please complete the session evaluation We appreciate your feedback and insight

You may complete the session evaluation either on paper or online via the mobile app