Security Risk Management Compliance Integrity Steve Davis Business Development Director Improve your Audit & Business with the Right Security Model

Steve Davis Business Development Directorjdescug.org/images/downloads/Knowledge/qsoftware.../ issues QSoftware team –very accessible and responsive Customer Focus: Majestic Realty


Page 1

Security Risk Management Compliance Integrity

Steve Davis

Business Development Director

Improve your Audit & Business with the Right Security Model

Page 2

The BIG Question:

If your job was at stake.....

Can you with certainty state that users of your JD Edwards system are locked out of the areas they should not be able to get to?

Page 3

Agenda

Q Software: Who are we?

What are the Problems?

– Fraud & Compliance

– JD Edwards E1

Case Studies

Summary

Questions

Page 4

The Oracle Security & Compliance People

270+ Customers

Page 5

A selection of Q Software customers

Page 6

Agenda

Q Software: Who are we?

What are the Problems?

– Fraud & Compliance

– JD Edwards E1

Case Studies

Summary

Questions

Page 7

Fraud is a Worldwide Issue

South Africa: 62% companies suffered fraud

59% experienced bribery & corruption

Source: PwC 2009 crime survey

Australia: Fraud a persistent fact of life

- 25% of losses in excess of Au$ 1.5m

Source: PwC 2007 Crime survey

USA: 35% companies suffered “significant economic crime”

- most likely cause is pressure due to economy

- increased opportunity is primary driver

Source: PwC 2009 crime survey

UK: almost 50% admit to suffering fraud, almost 75% of larger (5,000+ employees)

- 33% of these suffered 100 incidents

Source: PwC 2009 fraud survey

Canada: 55% companies suffered fraud

- 83% asset misappropriation most common

- 38% detected by chance or by tip-off

Source: PwC 2009 crime survey

Germany: 49% suffered economic crime

- Identified crimes cost Euros 6 billion

Source: PwC 2007 fraud survey

Page 8

Business Controls – Securing your System

The 21st Century Fraud – SoX and Compliance

Current financial turmoil

– Additional responsibilities for existing staff

– Disgruntled employees

– New employees make mistakes

Inadequate controls

= Potential fraud

= Loss of more than cash

Page 9

Auditors Recommend Roles Based Access Control

RBAC models have been around for over 20 years

National Institute of Standards & Technology

• March 2002

– Simplified systems administration

– Enhanced security & integrity

– Simplified regulatory compliance

– Enhanced organisational productivity

Page 10

What is SoD? (Segregation of Duties)

Jones & Jones Inc.

» A Manager sets up MB Inc. as a supplier

» Accepts Purchase Invoices from MB Inc.

» Approves Invoices

» Processes for Payment

» Transfers the funds

» Runs off with $1m

Page 11

Issues in JD Edwards E1

All Doors Open v All Doors Closed

• Menu Security is no Security

No Segregation of Duties

• Access to critical programs

35,000 Objects

• Complexity of Maintenance - forms, versions

Multiple roles / Sequence Manager

• Unexpected security authorities

• Changes lead to unexpected results

Application access is very complex

• Task Views

• FineCut

• FastPath

• Hidden & Associated Applications

Page 12

Example of Hidden Applications

Associated Applications

Page 13

So, what do people do?

This is simplistic & results are inaccurate

This is a waste of time

This is a waste of money

F00950

SoD Rules

Page 14

Why is this flawed?

Access to a program is not restricted to F00950

F00950

Menus

Task Views

Exit Security

Role Sequencing

Page 15

Agenda

Q Software: Who are we?

What are the Problems?

– Fraud & Compliance

– JD Edwards E1

Case Studies

Summary

Questions

Page 16

Customer Focus: Bibby

UK's leading independent logistics company

Part of Bibby Line Group

– Over 200 years old

– HQ in Liverpool

– Group revenue $1.7 bn

Bibby Distribution

– Revenue $310 m

– 70 locations in UK

– 2m sq ft warehousing

– 2,300 employees

– 800 vehicles

Page 17

Customer Focus: Bibby Background

Bibby Distribution has been growing

– Over the last 10 years

• Growth of 300%

– Organically

• New depots / New contracts

– By acquisition

• 8 businesses acquired

Page 18

Customer Focus: Bibby Implementation Plan

CFO sponsored the project

Started April 2007

Core financials completed by Sept 2007

• Sales / Purchase / General Ledger

• Sales Order Processing

• Fixed assets

• Procurement

Then the Depots

Tight timescales

No Oracle expertise

Page 19

Customer Focus: Bibby – Importance of Security

Very complex depot relationships

– 1:1, 1:Many, Many:1 relationships

– Segregation of duties

– Time / effort / costs to resolve

– Audit

Had to perform substantive audits

– Compliance audits not possible

– Time-consuming (costly)

Page 20

Customer Focus: Bibby – The Security Problem

They were advised E1 security would take at least 6 months

– Too long for project roll-out deadlines

– So went All Doors Open trying menu security

– Menu security = No security

Page 21

Paul Cullingford – Chief Financial Officer

Page 22

Customer Focus: Bibby – The Solutions

E1Config – Simplified All Doors Open All Doors Closed

• Reducing effort by 80%

– Enabled enforcement of SoD

• Enhancing compliance

– Reduces security maintenance effort

• By about 50%

– Minimises potential for errors

• Fewer posting errors

– Reduces reporting time & accuracy

• From days to minutes

– Quick & easy to prove security controls

• Reduces auditing effort

Page 23

Customer Focus: Bibby Benefits

Year end process went smoothly

– Still smiling, fewer sick days

Month end processes much quicker

• More time available to manage rather than just do accounting

Easy to set up temp role changes, i.e. for holidays

• No need for temp staff, security assured

New contracts set up much quicker

• New customers up and running sooner

Few posting errors

• As staff program / data access controlled correctly

Much simpler & smoother audits

• Auditors happy with first security audit

New acquisitions integrated & “secured” in days not months

• Confident that users secure & posting to correct ledgers

Page 24

Customer Focus: Bibby – Key Comments

“we implemented security in a fraction of the time that had been estimated”.

“a good security model contributes to significant cost savings throughout our business.”

Page 25

Customer Focus: Morbark

Founded in Winn, MI in 1957

– In blacksmith shop

1.5 million sq ft manufacturing

World-class manufacturer

– Heavy duty wood chipping & grinding equipment

Page 26

Customer Focus: Morbark Background

Small work-force

– Frequent need to change duties at short notice

Security time-consuming to manage

– Frequent interruptions to IT staff

Increased risk of high cost errors

– Due to unfamiliarity with new role

Need to simplify security management

– De-skill security management

Reduce risk of errors

Effective SoD

Page 27

Tina Rollings CPA

Page 28

Customer Focus: Morbark Solution

E1Config

– Capture existing security

– Test for conflicts

– Manage SoD

– Simplify on-going security maintenance

E1SoD

– SoD model management

– SoD violations reporting

Page 29

Customer Focus: Majestic Realty

Melissa Penfield

Director of Business Systems

Page 30

Customer Focus: Majestic Realty

Headquarters: City of Industry (Greater LA Area)

Largest Private Commercial Developer

Vertically Integrated

– Acquire: Land Acquisition, Entitlement

– Develop: Commerce Construction Co.

– Manage: Majestic Management Co

Industrial, Office, Retail

Remote offices across US

Page 31

Customer Focus: Majestic Realty

Technology

EnterpriseOne 8.12 Tools 8.98.4

Financials, Project Costing, Real Estate

Blue Stack

97 User IDs, 23 Roles

200+ custom objects

Page 32

Customer Focus: Majestic Realty – Q Software Drivers

Changing Economy

SoD Management

Auditing Requirements and Reporting

Eliminate Spreadsheets / Matrices

THEME = Streamline Business Processes to Achieve Operational Efficiencies

Page 33

Customer Focus: Majestic Realty – Support & Maint

= VERY low maintenance for I.T.

Reduces new role creation from days to hours

Easy upgrades

Support website for logging questions / issues

QSoftware team – very accessible and responsive

Page 34

Agenda

Q Software: Who are we?

What are the Problems?

– Fraud & Compliance

– JD Edwards E1

Case Studies

Summary

Questions

Page 35

QSoft Product Family

Quick Fix: Accelerator

Security Build & Maintain: E1Config

Audit: E1SoD

Compliance Reporting: erpAudit

Page 36

Two ways to Implement Security Control

[Diagram labels: Audit Security, QAudit, Find & Fix, E1 Config, erpAudit, Secure & Comply, Accelerator OR QPlan]

Page 37

Implementing security in 3 simple steps

Step 1:

Automatically generate re-usable components.

- From users, roles or task menus + fine cut

Step 2:

Automatically include hidden & associated programs.

- 1st level

Step 3:

Validate and build security.

- Auto check SoD policy

Extends benefits of Roles Based Access Control down to task level components

Page 38

Security & Compliance Issues

Volume 35,000 objects

300+ Security Parameters

Associated & Hidden Applications

Solution Explorer

Multiple Roles

Segregation of Duties

Auditing

Page 39

Security & Compliance Issues

Volume 35,000 objects

300+ Security Parameters

Associated & Hidden Applications

Solution Explorer

Multiple Roles

Segregation of Duties

Auditing

- Resolved

New security in minutes

Changes in minutes

Reduces errors

Simplifies auditing

Improves performance

Page 40

Solve Business Problems with ‘Good Security’

Audit Security – KNOW your status

Map Security to Business Processes

Build in SoD

Make Security more Manageable & Reduce Costs

Consider Outsourcing

Security Management

Compliance Management & Reporting

Bibby & Morbark & Majestic

Page 41

The BIG Question:

If your job was at stake.....

Can you with certainty state that users of your JD Edwards system are locked out of the areas they should not be able to get to?

YES

You CAN!

Page 42

White Papers:

Page 43

The JDE Alliance: Here to help you ....

Page 44

Agenda

Q Software: Who are we?

What are the Problems?

– Fraud & Compliance

– JD Edwards E1

Case Studies

Summary

Questions