Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities


1 "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world." - Archimedes
Copyright Fulcrum Information Technology, Inc.
Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities
A Leader in Risk Based Enterprise Controls Management Solutions: Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics
Adil Khan, Managing Director
Leverage Technology: Move Your Business Forward

2 Agenda: Implement Effective Access Controls within your Oracle ERP System
- Introductions
- Top SOD Challenges in EBS R12
- Overview of SOD Controls Assessment
- Roles Design Techniques
- Case Study
- Q&A
Copyright FulcrumWay Page 2

4 FulcrumWay: A Leader in Risk Based Controls Management
- FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
- Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
- Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
- Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
- USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco
- International Presence: Auckland, Chennai, Johannesburg, London, Mexico City

5 Successful Track Record: FulcrumWay Clients by industry: Government, Oil and Gas, Financial Services, Retail, Communications, Manufacturing, Transportation, Natural Resources, Media/Entertainment, Healthcare, High Tech, Life Sciences

6 Proven Expertise: FulcrumWay Insight and Thought Leadership
- Co-Authored GRC Book: First book on GRC for Oracle Applications
- Executive Round Tables: GRC Solutions for Energy Industry, Houston, November 2012
- OAUG GRC Solution Lab, April 7th-11th, Denver: GRC Case Studies and Best Practices
- IIA Presentations: Top Five Reasons for Automating Application Controls
- Collaborate 14 GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
- Webcasts: GRC Best Practices, Trends and Expert Insight
- Oracle Open World Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
- LinkedIn: FulcrumWay Risk, Compliance and Audit Software Group
- YouTube Podcasts: FulcrumWay Instant Insight in 10 min or less

7 Top Challenges: Enforce Segregation of Duty Controls and Security Policies
- We cannot use Oracle seeded Responsibilities because of inherent SOD conflicts. GL Super User can Enter Journals, Post Journals, Change Approval Limits, Update GL Accounts, Change Calendar. Our R12 Patches created even more SOD issues.
- Which SOD Policies will mitigate the risk in our Oracle Responsibility Design?
- How do we ensure that the activities of users granted super user Responsibilities have effective compensating controls?
- Why do we have so many False Positives and how do we remove them from our analysis?
- What is an effective approach to Design and Test the Oracle Security Model before deployment?
- When will we be able to close all SOD incidents?

8 Top Challenges: Complicated Security Model, High Risk of Segregation of Duties Issues
Diagram: the EBS access hierarchy User -> Responsibility -> Menu -> Function -> Form, with two activities shown alongside it:
- Evaluate User Access: Test by User, Test by Privilege
- Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets

9 Top Challenges: Key Factors Impacting SOD Violations
- EBS Release and Business Cycles enabled by Oracle modules (Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.): an average R12 customer has over 35,000 functions and 12,500 menus
- Number and complexity of SOD Policies: range from 25 to 250
- Number of Business Units and variation in Responsibilities across the business
- Security Model: RBAC, Single-Sign-On, OIM, etc.
- Number of Users and Responsibilities

10 Top Challenges: Remediation in Oracle EBS is a Permutation Problem. Root Cause Analysis is required for remediation.
Diagram: several access paths converge on one function through a shared submenu.
- Example chain: User: John Doe -> Responsibility: Payables Manager, US -> Menu: AP_Navigate_GUI12 -> Submenu: AP_Invoices_Entry -> Function: Invoice Batches
- Other nodes shown: Users: Mike Jones (Payables Users); Responsibilities: Payables Supervisor, Payables User; Menus: UK_AP_Navigate_GUI12, AX_Payables_User; Submenus: AP_Invoices_Entry (shared), AP_Invoices_GUI12_G
- Question posed: What if we exclude Invoice Batches from AP_Invoices_Entry?
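The hierarchy on slides 8 and 10 (User -> Responsibility -> Menu -> Submenu -> Function) and the seeded-responsibility conflicts of slide 7 can be reasoned about with a small model. The Python below is an added example, not FulcrumWay's, Oracle's or the deck's own code: it flattens a constructed menu tree into the functions each responsibility effectively grants, runs a rule set over it per responsibility ("test by privilege") and per user ("test by user"), and shows why removing a function from a shared submenu is a permutation problem, next to the targeted alternative of a responsibility-level exclusion. Menu and responsibility names follow slide 10; the function names other than "Invoice Batches", the "Payments Clerk" responsibility, the "AP_Payments_Only" menu and the rule ids AP-01/AP-02 are assumed sample data.

```python
from collections import defaultdict
from copy import deepcopy

# --- Constructed sample data; not an extract from a real EBS instance --------
# Menu and responsibility names follow slide 10; "Invoice Batches" is the
# function named there. The other function names, "Payments Clerk",
# "AP_Payments_Only" and the rule ids are assumed for illustration.
MENUS = {
    # top-level menus: entries are ("MENU", submenu) or ("FUNCTION", form function)
    "AP_Navigate_GUI12":    [("MENU", "AP_Invoices_Entry"), ("MENU", "AP_Invoices_GUI12_G"),
                             ("FUNCTION", "Payment Batches")],
    "UK_AP_Navigate_GUI12": [("MENU", "AP_Invoices_Entry"), ("FUNCTION", "Payment Batches")],
    "AX_Payables_User":     [("MENU", "AP_Invoices_Entry"), ("MENU", "AP_Invoices_GUI12_G")],
    "AP_Payments_Only":     [("FUNCTION", "Payment Batches")],
    # shared submenus
    "AP_Invoices_Entry":    [("FUNCTION", "Invoice Batches"), ("FUNCTION", "Invoices")],
    "AP_Invoices_GUI12_G":  [("FUNCTION", "Invoice Inquiry")],
}
RESPONSIBILITIES = {   # top menu plus responsibility-level function exclusions
    "Payables Manager, US": {"menu": "AP_Navigate_GUI12", "exclusions": set()},
    "Payables Supervisor":  {"menu": "UK_AP_Navigate_GUI12", "exclusions": set()},
    "Payables User":        {"menu": "AX_Payables_User", "exclusions": set()},
    "Payments Clerk":       {"menu": "AP_Payments_Only", "exclusions": set()},
}
USERS = {"John Doe": ["Payables Manager, US"],
         "Mike Jones": ["Payables User", "Payments Clerk"]}
# SOD rules: (rule id, function A, function B) must not sit in one pair of hands
SOD_RULES = [("AP-01", "Invoice Batches", "Payment Batches"),
             ("AP-02", "Invoices", "Payment Batches")]


def reachable_functions(menu, menus=MENUS, _path=()):
    """Flatten a menu tree into {function: [menu path, ...]}, one path per
    route by which the function is reachable. Cycle-safe."""
    path = _path + (menu,)
    found = defaultdict(list)
    for kind, name in menus.get(menu, []):
        if kind == "FUNCTION":
            found[name].append(path)
        elif name not in path:                       # skip menu cycles
            for func, paths in reachable_functions(name, menus, path).items():
                found[func].extend(paths)
    return dict(found)


def responsibility_functions(resp, resps=RESPONSIBILITIES, menus=MENUS):
    """Effective functions of one responsibility: everything reachable from
    its top menu, minus the functions excluded at responsibility level."""
    spec = resps[resp]
    reach = reachable_functions(spec["menu"], menus)
    return {f: p for f, p in reach.items() if f not in spec["exclusions"]}


def sod_conflicts(functions, rules=SOD_RULES):
    """Rule ids for which both incompatible functions are present."""
    return sorted(rid for rid, a, b in rules if a in functions and b in functions)


def test_by_privilege(resps=RESPONSIBILITIES, menus=MENUS, rules=SOD_RULES):
    """Conflicts designed into each responsibility on its own."""
    return {r: sod_conflicts(responsibility_functions(r, resps, menus), rules)
            for r in resps}


def test_by_user(users=USERS, resps=RESPONSIBILITIES, menus=MENUS, rules=SOD_RULES):
    """Conflicts across the union of a user's responsibilities; invisible to
    test_by_privilege when every responsibility is clean on its own."""
    out = {}
    for user, granted in users.items():
        funcs = set()
        for r in granted:
            funcs |= set(responsibility_functions(r, resps, menus))
        out[user] = sod_conflicts(funcs, rules)
    return out


def blast_radius(function, submenu, resps=RESPONSIBILITIES, menus=MENUS):
    """The permutation problem: dropping `function` from the shared `submenu`
    touches every responsibility whose tree contains that submenu. Returns
    {responsibility: 'removed' | 'still reachable via <other path>'}."""
    affected = {}
    for r, spec in resps.items():
        paths = reachable_functions(spec["menu"], menus).get(function, [])
        if any(p[-1] == submenu for p in paths):
            other = [p for p in paths if p[-1] != submenu]
            affected[r] = ("still reachable via " + "/".join(other[0])) if other else "removed"
    return affected


def conflicts_after_exclusion(resp, function, resps=RESPONSIBILITIES,
                              menus=MENUS, rules=SOD_RULES):
    """Targeted alternative: exclude `function` on this one responsibility
    (what EBS stores as a responsibility exclusion) and re-test. Non-mutating."""
    trial = deepcopy(resps)
    trial[resp]["exclusions"].add(function)
    return sod_conflicts(responsibility_functions(resp, trial, menus), rules)


if __name__ == "__main__":
    print("by privilege:", test_by_privilege())
    print("by user:     ", test_by_user())
    print("drop 'Invoice Batches' from AP_Invoices_Entry:",
          blast_radius("Invoice Batches", "AP_Invoices_Entry"))
    print("exclude 'Payment Batches' on Payables Manager, US:",
          conflicts_after_exclusion("Payables Manager, US", "Payment Batches"))
```

Running it shows the two sides of the slide: Payables Manager, US and Payables Supervisor each carry AP-01 and AP-02 by design, while Mike Jones conflicts only when his two individually clean responsibilities are combined, which a per-responsibility test never reports. Removing Invoice Batches from AP_Invoices_Entry would strip it from all three responsibilities that share the submenu, including Payables User, which had no conflict; excluding Payment Batches on Payables Manager, US alone clears that responsibility without touching anyone else.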

12 Controls Assessment: FulcrumWay Application Risk Assessment Best Practices
Process diagram; steps shown: Prepare Assessment Checklist, Manage Exceptions, Prepare Remediation Plan, Select ERP Controls from FW Controls Catalogs, Establish Test Environment, Detect Control Violations, Analyze Issues, Confirm Findings, Present Project Plan, Implement ERP Advanced Controls, Probe ERP Data.
Swimlanes shown: FW Risk Advisor/Client Lead; FW Risk Advisor/Client Lead/Control Owners; Client Executive Sponsors; FW/Client Project Team.

13 Controls Assessment: DataProbe Extracts the Security, Setup and Master Data Information
DataProbe is a desktop utility for the client DBA/manager to provide the data. On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services.

14 Controls Assessment: Controls Catalog with over 1,000 Advanced Controls
Select SOD, Master Data, Setup, and Transaction Controls. Risk Assessment: detect control weaknesses across the ERP system to identify business process optimization opportunities.

15 Controls Assessment: ERP Test Environment Consists of ERP Configurations and Data Objects
Selected security, setup and data objects are included in the environment. ERP configuration such as 3-way match in Payables options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks.

16 Controls Assessment: Advanced Analytics to Analyze ERP Risks
Pre-built Risk Analytics. Risk Reports available for client review. Risk Advisory identifies control violations and has the capability to analyze issues and remove false positives to prepare the findings report.

18 Role Design: FulcrumWay Roles Manager Overview
Eliminate the Root Cause of Access Control Violations in ERP:
- Improve Segregation of Duty controls within mission critical applications
- Reduce ERP implementation and upgrade costs with pre-configured roles
- Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators to:
- Select pre-configured ERP roles from a roles catalog
- Update, Review and Approve Role design changes
- Identify SOD conflicts before the Roles are assigned to Users

19 Role Design: FulcrumWay Roles Manager Features
- Role Manager is an ERP security design tool
- Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies
- Roles by ERP module and typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup
- You can use this tool to view existing role templates and design new roles by selecting or deselecting ERP functions/transactions
- Once you complete the role design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles
- The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles
- Leverage FW DataProbe/Scripts to load current Roles
- Secure Access from the fulcrumway.com portal

20 Role Design: Access to Roles Manager
Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com. Roles Manager is a component of the FulcrumWay Risk Remediation software services, available instantly over a secure internet connection.

21 Role Design: Search and Browse through the catalog of Roles for Oracle EBS R12
Select the Access Monitor icon, then click on the Maintain Access Roles tab. Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start.

22 Role Design: Access to Roles Manager
Use a source role to create a new target role. View existing SOD issues with the source role. Assign Reviewers and Approvers for the role. Embed SOD Controls into the Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration.

23 Role Design: Access to Roles Manager
Select/deselect business activities to update the Role configuration automatically. Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.

24 Role Design: Access to Roles Manager
Select/deselect Request Sets to update the Role configuration automatically. Effective SOD Controls should include access to Concurrent Requests. Remember that in R12 you can open/close GL Periods by submitting a request.

25 Role Design: Access to Roles Manager
Review and approve Roles using notifications. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce the risk of SOD control failure.

26 Role Design: Access to Roles Manager
Access the link to approve or reject the new Role. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce the risk of SOD control failure.

27 Role Design: Access to Roles Manager
Assign Application Role Owner, Reviewer, Approver and Security Admin. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce the risk of SOD control failure.

28 Agenda: Reduce SOD Access Violations with Effective Roles Management Techniques
- Introduction
- Top SOD Challenges in Oracle EBS
- SOD Controls Assessment Overview
- Role Design Techniques
- Case Study
- Q&A

29 Client Case: Global Car and Equipment Rental Company Improves Employee Productivity
Our Client:
- Leader in the car and equipment rental businesses worldwide
- Providing quality car rental service for over 90 years
- Over 30,000 employees
Challenges:
- Replace multiple legacy systems with one ERP solution
- Improve Segregation of Duty controls within mission critical applications
- Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
- Increase external auditor's reliance on ERP Access Controls Monitoring
Solutions:
- GRC DataProbe
- ERP Controls Catalog
- ERP Roles Monitor
Results:
- Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out
- Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog
- Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
- Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes
- Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users

31 Summary and Q&A
Thank You! Join us on LinkedIn and Follow us on Twitter