Leverage T echnology: Turn Risk into Opportunity

Size: px

Start display at page:

Download "Leverage T echnology: Turn Risk into Opportunity"

Berniece Short
6 years ago
Views:

Give me a lever long enough and a fulcrum on

Self Service User Provisioning A Leader in

1 Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes Copyright. Fulcrum Information Technology, Inc. Enhance security, improve helpdesk productivity, reduces support costs, with Self Service User Provisioning A Leader in Risk Based Enterprise Controls Management Solutions Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics Webinar Feb 25, 2016 Adil Khan Managing Director Leverage T echnology: Turn Risk into Opportunity

2 Agenda Self Service User Provisioning in Oracle Introduction User Access Management Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 2

Proven Expertise FulcrumWay Insight Thought Leadership Co-Authored GRC

February 12 th Orlando: Oracle Role Based Security and Oracle Cloud

Webinar March 22 nd Procure to Pay Process Optimization with Controls

Appreciation Dinner Educational Webinar May 24 th Hire to Retire Controls

th, 2016 - San Francisco, CA LinkedIn FulcrumWay Risk, Compliance and Audit

3 Proven Expertise FulcrumWay Insight Thought Leadership Co-Authored GRC Book: First book on GRC for Oracle Applications FLOAUG Innovate 16 - February 12 th Orlando: Oracle Role Based Security and Oracle Cloud Educational Webinar February 25 rd Self Service User Provision Educational Webinar March 22 nd Procure to Pay Process Optimization with Controls Monitoring Collaborate 16 April 11 th, 2015 Las Vegas GRC Client Appreciation Dinner Educational Webinar May 24 th Hire to Retire Controls in Oracle Fusion HCM Oracle Open World Annual GRC Dinner on September 19 th, San Francisco, CA LinkedIn FulcrumWay Risk, Compliance and Audit Software Group International GRC Round Tables Sydney, London, Johannesburg, Dubai See events page for details Page 3

4 Successful Track Record Government Oil and Gas FulcrumWay Client Studies Financial Services Retail Communications Manufacturing Transportation Natural Resources Media/Entertainment Healthcare High Tech Life Sciences Page 4

5 Agenda Self Service User Provisioning in Oracle Introduction User Access Management Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 5

Access Management User Access Common Source of Internal Abuse A Top Focus for IT Audits Gartner survey: 44%

de-provisioning High risk of sabotage, theft, fraud PROTECTED Information Entitlement Creep Accumulated

deficiencies relate to user access control Rogue Accounts Fake accounts created by criminals Undetected

6 Access Management User Access Common Source of Internal Abuse A Top Focus for IT Audits Gartner survey: 44% of IT audit deficiencies are IAM-related #1 area requiring remedial action Orphan Accounts Poor de-provisioning High risk of sabotage, theft, fraud PROTECTED Information Entitlement Creep Accumulated privileges Potential toxic combinations Increased risk of fraud Ernst & Young: 7 of Top 10 control deficiencies relate to user access control Rogue Accounts Fake accounts created by criminals Undetected access and activity Data theft, fraud, and abuse Privileged Users Users with keys to kingdom Poor visibility due to shared accounts Page 6

Access Management Management Control Assessment Is ERP system access protected? Do we conform to access policy? Are we responding to risk Incidents?

7 Access Management Management Control Assessment Is ERP system access protected? Do we conform to access policy? Are we responding to risk Incidents? Compliance Checklist Inability to translate corporate governance into actionable IT policy Segregation of Duties Data Privacy policy Access Controls Testing or spreadsheet-based Human error, inconsistencies Data is hard to obtain, missing No ability to manage identity through a business lens Lack of transparency IT / Identity data not understood by the business Page 7

8 Agenda Self Service User Provisioning in Oracle Introduction User Access Management Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 8

9 Access Policy User Role Assignment Source: Fusion Applications - Role Based Security, Kiran Mundy, Nigel King, Oracle Fusion Page 9 9

10 Access Policy Components of access policy Source: Fusion Applications - Role Based Security, Kiran Mundy, Nigel King, Oracle Fusion Page 10 10

11 Access Policy Complicated Security Model High Risk of Access Control Deficiencies User Responsibility Evaluate User Access Test by User Test by Privilege Menu Manage Segregation of Duties Identify incompatible Privileges Predefined & Extensible SOD Rule Sets Function Form Page 11

12 Access Policy Root Cause Analysis is required for remediation! ERP Security Management is a permutation problem User: John Doe Responsibility: Payables Manager, US Menu: AP_Navigate_GUI12 What if we exclude Invoice Batches from AP_Invoices_Entry? Submenu: AP_Invoices_Entry Function: Invoice Batches SubMenu: AP_Invoices_Entry SubMenu: AP_Invoices_GUI12_G Menu: UK_AP_Navigate_GUI12 Responsibility: Payables Supervisor Menu: AX_Payables_User Responsibility: Payables User Page 12 User: Mike Jones Payables Users

13 Agenda Self Service User Provisioning in Oracle Introduction User Access Management Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 13

14 User Security Assignment Oracle EBS Access Provisioning Oracle EBS User User is assigned to the HR Record Menu has many functions / forms Active/Inactive User A Responsibility has many Menus and Sub-Menus Password Policy One or more responsibilities assigned to a User Page 14

15 Agenda Self Service User Provisioning in Oracle Introduction Identity Governance Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 15

16 User Provisioning Process Process Hundreds of user add, change, deletes requests every day Inconsistent, ad-hoc and manual processes platform dependent Disparate provisioning tools and workflows Many human touch points: business managers, help desk, IT, etc Challenges No consistent policy enforcement No common controls or audit trail Very difficult to ensure compliance and assess risk Current Challenges Page 16 Portal Help Desk Provisioning Paper form IT Admin

User Provisioning Process Self Service Access Management

and control Automate identity controls and business

and processes to underlying technology and technical users

17 User Provisioning Process Self Service Access Management Move from fragmented approaches to centralized visibility and control Automate identity controls and business processes A business-friendly layer linking business users and processes to underlying technology and technical users Actively measures and monitors risk associated with users and resources Page 17

18 User Provisioning Process Risk Based Approach to Access Management Regulatory Reporting Provisioning Life-cycle Business Tacking & Reporting Access Analytics Roles Management Provisioning Violation? Monitoring Risk & Model Workflow Directory for user provisioning process Self Service Actions Help Desk Security Policy Evaluation Page 18 Users

19 Agenda Self Service User Provisioning in Oracle Introduction Identity Governance Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 19

20 Case Study Our Client A leading global supplier of drivetrain, mobility, braking and aftermarket solutions for commercial vehicle and industrial market With more than a 100-year legacy of providing innovative products to customers around the world Challenges Replace multiple legacy systems with one ERP solution Improved Segregation of Duty controls within mission critical applications Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model Increase external auditor s reliance on ERP Access Controls Monitoring Solutions Roles Manager/Advanced Self Service A Leading Global Auto Manufacturer Improves User Access Management across multiple ERP instances Results: Reduce User provisioning time by identifying and eliminating 80% manual steps resulting in over $50,000 annual cost savings in Audit and Remediation Costs Created access policies to ensure compliance during user provisioning process. Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users a assigned only the pre-approved Roles Improve SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes. Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users. Page 20

21 Case Study User Provisioning Challenges Do the ERP Roles meet requirements for all users? Is access to sensitive data and functions protected? Do you maintain audit trail on ERP configuration controls? Does User provisioning prevent security policy violations? How do you detect Segregation of Duty policy violations? Can you prevent unauthorized Master Data changes? How do you monitor superuser activities? Do you obtain user access verification from managers, periodically? How do you ensure that terminated employees can t access ERP? Page 21

22 Case Study A Risk Based Approach to User Provisioning Employee/ Manager List Test Access Policy Add/ Update Role Application Access Rules Active Employee Users User Registration Request Roles Process Approval Request Add/ Update User Monitor Application Access Rules Manager AppSync iaccess Rules Manager Workflow AppSync Dashboard IS Security/ Audit/Compliance Network User List (AD) Requesters / Approvers Application Administrator IS Security Page 22

23 Role Design FulcrumWay Roles Manager Overview Page 23

24 Role Manager Discover User Activities and Improve Productivity Enhance security, improve helpdesk productivity, reduce support costs Analyze User Access Rights Design and Manager User Roles Configure Application Security Control Data Access Deploy Role Configuration Provision Roles to Users Grant Emergency Access (Fire Fighter ID) Certify User-Role Assignment Page 24

25 User Provisioning User Registration Page 25

26 User Provisioning User Registration Page 26

27 User Provisioning User Registration Page 27

28 User Provisioning User Registration Page 28

29 User Provisioning User Application Role Request Page 29

30 User Provisioning User Application Role Request Page 30

31 User Provisioning User Application Role Request Page 31

32 User Provisioning User Application Role Request Page 32

33 Risk Analytics Analyze ERP Risks with Analytics Use Adhoc Reporting to establish scope, analyze issues, remove false positives and exceptions Page 33

34 Role Design Select the Access Monitor Icon. Search and Browse through catalog of Roles for Oracle EBS R12 Then click on the Maintain Access Roles Tab Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls Designed into the configuration to give you a jump start Page 34

35 Agenda Self Service User Provisioning in Oracle Introduction Identity Governance Overview Access Policy Compliance Oracle User Security Assignment Self Service User Provisioning Process Case Study Q&A Page 35

36 Q & A Leader in Risk Based Management Controls Visit Resources to get started with Security Assessment and Role Design Page 36

Learn to streamline User Provisioning process in Oracle Applications with workflows

Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes Copyright. Fulcrum Information Technology, Inc. Learn to streamline User Provisioning process in