Application Security Best Practices in an Oracle E- Business Suite Environment

Similar documents
Leverage T echnology: July 19 th, 2013 Adil Khan. Move Your Business Forward. Copyright. Fulcrum Information Technology, Inc.

OAUG / DOAG SIG DAY Vienna Sept 27 th 2010 Oracle Governance Risk and Compliance OAUG. August 2010

Oracle GRC Controls Suite Fundamentals Ver. 8.5/7.3.1/5.5.1

Value Set Values Maintenance Control Considerations

Leverage T echnology: Turn Risk into Opportunity

ERP IMPLEMENTATION RISK

MIS 5121: ERP Systems - Course Schedule

SOX 404 & IT Controls

What does an external auditor look for in SAP R/3 during SOX 404 Audits? Ram Bapu, CISSP, CISM Sandra Keigwin, CISSP

HIDDEN BENEFITS OF ORACLE GRC

INTRODUCTION IT AUDITING FOR NON-IT AUDITORS GOLDCAL LLC Danny M. Goldberg, Founder 1

Session Number Who Owns. Sarah Thompson, PwC Risk Assurance Director

SOX compliance through Role Design & SAP GRC Access Control The Omega Pharma case

Administration & Security Essentials

IT Audit Process. Michael Romeu-Lugo MBA, CISA March 27, IT Audit Process. Prof. Mike Romeu

Auditing Applications, Part 1

Data Management: Applying Data Analytics to a Continuous Controls Monitoring Solution

GRC300. SAP BusinessObjects Access Control Implementation and Configuration COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)

GRC300. SAP Access Control Implementation and Configuration COURSE OUTLINE. Course Version: 16 Course Duration: 5 Day(s)

MIS 5121: ERP Systems - Course Schedule Spring 2016

Continuous Controls Monitoring for Transactions: The Next Frontier for GRC Automation

Top 10 SAP audit and security risks

Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBS R12 Upgrades/Implementations

<Insert Picture Here> Latest on Oracle Application Change Management Pack for Oracle E- Business Suite

File. Audit. City Auditor

AC 10.0 Pre-Implementation From Post-Installation to First Risk Analysis

REMOTE IT INFRASTRUCTURE MANAGEMENT SERVICES

Effective Change Management Strategies A Maintenance Strategy for

Mondi s journey through HFM upgrade. Milagros Sanchez Mondi Group

TABLE OF CONTENTS DOCUMENT HISTORY

Compiere ERP Starter Kit. Prepared by Tenth Planet

Regional Senior Internal Auditor

Stat Production Services for Oracle E-Business Suite (Onsite and Remote)

WELCOME! MICROSOFT DYNAMICS AX USER GROUP (AXUG)

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Optimizing the close cycle using nextgeneration account reconciliation best practices and tools

2/27/2017. Segregation of Duties/ Internal Controls. Objectives. Agenda

HFM, Planning and Essbase with a side of DRM:

CITY OF CORPUS CHRISTI

Upgrade or Re-Implement?

Auditor General s Office REVIEW OF THE CITY SAP COMPETENCY CENTRE APPENDIX 1. June 1, 2010

Segregation of Duties and Sensitive Access: Leveraging System-Enforced Controls BY LARRY CARTER

Florida Department of Highway Safety and Motor Vehicles Office of Inspector General

Databases to Oracle Exadata: The Saga Continues for Oracle Enterprise Manager Based Patching

Oracle Project Portfolio Management Cloud

Eric Anderson, City Manager. Scottie Nix, Internal Auditor

2-Step Process to Boost Business Productivity using Real-time Data Virtualization MDM

Oracle HCM Cloud: Talent Management

Infor Risk and Compliance for CDM Phase 2: Automate, integrate, manage, and report across your enterprise

CHAPTER 5 INFORMATION TECHNOLOGY SERVICES CONTROLS

Financial Services Cloud Administrator Guide

Epicor Cloud ERP Services Specification Single Tenant SaaS and Single Tenant Hosting Services (Updated July 31, 2017)

Navigating in ADP Workforce Now for Practitioners

This topic focuses on how to prepare a customer for support, and how to use the SAP support processes to solve your customer s problems.

Useful P6 EPPM Terms Security Configuration Process in P6 EPPM Defining Global Security Profiles in P6 EPPM... 19

Upgrading to Workforce Central 6.3

Seattle Public Schools The Office of Internal Audit

Certified Identity Governance Expert (CIGE) Overview & Curriculum

SAP Road Map for Governance, Risk, and Compliance Solutions

CAPABILITIES. Element LIMS. LABORATORY INFORMATION MANAGEMENT for Analytical Testing Laboratories

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No

What s New with Ellucian and the Transformation of Banner by Ellucian? Rick Skeel Director, Product Management Ellucian BUGMI September 2015

Next Generation Controls(NGC) Moving towards a Robust Control Framework. August Risk

3 Ways to Reduce the Costs of SOX compliance

Energy Future Holdings (EFH)

Managing Risk in Your P2P Process: 10 Ways that Automation Can Help Mitigate Risk

Oracle's new Tax Reporting Ledger - A wellkept

Auditing Open Source Applications by Using COBIT 4.1

CREATING A FRAUD RISK ASSESSMENT AND IMPLEMENTING A CONTINUOUS MONITORING PROGRAM

IBM Maximo Asset Management V7.6 Overview. December 12, Matt Logsdon

Oracle On-Demand An Implementer s Perspective

PRINCE2 - Quality Management Strategy

Continuous Compliance in SAP Environments

CloudSuite Corporate ebook

Integration Messaging Patterns & Best Practices Force.com

Enhanced Security. Management, Separation of Duties

PeopleSoft Treasury. Duration: 4 Days

Position Description. Job Summary: Campus Job Scope:

What is Continuous Integration. And how do I get there

COURSE LISTING. Courses Listed. with Business Intelligence (BI) SAP BI Platform Administration. 26 December 2017 (18:01 GMT)

STATE OF NORTH CAROLINA

Strategies for Monitoring Large Data Centers with Oracle Enterprise Manager. Ana McCollum Consulting Product Manager

HCM Project Planning SUN October 1, 2017

inoc for Cloud Based Agile Billing and Monetization Platform ATTENTION. ALWAYS.

Use Hyperion Workspace User's Guide

Administration & Security Essentials FOR MICROSOFT DYNAMICS AX 2012 R3

Auditing Standards and Practices Council

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Oracle Agile Product Lifecycle Management for Process

PI SERVER 2015 AND FUTURE DATA

2013 COSO Internal Control Framework Update. September 5, 2013

ISAE 3402 Type 2. Independent auditor s report on general IT controls regarding operating and hosting services for to

Information Technology Services Procedures

OBIEE12c New Features for End-Users, Developers and Sys Admins

Writing an Audit Finding. Danny M. Goldberg Professional Development Practice Director

WasteMan 2G. Key Features. Newcastle Weighing Services Pty Ltd. Prepared by. Office: (02) Fax: (02)

Global Compliance Trends and Warning Letters

College of Engineering and Computer Science Dean's Office

Journal Approval Process

REPORT 2014/115 INTERNAL AUDIT DIVISION. Audit of information and communications technology management at the United Nations Office at Geneva

Transcription:

Application Security Best Practices in an Oracle E- Business Suite Environment

Introduction - Jeffrey T. Hare, CPA CISA CIA Founder of ERP Risk Advisors Written various white papers on Internal Controls and Security Best Practices Frequent contributor to OAUG s Insight magazine Experience includes Big 4 audit, 6 years in CFO/Controller roles both auditor and audited perspectives In Oracle applications space since 1997 both client and consultant perspectives Founder of Internal Controls Repository public domain repository Author: Book Oracle E-Business Suite Controls: Application Security Fundamentals Book: Auditing Oracle E-Business Suite: Common Issues

Why Good Role Design? Proper application security and role design forms the foundation of your internal controls environment. Poor role design during the implementation of ERP applications leads to excessive risk, Segregation of Duties issues, and audit findings. Integrity of control design - those performing controls do not have access to transactions basic Segregation of Duties

RESPONSIBILITIES / ROLE / ROLE DESIGN Based on principle of least privilege only what is necessary for the persons(s) to do their job tasks SOD conflict free Each role should only include the sensitive data needed to be viewed by those with the role Each role should only contain sensitive / high risk functions needed to be accessed (data entry, setups, SQL forms, etc.)

RESPONSIBILITIES / ROLE / ROLE DESIGN User Management shouldn t be used except in certain limited circumstances. Don t start with the assumption that UMX will be used. Design one core Responsibility per job role this would be a custom menu and custom request group that would be replicated across OUs You should not use standard menus in the development of custom menus for end users because of impact of Oracle patches on standard menus. AZN menus example. Use submenus in limited instances Don t use the big six IT responsibilities App Dev, Sys Admin, Sys Administration, Alert Manager, Functional Developer, Functional Administrator

RESPONSIBILITIES / ROLE / ROLE DESIGN Perform risk assessment to identify which setups should be subject to the change management process and which should be managed by end users. Access to setups for end users (transactional) and IT (foundational) should only be provided in a custom submenu, never use the standard setup submenus Limit access to setup menus in UAT environment to keep it clean. Proper risk analysis between old and new security when patching and ESPECIALLY during major upgrades.

RESPONSIBILITIES / ROLE / ROLE DESIGN Quality assurance process - Implementation of a trigger or log-based solution to develop audit history to provide complete system based audit trail, notifications for high risk areas, documentation of actual changes back to change management tickets Over elements that are subject to change control Users, Resps, Menus, Request Groups, Functions, Forms, Concurrent Programs, Executables, Objects, AME, Functional Configuration Changes, Forms / pages that allow SQL injection, Profile Options, Profile Option Values.

RESPONSIBILITIES / ROLE / ROLE DESIGN User provisioning request form detail functionality within each role / responsibility and be a part of security Change Management process. Implement SoD tool like CaoSys CS*Comply Perform Lookback Analysis where you have identified unauthorized access

RESPONSIBILITIES / ROLE / ROLE DESIGN Use a tool like CaoSys CS*Provisum to fully automate the provisioning process and provide access to Segregation of Duties conflicts and Sensitive Access risks as part of the provisioning process. Use prevent-mode and approval rules during the provisioning process to reduce introducing SoD conflicts and Sensitive Access risks Re-validate security on a quarterly basis (CaoSys CS*Provisum) Supervisor, Process Owner, Rules inscope for SOX.

Change management best practices Wrap Up, Q&A, Contact Information

Change management best practices Services and offerings VAR, Implementation Partner of CaoSys GRC software that competes with Oracle s GRC suite Covering over 1,000 SoD and Sensitive Access rules, nearly 3,000 functions, and nearly 1,500 high risk concurrent programs Application security design / redesign Audit support particularly for application security and application controls

Change management best practices Services and offerings Health check / assessments for IT or internal audit Pre-conference workshop at Collaborate 17 Internal controls and security training through MISTI 24-Apr-2017: New York 21-Aug-2017: Anaheim 09-Oct-2017: San Francisco

Change management best practices Jeffrey T. Hare, CPA CISA CIA Cell: 970-324-1450 E-mail: jhare@erpra.net Website: www.erpra.net LinkedIn: www.linkedin.com/in/jeffreythare Twitter: @jeffreythare

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback