Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Learn to streamline User Provisioning process in Oracle Applications with workflows
Monthly Educational Webinar Series
Adil Khan, Managing Director
Feb 16, 2017
Copyright. Fulcrum Information Technology, Inc. A Leader in Risk Based Enterprise Controls Management Solutions: Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics. Leverage Technology: Turn Risk into Opportunity
Agenda: Streamline User Provision in Oracle Apps
- Introduction
- User Provisioning Overview
- Access Policy Compliance
- Oracle User Security Assignment
- Self Service User Provisioning Process
- Case Study
- Q&A
Proven Expertise: FulcrumWay Insight, Global Thought Leadership
- Oracle Cloud London, Feb 1-2: GRC Round Table, London, UK
- Educational Webinar, Mar 23rd: Continuous Controls Monitoring
- Oracle Cloud Australia, March: GRC Round Table, Sydney, Australia
- Collaborate 17, April 2-6, Las Vegas: GRC Open House
- Educational Webinar, April 20th: Internal Audit Management with Advanced Control Analytics
- Oracle Open World, October 1-5: Moscone West, San Francisco, CA
- Gitex, October 8-12: GRC Round Table, Dubai, UAE
- Oracle UK Users Group, December: GRC Round Table, Birmingham, UK
- Oracle Connect Africa, October: GRC Round Table, South Africa
Successful Track Record: FulcrumWay Client Studies
Government, Oil and Gas, Financial Services, Retail, Communications, Manufacturing, Transportation, Natural Resources, Media/Entertainment, Healthcare, High Tech, Life Sciences
User Provisioning Process: Current Challenges
Process:
- Hundreds of user add, change and delete requests every day
- Inconsistent, ad-hoc and manual processes, platform dependent
- Disparate provisioning tools and workflows
- Many human touch points: business managers, help desk, IT, etc.
Challenges:
- No consistent policy enforcement
- No common controls or audit trail
- Very difficult to ensure compliance and assess risk
[Diagram labels: Portal, Email, Help Desk, Provisioning, Paper form, IT Admin]
User Provisioning Process: User Access, a Common Source of Internal Abuse
A Top Focus for IT Audits:
- Gartner survey: 44% of IT audit deficiencies are IAM-related
- #1 area requiring remedial action
- Ernst & Young: 7 of Top 10 control deficiencies relate to user access control
PROTECTED Information:
- Orphan Accounts: poor de-provisioning; high risk of sabotage, theft, fraud
- Entitlement Creep: accumulated privileges; potential toxic combinations; increased risk of fraud
- Rogue Accounts: fake accounts created by criminals; undetected access and activity; data theft, fraud, and abuse
- Privileged Users: users with keys to kingdom; poor visibility due to shared accounts
Access Policy: Role Definition, Privileges
Access Policy: Components of access policy
Source: Fusion Applications - Role Based Security, Kiran Mundy, Nigel King, Oracle Fusion
Access Policy: Complicated Security Model, High Risk of Access Control Deficiencies
[Diagram labels: User, Responsibility, Menu, Function, Form]
- Evaluate User Access: test by user; test by privilege
- Manage Segregation of Duties: identify incompatible privileges; predefined & extensible SOD rule sets
Access Policy: Management Control Assessment
- Is ERP system access protected?
- Do we conform to access policy?
- Are we responding to risk incidents?
Compliance Checklist:
- Inability to translate corporate governance into actionable IT policy: Segregation of Duties, Data Privacy policy
- Access Controls Testing: email or spreadsheet-based; human error, inconsistencies; data is hard to obtain, missing
- No ability to manage identity through a business lens: lack of transparency; IT / Identity data not understood by the business
User Security Assignment: Oracle EBS Access Provisioning
Oracle EBS User:
- User is assigned to the HR Record
- Active/Inactive User
- Password Policy
- One or more responsibilities assigned to a User
- A Responsibility has many Menus and Sub-Menus
- Menu has many functions / forms
User Security Assignment: Access Policy Violations are costly to remediate after provisioning
Root Cause Analysis is required for remediation!
What if we exclude Invoice Batches from AP_Invoices_Entry?
[Diagram labels: User: John Doe; Responsibility: Payables Manager, US; Menu: AP_Navigate_GUI12; Submenu: AP_Invoices_Entry; Function: Invoice Batches; SubMenu: AP_Invoices_Entry; SubMenu: AP_Invoices_GUI12_G; Menu: UK_AP_Navigate_GUI12; Responsibility: Payables Supervisor; Menu: AX_Payables_User; Responsibility: Payables User; User: Mike Jones; Payables Users]
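The root-cause question on this slide, worked through as an added example that is not part of the original deck or of any FulcrumWay or Oracle tool. The object names come from the slide; the links between them (which menu contains which submenu or function) are assumptions, and the dictionaries are a simplified stand-in for the EBS user, responsibility and menu data.

```python
# Constructed sample data: names are from the slide, the edges between them are assumed.
USER_RESPS = {"John Doe": ["Payables Manager, US"],
              "Mike Jones": ["Payables Supervisor", "Payables User"]}
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
# menu -> entries; each entry is ("menu", submenu) or ("function", name)
MENUS = {
    "AP_Navigate_GUI12": [("menu", "AP_Invoices_GUI12_G")],
    "AP_Invoices_GUI12_G": [("menu", "AP_Invoices_Entry")],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry")],
    "AX_Payables_User": [("function", "Invoice Batches")],
    "AP_Invoices_Entry": [("function", "Invoice Batches")],
}

def menu_paths(menus, menu, function, trail=()):
    """Yield every menu chain from `menu` down to `function`."""
    if menu in trail:  # guard against a submenu cycle
        return
    trail += (menu,)
    for kind, name in menus.get(menu, []):
        if kind == "function" and name == function:
            yield trail
        elif kind == "menu":
            yield from menu_paths(menus, name, function, trail)

def access_paths(user, function, menus=MENUS):
    """Root cause: every (responsibility, menu chain) route giving `user` the function."""
    return [(resp, chain)
            for resp in USER_RESPS.get(user, [])
            for chain in menu_paths(menus, RESP_MENU[resp], function)]

def exclude(menus, menu, function):
    """Return a copy of the menu tree with `function` removed from one menu."""
    return {m: [e for e in entries if not (m == menu and e == ("function", function))]
            for m, entries in menus.items()}

def exclusion_impact(menu, function):
    """Per user: responsibilities that lose the function and those that still grant it."""
    after = exclude(MENUS, menu, function)
    report = {}
    for user in USER_RESPS:
        before_r = {r for r, _ in access_paths(user, function)}
        after_r = {r for r, _ in access_paths(user, function, after)}
        report[user] = {"lost": sorted(before_r - after_r), "still_granted": sorted(after_r)}
    return report

print(exclusion_impact("AP_Invoices_Entry", "Invoice Batches"))
```

With these assumed links, editing the shared submenu removes the function from a responsibility that was not the target of the change, while another responsibility keeps granting it through a different menu.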
Agenda: Self Service User Provisioning in Oracle
- Introduction
- Identity Governance Overview
- Access Policy Compliance
- Oracle User Security Assignment
- Self Service User Provisioning Process
- Case Study
- Q&A
User Provisioning Process: Risk Based Approach to Access Management
[Diagram labels: Regulatory Reporting; Provisioning Life-cycle; Business Tracking & Reporting; Access Analytics; Roles Management; Provisioning; Violation?; Monitoring; Risk & Model; Workflow Directory for user provisioning process; Self Service Actions; Help Desk; Security Policy Evaluation; Users]
User Provisioning Process: Self Service Access Management
- Move from fragmented approaches to centralized visibility and control
- Automate identity controls and business processes
- A business-friendly layer linking business users and processes to underlying technology and technical users
- Actively measures and monitors risk associated with users and resources
Case Study: A Leading Global Auto Manufacturer Improves User Access Management across multiple ERP instances
Our Client:
- A leading global supplier of drivetrain, mobility, braking and aftermarket solutions for commercial vehicle and industrial markets
- More than a 100-year legacy of providing innovative products to customers around the world
Challenges:
- Replace multiple legacy systems with one ERP solution
- Improve Segregation of Duty controls within mission critical applications
- Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
- Increase external auditor's reliance on ERP Access Controls Monitoring
Solutions: Roles Manager/Advanced Self Service
Results:
- Reduced user provisioning time by identifying and eliminating 80% of manual steps, resulting in over $50,000 annual cost savings in audit and remediation costs
- Created access policies to ensure compliance during the user provisioning process
- Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, ensuring that all users are assigned only the pre-approved Roles
- Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes
- Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users
Case Study: User Provisioning Challenges
- Do the ERP Roles meet requirements for all users?
- Is access to sensitive data and functions protected?
- Do you maintain an audit trail on ERP configuration controls?
- Does user provisioning prevent security policy violations?
- How do you detect Segregation of Duty policy violations?
- Can you prevent unauthorized Master Data changes?
- How do you monitor superuser activities?
- Do you obtain user access verification from managers periodically?
- How do you ensure that terminated employees can't access ERP?
iaccess: A Risk Based Approach to User Provisioning
[Diagram labels: Employee/Manager List; Test Access Policy; Add/Update Role; Application Access Rules; Active Employee Users; User Registration; Request Roles; Process Approval Request; Add/Update User; Monitor Application Access Rules Manager; DataProbe ETL; iaccess Rules Manager; Workflow; DataProbe ETL; Dashboard; IS Security/Audit/Compliance; Network User List (AD); Requesters / Approvers; Application Administrator; IS Security]
Case Study: Discover User Activities and Improve Productivity
Enhance security, improve helpdesk productivity, reduce support costs:
- Analyze User Access Rights
- Design and Manage User Roles
- Configure Application Security
- Control Data Access
- Deploy Role Configuration
- Provision Roles to Users
- Grant Emergency Access (Fire Fighter ID)
- Certify User-Role Assignment
SOD Rules (SafePaaS Capabilities): Can be developed or deployed from FulcrumWay's Controls Catalogue
User Provisioning: User Registration
User Provisioning: User Application Role Request
Risk Analytics: Analyze ERP Risks with Analytics
Use ad hoc reporting to establish scope, analyze issues, remove false positives and exceptions
Roles Redesign: SafePaaS Capabilities
Q & A
Sign up for FREE 14 Days Evaluation: register online to try out SafePaaS