Identifying and Monitoring Multi-Platform and Cross-Platform Access Control
Leverage Technology: Move Your Business Forward™
Risk and Compliance / Financial Reporting / Internal Audit / Controls Catalog / Application Security / Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright © Fulcrum Information Technology, Inc.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
ID and Monitoring Multi-Platform and Cross-Platform Access Control
Jeffrey T. Hare, CPA CISA CIA
Eduardo Garibaldi, Director of Global Risk Advisory
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Agenda
Introductions
Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks
Segregation of Duties Overview
SoD Analysis
False Positives and Exceptions
Remediation Approach
Q&A
FulcrumWay Clients: Over 250 engagements
Successful Track Record
Government
Oil and Gas
Healthcare
Communications
Financial Services
Transportation
Natural Resources
Manufacturing
Retail
High Tech
Media/Entertainment
Life Sciences
FulcrumWay™ Insight: Global Thought Leadership
Oracle Cloud – London – Feb 1-2 – GRC Round Table, London, UK
Educational Webinar – Feb 17th – Self Service User Provisioning
Educational Webinar – Mar 23rd – Continuous Controls Monitoring
Oracle Cloud – Australia – March – GRC Round Table, Sydney, Australia
Collaborate 17 – April 2-6 – Las Vegas – GRC Open House
Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
Gitex – October 8-12 – GRC Round Table, Dubai UAE
Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
Oracle Connect Africa – October – GRC Round Table, South Africa
Proven Expertise
Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks
Most organizations have multiple software applications to help run their business. Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective. Hear from industry expert Jeffrey T. Hare, CPA CISA CIA, about common cross-platform and multi-platform control risks and how organizations can mature their control environment through the necessary manual controls, monitoring controls, and access controls.
Scenario 1: Multi-platform risks across Oracle E-Business Suite and Hyperion
Organization uses Oracle E-Business Suite for core applications and Hyperion for budgeting and consolidations
Risks Across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite:
Uses the Journal Approval Workflow, which now leverages AME (Oracle Approvals Management). All 'manual JEs' are required to go through the journal approval workflow process.
Hyperion:
JEs can be entered and posted by anyone
Manual controls over JEs (outside the system)
Budgeting
Consolidations
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite SoD Conflicts:
Enter Journals vs Journal Sources
Enter Journals vs Journal Authorization Limits
Enter Journals vs Profile Option Values
Enter Journals vs AME Setups
Enter Journals vs Accounting Setup Manager
Hyperion SoD Conflicts:
Enter Budgets vs Maintain Budget Approvers
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite Sensitive Access Risks:
Journal Sources
Journal Authorization Limits
Profile Option Values
AME Setups
Budget Setups
Journal Import Correction
Accounting Setup Manager
Hyperion Sensitive Access Risks:
Define Budget
Budget Approvers
Consolidation Setups
Enter Journals
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite Operational Sensitive Access Risks:
Enter Journals
Post Journals
Chart of Accounts maintenance (Flexfield Values)
AutoPost
Hyperion Operational Sensitive Access Risks:
None
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite Other Notes:
Further discussion needed on how Mass Allocations and Recurring Journals are handled
Assumption is that the Journal Approval workflow is properly configured
Hyperion Other Notes:
None
Scenario 2: Cross-platform risks across Oracle E-Business Suite and Oracle ERP Cloud
Organization uses Oracle E-Business Suite for core applications (less Requisitions) and Oracle ERP Cloud (Fusion) for Requisitions
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Cross-platform)
Oracle E-Business Suite Activities within EBS:
Segregating JEs – Enter vs Post
Approved Reqs are converted to POs
POs are updated manually, since ERP Cloud doesn't support PO updates
Suppliers interfaced from ERP Cloud
Oracle ERP Cloud Activities within ERP Cloud:
JEs not allowed
Approved Requisitions are interfaced to EBS
Suppliers are interfaced to EBS
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Cross-platform)
Oracle E-Business Suite Sensitive Access Risks:
Suppliers (none should be entered in EBS)
AutoCreate Docs
Buyers
Purchase Orders
PO Setups – Document Types
PO Approval Setups
Payables Options
Oracle ERP Cloud Sensitive Access Risks:
Suppliers
Requisition Approval Setup
Requisition Setups – Document Types
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Cross-platform)
Oracle E-Business Suite SoD Conflicts:
Enter PO's vs Enter Goods Receipts
Enter Suppliers vs Enter PO's
Enter PO's vs PO Options
Enter Suppliers vs Payables Options
Enter PO's vs Buyers
Oracle ERP Cloud SoD Conflicts:
Enter Requisitions vs Requisition Approval Setup
Enter Suppliers vs Enter Requisitions
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Cross-platform)
Cross-Platform SoD Conflict:
Enter PO's (EBS) vs Enter Suppliers (Cloud)
A user who can create suppliers in ERP Cloud (which are interfaced into EBS) and can also enter purchase orders in EBS holds the same Suppliers vs PO's conflict as an EBS-only user, but neither platform's own SoD analysis sees it.
SoD Overview: Are you ready for the Segregation of Duties Audit?
The Big Picture: SafePaaS (architecture diagram)
Components shown: MonitorPaaS; ProcessPaaS/DocumentPaaS (Operations Management); RiskPaaS (Risk Library, KRI Manager, Policy Manager, Risk Assessments); Process Definition, Workflow, Business Rules; AuditPaaS (Audit Manager, Audit Planner, Compliance Manager); Master Data Monitor; DataProbe Integration Services; Transaction Monitor, App Configuration Monitor, Rules Repository; Access Monitor, SOD Policy Monitor, Roles Manager; AccessPaaS (iAccess policy-based provisioning); Issue Manager; Survey Manager
Also shown: Enterprise Risk Management; Continuous Controls Monitoring; Financial Governance; Audit and Compliance Automation; IT Governance
Multi-platform (diagram slide)
SoD Overview: Oracle E-Business Suite Security Model
Complicated security model: contains many overriding security attributes
Elements: User, Responsibility, Menu, Function, Form
Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets
SoD Overview: Hyperion Security Model
High risk of SOD issues
Elements: User, Roles, Groups, Functions, Security Class
Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets
SoD Overview: PeopleSoft Security Model
High risk of SOD issues
Elements: User Profile, Role, Permission List, Menu, Component, Page
Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets
SoD Overview: JD Edwards Security Model
High risk of SOD issues
Elements: User, Roles, Menu / Task, Form, Application Versions, Report Versions
Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets
SOD Overview: Access/SOD Risk Based process (diagram)
Steps: Detect SOD/Policy Violations; Analyze Violations; Correct Role Access; Correct User Access; Monitor Violation Incidents
Inputs: Application Security Model; Application Security Snapshot (DataProbe ETL); Application Access Rules
Components: Access Analytics; Rules Manager; Roles Manager; Violations Manager; Exceptions; Corrective Actions; Action Workflow; Dashboard; Application Test Environment
Actors: Application Administrator; IS Security; App Control Owners; Audit/Compliance
SoD Overview: An SoD Rule Consists of Business Activities Made Up of Functions
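The rule structure above (a rule is two business activities, an activity is a set of functions) is what lets one rule set span platforms: the cross-platform conflict from Scenario 2, Enter PO's (EBS) vs Enter Suppliers (Cloud), is simply a rule whose Enter Suppliers activity contains a function from each platform. The following Python is an added example, not SafePaaS code or code from the deck; account names, privilege labels, rule IDs and the account-to-person mapping are all constructed. It merges two access snapshots by person, evaluates the Scenario 1 and Scenario 2 rules, and contrasts the result with a per-platform evaluation that misses the cross-platform hit.

```python
"""Cross-platform SoD evaluation: a rule is a pair of business activities and
each activity is a set of (platform, function) privileges, so one activity can
span Oracle EBS and Oracle ERP Cloud. Added example, not SafePaaS code; all
accounts, functions, rule IDs and the identity mapping are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed access snapshots: (account, function), as an SoD tool's ETL step
# would extract them from each platform's security tables.
EBS_ACCESS = [
    ("JSMITH", "Enter Journals"),
    ("JSMITH", "Journal Sources"),
    ("MLEE", "Enter Purchase Orders"),
    ("MLEE", "Enter Goods Receipts"),
    ("RPATEL", "Enter Purchase Orders"),
    ("SVC_INTERFACE", "Enter Suppliers"),  # interface account with no owner mapped
]
CLOUD_ACCESS = [
    ("raj.patel@example.com", "Enter Suppliers"),
    ("raj.patel@example.com", "Enter Requisitions"),
    ("maria.lee@example.com", "Enter Requisitions"),
]
# Identity correlation (platform, account) -> person ID. In practice this comes
# from HR or the identity provider; here it is constructed by hand.
IDENTITY = {
    ("EBS", "JSMITH"): "E1001",
    ("EBS", "MLEE"): "E1002",
    ("EBS", "RPATEL"): "E1003",
    ("CLOUD", "maria.lee@example.com"): "E1002",
    ("CLOUD", "raj.patel@example.com"): "E1003",
}

@dataclass(frozen=True)
class Activity:
    name: str
    functions: frozenset  # of (platform, function)

@dataclass(frozen=True)
class Rule:
    rule_id: str
    left: Activity
    right: Activity

def activity(name, *functions):
    return Activity(name, frozenset(functions))

# Rules taken from the deck's two scenarios; the rule IDs are constructed.
SUPPLIERS = activity("Enter Suppliers", ("EBS", "Enter Suppliers"), ("CLOUD", "Enter Suppliers"))
RULES = [
    Rule("GL-01", activity("Enter Journals", ("EBS", "Enter Journals")),
         activity("Maintain Journal Sources", ("EBS", "Journal Sources"))),
    Rule("P2P-01", activity("Enter POs", ("EBS", "Enter Purchase Orders")),
         activity("Enter Goods Receipts", ("EBS", "Enter Goods Receipts"))),
    # SUPPLIERS holds a function from each platform, so this one rule covers the
    # EBS-only conflict and the cross-platform Enter PO's (EBS) vs Enter Suppliers (Cloud).
    Rule("P2P-02", SUPPLIERS, activity("Enter POs", ("EBS", "Enter Purchase Orders"))),
    Rule("P2P-03", SUPPLIERS, activity("Enter Requisitions", ("CLOUD", "Enter Requisitions"))),
]

def privileges_by_person(access_by_platform, identity):
    """Merge per-platform snapshots into person -> {(platform, function)}.
    Accounts with no identity mapping are returned separately: they must be
    resolved, not silently dropped, or a shared/service account hides a conflict."""
    privileges = defaultdict(set)
    unmapped = set()
    for platform, rows in access_by_platform.items():
        for account, function in rows:
            person = identity.get((platform, account))
            if person is None:
                unmapped.add((platform, account))
            else:
                privileges[person].add((platform, function))
    return dict(privileges), sorted(unmapped)

def evaluate(rules, privileges):
    """One violation per (person, rule) where the person holds at least one
    function from each side of the rule, with the evidence and a cross-platform flag."""
    violations = []
    for person, functions in sorted(privileges.items()):
        for rule in rules:
            left_hits = rule.left.functions & functions
            right_hits = rule.right.functions & functions
            if left_hits and right_hits:
                evidence = sorted(left_hits | right_hits)
                violations.append({"person": person, "rule": rule.rule_id, "evidence": evidence,
                                   "cross_platform": len({p for p, _ in evidence}) > 1})
    return violations

def evaluate_siloed(rules, privileges):
    """What a per-platform analysis sees: same rules, but each platform's
    privileges evaluated in isolation, so cross-platform conflicts vanish."""
    violations = []
    for person, functions in privileges.items():
        for platform in sorted({p for p, _ in functions}):
            violations.extend(evaluate(rules, {person: {(p, f) for p, f in functions if p == platform}}))
    return violations

if __name__ == "__main__":
    privs, unmapped = privileges_by_person({"EBS": EBS_ACCESS, "CLOUD": CLOUD_ACCESS}, IDENTITY)
    for v in evaluate(RULES, privs):
        print(v["person"], v["rule"], "CROSS-PLATFORM" if v["cross_platform"] else "", v["evidence"])
    print("unmapped accounts:", unmapped)
```

Run as-is, the E1003 line is the cross-platform conflict (EBS purchase orders plus Cloud suppliers); evaluate_siloed never reports it, which is the gap the deck's cross-platform slide describes. The unmapped list is the part most easily skipped in practice: an interface or shared account that cannot be tied to a person is not a false positive, it is an unresolved privilege holder.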
SOD Analysis: Validate Access Risks and Verify Security Model
Use Dashboards and Report Filters to analyze risks
Identify SoD Rule violations and analyze issues using the Violation Score Card. Drill down into Responsibility and User Violations by OU and Module.
SOD Analysis: Violations by User and Responsibility (screenshot)
Callouts: Responsibility with SOD Conflict; User with SOD Conflict; Access to Supplier Form; Access to Invoice Approval Page
SOD Analysis: Responsibility Configuration (screenshot)
SOD Analytics: Download in Excel for further review
What Are False Positives? Users and Responsibilities (Inherent False+)
Inactive Users
Expired Users
Terminated Employees still active in EBS
End-Dated Users
End-Dated Responsibility Assignments
Menus without Prompts
What Are False Positives? Oracle Menus (Inherent False+)
Without the Grant Flag, the user cannot access the sub-menu or function.
A menu entry without a prompt prevents the user from seeing and navigating to it.
A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility, which are granted.
What Are False Positives? Oracle Functions (Inherent False+)
If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.
What Are False Positives? Oracle Form Personalization (Inherent False+)
The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing built-ins, displaying messages, and adding menu entries.
What Are False Positives? Oracle Profile Options (Inherent False+)
A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.
Global False Positives: False+ Checklist
Filter False+: Form Extensions; Table Audit; Conditional Function Access; Data Access; Function Access; Read-Only Access; Function Limits
Filter False+: Menu Access; Menu / Sub-Menu / Grants / Prompts; Data/Function Access; Disabled Oracle Responsibility Access; Enabled Oracle Responsibility Access; Read-Only RBAC Access; RBAC (Role Based Access Control)
Filter False+: Function Limits; Ledger Data Access; Custom Forms/Pages; Ledger Set Access; Multi-Org Access; IT Support Access; Menu Grant Flag
Filter False+: User Access to Sub-Menu; Inactive Users; Privileged User (Interface, etc.); User Responsibility Access Inactive; User Responsibility Access Active; User Access Enabled; Form Customization
Filter False+: Data Access Group (Shared Services); GL Access Limit; Operating Unit Access; Oracle Security Profile
Approach: System Filters / False+ Filters (diagram)
Filter dimensions shown: Data Security, Read-Only, Custom, INV, User, OU, Form, Profile, Role
Filters | Type | Conditions | Results Excluded
Inactive User | Global | End-Date | Users
Inactive Role | Global | End-Date | Roles
Business Unit | Global | Org Name | Organization
View Only | Local | Function Path | Functions
Data Security | Local | Data Group | Groups
Personalization | Local | Form/Page | Forms
Approach: Remove Inherent False Positives
Use Global Conditions to filter "inherent" False Positives like:
Inactive Users
Inactive Responsibilities
Read-only Access
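The filters above (inactive users and responsibilities, end-dated assignments, the menu grant flag, menu entries without prompts, QUERY_ONLY functions) are all decidable from the EBS security tables alone. The following Python is an added example, not SafePaaS code or code from the deck; it uses constructed stand-ins for the FND_* tables with simplified columns and made-up user, responsibility, menu and function names. It walks each responsibility's menu tree down to the functions and returns both the naive list (every function under the user's responsibilities) and the list that survives the filters, so the difference is exactly the false positives removed.

```python
"""Effective EBS function access per user after the 'inherent false positive'
filters. Added example, not SafePaaS code: the tables are constructed stand-ins
for FND_USER, FND_USER_RESP_GROUPS, FND_RESPONSIBILITY, FND_MENU_ENTRIES and
FND_FORM_FUNCTIONS with simplified columns and made-up names."""
from datetime import date

TODAY = date(2017, 3, 1)  # assumed snapshot date

# user -> (start_date, end_date)
USERS = {
    "JSMITH": (date(2015, 1, 1), None),
    "TJONES": (date(2014, 1, 1), date(2016, 12, 31)),  # terminated, still in FND_USER
}
# (user, responsibility, assignment end_date)
USER_RESPS = [
    ("JSMITH", "GL_SUPER", None),
    ("JSMITH", "AP_INQUIRY", None),
    ("JSMITH", "PO_BUYER", date(2016, 6, 30)),  # end-dated assignment
    ("TJONES", "GL_SUPER", None),
]
# responsibility -> (root menu, responsibility end_date)
RESPS = {
    "GL_SUPER": ("GL_SUPER_MENU", None),
    "AP_INQUIRY": ("AP_INQ_MENU", None),
    "PO_BUYER": ("PO_MENU", None),
}
# (menu, prompt, grant_flag, sub_menu, function_id)
MENU_ENTRIES = [
    ("GL_SUPER_MENU", "Journals", "Y", "GL_JE_MENU", None),
    ("GL_SUPER_MENU", None, "Y", "GL_SETUP_MENU", None),  # no prompt: hidden in navigator
    ("GL_JE_MENU", "Enter", "Y", None, "F_GL_ENTER_JE"),
    ("GL_JE_MENU", "Post", "Y", None, "F_GL_POST_JE"),
    ("GL_SETUP_MENU", "Sources", "Y", None, "F_GL_JE_SOURCES"),
    ("AP_INQ_MENU", "Invoices", "Y", None, "F_AP_INVOICES_Q"),
    ("AP_INQ_MENU", "Suppliers", "N", None, "F_AP_SUPPLIERS"),  # grant flag off
    ("PO_MENU", "Purchase Orders", "Y", None, "F_PO_ENTER_PO"),
]
# function_id -> (user function name, parameters)
FUNCTIONS = {
    "F_GL_ENTER_JE": ("Enter Journals", ""),
    "F_GL_POST_JE": ("Post Journals", ""),
    "F_GL_JE_SOURCES": ("Journal Sources", ""),
    "F_AP_INVOICES_Q": ("Invoices", "QUERY_ONLY=YES"),
    "F_AP_SUPPLIERS": ("Suppliers", ""),
    "F_PO_ENTER_PO": ("Purchase Orders", ""),
}

def is_active(start, end, today):
    return (start is None or start <= today) and (end is None or end >= today)

def is_query_only(function_id):
    """QUERY_ONLY=YES among the function parameters opens the form read-only."""
    for token in FUNCTIONS[function_id][1].split():
        key, _, value = token.partition("=")
        if key.strip().upper() == "QUERY_ONLY" and value.strip().upper() == "YES":
            return True
    return False

def walk_menu(menu_id, navigable=True, granted=True, visited=frozenset()):
    """Yield (function_id, navigable, granted) for every function under menu_id:
    navigable is False once an entry on the path has no prompt, granted is False
    once an entry on the path has grant_flag != 'Y'."""
    if menu_id in visited:  # guard against a cyclic menu definition
        return
    visited = visited | {menu_id}
    for menu, prompt, grant_flag, sub_menu, function_id in MENU_ENTRIES:
        if menu != menu_id:
            continue
        nav, grant = navigable and bool(prompt), granted and grant_flag == "Y"
        if sub_menu is not None:
            yield from walk_menu(sub_menu, nav, grant, visited)
        elif function_id is not None:
            yield function_id, nav, grant

def user_functions(user, today=TODAY, require_prompt=True, drop_query_only=True):
    """Return (naive, effective): every function name under the user's assigned
    responsibilities, versus what survives the filters. A prompt-less entry is still
    granted in EBS (only hidden from the navigator), so a cautious run passes
    require_prompt=False."""
    naive, effective = set(), set()
    user_start, user_end = USERS[user]
    for assignee, resp, assign_end in USER_RESPS:
        if assignee != user:
            continue
        root_menu, resp_end = RESPS[resp]
        for function_id, navigable, granted in walk_menu(root_menu):
            name = FUNCTIONS[function_id][0]
            naive.add(name)
            if not (is_active(user_start, user_end, today)  # inactive / terminated user
                    and is_active(None, assign_end, today)  # end-dated assignment
                    and is_active(None, resp_end, today)):  # end-dated responsibility
                continue
            if not granted or (require_prompt and not navigable):
                continue
            if drop_query_only and is_query_only(function_id):
                continue
            effective.add(name)
    return naive, effective
```

For JSMITH the naive view reports Enter Journals together with Journal Sources, the first SoD conflict from Scenario 1; with the prompt filter on, Journal Sources drops out because its setup sub-menu has no prompt, and the read-only Invoices function, the un-granted Suppliers entry and the end-dated PO_BUYER assignment drop with it. Because a prompt-less entry is still granted, treat that particular filter as a judgement call and re-run with require_prompt=False before signing the conflict off as a false positive.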
Case Study: Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across multiple ERP instances
Our Client: Fortune 500 company; manufactures and distributes coatings, specialty materials, and glass products. Business runs on multiple Oracle EBS and SAP systems. Over 40,000 employees world-wide.
Challenges:
Replace multiple legacy systems with one ERP solution
Improve Segregation of Duty controls within mission-critical applications
Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
Increase external auditors' reliance on ERP Access Controls Monitoring
Solutions: SafePaaS Access Policy Manager; SafePaaS iAccess User Provisioning
Results:
Reduced ERP SOD remediation time by identifying and eliminating 80% false positives, resulting in over $50,000 annual cost savings in audit and remediation costs
Created over 100 Segregation of Duty compliant roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog
Lowered ERP total cost of ownership by reducing SoD remediation time and costs, ensuring that all users are assigned only the pre-approved roles
Improved SoD and access controls testing time by providing auditors the access log reports showing all Update, Review and Approve role design changes
Accelerated ERP access approval time by identifying valid SOD conflicts before the roles are assigned to users
Q & A
Sign up for a FREE 30-day evaluation: register online to try out SafePaaS