insync2011
Transcript of JDE & Peoplesoft 2 _ Mike Ward _ Security implications of Upgrading JDE.pdf
• The most comprehensive Oracle applications & technology content under one roof
Security Implications when Upgrading JD Edwards
Mike Ward, Managing Director
Have pity on the homeland.....
Agenda
Q Software credentials
Security considerations when upgrading JD Edwards E1
Security issues in JD Edwards E1
Planning for security as part of the upgrade
How effective security can help to pay for the upgrade project
The Oracle Security & Compliance People
270+ Customers
Why Upgrade?
• Migrating from World to E1?
• Moving from blue stack to red stack?
• Support considerations?
• Moving to newer standards-based IT?
• Moving to a higher-performance h/w & s/w platform?
• Consolidating instances of JDE?
• New functionality?
Issues with Instance Consolidation?
Instance refers to the unique set of JD Edwards EnterpriseOne data, which includes transactional data, control tables and system data.
WARNING SIGNS
• Increased maintenance cost
• Multiple data centers
• Multiple ERP versions
• Improper controls
• Highly customised environment
• Duplicate architecture
• Disparate processes
Upgrade considerations – Functional Changes
New Functionality: 1,000+ enhancements & improvements; industry modules; custom programs
Business Processes: maximise staff effectiveness; affects roles / responsibilities
Alignment of Controls
Risks: fraud & IP theft; share price; loss of business; inability to do job
Security & Upgrades
Scope Creep
• Ex-employees still have access
• Changes to business processes
• Organisational & process changes
• Upgrades.........
[Chart: Risk against Time, stepping up as Task 1, Task 2, Task 3 and Task 4 are added]
Fraud will never happen to You
• 75% of fraud is due to ineffective internal controls, split between
– Lack of controls 38%
– Overriding controls 19%
– Lack of management review 18%
• 80% of businesses modify controls after fraud
Source: Association of Certified Fraud Examiners
It doesn't happen here.......
South Africa: 62% companies suffered fraud; 59% experienced bribery & corruption. Source: PwC 2009 crime survey
Australia: 40% suffered economic crime. Source: PwC 2009 crime survey
Canada: 55% companies suffered fraud – 83% asset misappropriation most common – 38% detected by chance or by tip-off. Source: PwC 2009 crime survey
UK: almost 50% admit to suffering fraud; almost 75% of larger companies (5,000+ employees) – 33% of these suffered 100 incidents. Source: PwC 2009 fraud survey
Germany: 61% large businesses suffered crime – average 8 incidents per business – average cost of crime 4.2 million Euros. Source: PwC 2009 fraud survey
USA: 35% companies suffered “significant economic crime” – most likely cause is pressure due to economy – increased opportunity is primary driver. Source: PwC 2009 crime survey
New Zealand: 42% suffered economic crime – average cost $491,000 – increasingly by middle / senior management. Source: PwC 2009 crime survey
Segregation of Duties (SoD)
Jones & Jones Inc. – A Manager:
• Sets up MB Inc. as a supplier
• Accepts purchase invoices from MB Inc.
• Approves invoices
• Processes for payment
• Transfers the funds
• Runs off with $1m
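The Jones & Jones scenario is a chain of functions that no single person should be able to perform end to end. The following is an added example (not code from the presentation or from Q Software) of how an SoD check over a user-to-role-to-function model finds such chains. The role names, function names, users and the conflict ruleset are all constructed for illustration; the important design point is that conflicts are evaluated on the union of a user's roles, because two roles that are each clean can together violate a rule.

```python
"""Segregation-of-duties (SoD) conflict detection over a user -> role -> function model.

Constructed example data: the roles, function names, users and rules below are
invented for illustration and are not taken from any real JD Edwards configuration.
"""
from itertools import combinations

# Which business functions each role grants (constructed).
ROLE_FUNCTIONS = {
    "AP_SUPPLIER_MAINT": {"supplier.create"},
    "AP_INVOICE_ENTRY": {"invoice.enter"},
    "AP_INVOICE_APPROVE": {"invoice.approve"},
    "AP_PAYMENT_RUN": {"payment.process"},
    "TREASURY_TRANSFER": {"funds.transfer"},
}

# Pairs of functions one person must not hold together (constructed ruleset that
# mirrors the Jones & Jones chain: set up supplier, enter/approve invoice, pay, transfer).
SOD_RULES = {
    frozenset({"supplier.create", "invoice.enter"}),
    frozenset({"supplier.create", "payment.process"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.process"}),
    frozenset({"payment.process", "funds.transfer"}),
}

# Current role assignments (constructed). "a.manager" is the slide's manager.
USER_ROLES = {
    "a.manager": {"AP_SUPPLIER_MAINT", "AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE",
                  "AP_PAYMENT_RUN", "TREASURY_TRANSFER"},
    "ap.clerk": {"AP_INVOICE_ENTRY"},
    "ap.supervisor": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"},
}


def functions_by_role(roles):
    """Map each function to the sorted list of roles (from `roles`) that grant it."""
    granted = {}
    for role in sorted(roles):
        for func in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(func, []).append(role)
    return granted


def conflicts_for_roles(roles):
    """Return conflicts as (func_a, func_b, roles_a, roles_b) with func_a < func_b.

    The check runs on the union of all roles, so a pair of individually clean roles
    that together breach a rule is still reported, with the roles that caused it.
    """
    granted = functions_by_role(roles)
    found = []
    for func_a, func_b in combinations(sorted(granted), 2):
        if frozenset({func_a, func_b}) in SOD_RULES:
            found.append((func_a, func_b, tuple(granted[func_a]), tuple(granted[func_b])))
    return found


def find_conflicts(user):
    """Detective control: SoD conflicts in a user's current role assignment."""
    return conflicts_for_roles(USER_ROLES.get(user, set()))


def new_conflicts_if_granted(user, role):
    """Preventive control: the conflicts that adding `role` would introduce for `user`."""
    before = set(find_conflicts(user))
    after = set(conflicts_for_roles(USER_ROLES.get(user, set()) | {role}))
    return sorted(after - before)


def sod_report():
    """Conflicts per user; users with none appear with an empty list."""
    return {user: find_conflicts(user) for user in sorted(USER_ROLES)}


if __name__ == "__main__":
    for user, issues in sod_report().items():
        print(f"{user}: {len(issues)} SoD conflict(s)")
        for func_a, func_b, roles_a, roles_b in issues:
            print(f"  {func_a} (via {', '.join(roles_a)}) x {func_b} (via {', '.join(roles_b)})")
    print("Granting AP_PAYMENT_RUN to ap.supervisor would add:",
          new_conflicts_if_granted("ap.supervisor", "AP_PAYMENT_RUN"))
```

`find_conflicts` is the detective side (an audit of what users hold today); `new_conflicts_if_granted` is the preventive side, the check to run before a role request is approved so that conflicts are refused rather than discovered at the next audit.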
• VP in Finance Department
• July – December 2010
• Stole $19m
“Defendant bought a Maserati, 6 properties, and a $½m entertainment system”
“Excessive Access Rights”
Deloitte – Auditor Survey
• 3 most common frauds
– Misappropriation of assets – 31%
– Improper expenditures – 22%
– Procurement fraud – 16%
• 63% companies say vulnerability has increased
• 83% UK companies had suffered fraud
Issues in JD Edwards E1
§ All Doors Open v All Doors Closed
• Menu Security is no Security
• No Segregation of Duties
• Access to critical programs
• 30+ security types, 300 options
• 35,000 objects
• Complexity of maintenance – forms, versions
• Multiple roles / Sequence Manager
• Unexpected security authorities
• Changes lead to unexpected results
• Application access is very complex
– Task Views
– FineCut
– FastPath
– Hidden & Associated Applications
Auditors Recommend Roles Based Access Control
• Native in 8.10 upwards
• Essential to retain this functionality
• Why .....
§ Simplified systems administration
§ Enhanced security & integrity
§ Simplified regulatory compliance
§ Enhanced organisational productivity
Security Planning
• Upgrading is a good time to review security
– Has it kept pace with organisational changes?
– Are you suffering from “security creep”?
– Who can access critical programs?
– What is your security policy?
• All Doors Closed
– Grant back access
– Roles Based Access Control: “Only way to ensure a fully auditable system”
– But need to build a maintainable model: “Sustainable Compliance”
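"Menu security is no security" and "All Doors Closed, grant back access" describe two different authorisation models. The added example below (not code from the presentation or from Q Software, and not a real JD Edwards security table) contrasts them: a menu-only policy where the only control is what a role's menu shows, so a launch that reaches a program directly by its id is never checked, against a default-deny policy where every launch is resolved through explicit role grants regardless of route. Program ids, roles, users and grants are constructed placeholders.

```python
"""Default-deny ("All Doors Closed") application security with role-based grant-back,
side by side with the menu-only ("All Doors Open") model it replaces.

Constructed example: program ids, roles, users and grants are invented placeholders,
not a real JD Edwards configuration.
"""

# Programs a user might launch (constructed ids).
PROGRAMS = {"P_VOUCHER_ENTRY", "P_PAYMENT_RUN", "P_SUPPLIER_MASTER", "P_GL_INQUIRY"}

# Menu definitions: what each role sees on its menu (constructed). Note the clerk
# menu lists P_SUPPLIER_MASTER although no grant for it exists below: menu drift.
MENU_ITEMS = {
    "AP_CLERK": {"P_VOUCHER_ENTRY", "P_GL_INQUIRY", "P_SUPPLIER_MASTER"},
    "AP_MANAGER": {"P_VOUCHER_ENTRY", "P_PAYMENT_RUN", "P_SUPPLIER_MASTER", "P_GL_INQUIRY"},
}

# "Grant back" table: explicit (role, program) -> allowed actions. Anything absent is denied.
ROLE_GRANTS = {
    ("AP_CLERK", "P_VOUCHER_ENTRY"): {"run", "add", "change"},
    ("AP_CLERK", "P_GL_INQUIRY"): {"run"},
    ("AP_MANAGER", "P_VOUCHER_ENTRY"): {"run", "add", "change", "delete"},
    ("AP_MANAGER", "P_PAYMENT_RUN"): {"run"},
    ("AP_MANAGER", "P_SUPPLIER_MASTER"): {"run", "add", "change"},
    ("AP_MANAGER", "P_GL_INQUIRY"): {"run"},
}

USER_ROLES = {"clerk1": {"AP_CLERK"}, "mgr1": {"AP_MANAGER"}, "contractor": set()}


def visible_programs(user):
    """Union of the menus of all the user's roles."""
    return set().union(*(MENU_ITEMS.get(r, set()) for r in USER_ROLES.get(user, set())))


def menu_only_decision(user, program, via_menu):
    """'All doors open' pitfall: the only control is menu visibility.

    A launch from a menu entry is allowed if the entry is visible; a launch that
    reaches the program directly by id (via_menu=False) bypasses the menu and is
    not checked at all, so hiding an entry does not restrict anything.
    """
    if not via_menu:
        return True
    return program in visible_programs(user)


def all_doors_closed_decision(user, program, action="run"):
    """Default deny: allowed only if some role of the user carries an explicit
    grant for this program and action, whatever route the request arrived by."""
    if program not in PROGRAMS:
        return False
    return any(action in ROLE_GRANTS.get((role, program), set())
               for role in USER_ROLES.get(user, set()))


def effective_access(user):
    """Resolved (program, action) set for a user: the view an auditor asks for."""
    roles = USER_ROLES.get(user, set())
    return {(prog, act) for (role, prog), acts in ROLE_GRANTS.items()
            if role in roles for act in acts}


def menu_vs_grant_gaps(user):
    """Programs visible on a menu without a grant, and grants with no menu entry.

    Either kind of gap means the menu and the security model have drifted apart
    and someone will be surprised; the first kind is harmless under default deny
    but is an open door under the menu-only model.
    """
    visible = visible_programs(user)
    granted = {prog for prog, _ in effective_access(user)}
    return {"visible_not_granted": sorted(visible - granted),
            "granted_not_visible": sorted(granted - visible)}


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "P_PAYMENT_RUN direct launch:",
              "menu-only ->", menu_only_decision(user, "P_PAYMENT_RUN", via_menu=False),
              "| all doors closed ->", all_doors_closed_decision(user, "P_PAYMENT_RUN"))
        print("   gaps:", menu_vs_grant_gaps(user))
```

The two decision functions take the same inputs, which makes the difference concrete: under `menu_only_decision` a clerk reaching the payment run directly is allowed because nothing checks it, while `all_doors_closed_decision` refuses anyone who has not been granted the program back through a role. `effective_access` is the resolved view that makes the model auditable, and `menu_vs_grant_gaps` is the kind of reconciliation worth running after an upgrade that rebuilds menus.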
Security Planning
• Security must not be an afterthought
– It should be planned in
– Should match business processes
• Effective SoD policy is a must
– Prevent fraud
– Auditor requirement
– Adds value
Upgrading: Security plan checklist
• Information Gathering
• Audit Security
• Added Value
• Evaluate Tools
• Take Advice
• Risk Management Plan
• Integrate Security
The Dangers and Costs: The Alinean ROI Report
Typical Threats | Avg. Risk of Breaches per Year (per 1,000 users) | Avg. IT Staff Hours per Breach | Avg. Business & Collateral Damage per Breach
Virus / Worms / Trojans | 2 | 4 hours per infected asset | $24,000
Denial of Service | 2 serious incidents | 32 hours per system | $122,000
Data Destruction / Damage | 1 | 120 hours | $350,000
Physical Theft Disclosure | 25% employees leave with assets | 2 hours | $5,000
Information Theft and Disclosure | 1 | 180 hours | $250,000
Policy Violation | 30 | 2 hours | $20,000
Errant User Behaviour | 15 | 2 hours | $20,000
Impact Analysis (Cost of Inaction)
PROBLEM: Poor SoD Control
POSSIBLE IMPACT: Fail audit. Cost of compensating controls? Cost of remedial action? Cost of fraud? Cost of errors?
PROBLEM: Failed audit
POSSIBLE IMPACT: Incremental cost of audit trying to get necessary data? Impact on business of failed audit, i.e. share price, lost orders? Cost of compensating controls? Cost of remedial action? Cost of fraud? Potential each quarter from shareholder litigation? Potential regulatory fines?
PROBLEM: Security / SOX deadline
POSSIBLE IMPACT: Impact of missing deadline. Impact on other projects if SOX late. Cost of overtime / additional internal resources to achieve deadline? Cost of external resources to help achieve deadline?
PROBLEM: Unauthorised Access / Ineffective Security
POSSIBLE IMPACT: Cost of security incidents? (CSI 2009 survey states average per-incident cost exceeds $230k.) Incremental audit costs tracking posting / reconciliation errors (Ciber states that the best way to reduce reconciliation errors is to implement better security).
Return On Security Investment (ROSI)
• Return On Investment (ROI)
– Money earned or saved v money invested
– Quantitative
• Return On Security Investment (ROSI)
– Includes risk reduction
– Includes qualitative
– Insurance
• Auditors place value in accounts for risk
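The slides give the ingredients of a ROSI case (the Alinean threat table and the idea of risk reduction) but no arithmetic. The following added example (not from the presentation or from Q Software) turns the numeric rows of the Alinean table into an annual loss expectancy (ALE) for a given user base and computes ROSI with the commonly used ALE-based formula, ROSI = (ALE × mitigation ratio − control cost) / control cost. The table's Physical Theft row is omitted because its breach rate is a percentage of employees, not a count. The user count, hourly staff rate, mitigation ratio and control cost are constructed assumptions to be replaced with an organisation's own figures.

```python
"""Annual loss expectancy (ALE) and return on security investment (ROSI).

Threat rows are the numeric rows from the Alinean table reproduced on the slide.
The user count, hourly staff rate, mitigation ratio and control cost used in the
demo are constructed assumptions, not figures from the deck.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    breaches_per_year_per_1000_users: float
    it_hours_per_breach: float
    damage_per_breach: float  # avg. business & collateral damage per breach, USD


# Numeric rows of the Alinean table as shown on the slide.
ALINEAN_ROWS = [
    Threat("Virus / Worms / Trojans", 2, 4, 24_000),
    Threat("Denial of Service", 2, 32, 122_000),
    Threat("Data Destruction / Damage", 1, 120, 350_000),
    Threat("Information Theft and Disclosure", 1, 180, 250_000),
    Threat("Policy Violation", 30, 2, 20_000),
    Threat("Errant User Behaviour", 15, 2, 20_000),
]


def single_loss_expectancy(threat, hourly_rate):
    """Cost of one breach: IT staff hours at the assumed rate plus collateral damage."""
    return threat.it_hours_per_breach * hourly_rate + threat.damage_per_breach


def annual_rate(threat, users):
    """Expected breaches per year, scaling the per-1,000-user figure to the user base."""
    return threat.breaches_per_year_per_1000_users * users / 1000


def annual_loss_expectancy(threat, users, hourly_rate):
    """ALE for one threat = expected breaches per year x cost per breach."""
    return annual_rate(threat, users) * single_loss_expectancy(threat, hourly_rate)


def total_ale(users, hourly_rate, rows=ALINEAN_ROWS):
    """ALE summed over all threat rows: the annual exposure a control can reduce."""
    return sum(annual_loss_expectancy(t, users, hourly_rate) for t in rows)


def rank_threats(users, hourly_rate, rows=ALINEAN_ROWS):
    """Threat names ordered by ALE, largest first: where a control buys the most."""
    return [t.name for t in sorted(
        rows, key=lambda t: annual_loss_expectancy(t, users, hourly_rate), reverse=True)]


def rosi(ale, mitigation_ratio, control_cost):
    """ROSI = (ALE * mitigation ratio - control cost) / control cost.

    mitigation_ratio is the fraction of the ALE the control is expected to remove
    (an estimate, the qualitative part the slide mentions). A result above 0 means
    the expected loss avoided exceeds what the control costs per year.
    """
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    if not 0 <= mitigation_ratio <= 1:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    return (ale * mitigation_ratio - control_cost) / control_cost


if __name__ == "__main__":
    # Constructed assumptions for the demo run.
    users, hourly_rate = 1000, 100
    exposure = total_ale(users, hourly_rate)
    print(f"ALE for {users} users at ${hourly_rate}/h: ${exposure:,.0f}")
    print("Largest contributors:", rank_threats(users, hourly_rate)[:3])
    print(f"ROSI for a $400,000/yr control removing 50% of the ALE: "
          f"{rosi(exposure, 0.5, 400_000):.2f}")
```

`rank_threats` is the part worth showing a steering group: with the slide's figures, the high-frequency low-cost rows (policy violations, errant user behaviour) dominate the ALE, which is the case for access controls and SoD rather than only for perimeter spending.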
Adding Value to the Upgrade
• Establish value in strong security
• Maybe use RoSI?
• Build in SoD & compliance reporting
• Cost of inaction?
• Audit to reduce risk
Summary
• Functional upgrades will impact business processes
– Upgrading requires security restructure
• Technical upgrades may enable security standardisation
• JDE security has pitfalls for the unwary
• Ineffective security can prove costly
– Fraud is on the increase
– More regulations to comply with
– High non-compliance costs
• Effective security can assist in paying for upgrade
– Reduce opportunity for fraud
– Reduce non-compliance costs
Q Product Family
Quick Fix: Accelerator
Security Build & Maintain: E1Config
Audit: E1SoD
Compliance Reporting: erpAudit
Q – Secure & Comply
• ADC in a few days
• 80% saving in security management
• Integrated SoD
• Extensive access reporting
• Multiple roles retained & improved
• Audit Security – tool to convince management
• Upgrade tools
Cameron has it all under control
Questions?