Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities

Source: dc.communities.oaug.org/multisites/dc/media/Documents/... (31-page slide deck)

Transcript of the slide deck

Page 1 · Oracle Open World – Annual GRC Dinner on September 23rd, 2014

Leverage Technology: Move Your Business Forward™

Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright © Fulcrum Information Technology, Inc.

"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" – Archimedes

Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities

Adil Khan

Managing Director

Page 2

www.fulcrumway.com Page 2 Copyright © FulcrumWay

Agenda: Implement Effective Access Controls within your Oracle ERP System

•  Introductions
•  Top SOD Challenges in EBS R12
•  Overview of SOD Controls Assessment
•  Roles Design Techniques
•  Case Study
•  Q&A


Page 4

A Leader in Risk Based Controls Management™ (FulcrumWay)

•  FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
•  Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
•  Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
•  Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
•  USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco
•  International Presence: Auckland, Chennai, Johannesburg, London, Mexico City

Page 5

FulcrumWay Clients: Successful Track Record

Industries served (client logo slide): Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences

Page 6

FulcrumWay™ Insight: Thought Leadership (Proven Expertise)

•  Co-Authored GRC Book: first book on GRC for Oracle Applications
•  Executive Round Tables – GRC Solutions for the Energy Industry, Houston, November 2012
•  OAUG GRC Solution Lab – April 7th–11th, Denver: GRC Case Studies and Best Practices
•  IIA Presentations – Top Five Reasons for Automating Application Controls
•  Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
•  Webcasts – GRC Best Practices, Trends and Expert Insight
•  Oracle Open World – Annual GRC Dinner, September 23rd, 2014, W Hotel San Francisco
•  LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
•  YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less

Proven Expertise

Page 7

Enforce Segregation of Duty Controls and Security Policies (Top Challenges)

•  We cannot use Oracle "seeded" Responsibilities because of inherent SOD conflicts. For example, GL Super User can Enter Journals, Post Journals, Change Approval Limits, Update GL Accounts and Change the Calendar. Our R12 patches created even more SOD issues.
•  Which SOD Policies will mitigate the risk in our Oracle Responsibility design?
•  How do we ensure that the activities of users granted "super user" Responsibilities have effective compensating controls?
•  Why do we have so many false positives, and how do we remove them from our analysis?
•  What is an effective approach to design and test the Oracle security model before deployment?
•  When will we be able to close all SOD incidents?

Page 8

Complicated Security Model: High Risk of Segregation of Duties Issues (Top Challenges)

Access hierarchy (diagram): User → Responsibility → Menu → Function → Form

Evaluate User Access
•  Test by User
•  Test by Privilege

Manage Segregation of Duties
•  Identify incompatible Privileges
•  Predefined & Extensible SOD Rule Sets

Page 9

Key Factors Impacting SOD Violations (Top Challenges)

•  EBS release and the business cycles enabled by Oracle modules: Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.
   –  An average R12 customer has over 35,000 functions and 12,500 menus
•  Number and complexity of SOD Policies
   –  Range from 25 to 250
•  Number of Business Units and variation in Responsibilities across the business
•  Security Model – RBAC, Single Sign-On, OIM, etc.
•  Number of Users and Responsibilities

Page 10

Remediation in Oracle EBS is a Permutation Problem (Top Challenges)

Diagram: the 'Invoice Batches' function is reached through the shared AP_Invoices_Entry submenu from several menus and responsibilities.

•  User: John Doe → Responsibility: Payables Manager, US → Menu: AP_Navigate_GUI12 → Submenu: AP_Invoices_Entry → Function: Invoice Batches
•  User: Mike Jones (Payables Users) → Responsibilities: Payables Supervisor, Payables User → Menus: UK_AP_Navigate_GUI12, AX_Payables_User → Submenus: AP_Invoices_Entry, AP_Invoices_GUI12_G
•  Responsibilities that share the AP_Invoices_Entry submenu: Payables Supervisor; Payables Manager, US; Payables User

What if we exclude 'Invoice Batches' from AP_Invoices_Entry? Because the submenu is shared, a change to it reaches every responsibility (and every user) whose menu includes it, not only the one with the violation.

Root Cause Analysis is required for remediation!
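The hierarchy on this slide (User → Responsibility → Menu → Submenu → Function) and the "what if we exclude it from the submenu" question can be worked through in code. The following is an added example, not code from the FulcrumWay deck or its products. It models a small EBS-style menu tree constructed to mirror the diagram, resolves each user's effective functions with responsibility-level exclusions applied (both function and whole-menu exclusions, with a guard against menu cycles), reports SOD hits together with the responsibility and menu path that grant each side, and then compares the blast radius of removing 'Invoice Batches' from the shared AP_Invoices_Entry submenu against excluding it from one responsibility. The mapping of responsibilities to top menus, the extra 'Payments' and 'Invoices' functions and the single SOD rule are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed data mirroring the slide's diagram.  Menu entries are
# ("menu", submenu) or ("function", form function).  Which responsibility
# owns which top menu, and the "Payments"/"Invoices" functions, are assumptions.
MENUS = {
    "AP_Navigate_GUI12":    [("menu", "AP_Invoices_Entry"), ("function", "Payments")],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry"), ("menu", "AP_Invoices_GUI12_G")],
    "AX_Payables_User":     [("menu", "AP_Invoices_Entry")],
    "AP_Invoices_Entry":    [("function", "Invoice Batches"), ("function", "Invoices")],
    "AP_Invoices_GUI12_G":  [("function", "Invoice Inquiry")],
}

# Responsibility -> top menu plus per-responsibility exclusions (EBS lets a
# responsibility exclude individual functions or whole menus).
RESPONSIBILITIES = {
    "Payables Manager, US": {"menu": "AP_Navigate_GUI12",    "exclusions": set()},
    "Payables Supervisor":  {"menu": "UK_AP_Navigate_GUI12", "exclusions": set()},
    "Payables User":        {"menu": "AX_Payables_User",     "exclusions": set()},
}

USERS = {
    "John Doe":   ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}

# Illustrative SOD rule (assumed): whoever enters invoices must not pay them.
SOD_RULES = [("Invoice Batches", "Payments")]


def resolve_functions(menu_name, exclusions=frozenset(), menus=MENUS):
    """Walk a responsibility's menu tree; return {function: [menu path, ...]}.

    Excluded menus are pruned with their whole subtree and excluded functions
    are dropped, as EBS does with responsibility exclusions.  `on_path` guards
    against menu cycles without blocking submenus shared by several menus.
    """
    reachable = defaultdict(list)

    def walk(menu, path, on_path):
        if menu in exclusions or menu in on_path:
            return
        for kind, name in menus.get(menu, []):
            if kind == "menu":
                walk(name, path + (name,), on_path | {menu})
            elif name not in exclusions:
                reachable[name].append(path)

    walk(menu_name, (menu_name,), frozenset())
    return dict(reachable)


def user_privileges(user, responsibilities=RESPONSIBILITIES, users=USERS):
    """{function: {(responsibility, menu path), ...}} across a user's responsibilities."""
    grants = defaultdict(set)
    for resp in users[user]:
        cfg = responsibilities[resp]
        for func, paths in resolve_functions(cfg["menu"], cfg["exclusions"]).items():
            for path in paths:
                grants[func].add((resp, path))
    return dict(grants)


def find_violations(responsibilities=RESPONSIBILITIES, users=USERS, rules=SOD_RULES):
    """Test every user against the rule set.  Each hit records its root cause:
    the responsibility and menu path that grant each side of the conflict."""
    hits = []
    for user in users:
        grants = user_privileges(user, responsibilities, users)
        for left, right in rules:
            if left in grants and right in grants:
                hits.append({"user": user, "rule": (left, right),
                             "cause": {left: sorted(grants[left]),
                                       right: sorted(grants[right])}})
    return hits


def blast_radius(submenu, function, responsibilities=RESPONSIBILITIES, users=USERS):
    """Who loses `function` if it is removed from `submenu` itself?  A submenu
    is shared by many menus, so this is the permutation the slide warns about."""
    affected = defaultdict(set)
    for user in users:
        for resp, path in user_privileges(user, responsibilities, users).get(function, ()):
            if path[-1] == submenu:
                affected[user].add(resp)
    return {u: sorted(r) for u, r in affected.items()}


def with_exclusion(resp, name, responsibilities=RESPONSIBILITIES):
    """Copy of the responsibility table with `name` (function or menu) excluded
    from `resp` alone: the targeted fix that leaves other responsibilities alone."""
    copy = {r: {"menu": c["menu"], "exclusions": set(c["exclusions"])}
            for r, c in responsibilities.items()}
    copy[resp]["exclusions"].add(name)
    return copy


if __name__ == "__main__":
    for hit in find_violations():
        print("Violation:", hit)
    print("Removing 'Invoice Batches' from AP_Invoices_Entry would touch:",
          blast_radius("AP_Invoices_Entry", "Invoice Batches"))
    fixed = with_exclusion("Payables Manager, US", "Invoice Batches")
    print("After excluding it from Payables Manager, US only:", find_violations(fixed))
```

Run as a script it shows John Doe's conflict with its two granting paths, that editing the shared submenu would also strip Mike Jones (who has no conflict) through both of his responsibilities, and that a per-responsibility exclusion clears the violation without touching anyone else. Against a real instance the same walk is done over FND_RESPONSIBILITY, FND_MENU_ENTRIES and FND_RESP_FUNCTIONS, and the path list is what turns a hit into a remediation decision.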

Page 11

Agenda: Implement Effective Access Controls within your Oracle ERP System

•  Introductions
•  Top SOD Challenges in EBS R12
•  Overview of SOD Controls Assessment
•  Roles Design Techniques
•  Case Study
•  Q&A

Page 12

FulcrumWay Application Risk Assessment Best Practices (Controls Assessment)

Process diagram; steps shown:
•  Prepare Assessment Checklist
•  Establish Test Environment
•  Probe ERP Data
•  Select ERP Controls from FW Controls Catalogs
•  Detect Control Violations
•  Analyze Issues
•  Manage Exceptions
•  Confirm Findings
•  Prepare Remediation Plan
•  Present Project Plan
•  Implement ERP Advanced Controls

Swim lanes: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team

Page 13

DataProbe™ Extracts the Security, Setup and Master Data Information (Controls Assessment)

DataProbe™ is a desktop utility for the client DBA/manager to provide the data.

On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services.

Page 14

Controls Catalog with over 1,000 Advanced Controls (Controls Assessment)

Select SOD, Master Data, Setup, and Transaction Controls for the Risk Assessment.

Detect control weaknesses across the ERP system to identify business process optimization opportunities.

Page 15

ERP Test Environment Consists of ERP Configurations and Data Objects (Controls Assessment)

Selected security, setup and data objects are included in the environment.

ERP configuration such as 3-way match in Payables options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks.

Page 16

Advanced Analytics to Analyze ERP Risks (Controls Assessment)

Pre-built Risk Analytics. Risk Reports available for client review.

Risk Advisory identifies control violations and has the capability to analyze issues and remove false positives to prepare the findings report.

Page 17

Agenda: Implement Effective Access Controls within your Oracle ERP System

•  Introductions
•  Top SOD Challenges in EBS R12
•  Overview of SOD Controls Assessment
•  Roles Design Techniques
•  Case Study
•  Q&A

Page 18

FulcrumWay Roles Manager Overview (Role Design)

Eliminate the Root Cause of Access Control Violations in ERP:
•  Improve Segregation of Duty controls within mission critical applications
•  Reduce ERP implementation and upgrade costs with pre-configured roles
•  Lower ERP Total Cost of Ownership by assigning pre-approved Roles

We enable ERP Administrators to:
•  Select pre-configured ERP roles from a roles catalog
•  Update, Review and Approve Role design changes
•  Identify SOD conflicts before the Roles are assigned to Users

Page 19

FulcrumWay Roles Manager Features (Role Design)

•  Role Manager is an ERP security design tool.
•  Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.
•  Roles are organized by ERP module and by the typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
•  You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions.
•  Once you complete the role design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.
•  The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
•  Leverage FW DataProbe/Scripts to load current Roles.
•  Secure access from the fulcrumway.com portal.

Page 20

Access to Roles Manager (Role Design)

Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com.

Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection.

Page 21

Search and Browse through the catalog of Roles for Oracle EBS R12 (Role Design)

Select the Access Monitor icon, then click on the Maintain Access Roles tab.

Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start.

Page 22

Access to Roles Manager (Role Design)

Use a "source" role to create a new "target" role. View existing SOD issues with the "source" role. Assign Reviewers and Approvers for the role.

Embed SOD Controls into the Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration.

Page 23

Access to Roles Manager (Role Design)

Select/deselect business activities to update the Role configuration automatically.

Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.

Page 24

Access to Roles Manager (Role Design)

Select/deselect Request Sets to update the Role configuration automatically.

Effective SOD Controls should include access to Concurrent Requests: a user's privileges are not only the form functions reachable from the menu but also the programs and request sets in the responsibility's request group. Remember that in R12 you can open/close GL Periods by submitting a request.
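Because concurrent programs and request sets are privileges too, a role-design check that only looks at form functions misses exactly the conflict this slide describes. The following is an added example, not code from the deck or from Roles Manager. It maps a role's form functions and request-group programs back to business activities, checks a proposed role against an activity-level SOD rule set both with and without the request group, and runs the same check before a role is assigned to a user who already holds other roles (the "identify SOD conflicts before the Roles are assigned to Users" step from the Roles Manager overview). The activity catalog, the program and function names, the role contents and the rules are constructed for illustration.

```python
# Constructed catalog (assumed names): each business activity lists the EBS
# privileges that implement it, either a form function on the menu or a
# concurrent program reachable through the responsibility's request group.
ACTIVITIES = {
    "Enter Journals":        {("function", "Enter Journals")},
    "Post Journals":         {("function", "Post Journals"), ("program", "Posting")},
    "Open/Close GL Periods": {("function", "Open and Close Periods"), ("program", "Open Period")},
    "GL Inquiry":            {("function", "Account Inquiry")},
}

# Illustrative SOD rules at the business-activity level (assumed).
SOD_RULES = [
    ("Enter Journals", "Post Journals"),
    ("Enter Journals", "Open/Close GL Periods"),
]

# Proposed roles: form functions plus request-group programs (constructed).
ROLES = {
    "GL Clerk (draft)": {"functions": {"Enter Journals", "Account Inquiry"},
                         "programs": {"Open Period"}},
    "GL Clerk":         {"functions": {"Enter Journals", "Account Inquiry"},
                         "programs": set()},
    "GL Period Close":  {"functions": {"Open and Close Periods"},
                         "programs": {"Open Period"}},
}


def activities_granted(functions, programs=frozenset(), include_programs=True):
    """Map a set of privileges back to business activities.  With
    include_programs=False the request group is ignored, which is the blind
    spot of a forms-only SOD review."""
    privs = {("function", f) for f in functions}
    if include_programs:
        privs |= {("program", p) for p in programs}
    return {act for act, impl in ACTIVITIES.items() if impl & privs}


def sod_conflicts(activities, rules=SOD_RULES):
    """Rule pairs where both sides are granted, in rule-set order."""
    return [rule for rule in rules if rule[0] in activities and rule[1] in activities]


def check_role(role_name, include_programs=True, roles=ROLES):
    """Design-time check of a single role before it is assigned to anyone."""
    role = roles[role_name]
    acts = activities_granted(role["functions"], role["programs"], include_programs)
    return sod_conflicts(acts)


def check_assignment(existing_roles, new_role, roles=ROLES):
    """Pre-assignment check: conflicts that appear only because `new_role`
    is combined with what the user already holds."""
    def union(names):
        funcs, progs = set(), set()
        for n in names:
            funcs |= roles[n]["functions"]
            progs |= roles[n]["programs"]
        return activities_granted(funcs, progs)

    before = set(sod_conflicts(union(existing_roles)))
    after = sod_conflicts(union(list(existing_roles) + [new_role]))
    return [c for c in after if c not in before]


if __name__ == "__main__":
    print("Draft role, forms only:   ", check_role("GL Clerk (draft)", include_programs=False))
    print("Draft role, with requests:", check_role("GL Clerk (draft)"))
    print("Fixed role:               ", check_role("GL Clerk"))
    print("Assign GL Clerk to a period-close user:",
          check_assignment(["GL Period Close"], "GL Clerk"))
```

The draft role passes a forms-only review and fails once its request group is counted, because "Open Period" submitted as a concurrent request is the same business activity as the Open and Close Periods form. The last call shows the second half of the problem: two roles that are each clean on their own still produce a conflict when one user holds both, so the check has to run at assignment time, not only at design time.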

Page 25

Access to Roles Manager (Role Design)

Review and approve Roles using email notifications.

Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce the risk of SOD control failure.

Page 26

Access to Roles Manager (Role Design)

Access the link to approve or reject the new Role.

Page 27

Access to Roles Manager (Role Design)

Assign the Application Role Owner, Reviewer, Approver and Security Admin.

Page 28

Reduce SOD Access Violations with Effective Roles Management Techniques

Agenda
•  Introduction
•  Top SOD Challenges in Oracle EBS
•  SOD Controls Assessment Overview
•  Role Design Techniques
•  Case Study
•  Q&A

Page 29

Global Car and Equipment Rental Company Improves Employee Productivity (Client case)

Our Client
•  Leader in the car and equipment rental businesses worldwide
•  Providing quality car rental service for over 90 years
•  Over 30,000 employees

Challenges
•  Replace multiple legacy systems with one ERP solution
•  Improve Segregation of Duty controls within mission critical applications
•  Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
•  Increase the external auditors' reliance on ERP Access Controls Monitoring

Solutions
•  GRC DataProbe
•  ERP Controls Catalog
•  ERP Roles Monitor

Results
•  Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
•  Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
•  Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, by ensuring that all users are assigned only the pre-approved Roles.
•  Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
•  Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.

Page 30

Reduce SOD Access Violations with Effective Roles Management Techniques

Agenda
•  Introduction
•  Top SOD Challenges in Oracle EBS
•  SOD Controls Assessment Overview
•  Role Design Techniques
•  Case Study
•  Q&A

Page 31

Summary and Q&A

Thank You! Join us on LinkedIn and follow us on Twitter.