Symantec, Facebook and Navillus - a comprehensive approach to securing & monitoring user access with...
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Do you really know what your users can do, or maybe have done?
Session ID: CON8200
Mark Stebelton, CPA, CFE (Oracle) – Director of GRC Product Management
Daryl Geryol (Navillus) – Partner
David Claytor (Facebook) – IT Global Applications
Jaime Ramos (Symantec) – IT Global Applications
Follow us on Twitter: @OracleAdvCntrls
MANAGE RISK | REDUCE COSTS | IMPROVE CONTROLS
[Bar chart: Strategic Priorities Survey, 263 finance executives surveyed; y-axis 0% to 50%]
Source: Reaching New Heights: The Dividends of Collaboration between Finance and Procurement, published by CFO Publishing LLC, May 2012
Survey question: Where does the procurement function need to get stronger?
Summary: Better Controls & Efficiencies Needed
Top five answers, in the order shown:
#1 Audit/Control of Procurement
#2 Risk Analysis
#3 Cash Flow
#4 Payable Exposure
#5 Compliance
BOTTOM LINE: Document/Email Approaches Challenge GRC
[Pie chart: how organizations approach GRC technology]
53% – Spreadsheets, Documents & Email
17% – Solutions Built In-house by IT
24% – Commercial GRC Solution
6% – 2+ Commercial GRC Solutions
The lack in modern technology makes achieving goals challenging.
70% of GRC professionals reported that they use spreadsheets, emails and custom report apps.
The impact on FTEs is particularly significant. One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconciles for reporting. […] A mess they are aggressively trying to correct.
Source: OCEG Survey • 2014 GRC Technology Strategy Survey • www.OCEG.org – How Organizations Approach and Adapt Their Technology Strategy for GRC
Oracle GRC Product Strategy
One, Unified Platform: the #1 platform with intelligence, advanced controls & management capabilities
[Diagram: PLATFORM – ENTERPRISE GRC – COMPLETE]
Comprehensive Risk & Controls Mgmt. – Close the Loop
Assess Risk & Compliance → Detect and Fix Issues → Continuous Improvement and Monitoring
1. BUSINESS RISKS: Identification, Analysis, Evaluate
2. CONTROL OBJECTIVES: Document, Assessments, Reviews
3. CONTINUOUS MONITORS: Author, Execute, Investigate
Meeting Mission Critical Goals
1. One Unified Platform
2. Big Data Techniques for Advanced Analytics
3. Embedded Controls, Extensive API Library
Enterprise Graph
ALL USERS | ALL SYSTEMS | ALL TRANSACTIONS
INTUITIVE | FLEXIBLE | COMPLETE
Graph dimensions: SECURITY, SETUP, MASTER DATA, TRANSACTIONS
BILLIONS OF NODES & RELATIONSHIPS
Big Data Analytics
[Diagram: relationships among USERS, SYSTEMS, TXN, ROLES, SET UP and MASTER DATA]
Standard Controls
Standard Controls: User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning Ethics Policy
Standard + Advanced Controls
Standard Controls: User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning Ethics Policy
Advanced Controls: Sentiment Analysis; Split Purchase Orders; Hide Displays of Sensitive Data; Duplicate Payments; Transaction Threshold Amounts; Duplicate Vendors; Fine-grained User Access; Configuration Snapshots & Audit Trail; Transaction Pattern Analysis; Fuzzy Logic (‘similar values’)
Customer By Industry
Government/Education, Technology/Services, Retail, Energy, Communication, Industrial, Logistics, Healthcare Services, Mining/Exploration
Advanced Controls Partner Specialists
Oracle recommends using partners and consultants who are Advanced Controls specialists:
Specialized Partner
• Can plan, design, deliver, support successful solutions
• Has all specialists shown below
• Demonstrated track record of success
Implementation Specialist
• Can design detailed solutions
• Passed rigorous Oracle examination
Pre-Sales Specialist
• Can describe introductory solutions
• Completed ten hours of study and self-assessment
Sales Specialist
• Can identify need for Advanced Controls
• Completed ten hours of study and self-assessment
Oracle Confidential – Internal/Restricted/Highly Restricted
Specialized Partners Increase your Return On Investment
• Get more from Advanced Controls: specialists address more of your needs with Advanced Controls’ many capabilities
• Increase your organization’s effectiveness: specialists help you embed Advanced Controls in your business processes
• Accelerate your implementation: specialists guide and support you during planning, implementation and go-live
DO YOU REALLY KNOW WHAT YOUR USERS CAN DO, OR MAYBE HAVE DONE?
Daryl Geryol – Partner
www.navillusllc.com | @NavillusLLC | @DarylGeryol
About Navillus Partners
International professional services and solutions firm headquartered in Boston, Massachusetts
Established in 2009, Navillus has experienced on average 40% growth year over year in Oracle Advanced Controls professional services
Oracle Gold Level Partner specializing in Oracle Advanced Controls & E-Business Suite / PeopleSoft professional implementation and advisory services
Recognized as the #1 Oracle Commercial and Federal Advanced Controls Partner
The first in the industry to hold Oracle Advanced Controls Specialization accreditation
Is an Oracle authorized training partner
Navillus is a privately held company that has been consistently profitable on both a cash and accrual basis since the 4th month of operations, with zero external debt outstanding.
Our team’s collective experience includes:
168 years working in the information technology industry
177 years implementing the Oracle e-Business Suite ERP package
76 years implementing the Oracle GRC applications
More than 512 GRC implementations to the team’s credit to date
Navillus Partners is A World Leader
Experience
More than 500 combined Oracle Advanced Controls implementations
34+ skilled and experienced Advanced Controls professionals averaging more than 10 years of experience worldwide
Functional & technical experience across nearly all Oracle e-Business applications (HRMS, Financials, Supply Chain Management, CRM, other)
Multiple consultants with Oracle accredited specializations
Global Delivery
Right-shore delivery capabilities for Oracle Advanced Controls including utilization of our experienced Chennai, India team, well beyond installation & technical responsibilities
Navillus provides training to customers and other implementation partners worldwide
International experience in more than 10 countries
Centers of Excellence
Navillus’ Center of Excellence (CoE) is a solution center that works closely with Oracle OAC Product & Product Strategy and promotes and trains the extended team on new product features and techniques
Provides new and innovative delivery techniques from in-field feedback and experience to continuously enhance our NAViGATE Methodology
Works with Oracle’s product group on new features and enhancements
Risk – Everything is related
Access and Security – How do users gain access to the ERP system (Entrance, Accessible Areas, Exit)?
Provisioning and Deprovisioning
Privileged Access
Segregation of Duties
Emergency Access
Operational – How do they do it?
Usability
Security
Optimization
Automation
Configuration – What did they change?
Pre and Post Patching
Change Control and Validation
Critical Configurations
Consistency
Transactional – Is what happened within Policy?
Within tolerance
Fraudulent
Correctness
[Diagram: four interrelated domains – Access & Security, Operational, Configuration, Transactional]
Advanced Controls
It’s a Journey – Controls will evolve
Controls are related and typically work together with a focus on increasing value while reducing risk
Controls may validate one another – such as a Transactional control reporting that Operational controls limiting certain transactions by amount are indeed effective
Controls should have a balance and work together to help ensure a secure, sound, effective and efficient system
E-Business Suite Access Controls | E-Business Suite Preventive Controls | E-Business Suite Transaction Controls
Advanced Controls Approaches
Navillus presents… Customers on the Journey
Dave Claytor, IT Global Apps
Jaime Ramos, IT Global Apps – DaVinci GRC Team
Do you really know what your users can do, or maybe have done?
David Claytor, Facebook IT Global Apps
Atul Gupte, Navillus Partners – Advanced Controls Architect
Agenda
1. ITGC Approach, Teaming with Navillus Partners
2. Self Service Application and DB User Requests, Preventative SOD
3. Quarterly User Audit Automation (Managers & BPOs)
4. Utilizing CCG to shift CSAs from Business to IT
5. Summary
Background
Getting Serious about ITGCs
▪ With company mottos like ‘Move Fast and Break Things’, we knew we had to get serious about intelligent audit automation and detection
▪ After managing ITGC CSAs for a quarter, it became obvious we needed to automate user provisioning, quarterly audit and SOD processes
▪ Determined we needed help building an integrated solution. Met with various vendors based on Oracle’s recommendations, went with Navillus Partners
▪ Went down a path of creating easy to use workflows for our end users
▪ Then began to shift CSAs from business to IT owned controls, via CCG. This also required out of the box thinking, to pinpoint the alerting.
Self Service Access Management via OAF
▪ Custom OAF pages for:
  ▪ Users to request access, and on behalf of any user
  ▪ Users to revoke their access
  ▪ Managers to revoke their team’s access
  ▪ Systematic quarterly application access review, for managers and business process owners
  ▪ Integration with GRC AACG, to enforce preventative SOD
▪ Lookup table determines:
  ▪ If the access request is passed through GRC for SOD audit
  ▪ If the access is reviewed quarterly by Manager and / or BPOs
  ▪ If the max grant duration is enforced (all setup and admin related access is granted for 7 days or less)
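The lookup-table decision described above, written out as an added Python example. This is not Facebook's OAF code or Oracle AACG; the lookup rows, responsibility names and request values are constructed, and the 7-day cap for setup/admin access is the figure stated on the slide. The example also shows one defensive choice the slide does not spell out: a responsibility missing from the lookup fails closed (SOD audit, both reviews, admin cap) rather than open.

```python
"""Lookup-table driven routing for a self-service access request.

Added example: not Facebook's OAF code or Oracle AACG. The lookup rows,
responsibility names and request values are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_ADMIN_GRANT_DAYS = 7  # cap for setup/admin access, as stated on the slide


@dataclass(frozen=True)
class LookupRow:
    responsibility: str
    sod_check: bool          # pass the request through GRC for SOD audit?
    manager_review: bool     # include in the quarterly manager review?
    bpo_review: bool         # include in the quarterly BPO review?
    max_days: Optional[int]  # None means no cap on grant duration


# Constructed lookup table (an EBS lookup type would hold this in practice).
LOOKUP: Dict[str, LookupRow] = {row.responsibility: row for row in [
    LookupRow("AP Invoice Entry", True, True, True, None),
    LookupRow("Inquiry Only", False, True, False, None),
    LookupRow("System Administrator", True, True, True, MAX_ADMIN_GRANT_DAYS),
    LookupRow("Application Setup", True, True, True, MAX_ADMIN_GRANT_DAYS),
]}


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    on_behalf_of: str
    responsibility: str
    start: date
    requested_end: Optional[date]  # None means open-ended access was requested


@dataclass
class Decision:
    route_to_sod_audit: bool
    reviewers: List[str] = field(default_factory=list)
    end_date: Optional[date] = None
    notes: List[str] = field(default_factory=list)


def make_request(requester: str, on_behalf_of: str, responsibility: str,
                 start_iso: str, end_iso: Optional[str] = None) -> AccessRequest:
    """Build a request from ISO-8601 date strings."""
    end = date.fromisoformat(end_iso) if end_iso else None
    return AccessRequest(requester, on_behalf_of, responsibility,
                         date.fromisoformat(start_iso), end)


def evaluate(req: AccessRequest) -> Decision:
    """Apply the lookup row for the requested responsibility."""
    row = LOOKUP.get(req.responsibility)
    decision = Decision(route_to_sod_audit=True, end_date=req.requested_end)
    if row is None:
        # Fail closed: an unlisted responsibility gets SOD audit, both reviews and the admin cap.
        row = LookupRow(req.responsibility, True, True, True, MAX_ADMIN_GRANT_DAYS)
        decision.notes.append("responsibility not in lookup; strictest handling applied")
    decision.route_to_sod_audit = row.sod_check
    if row.manager_review:
        decision.reviewers.append("manager")
    if row.bpo_review:
        decision.reviewers.append("bpo")
    if row.max_days is not None:
        # Enforce the maximum grant duration: shorten any open-ended or longer request.
        cap = req.start + timedelta(days=row.max_days)
        if decision.end_date is None or decision.end_date > cap:
            decision.end_date = cap
            decision.notes.append(f"end date capped at {row.max_days} days")
    if req.requester != req.on_behalf_of:
        # Keep the on-behalf-of relationship visible for the quarterly reviewers.
        decision.notes.append(f"requested by {req.requester} on behalf of {req.on_behalf_of}")
    return decision


if __name__ == "__main__":
    print(evaluate(make_request("alice", "alice", "System Administrator", "2014-09-29")))
    print(evaluate(make_request("alice", "bob", "Inquiry Only", "2014-09-29", "2015-09-29")))
```

The request object records both the requester and the user the access is for, so the "on behalf of" case from the slide stays visible to the quarterly reviewers instead of being lost once the grant is made.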
Utilizing OAF for Self Service Access Requests
Automating Quarterly ITGC User Audits
Transitioning CSA’s to IT System Controls
▪ CFO pushed to automate & transition business owned CSAs to IT system controls. We will have moved 50 CSAs by the end of 2014, in 2 primary ways:
  ▪ Introduced second variant of systematic quarterly user audit, where BPOs (also the access approvers) review and revoke access as needed, for key functions like Journal Entry, Receiving & AP Payments
  ▪ Monitoring key application setups via CCG, and pairing up change alerts with valid change tasks
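Pairing change alerts with valid change tasks, as an added Python example that is not Oracle CCG or Facebook code. The alert lines and change tasks are constructed, and the flat 'timestamp|alert id|setup object|changed by' record format is an assumption; the point is the matching rule: an alert is explained only when the setup object, the person and the time window of an approved task all agree, so a change by the right person outside the window, or by someone without a task, stays on the exception list.

```python
"""Reconcile configuration-change alerts against approved change tasks.

Added example, not Oracle CCG or Facebook code. Alert lines and change
tasks below are constructed; the alert record format is assumed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ChangeTask:
    task_id: str
    setup_object: str
    assignee: str
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class ChangeAlert:
    alert_id: str
    setup_object: str
    changed_by: str
    changed_at: datetime


def parse_alert(line: str) -> ChangeAlert:
    """Parse one constructed 'timestamp|alert id|setup object|changed by' record."""
    ts, alert_id, obj, who = [p.strip() for p in line.split("|")]
    return ChangeAlert(alert_id, obj, who, datetime.fromisoformat(ts))


def match_alert(alert: ChangeAlert, tasks: List[ChangeTask]) -> Optional[str]:
    """Return the id of the task that authorises the alert, or None.

    Object, person and time window must all agree; anything else is unexplained.
    """
    for t in tasks:
        if (t.setup_object == alert.setup_object
                and t.assignee == alert.changed_by
                and t.window_start <= alert.changed_at <= t.window_end):
            return t.task_id
    return None


def reconcile(alert_lines: List[str], tasks: List[ChangeTask]) -> Dict[str, object]:
    """Split alerts into those explained by a task and those needing follow-up."""
    matched: Dict[str, str] = {}
    unmatched: List[str] = []
    for line in alert_lines:
        alert = parse_alert(line)
        task_id = match_alert(alert, tasks)
        if task_id:
            matched[alert.alert_id] = task_id
        else:
            unmatched.append(alert.alert_id)
    return {"matched": matched, "unmatched": unmatched}


# Constructed data: two approved tasks and four alerts.
SAMPLE_TASKS = [
    ChangeTask("CHG-100", "GL Period Status", "jsmith",
               datetime(2014, 9, 29, 9, 0), datetime(2014, 9, 29, 12, 0)),
    ChangeTask("CHG-101", "AP Payment Terms", "mlee",
               datetime(2014, 9, 30, 0, 0), datetime(2014, 9, 30, 23, 59)),
]
SAMPLE_ALERTS = [
    "2014-09-29T10:15:00|A1|GL Period Status|jsmith",  # inside the CHG-100 window
    "2014-09-29T18:00:00|A2|GL Period Status|jsmith",  # right person, outside the window
    "2014-09-30T11:00:00|A3|AP Payment Terms|kwong",   # no task for this person
    "2014-09-30T11:00:00|A4|AP Payment Terms|mlee",    # inside the CHG-101 window
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_ALERTS, SAMPLE_TASKS))
```

The unmatched list is what the IT-owned control actually reviews each period; the matched pairs are the evidence that a monitored change was an approved one.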
Summary
▪ Once we built the user access pages in OAF, we realized detective SOD was insufficient. Out of the box, GRC (AACG) only works with the Java form based access request. This is where the Navillus Partners technical consultants were key, given their deep understanding of the product, as many of them came from LogicalApps. They also helped us systematically tackle managing GRC development instance refreshes, which presented its own challenges.
▪ As we implemented CCG to shift CSAs from business to IT owned, we realized it only monitored core forms and even then we could not drill into specific areas of those forms for pinpointed monitoring. Again, the Navillus Partners team was a key partner in determining how to add content without introducing too much risk or upgrade headaches using their Navillus CCG content.
Do you really know what your users can do, or maybe have done?
Jaime Ramos, Symantec IT Global Apps – DaVinci GRC team
Project da Vinci – Symantec
Richard Goddard, Navillus Partners – Director of Delivery
Agenda
• History of GRC at Symantec
• The DaVinci Initiative
• Challenges
• Approach
• Managing SOD conflicts in an RBAC system
• Go-Live Activities
• Critical Success Factors, Lessons Learned.
History of GRC at Symantec
• In 2008 Symantec implemented the LogicalApps products, Form Rules (PCG precursor) and AppsAccess for Segregation of Duties
• Symantec’s custom self-service responsibility provisioning system was integrated with the SOD system to prevent users from requesting combinations of responsibilities deemed inappropriate.
• In 2013 Symantec decided to use the GRC suite of applications as part of its DaVinci initiative to implement R12.1 EBS.
The DaVinci Initiative
• EBS R12.1 for 30,000 worldwide users
• Customer Data Hub (CDH) and Product Data Hub (PDH) in their own instances
• Five separate system environments – DEV, QA, Training, UAT and Production instances (5 GRC systems managing 5 x 3 EBS/CDH/PDH systems)
• Full Oracle Advanced Controls GRC suite implementation (PCG, ACG, TCG, CCG, eGRCM and GRC Intelligence)
• ACG: 140+ SOD and Sensitive Access policies, including module configuration versus module transactions for each of the 33 EBS applications
• CCG was implemented for continuous monitoring of changes for 12 key controls in the EBS Financial applications
• PCG / TCG were used to automate control testing for items such as identification of journals > $5m, workflow approval of recurring journals, enforcing comments and attachments for manual journals per Symantec policy, and masking project rates derived from actual salary information.
Challenges
• Scalability – SOD rules tracking for more than 30,000 users and 3000+ function combinations including custom and localization functions
• RBAC role based security, more than 400 unique roles
• Cross-platform SOD for users with accounts in the EBS, Product Data Hub and Customer Data Hub systems. Each GRC system had 3 data sources, using email address as the identifier of the same user across them
• AACG reports don’t contain RBAC role information, only responsibility names – how can we determine SOD conflicts within a role?
Approach
• SOD rules definition and analysis was prioritized to ensure security design was as effective as possible before go-live. AACG rules were defined to implement SOD policies and track which roles/responsibilities had access to critical system functions – Add User, Modify Responsibility, Close GL Period etc.
• PCG and TCG were used to solve specific requirements for identifying unusual activity.
• CCG configuration monitoring was deployed in a limited way to support SOX key controls where module configurations have significant impact on Oracle Financials
• eGRCM implementation was deferred to allow Internal Audit to define EBS R12 specific processes, risks and controls – eGRCM is now in process
• OIM – ACG integration to enforce SOD policies when users request system access was deferred until after go-live.
Managing SOD for each Role
• We created 400 test users and assigned them each 1 role using UMX
• We completed Access analysis using only our “Test User Accounts” by setting global conditions
• We used the Access Incident detail report to identify Conflicts within a single responsibility and within a single role (Intra and Inter Responsibility Conflicts)
• We consolidated a list of ‘unique’ role violations for a management decision
• We held a series of meetings for Business Process Owners and module SMEs to make decisions where roles violate SOD policy. After the changes were made the Access was re-analyzed and the residual problems analyzed and presented
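The per-role analysis these steps describe (one test user per role, intra- and inter-responsibility conflicts, a consolidated list of unique role violations, then re-analysis after remediation), written out as an added Python example. This is not Symantec's, Navillus' or Oracle AACG's code: the SOD policies, responsibility and role names are constructed, and the role → responsibility → function dictionaries stand in for the UMX and AACG data the slide refers to.

```python
"""Role-level SOD analysis in the style of the test-user approach above.

Added example, not code from Symantec, Navillus or Oracle AACG.
All policy, responsibility and role names below are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed SOD policies: two functions one person must not hold together.
SOD_POLICIES: Dict[str, Tuple[str, str]] = {
    "P01": ("Create Supplier", "Enter AP Invoice"),
    "P02": ("Enter Journal", "Post Journal"),
    "P03": ("Add User", "Modify Responsibility"),
}

# Constructed security model: responsibility -> functions, role -> responsibilities.
RESPONSIBILITIES: Dict[str, Set[str]] = {
    "AP Clerk": {"Enter AP Invoice", "View Supplier"},
    "Supplier Maintenance": {"Create Supplier", "View Supplier"},
    "GL Entry": {"Enter Journal"},
    "GL Supervisor": {"Enter Journal", "Post Journal"},
    "Sysadmin": {"Add User", "Modify Responsibility"},
}
ROLES: Dict[str, List[str]] = {
    "AP_PROCESSOR": ["AP Clerk", "Supplier Maintenance"],
    "GL_ACCOUNTANT": ["GL Entry"],
    "GL_MANAGER": ["GL Supervisor"],
    "IT_ADMIN": ["Sysadmin"],
}


def violated_policies(functions: Set[str]) -> Set[str]:
    """Policy ids whose two functions both appear in one function set."""
    return {pid for pid, (a, b) in SOD_POLICIES.items()
            if a in functions and b in functions}


def analyse_role(role: str, roles: Dict[str, List[str]] = ROLES) -> dict:
    """Analyse one role as if a test user held only that role.

    'intra' lists conflicts contained in a single responsibility; 'inter' lists
    conflicts that arise only because the role combines responsibilities.
    """
    resp_names = roles[role]
    intra = {r: violated_policies(RESPONSIBILITIES[r]) for r in resp_names}
    intra = {r: v for r, v in intra.items() if v}
    all_functions = set().union(*(RESPONSIBILITIES[r] for r in resp_names))
    inter = violated_policies(all_functions) - set().union(*intra.values())
    return {"role": role, "intra": intra, "inter": inter}


def unique_role_violations(roles: Dict[str, List[str]] = ROLES) -> List[Tuple[str, str]]:
    """One test user per role; consolidate the distinct (role, policy) pairs
    into the list put in front of the decision makers."""
    found = set()
    for role in roles:
        result = analyse_role(role, roles)
        for pid in result["inter"]:
            found.add((role, pid))
        for pids in result["intra"].values():
            for pid in pids:
                found.add((role, pid))
    return sorted(found)


def remediate_and_reanalyse() -> List[Tuple[str, str]]:
    """Example remediation decision: split supplier maintenance out of
    AP_PROCESSOR into its own role, then re-run the analysis for residuals."""
    remediated = dict(ROLES)
    remediated["AP_PROCESSOR"] = ["AP Clerk"]
    remediated["SUPPLIER_ADMIN"] = ["Supplier Maintenance"]
    return unique_role_violations(remediated)


if __name__ == "__main__":
    for row in unique_role_violations():
        print("violation:", row)
    print("residual after remediation:", remediate_and_reanalyse())
```

Separating intra- from inter-responsibility conflicts matters for the decision meeting: an intra conflict can only be fixed by changing the responsibility (or accepting it with a compensating control), whereas an inter conflict can be fixed by splitting the role, as the remediation function shows.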
Go-Live Activities
• User accounts were loaded via OIM into a pre-production environment for SOD pre-check before cutover; Internal Audit reviewed and accepted go-live SOD violations.
• The go-live cutover support teams were provided access with future end-dated access for the initial Hyper-Care support period.
• Ongoing SOD reviews are conducted in AACG
• CCG controls are used to identify all changes to security definitions – roles, responsibilities, menus, functions etc.
Critical Success Factors / Lessons Learned
• Without the Advanced Controls applications it would not have been possible to design SOD compliant roles and responsibilities within the project timeline.
• Involve Internal Audit, External Audit and Module SME’s in SOD policy design
• Review SOD results and eliminate noise, identify and present unique access decisions for decision makers
• Start early! Security design often happens late in the project timeline and final UAT may be the first attempt to test Security roles and responsibilities. It is an iterative process!
• EBS Security, Module SMEs and GRC teams need to work closely together.
• Last minute Security change requests must be evaluated for SOD impact before they are accepted and implemented.
Oracle GRC – Enterprise Risk and Controls Foundation
A Unified Platform
[Architecture diagram] Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
User Authored Controls, Data Connectors, Fraud & Error Patterns
Role Based Access Security | Web Services & APIs
Flexible
• Graphical Authoring • Detect and Prevent • Access, Transactions, Setups
Data Driven
• 100% of Transactions • Manage by Exception • Pattern Analysis
Comprehensive
• Multiple GRC Projects • From Documentation to Test • Closed Loop Approach
Roadmap: Investment Areas
[Architecture diagram] Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
User Authored Controls, Data Connectors, Fraud & Error Patterns
Role Based Access Security | Web Services & APIs
Investment Areas: Pre-Built Controls, Pre-Built Business Objects, Pre-Built Integrations, Platform Features, Extensibility
Oracle GRC Advanced Controls – Sessions (Westin, 3rd & Market)
ID 8208 – Thu, 10:15 – Olympic – Achieve a Quicker and Compliant Financial Close with Oracle Governance, Risk, Compliance
ID 8154 – Thu, 12:45 – Olympic – Controlling for Multiple ERP Systems with Oracle Advanced Controls
ID 8213 – Thu, 2:45 – Olympic – How Your Vendor Master File is Critical to Governance, Risk Management and Compliance
Oracle GRC Advanced Controls – MTE and Demo Grounds
Meet the Governance, Risk, and Compliance Experts – ID MTE8487 – Wed, 5:00 – Westin at 3rd & Market St, Metropolitan III
Demo Station: Oracle Fusion Governance, Risk, and Compliance Advanced Controls – ID 4250 – Mon 9:45 – 6:00, Tue 9:45 – 6:00, Wed 9:30 – 3:45 – Moscone West Station WCL-003
DEMOgrounds: Moscone West Station ID WCL-003
@OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter