#OOW16 - Introduction to Advanced Access Controls

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Introducing Oracle Fusion
Advanced Access Controls
to Strengthen Security
OpenWorld 2016

Introducing Oracle Fusion
Advanced Access Controls
to Strengthen Security
This session provides a first look at this upcoming cloud service:
Continually detect and manage unwanted user access in ERP, HCM & SCM Clouds
Streamline role design, access policies
Improve access controls for SOX, other regulations
This session will help you:
Learn about this cloud service from industry experts and Oracle’s product developers
Determine whether this cloud service will be right for your organization
Get answers to your questions in live Q&A with our panelists

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
3

4
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Why Are Access Controls
Needed?

Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
More Resources
1
2
3
4
5

Panelists
– Katrina Johnson
Chief Audit Executive
Service Corp International
– Nicholas Seeman
Director, Advisory Services
KPMG LLP
– Mark Stebelton
Director, Product Management
Oracle Product Development
Moderator
– Barry Greenhut
Director, Product Strategy
Oracle Product Development
6
Session Speakers

Agenda
Panelist Q&A
More Resources
1
2
3
4
11

Advanced Access Controls – Design Objectives
Find users in
Oracle
ERP/HCM/SCM
Cloud who…
• Can generate unwanted transactions – e.g., have
separation of duties (SoD) conflicts
• Have access to sensitive data
Let
organizations…
• Identify and minimize unnecessary financial and
operational risk
• Demonstrate compliance with SOX and similar obligations
12

Why Are Access Controls Needed?
14
• Enforcement includes detecting users who can:
• Application owners must continually enforce those policies
Enter unwanted
transactions
Create invoices then pay them
Create purchase orders then record
receipts for them
Create/change critical setup
data and configurations
Spending authorization limits
Opening closed accounting periods
Create/change
master data
Supplier
Customer
Employee
Item

17
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Access Control Maturity

Create Supplier Invoice Create PaymentSupplier
Create Supplier Create Payment for
same supplier
+ Create Supplier Create Payment for
supplier
≠
Why Is Separation of Duties Needed?
18

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Restrict Unauthorized Access & Automate SoD Analysis
Manage Exceptions & Simulate Changes
Link Results to Business Risks
Automate User Security Analysis
Deploy Pre-Built SoD Controls
Author New Access Rules & Policies
19

Deep, Dynamic Analysis
• Generate unwanted transactions
E.g., Separation of Duties
• Access to sensitive data
ERP/HCM/SCM
user abilities
• Ready to grow as privileges are added
to ERP/HCM/SCM
6,000+
ERP/HCM/SCM
privileges
20

User: Janie Adams
Job Role: Accounts Payable Supervisor
Duty Role: Payables Payment Creation
Privilege: Create Payables Payments
Privilege: Create Purchase Order
Job Role: Buyer
SoD Conflict
Deep, Dynamic Analysis
Duty Role: Purchase Order Authoring

Closed-loop, Compliant System
Enforce
control
objectives,
policies,
regulations
Maintain
as users
are added,
assigned
other roles
Evaluate
& enact
treatment
Detect users’
access
continually
Detect Evaluate
EnforceMaintain
24

Agenda
Preview
Panelist Q&A
More Resources
1
2
3
4
26

Preview
InFusion Corp: Goals and Requirements
Requirements: We need an enterprise solution that:
• Automates detection of users with excessive access
• Provides an audit trail of remediation activities for access issues
• Secures what users see and do within the solution
• Provides data and reports that key stakeholders need to make good decisions
• Requires minimum resources to administer after go-live
27
Goal: We need to address user access risk by understanding excessive
user access, treating access issues, and documenting accordingly
Process Owner and
Auditor

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 28
Best Practice Process
Identify
Excessive
Access
Deploy
Controls
Address
Issues
Report
Results
28
Create Models and
assess results
Remediate excessive access
where feasible
Convert Models to
Controls
Run Control Analysis
periodically
Manage incidents - options:
Adjust ERP/HCM/SCM
security configuration
Add compensating
transaction controls
Report incident
management results to
managers, auditors

I import pre-built models, test and
refine them, and use the results to
guide improvements to role
definitions
Preview
Diane Analyst

Import Pre-built Models

Import Pre-built Models
Procurement
• Create Payments &
• Create Suppliers
• Set Up Payment
• Create Purchase Orders &
• Approval Authorization
Control
• Approve Invoices
• Create Invoices
Financials
• Enter Journal Entry &
• Assets Workbench
• Create Invoices
• Create Payments
• Create Purchase Orders
• Post Journal Entry &
• Assets Workbench
• Create Invoices
• Create Payments
• Physical Inventory
Supply Chain
• Create Items &
• Cycle Counting
• Inventory Transactions
• Inventory Transactions &
• Receive Goods and Services
• Item Costing &
• Create Items
• Ship Confirm Goods
33
Some of the planned pre-built models (100+ planned)

Review Model

Configure Model – Business Objects

Configure Model- Filter Logic

Configure Model- Access Conditions

Review Model Results

Visualize Incidents

Convert Models to Controls

I review and remediate incidents in
my business area
Review and Remediate Incidents
Chris Owner

Review and Remediate Incidents

Simulate Role Redesign

I review incident reports and re-
evaluate our existing access controls
Review Incident Reports
Alan Auditor

Review Incident Reports

Restrict Unauthorized Access & Automate SoD Analysis
Manage Exceptions & Simulate Changes
Link Results to Business Risks
Automate User Security Analysis
Deploy Pre-Built SoD Controls
Author New Access Rules & Policies
46

Agenda
Panelist Q&A
Katrina Johnson Service Corp International
Nicholas Seeman KPMG LLP
Mark Stebelton Oracle Product Development
More Resources
1
2
3
4
51

Agenda
Panelist Q&A
More Resources
1
2
3
4
52

DEMOgrounds
Moscone West Level 3 Lobby (M,T,W) ERP Showcase
Workstation
WEP-020
53

Wednesday
CUSTOMER CASE STUDY
Sep 21, 11:00 AM – 11:45 AM| Moscone West 3005
Securing ERP: Application Compliance
and Controls Implementation
[CAS7689]
Gautham Ramkumar: Director, Advisory Services, KMPG LLP
Chuck Devore, Director, Finance Transformation, ADM
Kenneth Kobia, Risk & Controls Lead, Archer Daniels Midland
Organizations have successfully transformed their business
operations by leveraging Oracle ERP technologies. Yet they
continue to struggle to balance the two divergent needs of
empowering ERP business users, while protecting sensitive
data and transactions. In this session KPMG and Archer
Daniels Midland detail how they took advantage of Oracle’s
ERP security and controls capabilities, to support ADM’s
initiative to deploy Oracle ERP .
PANEL SEESION
Sep 21, 1:30 PM – 2:15PM | Moscone West 3005
Introducing Oracle Fusion Advanced
Access Controls to Strengthen Security
[CON7290]
Katrina Johnson, VP Risk Assurance, Service Corp
International
Nicholas Seeman, Director, Advisory Services, KMPG LLP
Barry Greenhut, Director, Product Strategy, Oracle
Mark Stebelton, Director, Product Management, Oracle
This session provides an overview of Oracle Fusion Advanced
Access Controls to continuously detect segregation of duties
violations, manage exceptions, and fix unauthorized access to
sensitive functions and data. Compliance managers and
auditors can use Oracle Fusion Advanced Access Controls to
ensure strong access controls across ERP, HCM and SCM
cloud applications.
PANEL SESSION
Sep 21, 4:15 PM – 5:00 PM | Moscone West 3005
Implement the Best Practice for Oracle
Financial Reporting Compliance Cloud
[CON7291]
Swarnali Bag, Governance, Risk & Compliance Practice Lead,
Oracle
Barry Greenhut, Director, Product Strategy , Oracle
Lakshmi Rajamohan, Principal Product Strategy Mgr., Oracle
This session provides a more detailed walkthrough of Oracle
Financial Reporting Compliance from an end user’s
perspective, and highlights how the product can be
configured to automate the best practice process. Based on
learning from a decade of customer experience, it showcases
the shortest and most cost-effective path to go live and
streamline operations.
54

Thursday
PANEL SESSION
Sep 22, 9:30 AM – 10:15 AM| Moscone West 3005
Implement the Best Practice for Oracle Fusion Advanced Financial
Controls Cloud Service
[CAS7286]
Swarnali Bag, Governance, Risk & Compliance Practice Lead, Oracle
Christine Doxey, President, Doxey, Inc.
Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle
This session provides a detailed walkthrough of Oracle Fusion Financial Controls Cloud Service
from an end user’s perspective, and highlights how the product can be configured to automate
best practice controls. Oracle Fusion Advanced Financial Controls Cloud Service is designed to
meet the common needs of Oracle Financials Cloud subscribers. Based on learning from a decade
of customer experience, this session showcases Oracle’s best practice business process for
maximum ROI with minimum cost of ongoing operation.
PANEL SESSION
Sep 22, 12:00 PM – 12:45 PM | Moscone West 3005
Get Started with Financial Reporting Compliance and Advanced
Financial Controls
[CON7284]
Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle
Joel Alvarado, Customer Success Manager, Oracle
This session provides you with the most effective project plan to implement Oracle Financial
Reporting Compliance or Oracle Fusion Advanced Financial Controls Cloud Service. Participants
will learn the shortest and most cost-effective path to success using Oracle’s customer and
partner-tested “get started” process. Learn how to plan and adopt these cloud services, and then
sustain your use through growth and change. Learn how to get the experience and expertise
needed to succeed.
55

Arturo Martínez del
Campo Saucedo
Corporate Chief Financial Officer
Grupo Posadas S.A.B. de C.V. .
LEADERSHIP IN FINANCE
LATIN AMERICA - CLOUD
2016
Best
Practice
Adopter
First
Adopter
of Risk
Cloud

 For subscribers and partners
To Learn More
Cloud Portal Release Readiness User Documentation Modern Best Practice
Oracle University Success Managers  Get Started  Customer Connect 
57

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | 5959
Join our LinkedIn Group
For the latest Updates and Presentations .

| Confidential – Oracle Internal/Restricted/Highly Restricted61

#OOW16 - Introduction to Advanced Access Controls

More Related Content

What's hot (20)

Similar to #OOW16 - Introduction to Advanced Access Controls (20)

Recently uploaded (20)

#OOW16 - Introduction to Advanced Access Controls