Leverage Technology: Move Your Business Forward™
Risk and Compliance | Financial Reporting | Internal Audit | Controls Catalog | Application Security | Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
ID and Monitoring Multi-Platform and Cross-Platform Access Control
Jeffrey T. Hare, CPA CISA CIA
Eduardo Garibaldi, Director of Global Risk Advisory
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Agenda
• Introductions
• Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks
• Segregation of Duties Overview
• SoD Analysis
• False Positives and Exceptions
• Remediation Approach
• Q&A
FulcrumWay Clients: Successful Track Record, Over 250 engagements
Industries: Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences
FulcrumWay™ Insight: Global Thought Leadership, Proven Expertise
• Oracle Cloud – London – Feb 1-2 – GRC Round Table, London, UK
• Educational Webinar – Feb 17th – Self Service User Provisioning
• Educational Webinar – Mar 23rd – Continuous Controls Monitoring
• Oracle Cloud – Australia – March – GRC Round Table, Sydney, Australia
• Collaborate 17 – April 2-6 – Las Vegas GRC Open House
• Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
• Gitex – October 8-12 – GRC Round Table, Dubai, UAE
• Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
• Oracle Connect Africa – October – GRC Round Table, South Africa
Identifying and Monitoring Multi-Platform and
Cross-Platform Access Control Risks
Most organizations have multiple software applications to help run their
business. Often there are several ERP and legacy applications that are
considered in-scope from a compliance perspective. Hear from industry
expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and
multi-platform control risks and how organizations can mature their control
environment through necessary manual controls, monitoring controls, and
access controls.
Scenario 1: Multi-platform risks across Oracle E-Business Suite and Hyperion
Organization uses Oracle E-Business Suite for core applications and Hyperion for budgeting and consolidations.
Risks Across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite:
• Using Journal Approval Workflow that now leverages AME.
• All 'manual JEs' are required to go through the journal approval workflow process.
Hyperion (Budgeting, Consolidations):
• JEs can be entered and posted by anyone.
• Manual controls of JEs (outside system).
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite SoD Conflicts:
• Enter Journals vs Journal Sources
• Enter Journals vs Journal Authorization Limits
• Enter Journals vs Profile Option Values
• Enter Journals vs AME Setups
• Enter Journals vs Accounting Setup Manager
Hyperion SoD Conflicts:
• Enter Budgets vs Maintain Budget Approvers
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite Sensitive Access Risks:
• Journal Sources
• Journal Authorization Limits
• Profile Option Values
• AME Setups
• Budget Setups
• Journal Import Correction
• Accounting Setup Manager
Hyperion Sensitive Access Risks:
• Define Budget
• Budget Approvers
• Consolidation Setups
• Enter Journals
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite Operational Sensitive Access Risks:
• Enter Journals
• Post Journals
• Chart of Account maintenance (Flexfield Values)
• AutoPost
Hyperion Operational Sensitive Access Risks:
• None
Risks across Oracle E-Business Suite and Hyperion (Multi-platform)
Oracle E-Business Suite Other Notes:
• Further discussion on how Mass Allocations and Recurring Journals are handled
• Assumption is Journal Approval workflow is properly configured
Hyperion Operational Sensitive Access Risks:
• None
Scenario 2: Cross-platform risks across Oracle E-Business Suite and Oracle ERP Cloud
Organization uses Oracle E-Business Suite for core applications (less Requisitions) and Oracle ERP Cloud (Fusion) for Requisitions.
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Multi-platform)
Oracle E-Business Suite activities within EBS:
• Segregating JEs – Enter vs Post
• Approved Reqs are converted to POs
• POs are updated manually since ERP Cloud doesn't support PO updates
• Suppliers interfaced from ERP Cloud
Oracle ERP Cloud activities within ERP Cloud:
• JEs not allowed
• Approved Requisitions are interfaced to EBS
• Suppliers are interfaced to EBS
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Multi-platform)
Oracle E-Business Suite Sensitive Access Risks:
• Suppliers (none should be entered)
• AutoCreate Docs
• Buyers
• Purchase Orders
• PO Setups – Document Types
• PO Approval Setups
• Payables Options
Oracle ERP Cloud Sensitive Access Risks:
• Suppliers
• Requisition Approval Setup
• Requisition Setups – Document Types
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Multi-platform)
Oracle E-Business Suite SoD Conflicts:
• PO's vs Enter Goods Receipts
• Enter Suppliers vs Enter PO's
• PO's vs PO Options
• Suppliers vs Payables Options
• PO's vs Buyers
Oracle ERP Cloud SoD Conflicts:
• Requisitions vs Requisition Approval Setup
• Enter Suppliers vs Requisitions
Risks across Oracle E-Business Suite and Oracle ERP Cloud (Multi-platform)
Cross Platform SoD Conflicts:
• Enter PO's (EBS) vs Enter Suppliers (Cloud)
SoD Overview
Are you ready for the Segregation of Duties Audit?
The Big Picture: SafePaaS
[Platform diagram; recoverable labels only]
Platform layers: MonitorPaaS, ProcessPaaS/DocumentPaaS (Operations Management), RiskPaaS, AuditPaaS, AccessPaaS
Components: Risk Library, KRI Manager, Policy Manager, Process Definition, Workflow, Business Rules, Audit Manager, Audit Planner, Compliance Manager, Master Data Monitor, DataProbe Integration Services, Risk Assessments, Transaction Monitor, App Configuration Monitor, Rules Repository, Access Monitor, SOD Policy Monitor, Roles Manager, iAccess Policy based provisioning, Issue Manager, Survey Manager
Solution areas: Enterprise Risk Management, Continuous Controls Monitoring, Financial Governance, Audit and Compliance Automation, IT Governance
SoD Overview: Security Model
[Diagram of security objects: User, Responsibility, Menu, Function, Form]
Complicated Security Model: contains many overriding security attributes
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
SoD Overview: Hyperion Security Model
[Diagram of security objects: User, Roles, Groups, Functions, Security Class]
High Risk of SOD Issues
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
SoD Overview: PeopleSoft Security Model
[Diagram of security objects: User Profile, Role, Permission List, Menu, Component, Page]
High Risk of SOD Issues
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
SoD Overview: JD Edwards Security Model
[Diagram of security objects: User, Roles, Menu / Task, Form, Application Versions, Report Versions]
High Risk of SOD Issues
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
SOD Overview: Access/SOD Risk Based Process
[Process diagram; recoverable labels only]
Steps: Detect SOD/Policy Violations → Analyze Violations → Correct Role Access / Correct User Access → Monitor Violation Incidents
Inputs: Application Security Model, Application Security Snapshot (DataProbe ETL), Application Access Rules, Exceptions
Components: Access Analytics, Rules Manager, Action Workflow, Violations Manager, Corrective Actions Dashboard, Roles Manager, Application Test Environment
Owners: App Control Owners / IS Security; IS Security / Audit/Compliance; Control Owners / IS Security; Application Administrator
SoD Overview
SoD Rule Consists of Business Activities Made Up of Functions
SOD Analysis: Validate Access Risks and Verify Security Model
Use Dashboards and Report Filters to analyze risks.
Identify SoD Rule violations and analyze issues using Violation Score Card.
Drill down into Responsibility and User Violations by OU and Module.
SOD Analysis: Violations by User and Responsibility
[Screenshot callouts: Responsibility with SOD Conflict; User with SOD Conflict; Access to Supplier Form; Access to Invoice Approval Page]
SOD Analysis: Responsibility Configuration
SOD Analytics: Download in Excel for further review
What Are False Positives? (Inherent False+): Users and Responsibilities
• Inactive Users
• Expired Users
• Terminated Employees still active in EBS
• End-Dated Users
• End-Dated Responsibility Assignments
• Menus without Prompts
What Are False Positives? (Inherent False+): Oracle Menus
• Without the Grant Flag, the user cannot access the Sub-Menu or Function.
• A menu without prompts prevents the user from seeing and navigating to it.
A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility, which are granted.
What Are False Positives? (Inherent False+): Oracle Functions
If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.
What Are False Positives? (Inherent False+): Oracle Form Personalization
The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing builtins, displaying messages, and adding menu entries.
What Are False Positives? (Inherent False+): Oracle Profile Options
A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.
False+ Checklist: Global False Positives
Filter False+:
• Form Extensions
• Table Audit
• Conditional Function Access
• Data Access
• Function Access
• Read-Only Access
• Function Limits
Filter False+:
• Menu Access
• Menu / Sub-Menu / Grants / Prompts
• Data / Function Access
• Disabled Oracle Responsibility Access
• Enabled Oracle Responsibility Access
• Read-Only RBAC Access
• RBAC (Role Based Access Control)
Filter False+:
• Function Limits
• Ledger Data Access
• Custom Forms/Pages
• Ledger Set Access
• Multi-Org Access
• IT Support Access
• Menu Grant Flag
Filter False+:
• User Access to Sub-Menu
• Inactive Users
• Privileged User (Interface, etc.)
• User Responsibility Access Inactive
• User Responsibility Access Active
• User Access enabled
• Form Customization
Filter False+:
• Data Access Group (Shared Services)
• GL Access Limit
• Operating Unit Access
• Oracle Security Profile
Approach: System Filters
[Diagram of False+ filter types: Data Security, Read-Only, Custom, INV, User, OU, Form, Profile, Role]

Filters          Type    Conditions      Results Excluded
Inactive User    Global  End-Date        Users
Inactive Role    Global  End-Date        Roles
Business Unit    Global  Org Name        Organization
View Only        Local   Function Path   Functions
Data Security    Local   Data Group      Groups
Personalization  Local   Form/Page       Forms
Approach: Remove Inherent False Positives
Use Global Conditions to filter "inherent" False Positives like:
• Inactive Users
• Inactive Responsibilities
• Read-only Access
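As an added example (not code from the deck or from FulcrumWay's SafePaaS), the Python script below models what the SoD Overview and False Positives slides describe: a rule is a pair of business activities made up of functions, a user reaches functions through responsibility menus, and the global filters (inactive users, end-dated assignments and responsibilities) and local filters (no grant flag, no prompt, QUERY_ONLY=YES) are applied before a violation is reported, so one access snapshot yields both the raw violations and the false positives the filters remove. The activity and rule names come from the Scenario 2 slides; the function names, responsibilities, users and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed evaluation date for the sample data below (assumption).
TODAY = date(2017, 3, 1)

Access = Tuple[str, str]  # (platform, function)


@dataclass(frozen=True)
class MenuEntry:
    """One function on a responsibility's menu; Cloud role privileges are modelled the same way."""
    function: str
    prompt: Optional[str] = None  # no prompt: user cannot see or navigate to it
    grant: bool = True            # grant flag off: sub-menu/function not accessible
    parameters: str = ""          # form parameters; QUERY_ONLY=YES opens the form read-only


@dataclass
class Responsibility:
    name: str
    platform: str                 # "EBS" or "Cloud"
    end_date: Optional[date]      # end-dated responsibility
    menu: List[MenuEntry]


@dataclass
class User:
    name: str
    end_date: Optional[date]      # end-dated / terminated user
    assignments: List[Tuple[Responsibility, Optional[date]]]  # (responsibility, assignment end date)


# An SoD rule is two business activities; each activity is the set of functions that perform it.
# Activity and rule names follow the deck's Scenario 2; the function names are constructed.
ACTIVITIES = {
    "Enter PO's (EBS)": {("EBS", "Enter Purchase Orders")},
    "Enter Suppliers (EBS)": {("EBS", "Enter Suppliers")},
    "Enter Suppliers (Cloud)": {("Cloud", "Manage Suppliers")},
}
SOD_RULES = [
    ("Enter Suppliers (EBS)", "Enter PO's (EBS)"),    # single-platform conflict
    ("Enter PO's (EBS)", "Enter Suppliers (Cloud)"),  # cross-platform conflict
]


def _ended(d: Optional[date], today: date) -> bool:
    return d is not None and d <= today


def effective_access(user: User, today: date = TODAY, apply_filters: bool = True) -> Set[Access]:
    """Functions the user can actually update through; apply_filters=False gives the raw snapshot."""
    if apply_filters and _ended(user.end_date, today):
        return set()  # global filter: inactive / end-dated user
    access: Set[Access] = set()
    for resp, assignment_end in user.assignments:
        if apply_filters and (_ended(assignment_end, today) or _ended(resp.end_date, today)):
            continue  # global filter: end-dated assignment or responsibility
        for entry in resp.menu:
            if apply_filters and (
                not entry.grant                                   # no grant flag
                or entry.prompt is None                           # menu entry without prompt
                or "QUERY_ONLY=YES" in entry.parameters.upper()   # local filter: read-only
            ):
                continue
            access.add((resp.platform, entry.function))
    return access


def find_violations(users, rules=SOD_RULES, today=TODAY, apply_filters=True):
    """(user, activity A, activity B) for each rule where the user can perform both activities."""
    hits = []
    for user in users:
        access = effective_access(user, today, apply_filters)
        for a, b in rules:
            if ACTIVITIES[a] & access and ACTIVITIES[b] & access:
                hits.append((user.name, a, b))
    return hits


def false_positives(users, rules=SOD_RULES, today=TODAY):
    """Violations the raw snapshot reports but the filters remove."""
    raw = set(find_violations(users, rules, today, apply_filters=False))
    return raw - set(find_violations(users, rules, today, apply_filters=True))


def sample_users() -> List[User]:
    """Constructed users, responsibilities and menus; not real configuration."""
    enter_po = MenuEntry("Enter Purchase Orders", prompt="Purchase Orders")
    suppliers_ro = MenuEntry("Enter Suppliers", prompt="Suppliers (view)", parameters="QUERY_ONLY=YES")
    suppliers = MenuEntry("Enter Suppliers", prompt="Suppliers")
    purchasing = Responsibility("Purchasing Super User", "EBS", None, [enter_po, suppliers_ro])
    payables = Responsibility("Payables Manager", "EBS", None, [suppliers])
    cloud_sup = Responsibility("Supplier Administrator", "Cloud", None,
                               [MenuEntry("Manage Suppliers", prompt="Suppliers")])
    return [
        User("alice", None, [(purchasing, None), (cloud_sup, None)]),  # real cross-platform conflict
        User("bob", None, [(purchasing, None)]),  # supplier form is query-only: false positive
        User("carol", date(2016, 12, 31), [(purchasing, None), (payables, None)]),  # terminated, still in EBS
        User("dave", None, [(purchasing, None), (payables, date(2017, 1, 15))]),  # end-dated assignment
    ]
```

Cloud role privileges are modelled as menu entries for simplicity; the cross-platform rule can only fire when both platforms' access snapshots are loaded into the same evaluation.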
Case Study: Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across multiple ERP instances
Our Client
• Fortune 500 company, manufactures and distributes coatings, specialty materials, and glass products.
• Business runs on multiple Oracle EBS, SAP systems
• Over 40,000 employees world-wide
Challenges
• Replace multiple legacy systems with one ERP solution
• Improved Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor's reliance on ERP Access Controls Monitoring
Solutions
• SafePaaS Access Policy Manager
• SafePaaS iAccess User Provisioning
Results:
• Reduced ERP SOD Remediation time by identifying and eliminating 80% False Positives, resulting in over $50,000 annual cost savings in Audit and Remediation Costs
• Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
• Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users.
Q & A
Sign-up for FREE 30 Days Evaluation: register online to try out SafePaaS

More Related Content

PDF
Reduce sod access violations with effective roles management techniques
PDF
FulcrumWay - Ed. Webinar - Role & Responsibility Design Techniques that Stren...
PDF
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
PDF
Oracle Scene Oct 2017
PDF
Oracle Scene Safeguard your Business
PDF
VMware HIPAA SDDC-EUC Product Applicability Guide Final
PDF
Mobile application management (mam) in enterprise management
PPTX
Federal Grade Security with Mocana
Reduce sod access violations with effective roles management techniques
FulcrumWay - Ed. Webinar - Role & Responsibility Design Techniques that Stren...
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
Oracle Scene Oct 2017
Oracle Scene Safeguard your Business
VMware HIPAA SDDC-EUC Product Applicability Guide Final
Mobile application management (mam) in enterprise management
Federal Grade Security with Mocana

Similar to Identify and monitoring multi-platform and cross-platform access control (20)

PDF
FulcrumWay - Planning to Implement, Upgrade or Deploy a New ERP System?
PDF
Webinar feb 16 2017 Learn to Streamline User Provisioning process in Oracle A...
PDF
Learn the latest trends and tools to help you id and remediate SOD
PPTX
Reduce License costs and increase security in Oracle Applications
PPS
FulcrumWay GRC Solutions
PDF
FulcrumWay - Effective Ways to Assess ERP Controls 2014
PPTX
Architecting in the Cloud: Choosing the Right Technologies for your Solution
PDF
FulcrumWay - Plug Your Top Revenue Drains in Order to Cash Cycle
PPTX
Sroaug October 27 2017 Learn to Streamline User Provisioning in Oracle Apps
PPTX
Oracle Access Management - Customer presentation
PDF
Salesforce platform session 2
PDF
Advanced Controls access and user security for superusers con8824
PPTX
Heroku Introduction: Scaling customer facing apps & services
PPTX
FulcrumWay - Implement Effective Access Controls within your Oracle ERP System
PPTX
Webinar May 24 2017 Modern Audit Methods
PPTX
Coding in the App Cloud
PDF
DevOps for Highly Regulated Environments
PDF
IPO Readiness SOX Sod
PDF
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
FulcrumWay - Planning to Implement, Upgrade or Deploy a New ERP System?
Webinar feb 16 2017 Learn to Streamline User Provisioning process in Oracle A...
Learn the latest trends and tools to help you id and remediate SOD
Reduce License costs and increase security in Oracle Applications
FulcrumWay GRC Solutions
FulcrumWay - Effective Ways to Assess ERP Controls 2014
Architecting in the Cloud: Choosing the Right Technologies for your Solution
FulcrumWay - Plug Your Top Revenue Drains in Order to Cash Cycle
Sroaug October 27 2017 Learn to Streamline User Provisioning in Oracle Apps
Oracle Access Management - Customer presentation
Salesforce platform session 2
Advanced Controls access and user security for superusers con8824
Heroku Introduction: Scaling customer facing apps & services
FulcrumWay - Implement Effective Access Controls within your Oracle ERP System
Webinar May 24 2017 Modern Audit Methods
Coding in the App Cloud
DevOps for Highly Regulated Environments
IPO Readiness SOX Sod
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Ad

Recently uploaded (20)

PPTX
Essential Infomation Tech presentation.pptx
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
PDF
medical staffing services at VALiNTRY
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PDF
PTS Company Brochure 2025 (1).pdf.......
PDF
System and Network Administration Chapter 2
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PDF
Design an Analysis of Algorithms I-SECS-1021-03
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PDF
Design an Analysis of Algorithms II-SECS-1021-03
PPTX
Operating system designcfffgfgggggggvggggggggg
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PPTX
ai tools demonstartion for schools and inter college
PPTX
Introduction to Artificial Intelligence
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
Essential Infomation Tech presentation.pptx
Odoo POS Development Services by CandidRoot Solutions
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
medical staffing services at VALiNTRY
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
wealthsignaloriginal-com-DS-text-... (1).pdf
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PTS Company Brochure 2025 (1).pdf.......
System and Network Administration Chapter 2
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
Design an Analysis of Algorithms I-SECS-1021-03
Wondershare Filmora 15 Crack With Activation Key [2025
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Design an Analysis of Algorithms II-SECS-1021-03
Operating system designcfffgfgggggggvggggggggg
Odoo Companies in India – Driving Business Transformation.pdf
ai tools demonstartion for schools and inter college
Introduction to Artificial Intelligence
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
Ad

Identify and monitoring multi-platform and cross-platform access control

  • 1. Leverage Technology: Move Your Business Forward™ Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics A Leader in Risk Based Enterprise Controls Management Solutions Copyright ©. Fulcrum Information Technology, Inc.Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes ID and Monitoring Multi-Platform and Cross-Platform Access Control Jeffrey T. Hare, CPA CISA CIA Eduardo Garibaldi, Director of Global Risk Advisory
  • 2. www.fulcrumway.comPage 2Copyright © FulcrumWay Introductions Identifying and Monitoring Multi-Platform and Cross- Platform Access Control Risks Segregation of Duties Overview SoD Analysis False Positives and Exceptions Remediation Approach Q&A Agenda
  • 3. www.fulcrumway.comPage 3Copyright © FulcrumWay FulcrumWay Clients Over 250 engagements Successful Track Record Government Oil and Gas Healthcare Communications Financial Services Transportation Natural ResourcesManufacturing Retail High TechMedia/Entertainment Life Sciences
  • 4. www.fulcrumway.comPage 4Copyright © FulcrumWay FulcrumWay™ Insight Global Thought Leadership Oracle Cloud – London – Feb 1-2 GRC Round Table, London, UK Educational Webinar – Feb 17th – Self Service User Provisioning Educational Webinar – Mar 23rd – Continuous Controls Monitoring Oracle Cloud – Australia – March – GRC Round Table, Sydney, Australia Collaborate 17 – April 2-6 Las Vegas GRC Open House Oracle Open World – October 1-5 – Mascone West, San Francisco, CA Gitex – October 8-12 – GRC Round Table, Dubai UAE Oracle UK Users Group – December – GRC Round Table, Birmingham, UK Oracle Connect Africa – October – GRC Round Table, South Africa Proven Expertise
  • 5. www.fulcrumway.comPage 5Copyright © FulcrumWay Introductions Identifying and Monitoring Multi-Platform and Cross- Platform Access Control Risks Segregation of Duties Overview SoD Analysis False Positives and Exceptions Remediation Approach Q&A Agenda
  • 6. www.fulcrumway.comPage 6Copyright © FulcrumWay Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks Most organizations have multiple software applications to help run their business. Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective. Hear from industry expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and multi-platform control risks and how organizations can mature their control environment through necessary manual controls, monitoring controls, and access controls.
  • 7. www.fulcrumway.comPage 7Copyright © FulcrumWay Scenario 1: Multi-platform risks across Oracle E- Business Suite and Hyperion Organization uses Oracle E-Business Suite for core applications and Hyperion for budgeting and consolidations Scenario 1
  • 8. www.fulcrumway.comPage 8Copyright © FulcrumWay Risks Across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Using Journal Approval Workflow that now leverages AME. All ‘manual JEs’ are required to go through the journal approval workflow process Hyperion JEs can be entered and posted by anyone Manual controls of JEs (outside system) Budgeting Consolidations Multi-platform
  • 9. www.fulcrumway.comPage 9Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite SoD Conflicts: Enter Journals vs Journal Sources Enter Journals vs Journal Authorization Limits Enter Journals vs Profile Option Values Enter Journals vs AME Setups Enter Journals vs Accounting Setup Manager Hyperion SoD Conflicts Enter Budgets vs Maintain Budget Approvers Multi-platform
  • 10. www.fulcrumway.comPage 10Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Sensitive Access Risks: Journal Sources Journal Authorization Limits Profile Option Values AME Setups Budget Setups Journal Import Correction Accounting Setup Manager Hyperion Sensitive Access Risks: Define Budget Budget Approvers Consolidation Setups Enter Journals Multi-platform
  • 11. www.fulcrumway.comPage 11Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Operational Sensitive Access Risks: Enter Journals Post Journals Chart of Account maintenance (Flexfield Values) AutoPost Hyperion Operational Sensitive Access Risks: None Multi-platform
  • 12. www.fulcrumway.comPage 12Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Other Notes: Further discussion on how Mass Allocations and Recurring Journals are handled Assumption is Journal Approval workflow is properly configured Hyperion Operational Sensitive Access Risks: None Multi-platform
  • 13. www.fulcrumway.comPage 13Copyright © FulcrumWay Scenario 2: Cross-platform risks across Oracle E-Business Suite and Oracle ERP Cloud Organization uses Oracle E-Business Suite for core applications (less Requisitions) and Oracle ERP Cloud (Fusion) for Requisitions Scenario 2
  • 14. www.fulcrumway.comPage 14Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Activities within EBS Segregating JEs – Enter vs Post Approved Reqs are converted to POs POs are updated manually since ERP Cloud doesn’t support PO updates Suppliers i/f’d from ERP Cloud Oracle ERP Cloud Activities within ERP Cloud: JEs not allowed Approved Requisitions are interfaced to EBS Suppliers are interfaced to EBS Multi-platform
  • 15. www.fulcrumway.comPage 15Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Sensitive Access Risks: Suppliers (none s/b entered) AutoCreate Docs Buyers Purchase Orders PO Setups – Document Types PO Approval Setups Payables Options Oracle ERP Cloud Sensitive Access Risks: Suppliers Requisition Approval Setup Requisition Setups – Document Types Multi-platform
  • 16. www.fulcrumway.comPage 16Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite SoD Conflicts: PO’s vs Enter Goods Receipts Enter Suppliers vs Enter PO’s PO’s vs PO Options Suppliers vs Payables Options PO’s vs Buyers Oracle ERP Cloud SoD Conflicts: Requisitions vs Requisition Approval Setup Enter Suppliers vs Requisitions Multi-platform
  • 17. www.fulcrumway.comPage 17Copyright © FulcrumWay Risks across Oracle E-Business Suite and Hyperion Oracle E-Business Suite Cross Platform SoD Conflicts: Enter PO’s(EBS) Oracle ERP Cloud Cross Platform SoD Conflicts: Enter Suppliers (Cloud) Multi-platform
  • 18. www.fulcrumway.comPage 18Copyright © FulcrumWay Introductions Identifying and Monitoring Multi-Platform and Cross- Platform Access Control Risks Segregation of Duties Overview SoD Analysis False Positives and Exceptions Remediation Approach Q&A Agenda
  • 19. www.fulcrumway.comPage 19Copyright © FulcrumWay Are you ready for the Segregation of Duties Audit?SoD Overview
  • 20. www.fulcrumway.comPage 20Copyright © FulcrumWay The Big PictureSafePaaS MonitorPaaS ProcessPaaS/DocumentPaaS Operations Management RiskPaaS Risk Library KRI ManagerPolicy Manager Process Definition Workflow Business Rules Audit Manager Audit Planner Compliance Manager Master Data Monitor DataProbeIntegrationServices Risk Assessments AuditPaaS Transaction Monitor App Configuration Monitor Rules Repository Access Monitor SOD Policy Monitor Roles Manager AccessPaaS iAccess Policy based provisioning Issue Manager Survey Manager Enterprise Risk Management Continuous Controls Monitoring Financial Governance Audit and Compliance Automation IT Governance
  • 21. www.fulcrumway.comPage 21Copyright © FulcrumWay Multi-platform
  • 22. www.fulcrumway.comPage 22Copyright © FulcrumWay Responsibility Form Complicated Security Model Contains many overriding security attributes Menu Function User Evaluate User Access • Test by User • Test by Privilege Manage Segregation of Duties • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets SoD Overview
  • 23. www.fulcrumway.comPage 23Copyright © FulcrumWay Roles Hyperion Security Model High Risk of SOD Issues Groups Functions User Security Class SoD Overview Evaluate User Access • Test by User • Test by Privilege Manage Segregation of Duties • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets
  • 24. www.fulcrumway.comPage 24Copyright © FulcrumWay Role Page PeopleSoft Security Model High Risk of SOD Issues Permission List Menu User Profile Component SoD Overview Evaluate User Access • Test by User • Test by Privilege Manage Segregation of Duties • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets
  • 25. www.fulcrumway.comPage 25Copyright © FulcrumWay JD Edwards Security Model High Risk of SOD Issues Evaluate User Access • Test by User • Test by Privilege Manage Segregation of Duties • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets Roles Menu / Task User Form Application Versions Report Versions SoD Overview
  • 26. www.fulcrumway.comCopyright © FulcrumWay Access/SOD Risk Based Detect SOD/Policy Violations Analyze Violations Correct Role Access Monitor Violation Incidents Application Security Model Application Security Snapshot Exceptions Correct User Access App Control Owners/ IS SecurityIS Security/ Audit/Compliance Control Owners/ IS Security Application Test Environment Access AnalyticsRules Manager Action Workflow Application Administrator SOD Overview Violations ManagerDataProbe ETL Corrective Actions Dashboard Application Access Rules Roles Manager
  • 27. www.fulcrumway.comPage 27Copyright © FulcrumWay SoD Rule Consists of Business Activities Made Up of FunctionsSoD Overview
• 28. Agenda: SoD Analysis
• 29. SoD Analysis: Validate Access Risks and Verify the Security Model
• Use dashboards and report filters to analyze risks
• Identify SoD rule violations and analyze issues using the Violation Score Card
• Drill down into Responsibility and User violations by Operating Unit and Module
• 30. SoD Analysis: Violations by User and Responsibility
• Responsibility with SoD conflict
• User with SoD conflict
• Example conflict: access to the Supplier form combined with access to the Invoice Approval page
• 31. SoD Analysis: Responsibility Configuration
• 32. SoD Analytics: Download in Excel for further review
• 33. Agenda: False Positives and Exceptions
• 34. What Are False Positives? Users and Responsibilities (inherent false positives)
• Inactive Users
• Expired Users
• Terminated Employees still active in EBS
• End-Dated Users
• End-Dated Responsibility Assignments
• Menus without Prompts
• 35. What Are False Positives? Oracle Menus (inherent false positives)
A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the Navigator. It does not necessarily define the functions the responsibility can access; those are determined by what is granted.
• Without the Grant flag, the user cannot access the sub-menu or function, so a conflict reported on such an entry is an inherent false positive.
• A menu entry without a prompt is not shown in the Navigator, so the user cannot see it or navigate to it. The caveat: an entry with no prompt but with the Grant flag set is still granted, so a hidden function that another form can invoke remains a real conflict. Only entries that are both unprompted and ungranted can be filtered out safely.
• 39. Global False Positives: False+ Checklist
Items to filter, as listed on the checklist:
• Form Extensions
• Table Audit
• Conditional Function Access
• Data Access
• Function Access
• Read-Only Access
• Function Limits
• Menu Access: Menu / Sub-Menu / Grants / Prompts
• Data / Function Access Disabled
• Oracle Responsibility Access Enabled
• Oracle Responsibility Access Read-Only
• RBAC (Role Based Access Control) Access
• Ledger Data Access
• Custom Forms/Pages
• Ledger Set Access
• Multi-Org Access
• IT Support Access
• Menu Grant Flag: User Access to Sub-Menu
• Inactive Users
• Privileged User (Interface, etc.)
• User Responsibility Access
• Inactive User Responsibility Access
• Active User Access Enabled
• Form Customization
• Data Access Group (Shared Services)
• GL Access Limit
• Operating Unit Access
• Oracle Security Profile
• 40. Agenda: Remediation Approach
• 41. Approach: System Filters (False+ Filters)
Filter dimensions shown: User, Role, OU, Form, Profile; example filters: Data Security, Read-Only, Custom, INV.

Filter           Type    Condition       Result
Inactive User    Global  End-Date        Users
Inactive Role    Global  End-Date        Roles
Business Unit    Global  Org Name        Organization
View Only        Local   Function Path   Functions
Data Security    Local   Data Group      Groups
Personalization  Local   Form/Page       Forms
• 42. Approach: Remove Inherent False Positives
Use global conditions to filter "inherent" false positives such as:
• Inactive Users
• Inactive Responsibilities
• Read-only Access
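As an added worked example (not FulcrumWay or SafePaaS code, and not an Oracle API), the rule-to-activity-to-function structure from the SoD Overview and the inherent false-positive filters above, run over a constructed Oracle EBS-style access model. Every user, responsibility, menu and function name is a hypothetical placeholder; the one real convention borrowed is the QUERY_ONLY=YES form-function parameter, which is how EBS marks a read-only form. The example tests by responsibility and by user, follows the Grant flag through sub-menus (a granted entry with no prompt still counts), and drops end-dated users, end-dated responsibility assignments, end-dated responsibilities and read-only functions before reporting:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed Oracle EBS-style access model; every user, responsibility, menu and
# function name here is a hypothetical placeholder, not a real EBS object.


@dataclass(frozen=True)
class MenuEntry:
    grant: bool                    # Grant flag cleared: the entry is not granted at all
    prompt: Optional[str] = None   # no prompt: hidden from the Navigator but still granted
    function: Optional[str] = None
    submenu: Optional[str] = None


# Rule -> business activities -> functions, the rule structure the deck describes.
ACTIVITIES = {
    "Supplier Maintenance": {"SUPPLIER_ENTRY"},
    "Invoice Approval": {"INVOICE_APPROVAL", "INVOICE_APPROVAL_QUERY"},
    "Invoice Entry": {"INVOICE_ENTRY"},
}
RULES = [  # (rule name, activity A, activity B)
    ("Supplier Maintenance vs Invoice Approval", "Supplier Maintenance", "Invoice Approval"),
    ("Supplier Maintenance vs Invoice Entry", "Supplier Maintenance", "Invoice Entry"),
]

MODEL = {
    "users": {"jdoe": None, "tsmith": date(2016, 6, 30), "mlee": None, "rkim": None, "pwong": None},
    "responsibilities": {  # name -> (menu, end date); AP_LEGACY is end-dated
        "AP_SUPER": ("AP_SUPER_MENU", None), "AP_INQUIRY": ("AP_INQUIRY_MENU", None),
        "AP_CLERK": ("AP_CLERK_MENU", None), "AP_LEGACY": ("AP_SUPER_MENU", date(2016, 12, 31)),
    },
    "menus": {
        "AP_SUPER_MENU": [MenuEntry(True, "Suppliers", function="SUPPLIER_ENTRY"),
                          MenuEntry(True, "Invoices", submenu="AP_INVOICE_MENU")],
        "AP_INVOICE_MENU": [MenuEntry(True, None, function="INVOICE_APPROVAL")],  # hidden, granted
        "AP_INQUIRY_MENU": [MenuEntry(True, "Suppliers", function="SUPPLIER_ENTRY"),
                            MenuEntry(True, "Approvals", function="INVOICE_APPROVAL_QUERY")],
        "AP_CLERK_MENU": [MenuEntry(True, "Invoices", function="INVOICE_ENTRY"),
                          MenuEntry(False, "Suppliers", submenu="AP_SUPPLIER_MENU")],  # not granted
        "AP_SUPPLIER_MENU": [MenuEntry(True, "Suppliers", function="SUPPLIER_ENTRY")],
    },
    "functions": {  # function -> form parameters; QUERY_ONLY=YES marks a read-only form
        "SUPPLIER_ENTRY": {}, "INVOICE_APPROVAL": {}, "INVOICE_ENTRY": {},
        "INVOICE_APPROVAL_QUERY": {"QUERY_ONLY": "YES"},
    },
    "assignments": [  # (user, responsibility, end date)
        ("jdoe", "AP_SUPER", None), ("tsmith", "AP_SUPER", None),  # tsmith is terminated
        ("mlee", "AP_INQUIRY", None), ("mlee", "AP_LEGACY", None),
        ("rkim", "AP_CLERK", None), ("rkim", "AP_SUPER", date(2017, 1, 15)),  # end-dated
        ("pwong", "AP_INQUIRY", None), ("pwong", "AP_CLERK", None),
    ],
}
AS_OF = date(2017, 3, 1)


def is_active(end_date: Optional[date], as_of: date) -> bool:
    return end_date is None or end_date > as_of


def granted_functions(model: dict, menu: str, seen: Optional[set] = None) -> set:
    """Functions reachable through Grant-flagged entries, with or without a prompt."""
    seen = set() if seen is None else seen
    if menu in seen:  # guard against cyclic sub-menu references
        return set()
    seen.add(menu)
    found = set()
    for entry in model["menus"].get(menu, []):
        if not entry.grant:
            continue  # neither the function nor anything under the sub-menu is granted
        if entry.function:
            found.add(entry.function)
        if entry.submenu:
            found |= granted_functions(model, entry.submenu, seen)
    return found


def conflicts(functions: set, rules: list) -> list:
    """(rule, side A functions, side B functions) for every rule with both sides reachable."""
    hits = []
    for name, act_a, act_b in rules:
        side_a, side_b = functions & ACTIVITIES[act_a], functions & ACTIVITIES[act_b]
        if side_a and side_b:
            hits.append((name, sorted(side_a), sorted(side_b)))
    return hits


def analyze(model: dict, rules: list, as_of: date) -> tuple:
    """Violations by responsibility and by user, with inherent false positives removed."""
    resp_functions = {}
    for name, (menu, end_date) in model["responsibilities"].items():
        if is_active(end_date, as_of):  # skip end-dated responsibilities
            resp_functions[name] = {f for f in granted_functions(model, menu)
                                    if model["functions"].get(f, {}).get("QUERY_ONLY") != "YES"}
    user_functions = {}
    for user, resp, end_date in model["assignments"]:
        if user not in model["users"] or not is_active(model["users"][user], as_of):
            continue  # inactive, expired or terminated user
        if not is_active(end_date, as_of) or resp not in resp_functions:
            continue  # end-dated assignment, or responsibility filtered above
        user_functions.setdefault(user, set()).update(resp_functions[resp])
    by_resp = {n: conflicts(f, rules) for n, f in resp_functions.items() if conflicts(f, rules)}
    by_user = {u: conflicts(f, rules) for u, f in user_functions.items() if conflicts(f, rules)}
    return by_resp, by_user
```

Calling analyze(MODEL, RULES, AS_OF) flags AP_SUPER as the only conflicting responsibility, because its hidden but granted Invoice Approval entry sits next to the Supplier form; jdoe violates through that responsibility. pwong is caught only by the test-by-user pass: the supplier and invoice-entry functions come from two responsibilities that are each clean on their own. tsmith's terminated account and rkim's end-dated AP_SUPER assignment are dropped as inherent false positives instead of being reported, and AP_INQUIRY is clean because its approval form is QUERY_ONLY.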
• 43. Agenda: Case Study and Q&A
• 44. Case Study: Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across Multiple ERP Instances
Our Client: a Fortune 500 company that manufactures and distributes coatings, specialty materials and glass products. The business runs on multiple Oracle EBS and SAP systems, with over 40,000 employees worldwide.
Challenges
• Replace multiple legacy systems with one ERP solution
• Improve Segregation of Duty controls within mission-critical applications
• Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
• Increase the external auditor's reliance on ERP access controls monitoring
Solutions
• SafePaaS Access Policy Manager
• SafePaaS iAccess User Provisioning
Results
• Reduced ERP SoD remediation time by identifying and eliminating 80% of false positives, resulting in over $50,000 in annual audit and remediation cost savings
• Created over 100 Segregation of Duty compliant roles by business segment within two weeks, from FulcrumWay Role Templates in the controls catalog
• Lowered ERP total cost of ownership by reducing SoD remediation time and costs, ensuring that all users are assigned only pre-approved roles
• Reduced SoD and access controls testing time by providing auditors with access log reports showing all Update, Review and Approve role design changes
• Accelerated ERP access approval time by identifying valid SoD conflicts before roles are assigned to users
• 45. Q&A: Sign up for a free 30-day evaluation. Register online to try out SafePaaS.