Identifying and Monitoring Multi-Platform and Cross-Platform Access Control

Posted on 22-Jan-2018

TRANSCRIPT

Page 1: Identify and monitoring multi-platform and cross-platform access control

Leverage Technology: Move Your Business Forward™

Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright © Fulcrum Information Technology, Inc. "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes

ID and Monitoring Multi-Platform and Cross-Platform Access Control

Jeffrey T. Hare, CPA CISA CIA

Eduardo Garibaldi, Director of Global Risk Advisory

Page 2

Agenda

Introductions
Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks
Segregation of Duties Overview
SoD Analysis
False Positives and Exceptions
Remediation Approach
Q&A

Page 3

FulcrumWay Clients: over 250 engagements, successful track record

Industries: Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences

Page 4

FulcrumWay™ Insight: Global Thought Leadership, Proven Expertise

Oracle Cloud - London - Feb 1-2 - GRC Round Table, London, UK
Educational Webinar - Feb 17th - Self Service User Provisioning
Educational Webinar - Mar 23rd - Continuous Controls Monitoring
Oracle Cloud - Australia - March - GRC Round Table, Sydney, Australia
Collaborate 17 - April 2-6 - Las Vegas, GRC Open House
Oracle Open World - October 1-5 - Moscone West, San Francisco, CA
Gitex - October 8-12 - GRC Round Table, Dubai, UAE
Oracle UK Users Group - December - GRC Round Table, Birmingham, UK
Oracle Connect Africa - October - GRC Round Table, South Africa

Page 5

Agenda (repeat of Page 2)

Page 6

Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks

Most organizations run multiple software applications to support the business, and often several ERP and legacy applications are in scope from a compliance perspective. Hear from industry expert Jeffrey T. Hare, CPA CISA CIA, about common cross-platform and multi-platform control risks and how organizations can mature their control environment through the necessary manual controls, monitoring controls, and access controls.

Page 7

Scenario 1: Multi-platform risks across Oracle E-Business Suite and Hyperion

Organization uses Oracle E-Business Suite for core applications and Hyperion for budgeting and consolidations.

Page 8

Risks Across Oracle E-Business Suite and Hyperion (multi-platform)

Oracle E-Business Suite: Journal Approval Workflow, which now leverages AME (Approvals Management Engine). All 'manual JEs' are required to go through the journal approval workflow process.

Hyperion: JEs can be entered and posted by anyone. Manual controls over JEs (outside the system). Used for budgeting and consolidations.

Page 9

Risks across Oracle E-Business Suite and Hyperion (multi-platform)

Oracle E-Business Suite SoD Conflicts:
Enter Journals vs Journal Sources
Enter Journals vs Journal Authorization Limits
Enter Journals vs Profile Option Values
Enter Journals vs AME Setups
Enter Journals vs Accounting Setup Manager

Hyperion SoD Conflicts:
Enter Budgets vs Maintain Budget Approvers

Page 10

Risks across Oracle E-Business Suite and Hyperion (multi-platform)

Oracle E-Business Suite Sensitive Access Risks:
Journal Sources
Journal Authorization Limits
Profile Option Values
AME Setups
Budget Setups
Journal Import Correction
Accounting Setup Manager

Hyperion Sensitive Access Risks:
Define Budget
Budget Approvers
Consolidation Setups
Enter Journals

Page 11

Risks across Oracle E-Business Suite and Hyperion (multi-platform)

Oracle E-Business Suite Operational Sensitive Access Risks:
Enter Journals
Post Journals
Chart of Accounts maintenance (Flexfield Values)
AutoPost

Hyperion Operational Sensitive Access Risks:
None

Page 12

Risks across Oracle E-Business Suite and Hyperion (multi-platform)

Oracle E-Business Suite Other Notes:
Further discussion needed on how Mass Allocations and Recurring Journals are handled
Assumption is that the Journal Approval workflow is properly configured

Hyperion Operational Sensitive Access Risks:
None

Page 13

Scenario 2: Cross-platform risks across Oracle E-Business Suite and Oracle ERP Cloud

Organization uses Oracle E-Business Suite for core applications (less Requisitions) and Oracle ERP Cloud (Fusion) for Requisitions.

Page 14

Risks across Oracle E-Business Suite and Oracle ERP Cloud (cross-platform)

Oracle E-Business Suite activities within EBS:
Segregating JEs - Enter vs Post
Approved Reqs are converted to POs
POs are updated manually since ERP Cloud doesn't support PO updates
Suppliers interfaced from ERP Cloud

Oracle ERP Cloud activities within ERP Cloud:
JEs not allowed
Approved Requisitions are interfaced to EBS
Suppliers are interfaced to EBS

Page 15

Risks across Oracle E-Business Suite and Oracle ERP Cloud (cross-platform)

Oracle E-Business Suite Sensitive Access Risks:
Suppliers (none should be entered in EBS)
AutoCreate Docs
Buyers
Purchase Orders
PO Setups - Document Types
PO Approval Setups
Payables Options

Oracle ERP Cloud Sensitive Access Risks:
Suppliers
Requisition Approval Setup
Requisition Setups - Document Types

Page 16

Risks across Oracle E-Business Suite and Oracle ERP Cloud (cross-platform)

Oracle E-Business Suite SoD Conflicts:
POs vs Enter Goods Receipts
Enter Suppliers vs Enter POs
POs vs PO Options
Suppliers vs Payables Options
POs vs Buyers

Oracle ERP Cloud SoD Conflicts:
Requisitions vs Requisition Approval Setup
Enter Suppliers vs Requisitions

Page 17

Risks across Oracle E-Business Suite and Oracle ERP Cloud (cross-platform)

Cross-Platform SoD Conflict: Enter POs (EBS) vs Enter Suppliers (Cloud)
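The cross-platform pair on this page (Enter POs in EBS vs Enter Suppliers in ERP Cloud), like the single-platform pairs on pages 9 and 16, can only be found once entitlements from both systems are joined on one identity for the person; each platform's own SoD report sees half of the conflict. The following Python is an added example written for this edit, not FulcrumWay's or Oracle's code. The users, responsibilities, roles, the e-mail linkage and the rule list are constructed for illustration, and the EBS function names (PO_POXPOEPO and the like) and Cloud privilege names (POZ_CREATE_SUPPLIER_PRIV and the like) are illustrative and should be checked against your own FND_FORM_FUNCTIONS and role catalog. Rules are modelled the way page 27 describes them: a business activity is a set of functions, and a rule is a pair of activities one person must not hold together.

```python
"""Cross-platform SoD detection: join entitlements from two applications on one
person identity, then evaluate activity-pair rules.  Added example; all names and
extracts below are constructed, not real customer or Oracle data."""
from collections import defaultdict

# ---- Extract from Oracle EBS (constructed): user -> responsibilities -> form functions
EBS_USER_EMAIL = {"JSMITH": "j.smith@example.com",
                  "AJONES": "a.jones@example.com",
                  "MLEE": "m.lee@example.com"}
EBS_USER_RESPS = {"JSMITH": ["Purchasing Super User"],
                  "AJONES": ["General Ledger Super User"],
                  "MLEE": ["Receiving Clerk"]}
EBS_RESP_FUNCTIONS = {   # function names illustrative; verify in FND_FORM_FUNCTIONS
    "Purchasing Super User": {"PO_POXPOEPO", "PO_POXRCERC"},      # Enter PO, Enter Receipts
    "General Ledger Super User": {"GL_GLXJEENT", "GL_GLXSTSRC"},  # Enter Journals, Journal Sources
    "Receiving Clerk": {"PO_POXRCERC"},
}

# ---- Extract from Oracle ERP Cloud (constructed): user -> roles -> privileges
CLOUD_USER_EMAIL = {"john.smith": "j.smith@example.com", "mary.lee": "m.lee@example.com"}
CLOUD_USER_ROLES = {"john.smith": ["Supplier Administrator"],
                    "mary.lee": ["Procurement Requester"]}
CLOUD_ROLE_PRIVS = {"Supplier Administrator": {"POZ_CREATE_SUPPLIER_PRIV"},
                    "Procurement Requester": {"POR_CREATE_REQUISITION_PRIV"}}

# ---- Rule set: a business activity is a set of (platform, function); holding any
#      one of them means the person can perform the activity.
ACTIVITIES = {
    "Enter PO":            {("EBS", "PO_POXPOEPO")},
    "Enter Goods Receipt": {("EBS", "PO_POXRCERC")},
    "Enter Journals":      {("EBS", "GL_GLXJEENT")},
    "Journal Sources":     {("EBS", "GL_GLXSTSRC")},
    "Enter Suppliers":     {("CLOUD", "POZ_CREATE_SUPPLIER_PRIV")},
    "Enter Requisition":   {("CLOUD", "POR_CREATE_REQUISITION_PRIV")},
}
RULES = [                                      # activity pairs that must not meet in one person
    ("Enter PO", "Enter Goods Receipt"),       # page 16, EBS only
    ("Enter Journals", "Journal Sources"),     # page 9, EBS only
    ("Enter Suppliers", "Enter PO"),           # page 17, spans Cloud and EBS
    ("Enter Suppliers", "Enter Requisition"),  # page 16, Cloud only
]


def build_person_entitlements():
    """Return {email: {(platform, function): [(account, role_or_resp), ...]}}.
    Keying on a shared attribute (here e-mail) is what turns a person's two accounts
    into one subject; without it each platform reports only its own half."""
    ents = defaultdict(lambda: defaultdict(list))
    for user, resps in EBS_USER_RESPS.items():
        for resp in resps:
            for fn in EBS_RESP_FUNCTIONS[resp]:
                ents[EBS_USER_EMAIL[user]][("EBS", fn)].append((user, resp))
    for user, roles in CLOUD_USER_ROLES.items():
        for role in roles:
            for priv in CLOUD_ROLE_PRIVS[role]:
                ents[CLOUD_USER_EMAIL[user]][("CLOUD", priv)].append((user, role))
    return ents


def activities_held(held_functions):
    """Activities a person can perform given the (platform, function) pairs they hold."""
    return {act for act, funcs in ACTIVITIES.items() if funcs & held_functions}


def find_violations(ents):
    """Evaluate every rule for every person; keep the access path for remediation."""
    violations = []
    for email, held in ents.items():
        acts = activities_held(set(held))
        for a, b in RULES:
            if a in acts and b in acts:
                platforms = {p for act in (a, b) for (p, fn) in ACTIVITIES[act] if (p, fn) in held}
                violations.append({
                    "person": email,
                    "rule": (a, b),
                    "cross_platform": len(platforms) > 1,
                    "via": {act: [path for fn in ACTIVITIES[act] if fn in held for path in held[fn]]
                            for act in (a, b)},
                })
    return violations


if __name__ == "__main__":
    for v in find_violations(build_person_entitlements()):
        tag = "CROSS-PLATFORM" if v["cross_platform"] else "single platform"
        print(f'{v["person"]}: {v["rule"][0]} vs {v["rule"][1]} [{tag}] via {v["via"]}')
```

Run as-is, the sample reports three violations: two for j.smith (the EBS-only PO vs receipts pair and the cross-platform suppliers vs PO pair) and one for a.jones in GL. The cross-platform one exists only because JSMITH in EBS and john.smith in ERP Cloud resolve to the same e-mail; in practice the join key should be an HR identifier, since e-mail and login formats drift between systems and a missed join silently hides the conflict.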

Page 18

Agenda (repeat of Page 2)

Page 19

SoD Overview: Are you ready for the Segregation of Duties Audit?

Page 20

The Big Picture: SafePaaS platform diagram. Component names recovered from the slide: MonitorPaaS; ProcessPaaS/DocumentPaaS (Operations Management); RiskPaaS (Risk Library, KRI Manager, Policy Manager); Process Definition; Workflow; Business Rules; Audit Manager; Audit Planner; Compliance Manager; Master Data Monitor; DataProbe Integration Services; Risk Assessments; AuditPaaS; Transaction Monitor; App Configuration Monitor; Rules Repository; Access Monitor; SOD Policy Monitor; Roles Manager; AccessPaaS (iAccess policy-based provisioning); Issue Manager; Survey Manager. Solution areas: Enterprise Risk Management, Continuous Controls Monitoring, Financial Governance, Audit and Compliance Automation, IT Governance.

Page 21

Multi-platform (diagram only)

Page 22

SoD Overview: Security model (Oracle E-Business Suite objects: User, Responsibility, Menu, Function, Form). Complicated security model; contains many overriding security attributes.

Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets

Page 23

SoD Overview: Hyperion Security Model (objects: User, Roles, Groups, Functions, Security Class). High risk of SOD issues.

Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets

Page 24

SoD Overview: PeopleSoft Security Model (objects: User Profile, Role, Permission List, Menu, Component, Page). High risk of SOD issues.

Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets

Page 25

SoD Overview: JD Edwards Security Model (objects: User, Roles, Menu / Task, Application Versions, Report Versions, Form). High risk of SOD issues.

Evaluate User Access: Test by User; Test by Privilege
Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets

Page 26

SOD Overview: Access/SOD risk-based process (diagram; labels recovered from the slide)
Steps: Detect SOD/Policy Violations; Analyze Violations; Correct Role Access; Correct User Access; Monitor Violation Incidents
Inputs: Application Security Model; Application Security Snapshot; Application Access Rules; Exceptions
Components: DataProbe ETL; Access Analytics; Rules Manager; Violations Manager; Roles Manager; Action Workflow; Corrective Actions; Dashboard; Application Test Environment
Actors: App Control Owners / IS Security; IS Security / Audit / Compliance; Control Owners / IS Security; Application Administrator

Page 27

SoD Overview: An SoD rule consists of business activities, each made up of functions.

Page 28

Agenda (repeat of Page 2)

Page 29

SOD Analysis: Validate Access Risks and Verify Security Model

Use dashboards and report filters to analyze risks. Identify SoD rule violations and analyze issues using the Violation Score Card. Drill down into Responsibility and User violations by OU and Module.

Page 30

SOD Analysis: Violations by User and Responsibility (screenshot; callouts: Responsibility with SOD conflict, User with SOD conflict, Access to Supplier form, Access to Invoice Approval page)

Page 31

SOD Analysis: Responsibility Configuration (screenshot)

Page 32

SOD Analytics: Download in Excel for further review (screenshot)

Page 33

Agenda (repeat of Page 2)

Page 34

What Are False Positives? Users and Responsibilities (inherent false positives)
Inactive users
Expired users
Terminated employees still active in EBS
End-dated users
End-dated responsibility assignments
Menus without prompts

Page 35

What Are False Positives? Oracle Menus (inherent false positives)

Without the Grant flag the user cannot access the sub-menu or function. A menu entry without a prompt prevents the user from seeing it and navigating to it.

A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility, which are granted.

Page 36

What Are False Positives? Oracle Functions (inherent false positives)

If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.

Page 37

What Are False Positives? Oracle Form Personalization (inherent false positives)

The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing builtins, displaying messages, and adding menu entries.

Page 38

What Are False Positives? Oracle Profile Options (inherent false positives)

A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.

Page 39

Global False Positives: False+ Checklist (grouped as on the slide)

Filter False+: Form Extensions; Table Audit; Conditional Function Access; Data Access; Function Access; Read-Only Access; Function Limits

Filter False+: Menu Access (Menu / Sub-Menu / Grants / Prompts); Data/Function Access; Disabled Oracle Responsibility Access; Enabled Oracle Responsibility Access; Read-Only RBAC Access; RBAC (Role Based Access Control)

Filter False+: Function Limits; Ledger Data Access; Custom Forms/Pages; Ledger Set Access; Multi-Org Access; IT Support Access; Menu Grant Flag

Filter False+: User Access to Sub-Menu; Inactive Users; Privileged User (Interface, etc.); User Responsibility Access Inactive; User Responsibility Access Active; User Access Enabled; Form Customization

Filter False+: Data Access Group (Shared Services); GL Access Limit; Operating Unit Access; Oracle Security Profile

Page 40

Agenda (repeat of Page 2)

Page 41

Approach: System Filters (False+ filters: Data Security, Read-Only, Custom; applied across Role, User, OU, Form and Profile)

Filter           Type    Condition      Results Excluded
Inactive User    Global  End-Date       Users
Inactive Role    Global  End-Date       Roles
Business Unit    Global  OrgName        Organization
View Only        Local   Function Path  Functions
Data Security    Local   Data Group     Groups
Personalization  Local   Form/Page      Forms

Page 42

Approach: Remove Inherent False Positives

Use global conditions to filter "inherent" false positives such as inactive users, inactive responsibilities, and read-only access.
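Pages 34 to 42 describe the inherent false positives (end-dated users and responsibility assignments, menu entries without the Grant flag or without a prompt, functions opened with QUERY_ONLY=YES) and the global and local filters of the page 41 table that remove them. The Python below is an added example for this edit, not SafePaaS or Oracle code. It loads an in-memory SQLite copy of six simplified Oracle EBS FND tables (the table names and the column subset follow the EBS data model as I know it and are an assumption to verify against your instance; real FND_RESPONSIBILITY and FND_USER_RESP_GROUPS rows also carry an application id, omitted here), walks each responsibility's menu tree with a recursive query, and applies the global filters in SQL and the local ones in Python. All rows, user names, responsibility keys and function names are constructed.

```python
"""Inherent false-positive filtering for Oracle EBS access analysis.
Added example on an in-memory SQLite copy of simplified FND tables; every row is
constructed and the table/column subset is an assumption to check against a
real instance (on Oracle, run the tree walk with CONNECT BY or a recursive WITH)."""
import sqlite3

ASOF = "2018-01-22"   # analysis date; end dates are compared against it

SCHEMA = """
CREATE TABLE fnd_user (user_id INTEGER, user_name TEXT, end_date TEXT);
CREATE TABLE fnd_user_resp_groups (user_id INTEGER, responsibility_id INTEGER, end_date TEXT);
CREATE TABLE fnd_responsibility (responsibility_id INTEGER, responsibility_key TEXT,
                                 menu_id INTEGER, end_date TEXT);
CREATE TABLE fnd_menu_entries (menu_id INTEGER, entry_sequence INTEGER, sub_menu_id INTEGER,
                               function_id INTEGER, grant_flag TEXT);
CREATE TABLE fnd_menu_entries_tl (menu_id INTEGER, entry_sequence INTEGER, prompt TEXT);
CREATE TABLE fnd_form_functions (function_id INTEGER, function_name TEXT, parameters TEXT);
"""
ROWS = {  # constructed: an active buyer, a terminated user, a user with an end-dated assignment
    "fnd_user": [(1, "JSMITH", None), (2, "TGONE", "2017-06-30"), (3, "AJONES", None)],
    "fnd_user_resp_groups": [(1, 100, None), (2, 100, None),
                             (3, 100, "2016-01-01"),     # end-dated responsibility assignment
                             (3, 200, None)],
    "fnd_responsibility": [(100, "PURCHASING_SUPER_USER", 10, None), (200, "GL_INQUIRY", 20, None)],
    "fnd_menu_entries": [(10, 1, 11, None, "Y"),      # granted sub-menu
                         (10, 2, None, 1001, "Y"),    # Enter PO
                         (11, 1, None, 1002, "Y"),    # Suppliers
                         (11, 2, None, 1003, "N"),    # Approve PO: on the menu, not granted
                         (11, 3, None, 1004, "Y"),    # Receipts: granted but no prompt
                         (20, 1, None, 1005, "Y")],   # Journals form opened query-only
    "fnd_menu_entries_tl": [(10, 1, "Purchasing"), (10, 2, "Purchase Orders"), (11, 1, "Suppliers"),
                            (11, 2, "Approve"), (11, 3, None), (20, 1, "Journals Inquiry")],
    "fnd_form_functions": [(1001, "PO_POXPOEPO", None), (1002, "AP_APXVDMVD", None),
                           (1003, "PO_POXPOAPP", None), (1004, "PO_POXRCERC", None),
                           (1005, "GL_GLXJEENT_INQ", "QUERY_ONLY=YES")],   # names illustrative
}

# Walk each responsibility's menu tree; do not descend through sub-menus that are not
# granted ("without Grant flag the user cannot access the sub-menu", page 35).
# The outer WHERE holds the three global filters of the page 41 table.
TREE_SQL = """
WITH RECURSIVE tree(responsibility_id, sub_menu_id, function_id, grant_flag, prompt, depth) AS (
    SELECT r.responsibility_id, e.sub_menu_id, e.function_id, e.grant_flag, t.prompt, 1
      FROM fnd_responsibility r
      JOIN fnd_menu_entries e ON e.menu_id = r.menu_id
      LEFT JOIN fnd_menu_entries_tl t ON t.menu_id = e.menu_id AND t.entry_sequence = e.entry_sequence
    UNION ALL
    SELECT tr.responsibility_id, e.sub_menu_id, e.function_id, e.grant_flag, t.prompt, tr.depth + 1
      FROM tree tr
      JOIN fnd_menu_entries e ON e.menu_id = tr.sub_menu_id
      LEFT JOIN fnd_menu_entries_tl t ON t.menu_id = e.menu_id AND t.entry_sequence = e.entry_sequence
     WHERE tr.sub_menu_id IS NOT NULL AND tr.grant_flag = 'Y' AND tr.depth < 20
)
SELECT u.user_name, r.responsibility_key, f.function_name, tr.grant_flag, tr.prompt, f.parameters
  FROM tree tr
  JOIN fnd_form_functions f   ON f.function_id = tr.function_id
  JOIN fnd_responsibility r   ON r.responsibility_id = tr.responsibility_id
  JOIN fnd_user_resp_groups g ON g.responsibility_id = r.responsibility_id
  JOIN fnd_user u             ON u.user_id = g.user_id
 WHERE tr.function_id IS NOT NULL
   AND (u.end_date IS NULL OR u.end_date > :asof)   -- inactive / end-dated users
   AND (g.end_date IS NULL OR g.end_date > :asof)   -- end-dated responsibility assignments
   AND (r.end_date IS NULL OR r.end_date > :asof)   -- end-dated responsibilities
"""


def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn


def raw_user_functions(conn, asof=ASOF):
    """Functions reachable per user after the global filters only."""
    cur = conn.execute(TREE_SQL, {"asof": asof})
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def classify(row):
    """Local filters from pages 35-36: grant flag, prompt, QUERY_ONLY parameter."""
    row = dict(row)
    row["granted"] = row["grant_flag"] == "Y"
    row["navigable"] = bool(row["prompt"])
    row["read_only"] = "QUERY_ONLY=YES" in (row["parameters"] or "").replace(" ", "").upper()
    return row


def effective_access(conn, asof=ASOF, drop_hidden=True, drop_read_only=True):
    """Entitlements left after the global and local false-positive filters."""
    kept = []
    for row in map(classify, raw_user_functions(conn, asof)):
        if not row["granted"] or (drop_hidden and not row["navigable"]) \
                or (drop_read_only and row["read_only"]):
            continue
        kept.append(row)
    return kept


if __name__ == "__main__":
    db = load_sample_db()
    print(len(raw_user_functions(db)), "rows after global filters")
    for r in effective_access(db):
        print(r["user_name"], r["responsibility_key"], r["function_name"])
```

On the sample, the global filters leave five rows (TGONE and AJONES's end-dated Purchasing assignment are gone) and the local filters leave two, both for JSMITH: the ungranted Approve entry, the no-prompt Receipts entry and the query-only Journals form drop out. The page 35 quote is the caveat on `drop_hidden`: a no-prompt entry is invisible in the navigator but the function is still granted to the responsibility, so it is only a false positive if nothing else (another form, a personalization, a web page) reaches it; running with `drop_hidden=False` keeps such rows for review. Menu and function exclusions in FND_RESP_FUNCTIONS and RBAC grants in FND_GRANTS are further inputs a real extract needs and are not modelled here.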

Page 43

Agenda (repeat of Page 2)

Page 44

Case Study: Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across multiple ERP instances

Our Client: Fortune 500 company that manufactures and distributes coatings, specialty materials, and glass products. Business runs on multiple Oracle EBS and SAP systems. Over 40,000 employees world-wide.

Challenges:
Replace multiple legacy systems with one ERP solution
Improve Segregation of Duty controls within mission-critical applications
Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
Increase external auditors' reliance on ERP Access Controls Monitoring

Solutions: SafePaaS Access Policy Manager; SafePaaS iAccess User Provisioning

Results:
Reduced ERP SOD remediation time by identifying and eliminating 80% of false positives, resulting in over $50,000 annual cost savings in audit and remediation costs
Created over 100 Segregation of Duty compliant roles by business segment within two weeks from FulcrumWay role templates in the controls catalog
Lowered ERP total cost of ownership by reducing SoD remediation time and costs, ensuring that all users are assigned only the pre-approved roles
Improved SoD and access controls testing time by providing auditors the access log reports showing all Update, Review and Approve role design changes
Accelerated ERP access approval time by identifying valid SOD conflicts before the roles are assigned to users

Page 45

Q & A

Sign up for a FREE 30-day evaluation: register online to try out SafePaaS.