Learn the latest trends and tools to help you ID and remediate SOD


Upload: alice-cantu

Post on 05-Apr-2017


TRANSCRIPT

Page 1: Learn the latest trends and tools to help you id and remediate SOD

Leverage Technology: Move Your Business Forward™

Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright ©. Fulcrum Information Technology, Inc.

"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes

Learn the latest trends and tools to help you ID and remediate SOD and other security violations in your Oracle applications

Monthly Educational Webinar Series

Adil Khan, Managing Director

Jan 19, 2017

Page 2: Learn the latest trends and tools to help you id and remediate SOD

www.fulcrumway.com Page 2 Copyright © FulcrumWay

Latest trends and tools to help you ID and remediate SOD

Agenda
Introductions
Segregation of Duties Overview
SoD Analysis
False Positives and Exceptions
Remediation Approach
Case Study
Q&A


Page 4: Learn the latest trends and tools to help you id and remediate SOD


FulcrumWay Clients: Over 250 engagements

Successful Track Record across industries:
Government
Oil and Gas
Healthcare
Communications
Financial Services
Transportation
Natural Resources
Manufacturing
Retail
High Tech
Media/Entertainment
Life Sciences

Page 5: Learn the latest trends and tools to help you id and remediate SOD


FulcrumWay™ Insight: Global Thought Leadership

Oracle Cloud – London – Feb 1-2 – GRC Round Table, London, UK
Educational Webinar – Feb 17th – Self Service User Provisioning
Educational Webinar – Mar 23rd – Continuous Controls Monitoring
Oracle Cloud – Australia – March – GRC Round Table, Sydney, Australia
Collaborate 17 – April 2-6 – Las Vegas – GRC Open House
Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
Gitex – October 8-12 – GRC Round Table, Dubai, UAE
Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
Oracle Connect Africa – October – GRC Round Table, South Africa

Proven Expertise


Page 7: Learn the latest trends and tools to help you id and remediate SOD


SoD Overview: Are you ready for the Segregation of Duties Audit?

Page 8: Learn the latest trends and tools to help you id and remediate SOD


SoD Overview: Security Model

Complicated Security Model: contains many overriding security attributes
Security objects in the model: User, Responsibility, Menu, Function, Form

Evaluate User Access
• Test by User
• Test by Privilege

Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets

Page 9: Learn the latest trends and tools to help you id and remediate SOD


SoD Overview: An SoD Rule consists of Business Activities, each made up of Functions


Page 11: Learn the latest trends and tools to help you id and remediate SOD


SOD Analysis: Validate Access Risks and Verify Security Model

Use Dashboards and Report Filters to analyze risks.

Identify SoD Rule violations and analyze issues using the Violation Score Card. Drill down into Responsibility and User Violations by OU and Module.

Page 12: Learn the latest trends and tools to help you id and remediate SOD


SOD Analysis: Violations by User and Responsibility

Screenshot callouts: Responsibility with SOD Conflict; User with SOD Conflict; Access to Supplier Form; Access to Invoice Approval Page

Page 13: Learn the latest trends and tools to help you id and remediate SOD


SOD Analysis: Responsibility Configuration

Page 14: Learn the latest trends and tools to help you id and remediate SOD


SOD Analytics: Download in Excel for further review


Page 16: Learn the latest trends and tools to help you id and remediate SOD


What Are False Positives? Users and Responsibilities (Inherent False+)

Inactive Users
Expired Users
Terminated Employees still active in EBS
End-Dated Users
End-Dated Responsibility Assignments
Menus without Prompts

Page 17: Learn the latest trends and tools to help you id and remediate SOD


What Are False Positives? Oracle Menus (Inherent False+)

Without the Grant flag, a user cannot access the Sub-Menu or Function.

A menu without prompts prevents the user from seeing and navigating to it.

A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility, which are granted.

Page 18: Learn the latest trends and tools to help you id and remediate SOD


What Are False Positives? Oracle Functions (Inherent False+)

If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.

Page 19: Learn the latest trends and tools to help you id and remediate SOD


What Are False Positives? Oracle Form Personalization (Inherent False+)

The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing builtins, displaying messages, and adding menu entries.

Page 20: Learn the latest trends and tools to help you id and remediate SOD


What Are False Positives? Oracle Profile Options (Inherent False+)

A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.

Page 21: Learn the latest trends and tools to help you id and remediate SOD


False+ Checklist: Global False Positives

Filter False+:
Form Extensions
Table Audit
Conditional Function Access
Data Access
Function Access
Read-Only Access
Function Limits

Filter False+:
Menu Access
Menu / Sub-Menu / Grants / Prompts
Data/Function Access
Disabled Oracle Responsibility Access
Enabled Oracle Responsibility Access
Read-Only RBAC Access
RBAC (Role Based Access Control)

Filter False+:
Function Limits
Ledger Data Access
Custom Forms/Pages
Ledger Set Access
Multi-Org Access
IT Support Access
Menu Grant Flag

Filter False+:
User Access to Sub-Menu
Inactive Users
Privileged User (Interface, etc.)
User Responsibility Access Inactive
User Responsibility Access Active
User Access enabled
Form Customization

Filter False+:
Data Access Group (Shared Services)
GL Access Limit
Operating Unit Access
Oracle Security Profile


Page 23: Learn the latest trends and tools to help you id and remediate SOD


Approach: Access/SOD Policy Management

Process steps (from the diagram):
Detect SOD/Policy Violations
Analyze Violations
Correct Role Access
Monitor Violation Incidents
Correct User Access (Exceptions)

Inputs: Application Security Model; Application Security Snapshot; Application Test Environment

Owners: App Control Owners / IS Security; IS Security / Audit/Compliance; Control Owners / IS Security; Application Administrator

Components: Access Analytics; Rules Manager; Action Workflow; Violations Manager; DataProbe ETL; Corrective Actions Dashboard; Application Access Rules; Roles Manager

Page 24: Learn the latest trends and tools to help you id and remediate SOD


Approach: System Filters

False+ Filters: Data Security, Read-Only, Custom (diagram tags: INV, User, OU, Form, Profile, Role)

Filters         | Type   | Conditions    | Results Excluded
Inactive User   | Global | End-Date      | Users
Inactive Role   | Global | End-Date      | Roles
Business Unit   | Global | OrgName       | Organization
View Only       | Local  | Function Path | Functions
Data Security   | Local  | Data Group    | Groups
Personalization | Local  | Form/Page     | Forms

Page 25: Learn the latest trends and tools to help you id and remediate SOD


Approach: Remove Inherent False Positives

Use Global Conditions to filter "inherent" False Positives like:
Inactive Users
Inactive Responsibilities
Read-only Access

Page 26: Learn the latest trends and tools to help you id and remediate SOD


Approach: Exclude Local Exceptions

Filter Conditions can be set up to exclude SOD violations from results.

Page 27: Learn the latest trends and tools to help you id and remediate SOD


Approach: Remediate SoD Rule Violations

Remediate Violations: Remove User access to Responsibility
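The inherent false positives from pages 16 to 21 (inactive and end-dated users, end-dated responsibility assignments, menu entries without the Grant flag or a prompt, forms opened with QUERY_ONLY=YES), the global and local filters of pages 24 to 26, and the "remove user access to responsibility" step above fit together in one small analyzer. The block below is an added example written for this transcript; it is not FulcrumWay or SafePaaS code. The data model, the activity and function names (AP_SUPPLIERS, AP_INVOICES, AP_INVOICE_APPROVAL), the two rules and the sample users are all constructed. A real implementation would load the snapshot from the application's security tables instead of the inline dictionaries.

```python
# Added example, not FulcrumWay/SafePaaS code: a toy SoD analyzer over the EBS-style
# chain User -> Responsibility -> Menu -> Function from the slides. Names, rules and
# sample data are constructed for illustration.
import copy
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
TODAY = date(2017, 1, 19)  # reference date for end-date checks (constructed)

@dataclass
class MenuEntry:
    function: str
    grant_flag: bool = True        # without the Grant flag the function is not accessible
    prompt: Optional[str] = None   # an entry without a prompt cannot be seen or navigated to
    parameters: str = ""           # form parameters, e.g. "QUERY_ONLY=YES" for read-only

@dataclass
class Assignment:
    responsibility: str
    end_date: Optional[date] = None

@dataclass
class User:
    name: str
    assignments: List[Assignment]
    end_date: Optional[date] = None

Violation = namedtuple("Violation", "user rule functions responsibilities")
# An SoD rule pairs two business activities; each activity is a set of functions.
ACTIVITIES = {"Maintain Suppliers": {"AP_SUPPLIERS"}, "Enter Invoices": {"AP_INVOICES"},
              "Approve Invoices": {"AP_INVOICE_APPROVAL"}}
SOD_RULES = [("Maintain Suppliers", "Approve Invoices"), ("Enter Invoices", "Approve Invoices")]

def is_active(end_date, today=TODAY):
    return end_date is None or end_date > today

def effective_functions(menu):
    """Functions a menu really exposes, after the inherent false-positive filters."""
    reachable = set()
    for entry in menu:
        if not entry.grant_flag or entry.prompt is None:
            continue  # not granted, or not navigable: cannot be exercised
        if "QUERY_ONLY=YES" in entry.parameters.replace(" ", "").upper():
            continue  # read-only form: cannot be used to maintain data
        reachable.add(entry.function)
    return reachable

def analyze(users, responsibilities, local_exceptions=frozenset()):
    """Evaluate SOD_RULES per user across all active assignments. Returns (violations,
    suppressed); suppressed records each filter hit as (reason, user, detail) for audit review."""
    violations, suppressed = [], []
    for u in users:
        if not is_active(u.end_date):
            suppressed.append(("inactive_user", u.name, None))  # global filter
            continue
        access = {}  # function -> responsibilities that effectively grant it
        for a in u.assignments:
            if not is_active(a.end_date):
                suppressed.append(("end_dated_assignment", u.name, a.responsibility))
                continue
            for f in effective_functions(responsibilities[a.responsibility]):
                access.setdefault(f, set()).add(a.responsibility)
        for rule in SOD_RULES:
            hit_a, hit_b = ACTIVITIES[rule[0]] & set(access), ACTIVITIES[rule[1]] & set(access)
            if not (hit_a and hit_b):
                continue
            if (u.name, rule) in local_exceptions:
                suppressed.append(("local_exception", u.name, rule))  # approved by control owner
                continue
            resps = set().union(*(access[f] for f in hit_a | hit_b))
            violations.append(Violation(u.name, rule, tuple(sorted(hit_a | hit_b)), tuple(sorted(resps))))
    return violations, suppressed

def remove_responsibility(users, user_name, responsibility, today=TODAY):
    """Remediation step from the deck: end-date the user's assignment to a responsibility."""
    users = copy.deepcopy(users)  # leave the original snapshot untouched
    for u in (u for u in users if u.name == user_name):
        for a in (a for a in u.assignments if a.responsibility == responsibility):
            a.end_date = min(a.end_date or today, today)  # an earlier end date is kept
    return users

RESPONSIBILITIES = {  # constructed sample security snapshot
    "AP Clerk": [MenuEntry("AP_INVOICES", prompt="Invoices"), MenuEntry("AP_SUPPLIERS", prompt="Suppliers")],
    "AP Manager": [MenuEntry("AP_INVOICE_APPROVAL", prompt="Approve Invoices"),
                   MenuEntry("AP_SUPPLIERS", prompt="Suppliers", parameters="QUERY_ONLY=YES")],
    "AP Inquiry": [MenuEntry("AP_INVOICE_APPROVAL", grant_flag=False, prompt="Approve"), MenuEntry("AP_SUPPLIERS")],
}
USERS = [
    User("alice", [Assignment("AP Clerk"), Assignment("AP Manager")]),   # genuine conflict
    User("bob", [Assignment("AP Manager")]),                              # supplier form is query-only
    User("carol", [Assignment("AP Clerk"), Assignment("AP Inquiry")]),   # no grant flag / no prompt
    User("dave", [Assignment("AP Clerk"), Assignment("AP Manager")], end_date=date(2016, 12, 31)),
    User("erin", [Assignment("AP Clerk"), Assignment("AP Manager", end_date=date(2016, 6, 30))]),
]
LOCAL_EXCEPTIONS = {("alice", ("Enter Invoices", "Approve Invoices"))}  # documented, approved exception
if __name__ == "__main__":
    print(*analyze(USERS, RESPONSIBILITIES, LOCAL_EXCEPTIONS), sep="\n")
```

Running the block reports a single violation, for alice, who can maintain suppliers through AP Clerk and approve invoices through AP Manager; bob's supplier form is query-only, carol's approval entry lacks the Grant flag, dave is end-dated and erin's AP Manager assignment has expired, so none of them is reported. The suppressed list records why each of those was filtered, including alice's second rule hit that a control owner has approved as a local exception, which is the trail an auditor asks for when an exclusion is challenged. Calling remove_responsibility for alice's AP Manager assignment and re-running analyze returns no violations.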

Page 28: Learn the latest trends and tools to help you id and remediate SOD


Approach: Remove Inherent SOD Risks

Create Target Roles to eliminate SOD Violations
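One mechanical way to carry out the "create target roles" step above is to partition a responsibility's functions so that no target role contains both sides of any rule. The block below is an added example, not FulcrumWay or SafePaaS code; the activity and function names and the extra "Run Payments" rule are constructed, and the greedy placement shown is one illustrative strategy rather than the product's own algorithm.

```python
# Added example, not FulcrumWay/SafePaaS code: split a responsibility whose functions
# span both sides of an SoD rule into target roles that each satisfy every rule.
# Activity and function names (and the extra "Run Payments" rule) are constructed.
from typing import Dict, List, Set, Tuple

ACTIVITIES: Dict[str, Set[str]] = {"Maintain Suppliers": {"AP_SUPPLIERS"},
                                   "Enter Invoices": {"AP_INVOICES"},
                                   "Approve Invoices": {"AP_INVOICE_APPROVAL"},
                                   "Run Payments": {"AP_PAYMENT_BATCH"}}
SOD_RULES: List[Tuple[str, str]] = [("Maintain Suppliers", "Approve Invoices"),
                                    ("Enter Invoices", "Approve Invoices"),
                                    ("Approve Invoices", "Run Payments")]

def conflicts(f: str, g: str) -> bool:
    """True if functions f and g fall on opposite sides of any SoD rule."""
    for a, b in SOD_RULES:
        if (f in ACTIVITIES[a] and g in ACTIVITIES[b]) or (f in ACTIVITIES[b] and g in ACTIVITIES[a]):
            return True
    return False

def violates(functions: Set[str]) -> List[Tuple[str, str]]:
    """Rules that a single role holding these functions would violate."""
    return [r for r in SOD_RULES if ACTIVITIES[r[0]] & functions and ACTIVITIES[r[1]] & functions]

def split_into_target_roles(name: str, functions: Set[str]) -> Dict[str, Set[str]]:
    """Greedy partition: put each function into the first target role where it conflicts with
    nothing already present, else open a new role. Every resulting role passes violates()."""
    roles: List[Set[str]] = []
    for f in sorted(functions):  # deterministic order makes the split reproducible
        for role in roles:
            if not any(conflicts(f, g) for g in role):
                role.add(f)
                break
        else:
            roles.append({f})
    return {f"{name} - Target {i + 1}": role for i, role in enumerate(roles)}

if __name__ == "__main__":
    ap_super_user = {"AP_SUPPLIERS", "AP_INVOICES", "AP_INVOICE_APPROVAL", "AP_PAYMENT_BATCH"}
    print("rules violated by the original role:", violates(ap_super_user))
    print("target roles:", split_into_target_roles("AP Super User", ap_super_user))
```

For the constructed "AP Super User" responsibility the split yields two target roles: one holding the supplier, invoice entry and payment functions, the other holding invoice approval on its own. Greedy placement does not guarantee the smallest number of roles, so the output is a starting point for the role designer, and violates() is the check to run on every target role before it goes into the controls catalog.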


Page 30: Learn the latest trends and tools to help you id and remediate SOD


Case Study: Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across multiple ERP instances

Our Client: Fortune 500 company, manufactures and distributes coatings, specialty materials, and glass products. Business runs on multiple Oracle EBS and SAP systems. Over 40,000 employees world-wide.

Challenges:
Replace multiple legacy systems with one ERP solution
Improve Segregation of Duty controls within mission critical applications
Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
Increase external auditor's reliance on ERP Access Controls Monitoring

Solutions:
SafePaaS Access Policy Manager
SafePaaS iAccess User Provisioning

Results:
Reduced ERP SOD remediation time by identifying and eliminating 80% false positives, resulting in over $50,000 annual cost savings in audit and remediation costs
Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog
Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes
Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users

Page 31: Learn the latest trends and tools to help you id and remediate SOD


Q & A: Sign-up for a FREE 30 Days Evaluation

Register online to try out SafePaaS