Session 15 – ERP Security (PowerPoint presentation transcript)
Slide 1
Session 15 – ERP Security
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 2
1. Objectives
• Become familiar with Oracle terminology and concepts
• Understand security and control features within Oracle Applications
• Discuss leading practices to secure Oracle Applications
• Realize importance of segregation of duties
Slide 3
Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 4
2. Oracle ERP Overview
Module families (overview diagram): Human Resources, Finance, Projects, Self-Service, Supply Chain Management, Manufacturing, Front Office, Applied Technology
• Finance: General Ledger, Financial Analyzer, Cash Management, Payables, Receivables, Fixed Assets
• Manufacturing: Engineering, Bills of Material, Master Scheduling / MRP, Capacity, Work in Process, Quality, Cost Management, Process (OPM), Rhythm Factory Planning, Rhythm Advanced Scheduling, Project Manufacturing, Flow Manufacturing
• Supply Chain Management: Order Entry, Purchasing, Product Configurator, Supply Chain Planning, Supplier Scheduling, Inventory
• Projects: Project Costing, Project Billing, Personal Time & Expense, Activity Management Gateway, Project Connect
• CRM: Marketing (3 modules), Sales (5 modules), Service (5 modules), Call Center (5 modules)
• Human Resources: Payroll, Human Resources, Training Administration, Time Management, Advanced Benefits
• Applied Technology: Workflow, Alert (Business Agents), Applications Data Warehouse, EDI Gateway
• Self-Service: Web Customers, Web Suppliers, Web Employees
Slide 5
Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 6
Oracle ERP Security Issues
• Oracle Applications is huge and complex
  – More than 100 modules
  – Millions of lines of code
  – Hundreds of configurations (settings)
• Acquisition of other major ERPs
  – PeopleSoft, JDE, Siebel, etc.
• Multiple technologies involved
  – Networks, OS, web server, application server, database, reporting, etc.
Slide 7
Oracle ERP Security Issues (cont’d)
• Many seeded account passwords and seeded configuration settings that are not secure
• Multiple access avenues:
  – Applications – any account with the Sysadmin responsibility
  – Process Tab – ANZ Menus
  – Database – system, sys, apps, applsys
  – UNIX – root, oracle, applmgr
Slide 8
Oracle ERP Security Issues (cont’d)
• Complex regulatory environment
• Customization and Extensions to Oracle Applications
• Security and Controls should be on the “critical path” during implementations
Slide 9
Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 10
Oracle Workflow and Security
What does it do?
• Oracle Workflow automates standard business processes, allowing for transparency and a recorded history of process transactions
• Oracle Workflow is highly customizable and is used to drive processes through the system from start to finish.
Who uses it?
• Workflow Specialist – configures workflow during install
• End Users
• Workflow Administrator
Slide 11
Oracle Workflow and Security (cont’d)
Most Commonly Used Seeded Workflows
• General Ledger: Journal Entry Approval
• iExpense: Expense Report Approvals; Terminated Employees
• Accounts Payable: Invoice Approval; Process Pay (Positive Pay) Message
• Receivables: Credit Memo Approvals; Credit Application Approval
• Order Management: Order and Return Processing; Schedule, ship and pack delivery
• Purchasing: Requisition and PO Document Approval; Auto Document Creation; Receipt Confirmation; Exceeding of Price/Receipt Tolerances
• Projects: Projects Approval; Project Accounting
• iTime: Timecard Approval
Slide 12
Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
8. Configurable Controls
Slide 13
Control Structure
(Diagram: Internal and External Control Structure – upstream suppliers and downstream customers connect to the business processes via EDI / e-commerce and interfaces/data feeds; non-linked suppliers and linked systems sit on the IT infrastructure running Oracle; internal controls and external controls surround the business processes)
Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls
Slide 14
Application Security
Managing Risk by Ensuring that Key Controls are Adequately Implemented Over APPLICATION SECURITY:
(Diagram: the Business Process Team contributes Oracle Apps functionality and business requirements, the Controls & Security Team contributes control requirements and Oracle security expertise, and Change Management acts as stakeholder; together they define the Oracle Apps user responsibility profiles)
• Security Administration – managed by appropriate management within the organization
• Security Impact Assessment – on business processes and the user environment
• Security Design – current and future needs are assessed and implemented with a high-priority controls environment
• Security Strategy/Approach – controls over the application to ensure unauthorized users cannot access the production environment
• Segregation of Duties – controls over business processes are adequate and implemented
• Security Functionality – comprehensively utilized and maintained
• On-going Security Administration – managed and maintained by appropriate management within the organization
Slide 15
Some Leading Practices to Secure Oracle (Cont’d)
• Restrict ‘Back-end’ access to the Database
• Review of standard reports to assess sign-on, unsuccessful sign-on, responsibility usage, form usage and concurrent request usage
• Enabling Auditing on certain Tables
• Oracle Alerts
Slide 16
Some Leading Practices to Secure Oracle (Cont’d)
Profile Options – Signon / Suggested settings
• Signon Password No Reuse – “180”
• Signon Password Length – “6-8”
• Signon Password Hard to Guess – “Y”
• Signon Password Failure Limit – “3”
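An added example (not from the slides) that audits an exported set of sign-on profile option values against the suggested settings above; the export format, the use of display names as keys, the reading of “6-8” as a minimum of 6, and the sample values are all assumptions:

```python
# Added example (not from the slides): audit exported signon profile
# option values against the suggested settings on slide 16. The export
# format, option display names as keys, and sample values are constructed.
import re

# Suggested values from the slide; "6-8" is read as "at least 6" (assumption).
CHECKS = {
    "Signon Password No Reuse": lambda v: v is not None and int(v) >= 180,
    "Signon Password Length": lambda v: v is not None and int(v) >= 6,
    "Signon Password Hard to Guess": lambda v: v == "Y",
    "Signon Password Failure Limit": lambda v: v is not None and 1 <= int(v) <= 3,
}

LINE_RE = re.compile(r"^\s*(?P<name>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")

def parse_export(text):
    """Parse 'Name = value' lines; an empty value means the option is unset."""
    options = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            options[m.group("name")] = m.group("value") or None
    return options

def audit_signon_profiles(text):
    """Return {option: (current_value, compliant)} for every checked option.
    Options missing or empty in the export count as unset and non-compliant,
    since seeded defaults are treated as insecure (slide 7)."""
    options = parse_export(text)
    result = {}
    for name, check in CHECKS.items():
        value = options.get(name)
        try:
            compliant = bool(check(value))
        except ValueError:  # non-numeric value where a number is expected
            compliant = False
        result[name] = (value, compliant)
    return result

# Constructed export: failure limit too high, hard-to-guess off, no-reuse blank.
SAMPLE_EXPORT = """\
Signon Password Length = 8
Signon Password Hard to Guess = N
Signon Password Failure Limit = 10
Signon Password No Reuse =
"""

if __name__ == "__main__":
    for name, (value, ok) in audit_signon_profiles(SAMPLE_EXPORT).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name} = {value!r}")
```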
Slide 17
Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 18
Security and Controls Considerations by Business Cycle
A ‘configurable control’ is
• Any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps
  – Profile options
  – Transaction type settings
  – Financial options
  – Payment options
  – Invoice options
• Different from ‘inherent’ controls, which are pre-programmed settings that are generally not overrideable or modifiable (e.g. quantity values not allowing non-numeric characters)
Slide 19
Security and Controls Considerations by Business Cycle
The following key cycles will be discussed in the next few slides:
• Order to Cash
• Procure to Pay
• General Ledger/Financial Close
Slide 20
Security and Controls Considerations by Business Cycle
1. Order to Cash
  – OM Transaction Type settings
  – Holds: Operational and Financial
  – Processing Constraints Rules
  – Payment Terms
  – Credit Limit and Credit Check
What is the security implication?
Slide 21
Security and Controls Considerations by Business Cycle
2. Procure to Pay
  – Document Types – POs, Requisitions, etc.
  – Approval Limits and Approval Groups
  – Tolerances
  – Invoice Matching
  – Bank setup
What is the security implication?
Slide 22
Security and Controls Considerations by Business Cycle
3. General Ledger/Financial Close
  – GL Chart of Accounts, Security Rules, Cross-Validation Rules
  – Journal Approval and Posting
  – Consolidation Mapping Rules
  – Translation and Exchange Rates
  – Suspense Posting and Dynamic Insert option
What is the security implication?
Slide 23
Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 24
Segregation of Duties
What is ‘Segregation of Duties’ (SOD)?
• The principle of separating incompatible functions from an individual
• Designed to prevent, rather than detect
• Reduces risk, as circumventing a well designed SOD environment requires collusion
• SOD includes system level segregation as well as segregation of manual processes
Slide 25
Segregation of Duties
What must be segregated?
• Record Keeping
• Custody of Assets
• Authorization
• Reconciliation
Slide 26
Segregation of Duties
Dimensions of segregation of duties and restricted access (diagram): Approval Hierarchy, Roles and Responsibilities, Organizations, General Ledger Security, Business Units / Sets of Books, Workflow, Accounting Transactions, Custom Code
Segregation of Duties and restricted access is a multi-dimensional challenge.
Tools may be used to assist in the initial analysis of segregation of duties and the design of Roles and Responsibilities. In addition, other dimensions of the ERP application security should be understood to assess the full nature of segregation of duties weaknesses.
Slide 27
Segregation of Duties
In a practical way, SOD is enforced in Oracle through responsibilities!
• A responsibility defines a set of menu options and functions that are accessible to a user and defines reports and processes which may be run
• Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable
• A user can be assigned more than one responsibility
• Role Based Access Control (RBAC)
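An added example (not from the slides) of the kind of tool-assisted review slides 26 and 29 call for: it maps each responsibility to one of the four control functions from slide 25 and flags users whose assigned responsibilities combine incompatible functions. The responsibility names, the function mapping and the user extract are constructed, not Oracle’s seeded data.

```python
# Added example (not from the slides): a minimal segregation-of-duties check
# over user-to-responsibility assignments, following slide 27's point that SOD
# in Oracle Apps is enforced through responsibilities. The responsibility names,
# the function mapping and the user extract are constructed, not Oracle's seeded data.
from itertools import combinations

# Control function each responsibility exercises (slide 25's four classes).
RESP_FUNCTION = {
    "AP Invoice Entry": "record_keeping",
    "AP Payment Processing": "custody",
    "AP Invoice Approval": "authorization",
    "AP Supplier Maintenance": "record_keeping",
    "Bank Reconciliation": "reconciliation",
    "GL Journal Entry": "record_keeping",
    "GL Journal Approval": "authorization",
}

# Pairs of control functions that must not rest with one individual.
INCOMPATIBLE = {
    frozenset({"record_keeping", "custody"}),
    frozenset({"record_keeping", "authorization"}),
    frozenset({"custody", "authorization"}),
    frozenset({"custody", "reconciliation"}),
    frozenset({"record_keeping", "reconciliation"}),
}

def sod_conflicts(assignments):
    """Return {user: [(resp_a, resp_b), ...]} for every user who holds two
    responsibilities whose control functions are incompatible. Responsibilities
    not in RESP_FUNCTION are skipped here; a real review should flag them."""
    report = {}
    for user, resps in assignments.items():
        for a, b in combinations(sorted(set(resps)), 2):
            fa, fb = RESP_FUNCTION.get(a), RESP_FUNCTION.get(b)
            if fa and fb and frozenset({fa, fb}) in INCOMPATIBLE:
                report.setdefault(user, []).append((a, b))
    return report

# Constructed user -> responsibility extract (slide 27: a user may hold several).
SAMPLE_ASSIGNMENTS = {
    "jdoe": ["AP Invoice Entry", "AP Payment Processing"],
    "asmith": ["GL Journal Entry", "AP Invoice Entry"],
    "bclerk": ["AP Supplier Maintenance", "Bank Reconciliation"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"{user}: '{a}' conflicts with '{b}'")
```

A function-class model alone misses pair-specific conflicts such as supplier maintenance combined with invoice entry, so a production review adds explicit responsibility-pair rules on top of it.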
Slide 28
Segregation of Duties
Responsibility Security – Role Based Access Control (RBAC)
(Diagram: an Applications User (user name, password) is assigned a Responsibility; the Responsibility grants a Main Menu of menus and forms, a Request Security Group of reports, request sets and concurrent programs, and Security Rules over flexfield values and report parameters)
Slide 29
Summary
• Oracle automated controls include:
  – Configurable parameters and settings
  – User access controls and responsibilities
• Reviews of Oracle configurations and access levels are always as of a ‘point-in-time’
• Segregation of Duties is critical
  – Requires use of the right tool to perform the review
  – Manual review not recommended