Webinar, Feb 16, 2017: Learn to streamline user provisioning process in Oracle Apps with workflows

Leverage Technology: Turn Risk into Opportunity™

Risk and Compliance | Financial Reporting | Internal Audit | Controls Catalog | Application Security | Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright ©. Fulcrum Information Technology, Inc.

"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes

Learn to streamline User Provisioning process in Oracle Applications with workflows

Monthly Educational Webinar Series
Adil Khan, Managing Director
Feb 16, 2017

Upload: alice-cantu

Post on 22-Jan-2018



www.fulcrumway.com | Copyright © FulcrumWay

Agenda: Streamline User Provision in Oracle Apps

• Introduction
• User Provisioning Overview
• Access Policy Compliance
• Oracle User Security Assignment
• Self Service User Provisioning Process
• Case Study
• Q&A


FulcrumWay™ Insight: Global Thought Leadership

• Oracle Cloud – London – Feb 1-2 GRC Round Table, London, UK
• Educational Webinar – Mar 23rd – Continuous Controls Monitoring
• Oracle Cloud – Australia – March – GRC Round Table, Sydney, Australia
• Collaborate 17 – April 2-6 Las Vegas GRC Open House
• Educational Webinar – April 20th – Internal Audit Management with Advanced Control Analytics
• Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
• Gitex – October 8-12 – GRC Round Table, Dubai UAE
• Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
• Oracle Connect Africa – October – GRC Round Table, South Africa

Proven Expertise


FulcrumWay Client Studies: Successful Track Record

• Government
• Oil and Gas
• Healthcare
• Communications
• Financial Services
• Transportation
• Natural Resources
• Manufacturing
• Retail
• High Tech
• Media/Entertainment
• Life Sciences


User Provisioning Process: Current Challenges

[Diagram labels: Portal, Email, Help Desk, Paper form, IT Admin, Provisioning]

Process
• Hundreds of user add, change and delete requests every day
• Inconsistent, ad-hoc and manual processes, platform dependent
• Disparate provisioning tools and workflows
• Many human touch points: business managers, help desk, IT, etc.

Challenges
• No consistent policy enforcement
• No common controls or audit trail
• Very difficult to ensure compliance and assess risk


User Provisioning Process: User Access – Common Source of Internal Abuse
A Top Focus for IT Audits

#1 area requiring remedial action

Gartner survey: 44% of IT audit deficiencies are IAM-related

Ernst & Young: 7 of Top 10 control deficiencies relate to user access control

[Diagram label: PROTECTED Information]

Entitlement Creep
• Accumulated privileges
• Potential toxic combinations
• Increased risk of fraud

Privileged Users
• Users with “keys to kingdom”
• Poor visibility due to shared accounts

Rogue Accounts
• Fake accounts created by criminals
• Undetected access and activity
• Data theft, fraud, and abuse

Orphan Accounts
• Poor de-provisioning
• High risk of sabotage, theft, fraud


Role Definition – Privileges

Access Policy


Components of access policy

Source: Fusion Applications - Role Based Security, Kiran Mundy, Nigel King, Oracle Fusion

Access Policy


Access Policy: Complicated Security Model
High Risk of Access Control Deficiencies

[Diagram labels: User, Responsibility, Menu, Function, Form]

Evaluate User Access
• Test by User
• Test by Privilege

Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets


Access Policy: Compliance Checklist

Inability to translate corporate governance into actionable IT policy
– Segregation of Duties
– Data Privacy policy

Access Controls Testing
– Email or spreadsheet-based
– Human error, inconsistencies
– Data is hard to obtain, missing

No ability to manage identity through a business lens
– Lack of transparency
– IT / Identity data not understood by the business

Management Control Assessment
• Is ERP system access protected?
• Do we conform to access policy?
• Are we responding to risk Incidents?


User Security Assignment: Oracle EBS Access Provisioning

• Oracle EBS User
• Password Policy
• User is assigned to the HR Record
• Active/Inactive User
• One or more responsibilities assigned to a User
• A Responsibility has many Menus and Sub-Menus
• Menu has many functions/forms


User: John Doe
Responsibility: Payables Manager, US
Menu: AP_Navigate_GUI12
Submenu: AP_Invoices_Entry
Function: Invoice Batches

User: Mike Jones
Responsibility: Payables Supervisor
Responsibility: Payables User
Menu: UK_AP_Navigate_GUI12
SubMenu: AP_Invoices_Entry
SubMenu: AP_Invoices_GUI12_G
Menu: AX_Payables_User

Payables Users
Responsibility: Payables Supervisor
Responsibility: Payables Manager, US
Responsibility: Payables User

• Access Policy Violations are costly to remediate after provisioning
• What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?
• Root Cause Analysis is required for remediation!

User Security Assignment
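
The question on this slide can be answered by walking every user → responsibility → menu → submenu → function chain. The following is an added example, not part of the webinar or of any FulcrumWay or Oracle product; the names come from the slide, but how they connect (which responsibility owns which menu, and that AP_Invoices_GUI12_G also carries Invoice Batches) is assumed sample data.

```python
# Constructed sample data: names are from the slide, the wiring between them is assumed.
MENUS = {
    "AP_Navigate_GUI12":    {"submenus": ["AP_Invoices_Entry"], "functions": []},
    "UK_AP_Navigate_GUI12": {"submenus": ["AP_Invoices_Entry", "AP_Invoices_GUI12_G"],
                             "functions": []},
    "AX_Payables_User":     {"submenus": [], "functions": []},
    "AP_Invoices_Entry":    {"submenus": [], "functions": ["Invoice Batches"]},
    "AP_Invoices_GUI12_G":  {"submenus": [], "functions": ["Invoice Batches"]},
}
RESPONSIBILITIES = {  # responsibility -> top-level menu
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor":  "UK_AP_Navigate_GUI12",
    "Payables User":        "AX_Payables_User",
}
USERS = {
    "John Doe":   ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}


def menu_paths(menu, function, menus, trail=()):
    """Yield every menu chain under `menu` that ends at `function`."""
    if menu in trail:  # guard against a cyclic menu definition
        return
    trail = trail + (menu,)
    node = menus[menu]
    if function in node["functions"]:
        yield trail + (function,)
    for sub in node["submenus"]:
        yield from menu_paths(sub, function, menus, trail)


def access_paths(user, function, menus=MENUS):
    """Every user -> responsibility -> menu ... -> function chain (the root causes)."""
    return [(user, resp) + path
            for resp in USERS[user]
            for path in menu_paths(RESPONSIBILITIES[resp], function, menus)]


def without_function(menus, menu, function):
    """Copy of the menu tree with `function` removed from a single menu."""
    changed = {name: {"submenus": list(n["submenus"]), "functions": list(n["functions"])}
               for name, n in menus.items()}
    changed[menu]["functions"].remove(function)
    return changed


def still_has_access(function, menus):
    """Users who keep at least one path to `function` under the given menu tree."""
    return sorted(u for u in USERS if access_paths(u, function, menus))
```

With this sample wiring, removing Invoice Batches from AP_Invoices_Entry takes the function away from John Doe but not from Mike Jones, who still reaches it through AP_Invoices_GUI12_G; listing every path first is what shows which change actually closes the access.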


Agenda: Self Service User Provisioning in Oracle

• Introduction
• Identity Governance Overview
• Access Policy Compliance
• Oracle User Security Assignment
• Self Service User Provisioning Process
• Case Study
• Q&A


User Provisioning Process: Risk Based Approach to Access Management

[Diagram labels: Provisioning Life-cycle, Self Service Actions, Policy Evaluation, Tracking & Reporting, Regulatory Reporting, Business, Security, Help Desk, Users, Risk Model?]

• Provisioning & Directory ✗
• Access Analytics
• Roles Management
• Violation Monitoring
• Workflow for user provisioning process


User Provisioning Process: Self Service Access Management

• Move from fragmented approaches to centralized visibility and control
• Automate identity controls and business processes
• A business-friendly layer linking business users and processes to underlying technology and technical users
• Actively measures and monitors risk associated with users and resources


Case Study: A Leading Global Auto Manufacturer Improves User Access Management across multiple ERP instances

Our Client
• A leading global supplier of drivetrain, mobility, braking and aftermarket solutions for commercial vehicle and industrial market
• With more than a 100-year legacy of providing innovative products to customers around the world

Challenges
• Replace multiple legacy systems with one ERP solution
• Improved Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor’s reliance on ERP Access Controls Monitoring

Solutions
• Roles Manager / Advanced Self Service

Results
• Reduce User provisioning time by identifying and eliminating 80% manual steps resulting in over $50,000 annual cost savings in Audit and Remediation Costs
• Created access policies to ensure compliance during user provisioning process.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
• Improve SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users.


Case Study: User Provisioning Challenges

• Do the ERP Roles meet requirements for all users?
• Does User provisioning prevent security policy violations?
• How do you monitor “super-user” activities?
• Do you obtain user access verification from managers, periodically?
• How do you detect Segregation of Duty policy violations?
• Is access to sensitive data and functions protected?
• Do you maintain audit trail on ERP configuration controls?
• Can you prevent unauthorized Master Data changes?
• How do you ensure that terminated employees can’t access ERP?


A Risk Based Approach to User Provisioning

[Diagram labels: User Registration, Request Roles, Add/Update User, Add/Update Role, Test Access Policy, Process Approval Request, Monitor Application Access, Employee/Manager List, Network User List (AD), Active Employee Users, Application Access Rules, Requesters / Approvers, IS Security, IS Security/Audit/Compliance, Application Administrator, iAccess, Rules Manager, Workflow, DataProbe ETL, Dashboard]


Case Study: Discover User Activities and Improve Productivity

Enhance security, improve helpdesk productivity, reduce support costs

• Analyze User Access Rights
• Design and Manage User Roles
• Configure Application Security
• Control Data Access
• Deploy Role Configuration
• Provision Roles to Users
• Grant Emergency Access (Fire Fighter ID)
• Certify User-Role Assignment


SafePaaS Capabilities: SOD Rules

Can be developed or deployed from FulcrumWay’s Controls Catalogue


User Provisioning: User Registration


User Provisioning: User Application Role Request


Analyze ERP Risks with Analytics

Use Adhoc Reporting to establish scope, analyze issues, remove false positives and exceptions

Risk Analytics


SafePaaS Capabilities: Roles Redesign


Q & A

Sign-up for FREE 14 Days Evaluation

Register online to try out SafePaaS