Reduce SOD access violations with effective roles management techniques
- 1. Leverage Technology: Move Your Business Forward™
Enterprise Risk Management, Financial Close Monitor, Advanced Controls Catalog, Enterprise Audit, GRC Monitor
FulcrumWay: Leading Provider of Enterprise Risk Assessment, Mitigation and Remediation Solutions
Copyright © Fulcrum Information Technology, Inc.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
Rapidly reduce Segregation of Duty violations in Oracle EBS R12 Responsibilities with effective roles management techniques.
- 2. www.fulcrumway.com Page 2 Copyright © FulcrumWay
Reduce SOD Access Violations with effective roles management techniques.
Agenda:
Introduction
Top SOD Challenges in Oracle EBS
SOD Controls Assessment Overview
Role Design Techniques
Case Study
Q&A
- 3. Agenda (section divider: Introduction)
- 4.
Introduction: FulcrumWay
Intelligent, Integrated Instant Risk Management™
FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise,
Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with
over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully
assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business
Applications. Best Practices for Risk Mitigation and Internal Controls Automation.
Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk
Remediation Services such as Segregation of Duties.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC
Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle
has certified us as the only partner with Accelerators for Oracle GRC. We also provide
Managed Services and Hosting for Oracle GRC applications.
Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Close
Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls
Catalog. Data Management Tools: Rules Repository, DataProbe™ adaptors and Data
Hub.
USA Presence: Privately held Delaware Corporation with US offices in New York City,
Dallas and San Francisco
International Presence: in Chennai, Dubai, Kampala, London, Rome, Santiago,
Singapore
Introduction
- 5.
Our Experience: FulcrumWay Clients
Client industries: Government, Oil and Gas, Healthcare, Communications, Financial Services, Industrial Equipment, Natural Resources, Manufacturing, Retail, High Tech, Media and Entertainment, Life Sciences
- 6.
Our Experience: FulcrumWay™ Insight / Thought Leadership
Co-Authored GRC Book: first book on GRC for Oracle Applications
Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
OAUG GRC Solution Lab – April 7th–11th, Denver: GRC Case Studies and Best Practices
IIA Presentations – Top Five Reasons for Automating Application Controls
Collaborate 13 – GRC Client Appreciation Dinner, April 9th, 2013, Denver
Webcasts – GRC Best Practices, Trends and Expert Insight
Oracle Open World – Annual GRC Dinner on September 23rd, 2013, W Hotel San Francisco
LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
- 7. Agenda (section divider: Top SOD Challenges in Oracle EBS)
- 8.
Top Challenges: Enforce Segregation of Duty Controls and Security Policies
We cannot use Oracle “seeded” Responsibilities because of inherent SOD conflicts. A GL Super User can Enter Journals, Post Journals, Change Approval Limits, Update GL Accounts and Change the Calendar. Our R12 patches created even more SOD issues.
Which SOD Policies will mitigate the risk in our Oracle Responsibility design?
How do we ensure that the activities of users granted “super user” Responsibilities have an effective compensating control?
Why do we have so many false positives, and how do we remove them from our analysis?
What is an effective approach to design and test the Oracle security model before deployment?
When will we be able to close all SOD incidents?
- 9. www.fulcrumway.comPage 9Copyright © FulcrumWay
Responsibility
Form
Complicated Security Model
High Risk of Segregation of
Duties Issues
Menu
Function
User
Evaluate User Access
• Test by User
• Test by Privilege
Manage
Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD
Rule Sets
Top Challenges
- 10.
Top Challenges: Key Factors impacting SOD violations
EBS release and business cycles enabled by Oracle modules: Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.:
– An average R12 customer has over 35,000 functions and 12,500 menus
Number and complexity of SOD Policies:
– Range from 25 to 250
Number of Business Units and variation in Responsibilities across the business
Security Model – RBAC, Single-Sign-On, OIM, etc.
Number of Users and Responsibilities
- 11.
Top Challenges: Remediation in Oracle EBS is a permutation problem
Example access paths (diagram):
User: John Doe → Responsibility: Payables Manager, US → Menu: AP_Navigate_GUI12 → Submenu: AP_Invoices_Entry → Function: Invoice Batches
User: Mike Jones (Payables Users) → Responsibilities: Payables Supervisor, Payables User → Menus: UK_AP_Navigate_GUI12, AX_Payables_User → Submenus: AP_Invoices_Entry, AP_Invoices_GUI12_G
The submenu AP_Invoices_Entry appears under more than one Responsibility and Menu.
What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?
Root Cause Analysis is required for remediation!
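The permutation problem on this slide, as an added example that is not part of the deck and not FulcrumWay code: a small Python model of the User → Responsibility → Menu → Submenu → Function hierarchy. The menu, responsibility and user names follow the slide; the functions on each menu, the "Payment Batches" function and the SOD rule set are constructed assumptions. The model resolves each user's effective functions, evaluates the rule set, traces every path by which a Responsibility grants a function (root cause), and contrasts the global "remove it from the shared submenu" change with a responsibility-level function exclusion (the EBS menu/function exclusion mechanism) to show the collateral impact of the global change.

```python
"""Added example (not FulcrumWay's code): model the Oracle EBS access
hierarchy User -> Responsibility -> Menu -> Submenu -> Function, resolve
each user's effective functions, test a SOD rule set, and do root-cause and
what-if analysis for a remediation. All data below is constructed sample
data shaped like the slide; it is not a real EBS extract."""

# Menu definitions: each menu lists its submenus (other menus) and functions.
MENUS = {
    "AP_Navigate_GUI12":    {"submenus": ["AP_Invoices_Entry"], "functions": ["Payment Batches"]},
    "UK_AP_Navigate_GUI12": {"submenus": ["AP_Invoices_Entry"], "functions": []},
    "AX_Payables_User":     {"submenus": ["AP_Invoices_GUI12_G"], "functions": []},
    "AP_Invoices_GUI12_G":  {"submenus": ["AP_Invoices_Entry"], "functions": ["Invoice Gateway"]},
    "AP_Invoices_Entry":    {"submenus": [], "functions": ["Invoice Batches", "Invoices"]},
}
# Responsibility -> top-level menu it is attached to.
RESPONSIBILITIES = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor":  "UK_AP_Navigate_GUI12",
    "Payables User":        "AX_Payables_User",
}
USERS = {
    "John Doe":   ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}
# SOD rule set: rule name -> pair of incompatible functions (constructed).
SOD_RULES = {
    "AP-01 Enter invoices vs. pay invoices": ("Invoice Batches", "Payment Batches"),
}


def resolve_menu(menu, excluded=frozenset(), _seen=None):
    """Functions reachable from `menu` through its submenus, minus `excluded`
    (functions removed by a responsibility-level menu/function exclusion).
    `_seen` guards against menu loops in the extract."""
    _seen = set() if _seen is None else _seen
    if menu in _seen or menu not in MENUS:
        return set()
    _seen.add(menu)
    entry = MENUS[menu]
    funcs = {f for f in entry["functions"] if f not in excluded}
    for sub in entry["submenus"]:
        funcs |= resolve_menu(sub, excluded, _seen)
    return funcs


def effective_functions(user, exclusions=None):
    """Union of functions over all of the user's responsibilities.
    `exclusions` maps responsibility -> functions excluded on that responsibility."""
    exclusions = exclusions or {}
    funcs = set()
    for resp in USERS[user]:
        funcs |= resolve_menu(RESPONSIBILITIES[resp],
                              frozenset(exclusions.get(resp, ())))
    return funcs


def sod_violations(user, exclusions=None):
    """Names of SOD rules the user violates (both functions of the pair held)."""
    funcs = effective_functions(user, exclusions)
    return sorted(rule for rule, (a, b) in SOD_RULES.items()
                  if a in funcs and b in funcs)


def paths_to_function(resp, fn):
    """Root cause: every Menu > Submenu > ... path by which `resp` grants `fn`."""
    paths = []

    def walk(menu, path):
        if menu in path or menu not in MENUS:   # loop guard
            return
        path = path + [menu]
        if fn in MENUS[menu]["functions"]:
            paths.append(" > ".join(path + [fn]))
        for sub in MENUS[menu]["submenus"]:
            walk(sub, path)

    walk(RESPONSIBILITIES[resp], [])
    return paths


def impact_of_removing_from_menu(menu, fn):
    """What-if: drop `fn` from the shared menu `menu` (a global change) and
    return the responsibilities and users that lose it, conflicting or not."""
    def holders():
        resps = {r for r, m in RESPONSIBILITIES.items() if fn in resolve_menu(m)}
        users = {u for u in USERS if fn in effective_functions(u)}
        return resps, users

    resps_before, users_before = holders()
    saved = MENUS[menu]["functions"]
    MENUS[menu]["functions"] = [f for f in saved if f != fn]   # simulate the change
    try:
        resps_after, users_after = holders()
    finally:
        MENUS[menu]["functions"] = saved                        # always restore
    return sorted(resps_before - resps_after), sorted(users_before - users_after)


if __name__ == "__main__":
    for user in USERS:
        print(user, "violates:", sod_violations(user) or "nothing")
    print("Payables User grants Invoice Batches via:",
          paths_to_function("Payables User", "Invoice Batches"))
    print("Removing Invoice Batches from AP_Invoices_Entry affects:",
          impact_of_removing_from_menu("AP_Invoices_Entry", "Invoice Batches"))
    # Targeted fix: exclude the function on the one conflicting responsibility.
    fix = {"Payables Manager, US": {"Invoice Batches"}}
    print("After targeted exclusion, John Doe violates:",
          sod_violations("John Doe", fix) or "nothing")
```

With this sample data only John Doe violates AP-01, yet dropping "Invoice Batches" from the shared submenu strips the function from all three Responsibilities and from Mike Jones, who had no conflict; excluding it on "Payables Manager, US" alone clears the violation without that side effect. That is the root-cause step the slide asks for: find which menu paths grant the privilege and remediate at the narrowest point.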
- 12. Agenda (section divider: SOD Controls Assessment Overview)
- 13.
Controls Assessment: FulcrumWay™ Application Risk Assessment Best Practices (process diagram)
Activities: Select ERP Controls from FW Controls Catalogs; Prepare Assessment Checklist; Establish Test Environment; Probe ERP Data; Detect Control Violations; Analyze Issues; Manage Exceptions; Confirm Findings; Prepare Remediation Plan; Present Project Plan; Implement ERP Advanced Controls
Participants: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team
- 14.
Controls Assessment: DataProbe™ extracts the security, setup and master data information
DataProbe™ is a desktop utility for the client DBA/manager to provide the data.
On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services.
- 15.
Controls Assessment: FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls for the Risk Assessment
Detect control weaknesses across the ERP system to identify business process optimization opportunities
- 16.
Controls Assessment: ERP Test environment consists of ERP configurations and data objects
Selected security, setup and data objects are included in the environment.
ERP configuration such as 3-way match in Payables options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks.
- 17.
Controls Monitoring: Advanced Analytics to analyze ERP Risks
Pre-built Risk Analytics; Risk Reports available for client review.
Risk Advisory identifies controls violations and has the capability to analyze issues and remove false positives to prepare the findings report.
- 18.
Controls Assessment: Oracle GRC coverage (diagram)
Mitigate and Control Risks: What users can do; How the process is set up; How users execute processes
Monitor Control Effectiveness: What users have done; What’s changed in the process; What are the execution patterns
Enforce Policies in Context
Control areas: SOD & Access; Application Configuration; Transaction Monitoring
Products: GRC Controls (Preventive), GRC Manager, GRC Intelligence
- 19. www.fulcrumway.comPage 19Copyright © FulcrumWay
Compensating
Policies
Preventive
Provisioning
Remediation
(Clean-up)
Access
Analysis
• Accelerate deployment and time to
value with pre-delivered controls library
• Mitigate risk of privileged user access
to enterprise applications with
approval workflow and audit trails
• Simplify segregation of duties
enforcement with simulation and
remediation
Define Access
Controls
Detection Prevention
GRC Manager
SOD &
Access
Application
Configuration
Transaction
Monitoring
GRC Intelligence
GRC Controls
Preventive
Enforce Proper Segregation of Duties in
Applications
Controls
Assessment
- 20.
Controls Assessment: Test integrity of transactions and controls across business processes
Transaction control lifecycle (diagram, detection to prevention): Define Transaction Controls → Transaction Analytics → Investigate Incidents → Enforce Transaction Controls → Prevent Suspicious Transactions
• Identify anomalies missed by traditional audit and controls
• Apply Advanced Forensic and Pattern Analysis
• Continuous Monitoring of Controls and Transactions
Products: GRC Controls (Preventive), GRC Manager, GRC Intelligence; control areas: SOD & Access, Application Configuration, Transaction Monitoring
- 21. Agenda (section divider: Role Design Techniques)
- 22.
Role Design: FulcrumWay Roles Manager Overview
Eliminate the root cause of access control violations in ERP:
Improve Segregation of Duty controls within mission critical applications
Reduce ERP implementation and upgrade costs with pre-configured roles
Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators to:
Select pre-configured ERP roles from a roles catalog
Update, review and approve Role design changes
Identify SOD conflicts before the Roles are assigned to Users
- 23.
Role Design: FulcrumWay Roles Manager Features
Role Manager is an ERP security design tool.
It contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.
Roles are organized by ERP module and by the typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
You can use this tool to view existing role templates and design new roles by selecting or deselecting ERP functions/transactions.
Once you complete the role design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.
The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
Leverage FW DataProbe/Scripts to load current Roles
Secure Access from the fulcrumway.com portal
- 24.
Role Design: Access to Roles Manager
Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com
Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection.
- 25.
Role Design: Search and Browse through the catalog of Roles for Oracle EBS R12
Select the Access Monitor icon, then click on the Maintain Access Roles tab.
Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start.
- 26.
Role Design: Access to Roles Manager
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role.
Embed SOD Controls into the Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration.
- 27.
Role Design: Access to Roles Manager
Select/deselect business activities to update the Role configuration automatically.
Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.
- 28.
Role Design: Access to Roles Manager
Select/deselect Request Sets to update the Role configuration automatically.
Effective SOD Controls should include access to Concurrent Requests. Remember that in R12 you can open/close GL Periods by submitting a request.
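The role design workflow of slides 26 to 28, as an added example that is not the deck's or FulcrumWay's Roles Manager code: a Python model that derives a target role from a source role by selecting and deselecting business activities, counts concurrent request sets as privileges (the GL period open/close point above), and checks SOD conflicts both inside the new role and against the roles a user already holds, before the role is assigned. The business activities, privilege names, source roles and rule set are constructed assumptions, not Oracle or FulcrumWay identifiers.

```python
"""Added example (not FulcrumWay's Roles Manager code): derive a target
Oracle EBS role from a source role by selecting/deselecting business
activities, count concurrent request sets as privileges, and check SOD
conflicts inside the role and against a user's existing roles before the
role is assigned. All names are constructed sample data."""

# Business activity -> privileges it grants. "FND:" marks a form function,
# "REQSET:" a concurrent request set; a request set is a privilege too,
# because in R12 a GL period can be opened/closed by submitting a request.
ACTIVITIES = {
    "Enter journals":        {"FND:GL Journal Entry"},
    "Post journals":         {"FND:GL Post Journals"},
    "Open/close GL periods": {"FND:GL Open/Close Periods", "REQSET:Open/Close Periods"},
    "Maintain GL accounts":  {"FND:GL Accounts"},
    "GL inquiry":            {"FND:GL Account Inquiry"},
}
# SOD rule set at the privilege level (constructed). GL-02 names the request
# set, so a role that only grants the request would still be caught.
SOD_RULES = {
    "GL-01 Enter vs. post journals":        ("FND:GL Journal Entry", "FND:GL Post Journals"),
    "GL-02 Post journals vs. close period": ("FND:GL Post Journals", "REQSET:Open/Close Periods"),
}
# Source roles in the catalog, expressed as sets of business activities.
ROLE_CATALOG = {
    "GL Super User (seeded)": {"Enter journals", "Post journals", "Open/close GL periods",
                               "Maintain GL accounts", "GL inquiry"},
    "GL Poster":              {"Post journals", "GL inquiry"},
}


def derive_role(source, select=(), deselect=()):
    """Copy the source role's activities, then add `select` and drop `deselect`."""
    unknown = (set(select) | set(deselect)) - ACTIVITIES.keys()
    if unknown:
        raise ValueError(f"unknown business activities: {sorted(unknown)}")
    return (ROLE_CATALOG[source] | set(select)) - set(deselect)


def privileges(activities):
    """Flatten a set of business activities into the privileges they grant."""
    return set().union(*(ACTIVITIES[a] for a in activities))


def conflicts(privs):
    """Sorted names of SOD rules whose two privileges are both present."""
    return sorted(rule for rule, (a, b) in SOD_RULES.items() if a in privs and b in privs)


def simulate_assignment(existing_roles, target_activities):
    """Pre-assignment check: conflicts inside the target role itself, and
    conflicts that appear only in combination with the user's existing roles."""
    existing = set().union(*(privileges(ROLE_CATALOG[r]) for r in existing_roles))
    intra = conflicts(privileges(target_activities))
    combined = conflicts(existing | privileges(target_activities))
    cross = sorted(set(combined) - set(intra) - set(conflicts(existing)))
    return {"intra_role": intra, "cross_role": cross}


if __name__ == "__main__":
    seeded = ROLE_CATALOG["GL Super User (seeded)"]
    print("Seeded GL Super User conflicts:", conflicts(privileges(seeded)))
    clerk = derive_role("GL Super User (seeded)",
                        deselect=["Post journals", "Open/close GL periods", "Maintain GL accounts"])
    print("Derived GL Journal Clerk:", sorted(clerk), simulate_assignment([], clerk))
    print("Assign clerk role to a user who already holds GL Poster:",
          simulate_assignment(["GL Poster"], clerk))
    closer = derive_role("GL Poster", select=["Open/close GL periods"])
    print("GL Poster plus period close (request set):", simulate_assignment([], closer))
```

The derived clerk role is clean on its own but conflicts with GL-01 as soon as it is granted to someone who already posts journals, which is why the check runs per user rather than per role; and adding the period close activity to the poster role trips GL-02 through the request set alone, which a rule set written only over form functions would miss.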
- 29.
Role Design: Access to Roles Manager
Review and approve Roles using email notifications.
Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce the risk of SOD control failure.
- 30.
Role Design: Access to Roles Manager
Access the link to approve or reject the new Role.
- 31.
Role Design: Access to Roles Manager
Assign Application Role Owner, Reviewer, Approver and Security Admin.
- 32. Agenda (section divider: Case Study)
- 33.
Client case: Global car and equipment rental company improves employee productivity
Our Client
Leader in the car and equipment rental businesses worldwide
Providing quality car rental service for over 90 years
Over 30,000 employees
Challenges
Replace multiple legacy systems with one ERP solution
Improve Segregation of Duty controls within mission critical applications
Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
Increase external auditors’ reliance on ERP Access Controls Monitoring
Solutions
GRC DataProbe
ERP Controls Catalog
ERP Roles Monitor
Results:
Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, by ensuring that all users are assigned only the pre-approved Roles.
Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.
- 34. Agenda (section divider: Q&A)