Leverage Technology:
Move Your Business Forward™
Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc.
Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Learn Role and Responsibility Design Techniques that strengthen Segregation of Duty Controls and boost User Productivity in Oracle E-Business Suite
Third Thursday Training Webinar Series
Adil Khan, Managing Director
February 19th, 2015
www.fulcrumway.comPage 2Copyright © FulcrumWay
Strengthen Segregation of Duty Controls and Boost
User Productivity
  Introductions
  Fundamentals of Oracle EBS Security Model
  Checklist of User Security Risks
  Security Assessment Approach
  Role Design Techniques
  Case Study
  Q&A
Agenda
A Leader in Risk Based Controls Management™
FulcrumWay: is the #1 End-to-End Provider of Risk Based Enterprise Controls Management
Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle
Market clients. Since 2003, we have successfully assisted companies across all major industry
segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best
Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial,
Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced
Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified
us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools,
Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San
Francisco
International Presence: in Auckland, Chennai, Johannesburg, London, Mexico City
FulcrumWay
FulcrumWay Clients
Successful Track Record
Government
Oil and Gas
Healthcare
Communications
Financial Services
Transportation
Natural Resources
Manufacturing
Retail
High Tech
Media/Entertainment
Life Sciences
FulcrumWay™ Insight
Thought Leadership
Co-Authored GRC Book: First book on GRC for Oracle
Applications
SROAUG GRC Solution Lab - February 27th – Los
Angeles: GRC Case Studies and Best Practices
Innovate 15 – March 19th – Iselin, NJ -GRC Case
Studies and Best Practices
Collaborate 15 – GRC Client Appreciation Dinner April
13th, 2015 Las Vegas
IIA/ISACA GRC Conference – August 17th - 19th, 2015 -
Presentations – GRC Case Studies and Best Practices
Educational Webcasts – Every 3rd Thursday of the
Month – GRC Best Practices, Trends and Expert Insight
Oracle Open World – Annual GRC Dinner on October
26th, 2015 - San Francisco, CA
LinkedIn –FulcrumWay Risk, Compliance and Audit
Software Group
YouTube Podcasts – FulcrumWay Instant Insight in 10
min or less
Proven Expertise
Complicated Security Model
High Risk of Access Control Deficiencies
Diagram labels: User, Responsibility, Menu, Function, Form
Evaluate User Access
•  Test by User
•  Test by Privilege
Manage Segregation of Duties
•  Identify incompatible Privileges
•  Predefined & Extensible SOD Rule Sets
Fundamentals
•  Oracle EBS User Password Policy
•  User is assigned to the HR Record
•  Active/Inactive User
•  One or more responsibilities assigned to a User
•  A Responsibility has many Menus and Sub-Menus
•  Menu has many functions / forms
•  Menu has prompts that user can see to navigate
•  Grant Flag enables access to the Sub-Menu or Function
A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu
defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be
accessed by the responsibility, which are granted.
Functions enable users to view, enter, update, delete data on a Form
•  Responsibility - The function is controlled by the user's responsibility
•  Organization - The function is controlled by the user's organization
•  Security Group - The function is controlled by the user's security group
A function is a part of an application's functionality that is registered under a unique name for the purpose of assigning it to,
or excluding it from, a responsibility.
Oracle EBS User have access to: Self Service Web Pages
If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.
The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing builtins, displaying messages, and adding menu entries.
A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.
You can use request security groups to specify the reports, request sets, and concurrent programs that your users can run from a standard submission form, such as the Submit Requests form.
Security Risk Factors
  Complexity of ERP System Security Model
–  An average Oracle EBS R12 customer has over 35,000 functions and 12,500
menus
  Effectiveness of Roles Design
–  Single Global Roles Template or wide variation based on user needs
  Completeness of User Provisioning Process
–  Does user provisioning process include control warnings for approvers?
  Auditability of ERP Configuration and Data Access
–  Can you track ALL changes to key setup and/or master data?
  Number of ERP environments
–  Do you need to control access to multiple ERP systems?
Checklist
Security questions to benchmark ERP security maturity (Qualitative Analysis)
Checklist
•  Do the ERP Roles meet requirements for all users?
•  Does User provisioning prevent security policy violations?
•  How do you monitor “super-user” activities?
•  Do you obtain user access verification from managers, periodically?
•  How do you detect Segregation of Duty policy violations?
•  Is access to sensitive data and functions protected?
•  Do you maintain audit trail on ERP configuration controls?
•  Can you prevent unauthorized Master Data changes?
•  How do you ensure that terminated employees can’t access ERP?
User: John Doe
Responsibility: Payables Manager, US
Menu: AP_Navigate_GUI12
Submenu: AP_Invoices_Entry
Function: Invoice Batches
User: Mike Jones
Payables Users
Responsibility: Payables Supervisor
Responsibility: Payables User
Menu: UK_AP_Navigate_GUI12
SubMenu: AP_Invoices_Entry
SubMenu: AP_Invoices_GUI12_G
Menu: AX_Payables_User
Responsibility: Payables Supervisor
Responsibility: Payables Manager, US
Responsibility:
Payables User
What if we exclude ‘Invoice
Batches’ from
AP_Invoices_Entry?
Root Cause Analysis is
required for remediation!
Checklist Quantitative Analysis of Security Model
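The root-cause question on this slide, worked as an added example (not FulcrumWay or Oracle code). Object names come from the slide; which responsibility uses which menu, the "Payments" function, the SoD rule and the simplified grant-flag handling are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data. Object names come from the slide; how they are wired
# together, the "Payments" function and the SoD rule are assumptions.
USER_RESPS = {
    "John Doe": ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
# menu -> entries of (kind, name, grant_flag); kind is "menu" (submenu) or "function"
MENUS = {
    "AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry", True),
                          ("function", "Payments", True)],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry", True),
                             ("menu", "AP_Invoices_GUI12_G", True)],
    "AX_Payables_User": [("function", "Payments", True)],
    "AP_Invoices_Entry": [("function", "Invoice Batches", True)],
    # Prompt is visible but the grant flag is off, so this path grants nothing.
    "AP_Invoices_GUI12_G": [("function", "Invoice Batches", False)],
}
NO_EXCLUSIONS = {}  # responsibility -> set of excluded function names
SOD_RULES = [("Invoice Batches", "Payments")]


def access_paths(resp, menus, exclusions):
    """Map each function a responsibility grants to the menu paths that grant it."""
    excluded = exclusions.get(resp, set())
    paths = defaultdict(list)

    def walk(menu, trail):
        if menu in trail:  # guard against a menu that includes itself
            return
        for kind, name, granted in menus.get(menu, []):
            if not granted:
                continue
            if kind == "menu":
                walk(name, trail + [menu])
            elif name not in excluded:
                paths[name].append(" > ".join([resp] + trail + [menu, name]))

    walk(RESP_MENU[resp], [])
    return dict(paths)


def user_access(user, menus, exclusions):
    """Union of granted functions over every responsibility the user holds."""
    merged = defaultdict(list)
    for resp in USER_RESPS[user]:
        for function, found in access_paths(resp, menus, exclusions).items():
            merged[function].extend(found)
    return dict(merged)


def sod_violations(menus, exclusions):
    """Users holding both sides of an SoD rule, with the paths that cause it."""
    findings = []
    for user in USER_RESPS:
        access = user_access(user, menus, exclusions)
        for left, right in SOD_RULES:
            if left in access and right in access:
                findings.append((user, access[left] + access[right]))
    return findings


def without_entry(menus, menu, name):
    """What-if copy of the menu tree with one entry removed from one menu."""
    changed = dict(menus)
    changed[menu] = [entry for entry in menus[menu] if entry[1] != name]
    return changed


def lost_access(function, before, after):
    """Users who reach `function` under `before` but not under `after`.

    `before` and `after` are (menus, exclusions) pairs."""
    return sorted(
        user for user in USER_RESPS
        if function in user_access(user, *before)
        and function not in user_access(user, *after)
    )


if __name__ == "__main__":
    baseline = (MENUS, NO_EXCLUSIONS)
    for user, paths in sod_violations(*baseline):
        print(user, *paths, sep="\n  ")
    # Option A from the slide: edit the shared submenu.
    shared = (without_entry(MENUS, "AP_Invoices_Entry", "Invoice Batches"), NO_EXCLUSIONS)
    print("submenu edit removes access for:", lost_access("Invoice Batches", baseline, shared))
    # Option B: exclude the function on one responsibility only.
    scoped = (MENUS, {"Payables Manager, US": {"Invoice Batches"}})
    print("exclusion removes access for:", lost_access("Invoice Batches", baseline, scoped))
    print("still in violation:", [user for user, _ in sod_violations(*scoped)])
```

Editing the shared submenu clears both findings but takes invoice entry away from every responsibility that includes it, while the responsibility-level exclusion touches one role and leaves the cross-responsibility conflict to be fixed at assignment level.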
Risk Based Access Management
Detect/
Analyze
Findings
Implement
Corrective
Actions
Monitor
Controls
Scope
Application
Controls
Sample
ERP
Data
Manage
Exceptions
Implement
Controls
Risk Advisors/
ERP Managers/
Control Owners
Risk Advisors/
Control Owners
Control
Owners/
ERP
Managers
Establish
Test
Environment
Assess Risk
Identify Risk
Design Controls
Advanced
Controls
Experts/
ERP Managers
Approach
Top Down Risk Based Approach to Application
Controls
•  What are the enterprise wide risks that need to be Assessed?
•  Which business processes are impacted by these risks?
•  Which ERP apps are used to perform these processes
•  Where (business locations) are the processes performed
•  What application functions control the processes?
Identify Risks
Application Risk Factors
Chart labels: Risk Threshold; AR, AP, GL, INV, PR, HR, OM, PO, FA

List of Apps | Primary Process Enabler | Financial/Sensitive Data | Custom Code | Freq. of Changes | Audit Logs | Risk Rating
GL | 8 | 9 | 5 | 9 | 8 | 34
AP | 7 | 7 | 6 | 8 | 9 | 32
AR | 7 | 7 | 9 | 9 | 7 | 39
FA | 5 | 5 | 5 | 5 | 5 | 25
PO | 5 | 5 | 4 | 6 | 4 | 24

Chart labels: AP, GL, AR
Risk Scale: Highest 10
Risk Threshold: Over 30
Assess Risks
ERP Control Methods
Monitor Controls
Mitigate Remediate & Prevent
Accept
High Risk
Medium Risk
Medium Risk
Low Risk
Low
High
High
IMPACT
PROBABILITY
Treat Risk
Role Design
Build roles that strengthen security
and user productivity
1. Extract/Map Roles
•  Extract Security Model from the Source. This step requires mapping of all security tables as well as any attributes that limit access to source system functions and data.
2. Configure Security Settings
•  Using the Role migration map, and security configuration data, create target roles based on the target configuration attributes available.
3. Configure Data Access
•  Apply reporting and data access attributes available in the target system based on the role migration map.
4. Apply Security Attributes
•  Apply securing attributes such as security exclusion or inclusion attributes from the source system roles that map to the target system
5. Compare Source and Target
•  Generate reports from the Roles Manager to compare and confirm that the target roles are migrating from the source roles according to the security migration map.
6. Obtain Role Approval
•  Provide Role hierarchy report to business and IT users to obtain approval for deployment into the target system for Role testing.
7. Deploy Roles to Business Units
•  Once the source roles are accepted by ERP system users, each role is deployed for the business units within scope
Advanced Analytics to Accelerate Role
Design
Pre-built Risk Analytics. Risk Reports available for client review
Risk Advisors identify control violations and can analyze issues and remove false positives to prepare the findings report
Role Design
Global car and equipment rental company, improves
employee productivity
Our Client
•  Leader in the car and equipment rental businesses worldwide
•  Providing quality car rental service for over 90 years.
•  Over 30,000 employees
Challenges
•  Replace multiple legacy systems with one ERP solution
•  Improved Segregation of Duty controls within mission critical applications
•  Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
•  Increase external auditor’s reliance on ERP Access Controls Monitoring
Solutions
•  ERP Controls Catalog
•  ERP Roles Monitor
Results:
•  Reduce ERP Role design, build, testing and implementation time by 80% resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
•  Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
•  Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
•  Improve SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
•  Accelerated ERP testing and deploying time by identifying SOD conflicts before the Roles are assigned to Users.
Case Study
Enterprise Controls Platform
Compensating
Policies
Preventive
Provisioning
Remediation
(Clean-up)
Access
Analysis
•  Accelerate deployment and time to
value with ready-made controls library
•  Mitigate risk of inappropriate user
access with approval workflow and
audit trails
•  Simplify segregation of duties
enforcement with simulation and
remediation
Define Access
Controls
Detection Prevention
GRC Manager
SOD &
Access
Application
Configuration
Transaction
Monitoring
GRC Intelligence
Advanced Controls
Application Access Controls
Embed Controls Natively in Enterprise Apps
Case Study
FulcrumWay Roles Manager Overview
Eliminate Root Cause of Access Control Violations in ERP:
  Improve Segregation of Duty controls within mission critical applications
  Reduce ERP implementation and upgrade costs with pre-configured roles
  Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators:
  Select pre-configured ERP roles from a roles catalog
  Update, Review and Approve Role design changes.
  Identify SOD conflicts before the Roles are assigned to Users.
Case Study
  Role Manager is an ERP security design tool
  Contains a pre-configured catalog of roles which comply with segregation of
duty (SOD) policies.
  Roles by ERP module and typical access requirements for those modules
such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
  You can use this tool to view existing role templates and design new roles
by easily selecting or deselecting ERP functions/transaction.
  Once you complete the roles design, you can send it, using workflows, to
pre-assigned reviewers and approvers to finalize the roles.
  The role preparers, reviewers and approvers can also assess the SOD
control risks before finalizing the roles.
  Leverage FW DataProbe/Scripts to load current Roles
  Secure Access from fulcrumway.com portal
Role Design FulcrumWay Roles Manager Features
Access to Roles Manager
Role Design
Sign-in to ERP Controls and Navigate to Roles Manager at FulcrumWay.com
Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet-connection.
Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab
Search and Browse through catalog of Roles for Oracle EBS R12
Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls Designed into the configuration to give you a jump start
Role Design
Access to Roles Manager
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role.
Assign Reviewers and Approvers for the role
Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration
Role Design
Access to Roles Manager
Role Design
Select/Deselect business activities to update Role configuration automatically
Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.
ERP Role Provisioning
Save Precious Time Verifying Role Provision Request
  Prevent Unauthorized Systems Access
  Reduce the Risk of Internal Fraud
  Improve Your Compliance Audit Trail
We enable Security/ERP Administrators:
  Automate manual access request processes
  Ensure there are no unauthorized users
  Detect and prevent disallowed access attempts
Case Study
	
Monitor Role Assignment Requests
Mitigate Access Risks
Monitor controls over the user provisioning process. Maintain audit log
Reduce SOD violations by monitoring User Access Requests at Helpdesk and perform SOD analysis before access is granted
Periodically Verify Role Assignments
Save Precious Time Verifying User Access
  Detect Unauthorized Systems Access
  Automate User Access Review
  Improve Your Compliance Audit Trail
We enable Security/ERP Administrators:
  Ensure there are no unauthorized users
  Maintain universal access security compliance
Monitor Access
Risks
Prevent dormant user role assignments
Monitor Access Risks
Send user access verification request to application control owners using “passkey” to verify or terminate access
Monitor User Access to Responsibility/Role and Functions
Compensating Controls for Privileged
(super-user) roles
Apply Continuous Monitoring to ERP Controls
  Minimize Process Errors and Losses
  Maintain compliance with regulations and internal policies
  Reduce the Cost of Risk and Audit
We enable Business and IT Managers:
  Meet your organizational control objectives
  Complete your controls monitoring repository
  Apply policies and rules to each business cycle
Case Study
FW Controls Catalog with over 1,000
advanced controls
Select SOD, Master Data, Setup, and Transaction Controls Risk Assessment
Detect control weaknesses across ERP system to identify business process optimization opportunities
Case Study
Leader in Risk Based Management Controls
Q & A
Visit Resources to get
started with Security
Assessment and Role
Design

Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profileakrivarotava
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 

Recently uploaded (20)

Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profile
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 

FulcrumWay - Ed. Webinar - Role & Responsibility Design Techniques that Strengthen SOD Controls & Boost User Productivity in Oracle EBS

  • 1. Leverage Technology: Move Your Business Forward™. Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics. A Leader in Risk Based Enterprise Controls Management Solutions. Copyright ©. Fulcrum Information Technology, Inc. "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes. Learn Role and Responsibility Design Techniques that strengthen Segregation of Duty Controls and boost User Productivity in Oracle E-Business Suite. Third Thursday Training Webinar Series. Adil Khan, Managing Director. February 19th, 2015
  • 2. www.fulcrumway.com | Page 2 | Copyright © FulcrumWay. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study; Q&A
  • 3. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study; Q&A
  • 4. FulcrumWay: A Leader in Risk Based Controls Management™. FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments. Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services. Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services. Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager. USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco. International Presence: Auckland, Chennai, Johannesburg, London, Mexico City
  • 5. FulcrumWay Clients: Successful Track Record. Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences
  • 6. FulcrumWay™ Insight: Thought Leadership and Proven Expertise. Co-Authored GRC Book: First book on GRC for Oracle Applications. SROAUG GRC Solution Lab – February 27th – Los Angeles: GRC Case Studies and Best Practices. Innovate 15 – March 19th – Iselin, NJ: GRC Case Studies and Best Practices. Collaborate 15 – GRC Client Appreciation Dinner, April 13th, 2015, Las Vegas. IIA/ISACA GRC Conference – August 17th - 19th, 2015: Presentations – GRC Case Studies and Best Practices. Educational Webcasts – Every 3rd Thursday of the Month: GRC Best Practices, Trends and Expert Insight. Oracle Open World – Annual GRC Dinner on October 26th, 2015, San Francisco, CA. LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group. YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
  • 7. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study
  • 8. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. Security model objects: User, Responsibility, Menu, Function, Form. Evaluate User Access: Test by User; Test by Privilege. Manage Segregation of Duties: Identify incompatible Privileges; Predefined & Extensible SOD Rule Sets
  • 9. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. Oracle EBS User Password Policy. User is assigned to the HR Record. Active/Inactive User. One or more responsibilities are assigned to a User. A Responsibility has many Menus and Sub-Menus. A Menu has many functions / forms
  • 10. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. Menu has prompts that the user can see to navigate. Grant Flag enables access to the Sub-Menu or Function. A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility, which are granted.
  • 11. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. Functions enable users to view, enter, update, delete data on a Form. Responsibility - The function is controlled by the user's responsibility. Organization - The function is controlled by the user's organization. Security Group - The function is controlled by the user's security group. A function is a part of an application's functionality that is registered under a unique name for the purpose of assigning it to, or excluding it from, a responsibility. Oracle EBS Users have access to: Self Service Web Pages
  • 12. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.
  • 13. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing builtins, displaying messages, and adding menu entries.
  • 14. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.
  • 15. Fundamentals: Complicated Security Model, High Risk of Access Control Deficiencies. You can use request security groups to specify the reports, request sets, and concurrent programs that your users can run from a standard submission form, such as the Submit Requests form.
  • 16. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study
  • 17. Checklist: Security Risk Factors. Complexity of ERP System Security Model: an average Oracle EBS R12 customer has over 35,000 functions and 12,500 menus. Effectiveness of Roles Design: Single Global Roles Template or wide variation based on user needs. Completeness of User Provisioning Process: does the user provisioning process include control warnings for approvers? Auditability of ERP Configuration and Data Access: can you track ALL changes to key setup and/or master data? Number of ERP environments: do you need to control access to multiple ERP systems?
  • 18. Checklist: Security questions to benchmark ERP security maturity (Qualitative Analysis). Do the ERP Roles meet requirements for all users? Does User provisioning prevent security policy violations? How do you monitor “super-user” activities? Do you obtain user access verification from managers, periodically? How do you detect Segregation of Duty policy violations? Is access to sensitive data and functions protected? Do you maintain an audit trail on ERP configuration controls? Can you prevent unauthorized Master Data changes? How do you ensure that terminated employees can’t access ERP?
  • 19. Checklist: Quantitative Analysis of Security Model. [Diagram] User: John Doe; Responsibility: Payables Manager, US; Menu: AP_Navigate_GUI12; Submenu: AP_Invoices_Entry; Function: Invoice Batches. User: Mike Jones (Payables Users); Responsibility: Payables Supervisor; Responsibility: Payables User; Menu: UK_AP_Navigate_GUI12; SubMenu: AP_Invoices_Entry; SubMenu: AP_Invoices_GUI12_G; Menu: AX_Payables_User. Responsibilities shown: Payables Supervisor; Payables Manager, US; Payables User. What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry? Root Cause Analysis is required for remediation!
  • 20. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study
  • 21. Approach: Risk Based Access Management. [Process diagram] Steps shown: Identify Risk; Assess Risk; Design Controls; Establish Test Environment; Scope Application Controls; Sample ERP Data; Detect/Analyze Findings; Implement Corrective Actions; Manage Exceptions; Implement Controls; Monitor Controls. Participants shown: Risk Advisors/ERP Managers/Control Owners; Risk Advisors/Control Owners; Control Owners/ERP Managers; Advanced Controls Experts/ERP Managers
  • 22. Identify Risks: Top Down Risk Based Approach to Application Controls. What are the enterprise wide risks that need to be assessed? Which business processes are impacted by these risks? Which ERP apps are used to perform these processes? Where (business locations) are the processes performed? What application functions control the processes?
  • 23. Assess Risks: Application Risk Factors. Apps shown: AR, AP, GL, INV, PR, HR, OM, PO, FA. Table columns: List of Apps; Primary Process Enabler; Financial/Sensitive Data; Custom Code; Freq. of Changes; Audit Logs; Risk Rating. GL: 8; 9; 5; 9; 8; 34. AP: 7; 7; 6; 8; 9; 32. AR: 7; 7; 9; 9; 7; 39. FA: 5; 5; 5; 5; 5; 25. PO: 5; 5; 4; 6; 4; 24. Above the Risk Threshold: AP, GL, AR. Risk Scale: Highest 10. Risk Threshold: Over 30
  • 24. Treat Risk: ERP Control Methods. [Matrix of Impact against Probability, each from Low to High] Risk levels shown: High Risk; Medium Risk; Medium Risk; Low Risk. Treatments shown: Monitor Controls; Mitigate; Remediate & Prevent; Accept
  • 25. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study
  • 26. Role Design: Build roles that strengthen security and user productivity. 1. Extract/Map Roles: Extract the Security Model from the Source. This step requires mapping of all security tables as well as any attributes that limit access to source system functions and data. 2. Configure Security Settings: Using the Role migration map and security configuration data, create target roles based on the target configuration attributes available. 3. Configure Data Access: Apply reporting and data access attributes available in the target system based on the role migration map. 4. Apply Security Attributes: Apply securing attributes such as security exclusion or inclusion attributes from the source system roles that map to the target system. 5. Compare Source and Target: Generate reports from the Roles Manager to compare and confirm that the target roles are migrating from the source roles according to the security migration map. 6. Obtain Role Approval: Provide the Role hierarchy report to business and IT users to obtain approval for deployment into the target system for Role testing. 7. Deploy Roles to Business Units: Once the source roles are accepted by ERP system users, each role is deployed for the business units within scope
  • 27. Role Design: Advanced Analytics to Accelerate Role Design. Pre-built Risk Analytics. Risk Reports available for client review. Risk Advisors identifies controls violations and has the capability to analyze issues and remove false positives to prepare the findings report
  • 28. Agenda: Strengthen Segregation of Duty Controls and Boost User Productivity. Introductions; Fundamentals of Oracle EBS Security Model; Checklist of User Security Risks; Security Assessment Approach; Role Design Techniques; Case Study; Q&A
  • 29. Case Study: Global car and equipment rental company improves employee productivity. Our Client: Leader in the car and equipment rental businesses worldwide. Providing quality car rental service for over 90 years. Over 30,000 employees. Challenges: Replace multiple legacy systems with one ERP solution. Improved Segregation of Duty controls within mission critical applications. Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model. Increase external auditor’s reliance on ERP Access Controls Monitoring. Solutions: ERP Controls Catalog; ERP Roles Monitor. Results: Reduce ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out. Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog. Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles. Improve SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes. Accelerated ERP testing and deploying time by identifying SOD conflicts before the Roles are assigned to Users.
  • 30. Case Study: Enterprise Controls Platform. Accelerate deployment and time to value with ready-made controls library. Mitigate risk of inappropriate user access with approval workflow and audit trails. Simplify segregation of duties enforcement with simulation and remediation. [Diagram] Define Access Controls; Detection: Access Analysis, Remediation (Clean-up); Prevention: Preventive Provisioning, Compensating Policies. GRC Manager; GRC Intelligence; Advanced Controls: SOD & Access, Application Configuration, Transaction Monitoring. Application Access Controls: Embed Controls Natively in Enterprise Apps
  • 31. Case Study: FulcrumWay Roles Manager Overview. Eliminate Root Cause of Access Control Violations in ERP: Improve Segregation of Duty controls within mission critical applications. Reduce ERP implementation and upgrade costs with pre-configured roles. Lower ERP Total Cost of Ownership by assigning pre-approved Roles. We enable ERP Administrators to: Select pre-configured ERP roles from a roles catalog. Update, Review and Approve Role design changes. Identify SOD conflicts before the Roles are assigned to Users.
  • 32. Role Design: FulcrumWay Roles Manager Features. Role Manager is an ERP security design tool. Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies. Roles by ERP module and typical access requirements for those modules such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup. You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions. Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles. The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles. Leverage FW DataProbe/Scripts to load current Roles. Secure Access from fulcrumway.com portal
  • 33. Role Design: Access to Roles Manager. Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com. Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection.
  • 34. Role Design: Search and Browse through catalog of Roles for Oracle EBS R12. Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab. Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start
  • 35. Role Design: Access to Roles Manager. Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role. Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration
  • 36. Role Design: Access to Roles Manager. Select/Deselect business activities to update Role configuration automatically. Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.
  • 37. Case Study: ERP Role Provisioning. Save Precious Time Verifying Role Provision Requests: Prevent Unauthorized Systems Access. Reduce the Risk of Internal Fraud. Improve Your Compliance Audit Trail. We enable Security/ERP Administrators to: Automate manual access request processes. Ensure there are no unauthorized users. Detect and prevent disallowed access attempts
  • 38. Mitigate Access Risks: Monitor Role Assignment Requests. Monitor controls over the user provisioning process. Maintain audit log. Reduce SOD violations by monitoring User Access Requests at Helpdesk and perform SOD analysis before access is granted
  • 39. Monitor Access Risks: Periodically Verify Role Assignments. Save Precious Time Verifying User Access: Detect Unauthorized Systems Access. Automate User Access Review. Improve Your Compliance Audit Trail. We enable Security/ERP Administrators to: Ensure there are no unauthorized users. Maintain universal access security compliance
  • 40. Monitor Access Risks: Prevent dormant user role assignments. Send user access verification requests to application control owners using “passkey” to verify or terminate access. Monitor User Access to Responsibility/Role and Functions
  • 41. Case Study: Compensating Controls for Privileged (super-user) roles. Apply Continuous Monitoring to ERP Controls: Minimize Process Errors and Losses. Maintain compliance with regulations and internal policies. Reduce the Cost of Risk and Audit. We enable Business and IT Managers to: Meet your organizational control objectives. Complete your controls monitoring repository. Apply policies and rules to each business cycle
  • 42. Case Study: FW Controls Catalog with over 1,000 advanced controls. Select SOD, Master Data, Setup, and Transaction Controls Risk Assessment. Detect control weaknesses across the ERP system to identify business process optimization opportunities
  • 43. Q & A: Leader in Risk Based Management Controls. Visit Resources to get started with Security Assessment and Role Design
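
The root cause analysis that slide 19 calls for can be sketched as a walk over the User, Responsibility, Menu, Function hierarchy from slides 8 to 11. This is an added example, not FulcrumWay's or Oracle's code: the object names come from slide 19, while the wiring between them, the 'Payment Batches' function and the SOD rule are constructed assumptions.

```python
"""Access-path analysis for an EBS-style User -> Responsibility -> Menu -> Function model."""

# Constructed sample model. Names are taken from slide 19 where available; how they
# connect, 'Payment Batches' and the SOD rule are assumptions made for illustration.
USER_RESPS = {
    "John Doe": ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
# menu -> entries of (kind, name, grant_flag); only granted entries give access
MENU_ENTRIES = {
    "AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry", True),
                          ("function", "Payment Batches", True)],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry", True),
                             ("menu", "AP_Invoices_GUI12_G", True),
                             ("function", "Payment Batches", True)],
    "AX_Payables_User": [("menu", "AP_Invoices_Entry", True),
                         ("function", "Payment Batches", True)],
    "AP_Invoices_Entry": [("function", "Invoice Batches", True)],
    "AP_Invoices_GUI12_G": [("function", "Invoice Batches", True),
                            ("function", "Payment Batches", False)],
}
# Menus or functions excluded from a responsibility
RESP_EXCLUSIONS = {"Payables User": {"Payment Batches"}}
# Pairs of functions one user must not hold together (hypothetical rule)
SOD_RULES = [("Invoice Batches", "Payment Batches")]


def resp_paths(resp, entries=MENU_ENTRIES):
    """Return {function: [menu path, ...]} for every function the responsibility grants."""
    excluded = RESP_EXCLUSIONS.get(resp, set())
    found = {}

    def walk(menu, trail):
        if menu in trail or menu in excluded:  # cycle guard, menu exclusion
            return
        trail = trail + (menu,)
        for kind, name, granted in entries.get(menu, []):
            if not granted:  # grant flag off: no access through this entry
                continue
            if kind == "menu":
                walk(name, trail)
            elif name not in excluded:
                found.setdefault(name, []).append(trail)

    walk(RESP_MENU[resp], ())
    return found


def user_access(user, entries=MENU_ENTRIES):
    """Return {function: [(responsibility, menu path), ...]} for one user."""
    access = {}
    for resp in USER_RESPS[user]:
        for function, paths in resp_paths(resp, entries).items():
            access.setdefault(function, []).extend((resp, p) for p in paths)
    return access


def sod_violations(entries=MENU_ENTRIES):
    """List (user, function_a, function_b) for every SOD rule a user violates."""
    hits = []
    for user in sorted(USER_RESPS):
        have = user_access(user, entries)
        hits += [(user, a, b) for a, b in SOD_RULES if a in have and b in have]
    return hits


def without_entry(menu, function, entries=MENU_ENTRIES):
    """Copy of the menu model with one function entry removed from one menu."""
    changed = dict(entries)
    changed[menu] = [e for e in entries.get(menu, []) if e[:2] != ("function", function)]
    return changed


def what_if_remove(menu, function):
    """For users who hold `function` today, list the paths that survive the removal."""
    after = without_entry(menu, function)
    return {user: user_access(user, after).get(function, [])
            for user in sorted(USER_RESPS) if function in user_access(user)}


if __name__ == "__main__":
    print("SOD violations now:", sod_violations())
    for user, left in what_if_remove("AP_Invoices_Entry", "Invoice Batches").items():
        print(user, "-> remediated" if not left else f"-> still granted via {left}")
```

In this constructed model, removing 'Invoice Batches' from AP_Invoices_Entry clears John Doe but leaves Mike Jones in violation through a second submenu, which is why the change has to be planned from the full set of access paths rather than from a single menu.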