JDE & Peoplesoft 2 | Mike Ward | Security implications of Upgrading JDE
Transcript

  • 1. Security Implications when Upgrading JD Edwards
    Mike Ward, Managing Director
    The most comprehensive Oracle applications & technology content under one roof
  • 2. Have pity on the homeland.....
  • 3. Agenda
    – Q Software credentials
    – Security considerations when upgrading JD Edwards E1
    – Security issues in JD Edwards E1
    – Planning for security as part of the upgrade
    – How effective security can help to pay for the upgrade project
  • 4. The Oracle Security & Compliance People: 270+ Customers
  • 5. Agenda (section divider; same items as slide 3)
  • 6. Why Upgrade?
    – Migrating from World to E1?
    – Moving from blue stack to red stack?
    – Support considerations?
    – Moving to newer standards-based IT?
    – Moving to higher performance h/w & s/w platform?
    – Consolidating instances of JDE?
    – New functionality?
  • 7. Issues with Instance Consolidation?
    Instance refers to the unique set of JD Edwards EnterpriseOne data, which includes transactional data, control tables and system data.
    Warning signs (diagram): Increased maintenance cost; Multiple data centers; Disparate processes; Multiple ERP versions; Duplicate architecture; Highly customised environment; Improper controls
  • 8. Upgrade considerations – Functional Changes
    Diagram items: 1,000+ Enhancements; Industry Modules; New Functionality; Custom Programs; Business Processes; Improvements; Alignment of Controls; Fraud & IP Theft; Share Price Risks; Loss of Business & Inability to do job; Maximise Staff Effectiveness; Affects Roles / Responsibilities
  • 9. Security & Upgrades: Scope Creep
    – Ex-employees still have access
    – Changes to business processes
    – Organisational & process changes
    – Upgrades.........
    Chart: Risk (vertical axis) against Time (horizontal axis), with Task 1 to Task 4 stacking up over time
  • 10. Fraud will never happen to You
    – 75% of fraud is due to ineffective internal controls, split between:
      – Lack of controls 38%
      – Overriding controls 19%
      – Lack of management review 18%
    – 80% of businesses modify controls after fraud
    Source: Association of Certified Fraud Examiners
  • 11. It doesn't happen here.......
    World map of fraud / economic crime survey results by country (UK, USA, Canada, Germany, South Africa, Australia, New Zealand); the individual figures did not survive extraction. Source: PwC 2009 crime and fraud surveys.
  • 12. Segregation of Duties (SoD)
    Jones & Jones Inc.: a Manager
    – sets up MB Inc. as a supplier
    – accepts purchase invoices from MB Inc.
    – approves invoices
    – processes for payment
    – transfers the funds
    – runs off with $1m
  • 13. "Excessive Access Rights"
    – VP in Finance Department
    – July – December 2010
    – Stole $19m
    "Defendant bought a Maserati, 6 properties, and a $½m entertainment system"
  • 14. Deloitte – Auditor Survey
    – 3 most common frauds:
      – Misappropriation of Assets – 31%
      – Improper Expenditures – 22%
      – Procurement Fraud – 16%
    – 63% of companies say vulnerability has increased
    – 83% of UK companies had suffered fraud
  • 15. Agenda (section divider; same items as slide 3)
  • 16. Issues in JD Edwards E1
    § All Doors Open v All Doors Closed
    – Menu security is no security
    – No Segregation of Duties
    – Access to critical programs
    – 30+ security types, 300 options
    – 35,000 objects
    – Complexity of maintenance: forms, versions
    – Multiple roles / Sequence Manager
    – Unexpected security authorities
    – Changes lead to unexpected results
    – Application access is very complex:
      – Task Views
      – FineCut
      – FastPath
      – Hidden & Associated Applications
  • 18. Agenda (section divider; same items as slide 3)
  • 19. Auditors Recommend Roles Based Access Control
    – Native in 8.10 upwards
    – Essential to retain this functionality
    – Why .....
      § Simplified systems administration
      § Enhanced security & integrity
      § Simplified regulatory compliance
      § Enhanced organisational productivity
  • 20. Security Planning
    – Upgrading is a good time to review security
      – Has it kept pace with organisational changes?
      – Are you suffering from "security creep"?
      – Who can access critical programs?
      – What is your security policy?
    – All Doors Closed
      – Grant back access – Roles Based Access Control: "Only way to ensure a fully auditable system"
      – But need to build a maintainable model: "Sustainable Compliance"
  • 21. Security Planning
    – Security must not be an afterthought
      – It should be planned in
      – Should match business processes
    – Effective SoD policy is a must
      – Prevent fraud
      – Auditor requirement
      – Adds value
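Slide 12 shows the classic SoD failure (one person can create the supplier, approve the invoice and move the money), and slides 20 and 21 say the fix is All Doors Closed with access granted back through roles and an SoD policy that is checked, not assumed. The following is an added example, not code from the slides or from Q Software: a deny-by-default role model with a segregation-of-duties check run over constructed sample users. Object names such as "SupplierMaster" and the role and user names are hypothetical placeholders, not real JD Edwards program ids or roles.

```python
"""Deny-by-default (All Doors Closed) role model plus an SoD conflict check.

Added example with constructed sample data; the object, role and user names
are hypothetical placeholders, not real JD Edwards identifiers.
"""
from itertools import combinations

# Role -> set of (object, action) grants. Anything not granted here is denied.
ROLE_GRANTS = {
    "AP_CLERK": {("SupplierMaster", "add"), ("PurchaseInvoice", "enter")},
    "AP_MANAGER": {("PurchaseInvoice", "approve")},
    "TREASURY": {("Payment", "process"), ("Payment", "transfer")},
}

# A duty is a named bundle of grants; holding any grant of the bundle counts
# as holding the duty (the conservative reading an auditor would apply).
DUTIES = {
    "maintain_suppliers": {("SupplierMaster", "add")},
    "enter_invoices": {("PurchaseInvoice", "enter")},
    "approve_invoices": {("PurchaseInvoice", "approve")},
    "pay_invoices": {("Payment", "process"), ("Payment", "transfer")},
}

# SoD policy: pairs of duties no single person may hold together.
SOD_RULES = [
    ("maintain_suppliers", "approve_invoices"),
    ("maintain_suppliers", "pay_invoices"),
    ("enter_invoices", "approve_invoices"),
    ("approve_invoices", "pay_invoices"),
]

# Constructed user-to-role assignments; "jones" is the manager of slide 12.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "jones": {"AP_CLERK", "AP_MANAGER", "TREASURY"},
}


def effective_grants(user):
    """All Doors Closed: a user has exactly the union of their roles' grants.
    Unknown users and unknown roles contribute nothing."""
    grants = set()
    for role in USER_ROLES.get(user, ()):
        grants |= ROLE_GRANTS.get(role, set())
    return grants


def is_permitted(user, obj, action):
    """Authorisation decision: permitted only if an explicit grant exists."""
    return (obj, action) in effective_grants(user)


def duties_for(grants):
    """Duties implied by a set of grants."""
    return {duty for duty, needed in DUTIES.items() if needed & grants}


def sod_violations(user):
    """SoD rules this user breaks, as sorted (duty_a, duty_b) pairs."""
    held = duties_for(effective_grants(user))
    return sorted((a, b) for a, b in SOD_RULES if a in held and b in held)


def sod_report():
    """Users with at least one SoD violation, for the audit report."""
    report = {}
    for user in USER_ROLES:
        violations = sod_violations(user)
        if violations:
            report[user] = violations
    return report


def conflicting_role_pairs():
    """Role-design check: pairs of roles that must never be assigned to the
    same person because their combined grants would breach the SoD policy.
    Useful when building the grant-back model before any users exist."""
    pairs = []
    for r1, r2 in combinations(sorted(ROLE_GRANTS), 2):
        held = duties_for(ROLE_GRANTS[r1] | ROLE_GRANTS[r2])
        if any(a in held and b in held for a, b in SOD_RULES):
            pairs.append((r1, r2))
    return pairs


if __name__ == "__main__":
    for user, violations in sod_report().items():
        print(f"{user}: {violations}")
    print("role pairs that must not be combined:", conflicting_role_pairs())
```

Two points the slides make fall out of the code: access is the union of role grants and nothing else, so "menu security" or a forgotten default never widens it; and the SoD check runs over the same role data the grant-back model is built from, so the policy is re-checkable after every role change rather than once at go-live.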
  • 22–28. Upgrading: Security plan checklist (built up over seven slides)
    – Information Gathering
    – Audit Security
    – Added Value
    – Evaluate Tools
    – Take Advice
    – Risk Management Plan
    – Integrate Security
  • 29. Agenda (section divider; same items as slide 3)
  • 30. The Dangers and Costs: The Alinean ROI Report
    Columns: Typical Threats; Avg. Breaches per Year (per 1,000 users); Avg. IT Staff Hours per Breach; Avg. Business & Collateral Damage per Breach
    – Virus / Worms / Trojans: 2; 4 hours per infected asset; $24,000
    – Denial of Service: 2 serious incidents; 32 hours per system; $122,000
    – Data Destruction / Damage: 1; 120 hours; $350,000
    – Physical Theft / Disclosure: 25% of employees leave with assets; 2 hours; $5,000
    – Information Theft and Disclosure: 1; 180 hours; $250,000
    – Policy Violation: 30; 2 hours; $20,000
    – Errant User Behaviour: 15; 2 hours; $20,000
  • 31. Impact Analysis (Cost of Inaction)
    Problem / Possible impact:
    – Poor SoD Control: Fail audit; cost of compensating controls? cost of remedial action? cost of fraud? cost of errors? incremental cost of audit trying to get necessary data? impact on business of failed audit (i.e. share price, lost orders)?
    – Failed audit: cost of compensating controls? cost of remedial action? cost of fraud? potential each quarter from shareholder litigation? potential regulatory fines?
    – Security / SOX deadline: impact of missing deadline; impact on other projects if SOX late; cost of overtime / additional internal resources to achieve deadline? cost of external resources to help achieve deadline
    – Unauthorised Access / Ineffective Security: cost of security incidents? (CSI 2009 survey states average per-incident cost exceeds $230k); incremental audit costs tracking posting / reconciliation errors (Ciber states that the best way to reduce reconciliation errors is to implement better security)
  • 32. Return On Security Investment (ROSI)
    – Return On Investment (ROI)
      – Money earned or saved v money invested
      – Quantitative
    – Return On Security Investment (ROSI)
      – Includes risk reduction
      – Includes qualitative
      – Insurance
    – Auditors place value in accounts for risk
  • 33. Adding Value to the Upgrade
    – Establish value in strong security
    – Maybe use ROSI?
    – Build in SoD & compliance reporting
    – Cost of inaction?
    – Audit to reduce risk
  • 34. Summary
    – Functional upgrades will impact business processes
      – Upgrading requires security restructure
    – Technical upgrades may enable security standardisation
    – JDE security has pitfalls for the unwary
    – Ineffective security can prove costly
      – Fraud is on the increase
      – More regulations to comply with
      – High non-compliance costs
    – Effective security can assist in paying for upgrade
      – Reduce opportunity for fraud
      – Reduce non-compliance costs
  • 35. Q Product Family: Quick Fix; Accelerator; Security Build & Maintain; E1Config Audit; E1SoD; Compliance Reporting; erpAudit
  • 36. Q – Secure & Comply
    – ADC in a few days
    – 80% saving in security management
    – Integrated SoD
    – Extensive access reporting
    – Multiple roles retained & improved
    – Audit Security – tool to convince management
    – Upgrade tools
  • 37. Cameron has it all under control
  • 38. Questions?