Transcript of "JDE & Peoplesoft 2 _ Mike Ward _ Security implications of Upgrading JDE.pdf"

  1. Security Implications when Upgrading JD Edwards. Mike Ward, Managing Director. • The most comprehensive Oracle applications & technology content under one roof
  2. Have pity on the homeland.....
  3. Agenda
     • Q Software credentials
     • Security considerations when upgrading JD Edwards E1
     • Security issues in JD Edwards E1
     • Planning for security as part of the upgrade
     • How effective security can help to pay for the upgrade project
  4. The Oracle Security & Compliance People. 270+ customers.
  6. Why Upgrade?
     • Migrating from World to E1?
     • Moving from blue stack to red stack?
     • Support considerations?
     • Moving to newer standards-based IT?
     • Moving to a higher-performance h/w & s/w platform?
     • Consolidating instances of JDE?
     • New functionality?
  7. Issues with Instance Consolidation? "Instance" refers to the unique set of JD Edwards EnterpriseOne data, which includes transactional data, control tables and system data. Warning signs (diagram): increased maintenance cost; multiple data centers; disparate processes; multiple ERP versions; duplicate architecture; highly customised environment; improper controls.
  8. Upgrade considerations – Functional Changes (diagram). New functionality (1,000+ enhancements, industry modules, custom programs, business process improvements, alignment of controls, maximise staff effectiveness) affects roles / responsibilities. Business risks: fraud & IP theft, share price, loss of business, inability to do job.
  9. Security & Upgrades Scope Creep
     • Ex-employees still have access
     • Changes to business processes
     • Organisational & process changes
     • Upgrades.........
     (Chart: risk rising over time as tasks 1 to 4 accumulate.)
  10. Fraud will never happen to You
     • 75% of fraud is due to ineffective internal controls, split between
       – Lack of controls 38%
       – Overriding controls 19%
       – Lack of management review 18%
     • 80% of businesses modify controls after fraud
     Source: Association of Certified Fraud Examiners
  11. It doesn't happen here....... (World map with one call-out per country: UK, Canada, New Zealand, South Africa, Germany, USA, Australia, each giving the share of companies reporting fraud or economic crime and its typical cost or detection route; the call-out text is not recoverable from this extraction.) Source: PwC 2009 crime survey
  12. Segregation of Duties (SoD). Jones & Jones Inc.: a manager
     • sets up MB Inc. as a supplier,
     • accepts purchase invoices from MB Inc.,
     • approves the invoices,
     • processes them for payment,
     • transfers the funds,
     • and runs off with $1m.
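The Jones & Jones walk-through is a segregation-of-duties violation: one person holds every step of the purchase-to-pay chain. The Python below is an added example, not code from the presentation or from JD Edwards, showing how such toxic task combinations can be detected mechanically, both inside a single role and across the combined roles a user has accumulated (the "multiple roles" pitfall the deck raises later). Task names, roles, users and the program numbers in the comments are constructed assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over a user's combined roles.

Added example, not code from the presentation or from JD Edwards. Task
names, role names and user assignments are constructed; the program IDs in
the comments (P04012 supplier master, P0411 voucher entry, P04571 payment
groups) are illustrative labels only.
"""

# Toxic task pairs: one person holding both can walk the Jones & Jones path
# (set up a supplier, invoice from it, approve, pay) with no second check.
SOD_RULES = [
    ("maintain_supplier", "enter_invoice"),      # P04012 + P0411
    ("maintain_supplier", "create_payment"),     # P04012 + P04571
    ("enter_invoice", "approve_invoice"),
    ("approve_invoice", "release_payment"),
    ("create_payment", "release_payment"),
]

# Role -> tasks. AP_ALL is a legacy "do everything" role that is conflicting
# on its own; the others are individually clean.
ROLES = {
    "VENDOR_ADMIN": {"maintain_supplier"},
    "AP_CLERK":     {"enter_invoice", "create_payment"},
    "AP_MANAGER":   {"approve_invoice"},
    "TREASURY":     {"release_payment"},
    "AP_ENQUIRY":   set(),
    "AP_ALL":       {"enter_invoice", "approve_invoice", "create_payment"},
}

# Constructed user -> roles. mjones accumulated roles over the years
# (security creep): each role passes review alone, the combination does not.
USERS = {
    "jsmith": ["AP_CLERK"],
    "mjones": ["VENDOR_ADMIN", "AP_CLERK", "AP_MANAGER"],
    "audit1": ["AP_ENQUIRY"],
}


def effective_tasks(user_roles, roles=ROLES):
    """Union of tasks over all roles; no precedence, every grant counts."""
    tasks = set()
    for role in user_roles:
        tasks |= roles[role]
    return tasks


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Rules violated inside a single role. These cannot be fixed by
    changing assignments; the role itself has to be split."""
    findings = {}
    for name, tasks in roles.items():
        hits = [rule for rule in rules if set(rule) <= tasks]
        if hits:
            findings[name] = hits
    return findings


def user_conflicts(user, users=USERS, roles=ROLES, rules=SOD_RULES):
    """Rules a user violates through the combination of their roles.

    Returns {(task_a, task_b): [(role granting a, role granting b), ...]}
    so the reviewer sees which role to remove, not just that there is a hit.
    """
    held = effective_tasks(users[user], roles)
    findings = {}
    for a, b in rules:
        if a in held and b in held:
            findings[(a, b)] = [
                (ra, rb)
                for ra in users[user] for rb in users[user]
                if a in roles[ra] and b in roles[rb]
            ]
    return findings


def users_with_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Sorted list of users with at least one SoD violation."""
    return sorted(u for u in users if user_conflicts(u, users, roles, rules))


if __name__ == "__main__":
    for role, hits in role_conflicts().items():
        print(f"role {role} is self-conflicting: {hits}")
    for user in users_with_conflicts():
        for (a, b), via in user_conflicts(user).items():
            print(f"{user}: {a} + {b} via {via}")
```

Run stand-alone it reports AP_ALL as self-conflicting and mjones as violating three rules, each traced to the pair of roles that grants the two halves; jsmith and audit1 are clean. The separation between role-level and user-level findings matters in practice: the first is fixed by redesigning the role, the second by removing or replacing an assignment, and an upgrade that reshuffles roles should re-run both checks.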
  13. (Fraud case)
     • VP in Finance Department
     • July – December 2010
     • Stole $19m
     "Defendant bought a Maserati, 6 properties, and a $½m entertainment system"
     "Excessive Access Rights"
  14. Deloitte – Auditor Survey
     • 3 most common frauds
       – Misappropriation of assets – 31%
       – Improper expenditures – 22%
       – Procurement fraud – 16%
     • 63% of companies say vulnerability has increased
     • 83% of UK companies had suffered fraud
  16. Issues in JD Edwards E1
     § All Doors Open v All Doors Closed
       • Menu security is no security
       • No segregation of duties
       • Access to critical programs
       • 30+ security types, 300 options
       • 35,000 objects
       • Complexity of maintenance – forms, versions
       • Multiple roles / Sequence Manager
       • Unexpected security authorities
       • Changes lead to unexpected results
       • Application access is very complex
         – Task Views
         – FineCut
         – FastPath
         – Hidden & associated applications
  19. Auditors Recommend Role-Based Access Control
     • Native in 8.10 upwards
     • Essential to retain this functionality
     • Why.....
       § Simplified systems administration
       § Enhanced security & integrity
       § Simplified regulatory compliance
       § Enhanced organisational productivity
  20. Security Planning
     • Upgrading is a good time to review security
       – Has it kept pace with organisational changes?
       – Are you suffering from "security creep"?
       – Who can access critical programs?
       – What is your security policy?
     • All Doors Closed
       – Grant back access – Role-Based Access Control: "Only way to ensure a fully auditable system"
       – But need to build a maintainable model: "Sustainable Compliance"
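The "All Doors Closed" model on this slide, together with the "Menu security is no security" and "Multiple roles / Sequence Manager" items on the Issues slide, can be made concrete with a small access evaluator. The Python below is an added example, not code from the presentation or from JD Edwards itself; the record shape (role, object, allow/deny), the *ALL object wildcard, the *PUBLIC role and the "lowest sequence number wins" precedence are simplifying assumptions standing in for the real security workbench, and the program IDs (P4310 purchase orders, P0411 vouchers, P04571 payments) are illustrative.

```python
"""Effective application access under "all doors open" versus "all doors
closed", with role sequencing and a menu-only restriction.

Added example, not code from the presentation or from JD Edwards. The
record shape, the *ALL wildcard, the *PUBLIC role and lowest-sequence-wins
precedence are simplifying assumptions; program IDs are illustrative.
"""

ALLOW, DENY = True, False

# Assumed role sequence numbers: a lower number is consulted first.
ROLE_SEQUENCE = {"AP_CLERK": 10, "AP_ENQUIRY": 20, "TEMP_STAFF": 30}

# Constructed user -> roles.
USERS = {
    "jsmith": ["AP_CLERK"],
    "temp1":  ["TEMP_STAFF"],
    "mjones": ["AP_ENQUIRY", "AP_CLERK"],
}

# "All doors open": nothing is denied at *PUBLIC, so the absence of a record
# means the program runs. Only the menu is trimmed for temporary staff.
OPEN = {
    "records": {("AP_ENQUIRY", "P04571"): DENY},
    "hidden_menu": {"TEMP_STAFF": {"P04571"}},
}

# "All doors closed": *PUBLIC/*ALL = deny, then access is granted back to
# named roles explicitly. Same menu trimming as above.
CLOSED = {
    "records": {
        ("*PUBLIC", "*ALL"): DENY,
        ("AP_CLERK", "P4310"): ALLOW,
        ("AP_CLERK", "P0411"): ALLOW,
        ("AP_CLERK", "P04571"): ALLOW,
        ("AP_ENQUIRY", "P0411"): ALLOW,
        ("AP_ENQUIRY", "P04571"): DENY,
    },
    "hidden_menu": {"TEMP_STAFF": {"P04571"}},
}


def decide(roles, program, model):
    """Return (decision, reason).

    Roles are walked in ascending sequence with *PUBLIC last; within a role
    an exact program record beats *ALL; the first matching record wins
    (assumed precedence). No record anywhere means the system default, ALLOW.
    """
    ordered = sorted(roles, key=lambda r: ROLE_SEQUENCE.get(r, 9999)) + ["*PUBLIC"]
    for role in ordered:
        for obj in (program, "*ALL"):
            if (role, obj) in model["records"]:
                return model["records"][(role, obj)], f"{role}/{obj}"
    return ALLOW, "no record, system default"


def can_run(user, program, via, model):
    """Menu security only applies when the user goes through the menu; a
    FastPath call goes straight to application security."""
    roles = USERS[user]
    hidden = any(program in model["hidden_menu"].get(r, set()) for r in roles)
    if via == "menu" and hidden:
        return False, "hidden from menu"
    return decide(roles, program, model)


def who_can_run(program, model):
    """Answer 'who can access critical programs?' by direct invocation,
    which is the question an auditor asks, not 'who sees it on a menu?'."""
    return sorted(u for u in USERS if can_run(u, program, "fastpath", model)[0])


if __name__ == "__main__":
    for name, model in (("OPEN", OPEN), ("CLOSED", CLOSED)):
        print(name, "menu:", can_run("temp1", "P04571", "menu", model))
        print(name, "fastpath:", can_run("temp1", "P04571", "fastpath", model))
        print(name, "can run P04571:", who_can_run("P04571", model))
```

Under OPEN, temp1 cannot see P04571 on the menu but runs it by FastPath because no application record denies it; under CLOSED the *PUBLIC/*ALL deny stops the same call. mjones gets opposite answers in the two models: in OPEN the only record on P04571 is the AP_ENQUIRY deny, in CLOSED the lower-sequence AP_CLERK grant is found first. Which role carries the record decides the outcome, which is why accumulated role assignments need review rather than assumption.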
  21. Security Planning
     • Security must not be an afterthought
       – It should be planned in
       – Should match business processes
     • Effective SoD policy is a must
       – Prevent fraud
       – Auditor requirement
       – Adds value
  22–28. Upgrading: Security plan checklist (built up one item per slide)
     • Information gathering
     • Audit security
     • Added value
     • Evaluate tools
     • Take advice
     • Risk management plan
     • Integrate security
  30. The Dangers and Costs: The Alinean ROI Report
     Typical threat                   | Avg. breaches per year (per 1,000 users) | Avg. IT staff hours per breach | Avg. business & collateral damage per breach
     Virus / worms / trojans          | 2                                        | 4 hours per infected asset     | $24,000
     Denial of service                | 2 serious incidents                      | 32 hours per system            | $122,000
     Data destruction / damage        | 1                                        | 120 hours                      | $350,000
     Physical theft / disclosure      | 25% of employees leave with assets       | 2 hours                        | $5,000
     Information theft and disclosure | 1                                        | 180 hours                      | $250,000
     Policy violation                 | 30                                       | 2 hours                        | $20,000
     Errant user behaviour            | 15                                       | 2 hours                        | $20,000
  31. Impact Analysis (Cost of Inaction)
     PROBLEM: Poor SoD control
       POSSIBLE IMPACT: Fail audit. Cost of compensating controls? Cost of remedial action? Cost of fraud? Cost of errors? Incremental cost of audit trying to get necessary data? Impact on business of failed audit, i.e. share price, lost orders.
     PROBLEM: Failed audit
       POSSIBLE IMPACT: Cost of compensating controls? Cost of remedial action? Cost of fraud? Potential each quarter from shareholder litigation? Potential regulatory fines?
     PROBLEM: Security / SOX deadline
       POSSIBLE IMPACT: Impact of missing deadline. Impact on other projects if SOX late. Cost of overtime / additional internal resources to achieve deadline? Cost of external resources to help achieve deadline.
     PROBLEM: Unauthorised access / ineffective security
       POSSIBLE IMPACT: Cost of security incidents? (CSI 2009 survey states average per-incident cost exceeds $230k.) Incremental audit costs tracking posting / reconciliation errors. (Ciber states that the best way to reduce reconciliation errors is to implement better security.)
  32. Return On Security Investment (ROSI)
     • Return On Investment (ROI)
       – Money earned or saved v money invested
       – Quantitative
     • Return On Security Investment (ROSI)
       – Includes risk reduction
       – Includes qualitative
       – Insurance
     • Auditors place value in accounts for risk
  33. Adding Value to the Upgrade
     • Establish value in strong security
     • Maybe use ROSI?
     • Build in SoD & compliance reporting
     • Cost of inaction?
     • Audit to reduce risk
  34. Summary
     • Functional upgrades will impact business processes
       – Upgrading requires security restructure
     • Technical upgrades may enable security standardisation
     • JDE security has pitfalls for the unwary
     • Ineffective security can prove costly
       – Fraud is on the increase
       – More regulations to comply with
       – High non-compliance costs
     • Effective security can assist in paying for the upgrade
       – Reduce opportunity for fraud
       – Reduce non-compliance costs
  35. Q Product Family (diagram): Quick Fix; Accelerator; Security Build & Maintain; E1Config Audit; E1SoD; Compliance Reporting; erpAudit
  36. Q – Secure & Comply
     • ADC (All Doors Closed) in a few days
     • 80% saving in security management
     • Integrated SoD
     • Extensive access reporting
     • Multiple roles retained & improved
     • Audit Security – tool to convince management
     • Upgrade tools
  37. Cameron has it all under control
  38. Questions?