Reduce sod access violations with effective roles management techniques


  1. 1. Leverage Technology: Move Your Business Forward™. Enterprise Risk Management, Financial Close Monitor, Advanced Controls Catalog, Enterprise Audit, GRC Monitor. FulcrumWay: Leading Provider of Enterprise Risk Assessment, Mitigation and Remediation Solutions. Copyright © Fulcrum Information Technology, Inc. "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes. Rapidly reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities with effective roles management techniques.
  2. 2. www.fulcrumway.com, Page 2, Copyright © FulcrumWay. Reduce SOD Access Violations with effective roles management techniques. Agenda: Introduction; Top SOD Challenges in Oracle EBS; SOD Controls Assessment Overview; Role Design Techniques; Case Study; Q&A.
  4. 4. FulcrumWay: Intelligent, Integrated, Instant Risk Management™. FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise, Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments. Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services such as Segregation of Duties. Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services and Hosting for Oracle GRC applications. Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Close Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog. Data Management Tools: Rules Repository, DataProbe™ adaptors and Data Hub. USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco. International Presence: Chennai, Dubai, Kampala, London, Rome, Santiago, Singapore. Introduction
  5. 5. FulcrumWay Clients: Government, Oil and Gas, Healthcare, Communications, Financial Services, Industrial Equipment, Natural Resources, Manufacturing, Retail, High Tech, Media and Entertainment, Life Sciences. Our Experience
  6. 6. FulcrumWay™ Insight: Thought Leadership. Co-Authored GRC Book: First book on GRC for Oracle Applications; Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012; OAUG GRC Solution Lab – April 7th – 11th, Denver: GRC Case Studies and Best Practices; IIA Presentations – Top Five Reasons for Automating Application Controls; Collaborate 13 – GRC Client Appreciation Dinner, April 9th, 2013, Denver; Webcasts – GRC Best Practices, Trends and Expert Insight; Oracle Open World – Annual GRC Dinner on September 23rd, 2013, W Hotel San Francisco; LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group; YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less. Our Experience
  8. 8. Enforce Segregation of Duty Controls and Security Policies. We cannot use Oracle "seeded" Responsibilities because of inherent SOD conflicts. GL Super User can Enter Journals, Post Journal, Change Approval Limits, Update GL Accounts, Change Calendar. Our R12 Patches created even more SOD issues. Which SOD Policies will mitigate the risk in our Oracle Responsibility Design? How do we ensure that the activities of users granted "super user" Responsibilities have effective compensating controls? Why do we have so many False Positives and how do we remove them from our analysis? What is an effective approach to Design and Test the Oracle Security Model before deployment? When will we be able to close all SOD incidents? Top Challenges
  9. 9. Complicated Security Model [diagram labels: User, Responsibility, Menu, Function, Form]. High Risk of Segregation of Duties Issues. Evaluate User Access: • Test by User • Test by Privilege. Manage Segregation of Duties: • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets. Top Challenges
  10. 10. Key Factors impacting SOD violations. EBS Release and Business Cycles enabled by Oracle modules: Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc. – An average R12 customer has over 35,000 functions and 12,500 menus. Number and complexity of SOD Policies – Range from 25 to 250. Number of Business Units and variation in Responsibilities across the business. Security Model – RBAC, Single-Sign-On, OIM, etc. Number of Users and Responsibilities. Top Challenges
  11. 11. [Diagram labels] User: John Doe; Responsibility: Payables Manager, US; Menu: AP_Navigate_GUI12; Submenu: AP_Invoices_Entry; Function: Invoice Batches. User: Mike Jones; Payables Users; Responsibility: Payables Supervisor; Responsibility: Payables User; Menu: UK_AP_Navigate_GUI12; SubMenu: AP_Invoices_Entry; SubMenu: AP_Invoices_GUI12_G; Menu: AX_Payables_User. Responsibility: Payables Supervisor; Responsibility: Payables Manager, US; Responsibility: Payables User. Remediation in Oracle EBS is a permutation problem. What if we exclude 'Invoice Batches' from AP_Invoices_Entry? Root Cause Analysis is required for remediation! Top Challenges
  13. 13. FulcrumWay™ Application Risk Assessment Best Practices. [Process diagram labels] Select ERP Controls from FW Controls Catalogs; Detect Control Violations; Analyze Issues; Confirm Findings; Present Project Plan; Implement ERP Advanced Controls; Prepare Assessment Checklist; Probe ERP Data; Manage Exceptions; Prepare Remediation Plan; Establish Test Environment. Participants: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team. Controls Assessment
  14. 14. DataProbe™ extracts the security, setup and master data information. DataProbe™ is a desktop utility for the client DBA/manager to provide the data. On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services. Controls Assessment
  15. 15. FW Controls Catalog with over 1,000 advanced controls. Select SOD, Master Data, Setup, and Transaction Controls. Risk Assessment: Detect control weaknesses across the ERP system to identify business process optimization opportunities. Controls Assessment
  16. 16. ERP Test environment consists of ERP configurations and data objects. Selected security, setup and data objects are included in the environment. ERP Configuration such as 3-way match in payable options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks. Controls Assessment
  17. 17. Advanced Analytics to analyze ERP Risks. Pre-built Risk Analytics. Risk Reports available for client review. Risk Advisory identifies controls violations and has the capability to analyze issues and remove false positives to prepare the findings report. Controls Monitoring
  18. 18. Mitigate and Control Risks; Monitor Control Effectiveness; Enforce Policies in Context. What users can do; How is the process set up; How users execute processes; What users have done; What's changed in the process; What are the execution patterns. [Diagram labels: SOD & Access, Application Configuration, Transaction Monitoring; Preventive; GRC Manager, GRC Intelligence, GRC Controls]. Controls Assessment
  19. 19. Enforce Proper Segregation of Duties in Applications. Define Access Controls; Access Analysis; Compensating Policies; Preventive Provisioning; Remediation (Clean-up); Detection; Prevention. • Accelerate deployment and time to value with pre-delivered controls library • Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails • Simplify segregation of duties enforcement with simulation and remediation. [Diagram labels: SOD & Access, Application Configuration, Transaction Monitoring; Preventive; GRC Manager, GRC Intelligence, GRC Controls]. Controls Assessment
  20. 20. Test integrity of transactions and controls across business processes. Define Transaction Controls; Transaction Analytics; Prevent Suspicious Transactions; Enforce Transaction Controls; Investigate Incidents; Detection; Prevention. • Identify anomalies missed by traditional audit and controls • Apply Advanced Forensic and Pattern Analysis • Continuous Monitoring of Controls and Transactions. [Diagram labels: SOD & Access, Application Configuration, Transaction Monitoring; Preventive; GRC Manager, GRC Intelligence, GRC Controls]. Controls Assessment
  22. 22. FulcrumWay Roles Manager Overview. Eliminate Root Cause of Access Control Violations in ERP: Improve Segregation of Duty controls within mission critical applications; Reduce ERP implementation and upgrade costs with pre-configured roles; Lower ERP Total Cost of Ownership by assigning pre-approved Roles. We enable ERP Administrators to: Select pre-configured ERP roles from a roles catalog; Update, Review and Approve Role design changes; Identify SOD conflicts before the Roles are assigned to Users. Role Design
  23. 23. FulcrumWay Roles Manager Features. Role Manager is an ERP security design tool. Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies. Roles by ERP module and typical access requirements for those modules such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup. You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions. Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles. The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles. Leverage FW DataProbe/Scripts to load current Roles. Secure Access from fulcrumway.com portal. Role Design
  24. 24. Access to Roles Manager. Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com. Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection. Role Design
  25. 25. Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab. Search and Browse through the catalog of Roles for Oracle EBS R12. Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start. Role Design
  26. 26. Access to Roles Manager. Use a "source" role to create a new "target" role. View existing SOD issues with the "source" role. Assign Reviewers and Approvers for the role. Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration. Role Design
  27. 27. Access to Roles Manager. Select/Deselect business activities to update Role configuration automatically. Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities. Role Design
  28. 28. Access to Roles Manager. Select/Deselect Request Sets to update Role configuration automatically. Effective SOD Controls should include access to Concurrent Requests. Remember, in R12 you can open/close GL Periods by submitting a request. Role Design
  29. 29. Access to Roles Manager. Review and approve Roles using email notifications. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure. Role Design
  30. 30. Access to Roles Manager. Access the link to approve or reject the new Role. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure. Role Design
  31. 31. Access to Roles Manager. Assign Application Role Owner, Reviewer, Approver and Security Admin. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure. Role Design
  33. 33. Global car and equipment rental company improves employee productivity. Our Client: Leader in the car and equipment rental businesses worldwide. Providing quality car rental service for over 90 years. Over 30,000 employees. Challenges: Replace multiple legacy systems with one ERP solution. Improve Segregation of Duty controls within mission critical applications. Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model. Increase external auditor's reliance on ERP Access Controls Monitoring. Solutions: GRC DataProbe, ERP Controls Catalog, ERP Roles Monitor. Results: Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out. Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog. Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles. Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes. Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users. Client case
  35. 35. Thank You! Join us on LinkedIn to view the webinar and discussion. Summary and Q&A
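
The access-path root cause analysis that slide 11 calls for, as an added example (not FulcrumWay's code and not part of the original deck): it walks user → responsibility → menu → submenu → function, reports every path behind an SOD conflict, and re-runs the check with one menu entry excluded. The `AP_Payments_Entry` submenu, the `Payment Batches` function, the menu contents and the SOD rule are constructed assumptions.

```python
from itertools import product

# Constructed sample data modelled on slide 11. AP_Payments_Entry, "Payment
# Batches", the menu contents and the SOD rule are assumptions, not real EBS data.
MENU_ENTRIES = {  # menu -> submenus or functions it contains
    "AP_Navigate_GUI12": ["AP_Invoices_Entry", "AP_Payments_Entry"],
    "UK_AP_Navigate_GUI12": ["AP_Invoices_Entry", "AP_Invoices_GUI12_G"],
    "AX_Payables_User": ["AP_Payments_Entry"],
    "AP_Invoices_Entry": ["Invoice Batches"],
    "AP_Invoices_GUI12_G": ["Invoice Batches"],
    "AP_Payments_Entry": ["Payment Batches"],
}
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
USER_RESPS = {
    "John Doe": ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}
SOD_RULES = [("Invoice Batches", "Payment Batches")]  # hypothetical policy


def paths_to_functions(node, excluded=frozenset(), trail=()):
    """Yield (function, path) for every route from a menu down to a function."""
    trail = trail + (node,)
    for child in MENU_ENTRIES.get(node, []):
        if (node, child) in excluded:
            continue  # simulated removal of one menu entry
        if child in MENU_ENTRIES:
            if child not in trail:  # guard against menu cycles
                yield from paths_to_functions(child, excluded, trail)
        else:
            yield child, trail + (child,)


def sod_violations(excluded=frozenset()):
    """Return {user: [(rule, path_a, path_b), ...]} with full access paths."""
    findings = {}
    for user, resps in USER_RESPS.items():
        access = {}  # function -> list of paths, responsibility first
        for resp in resps:
            for func, path in paths_to_functions(RESP_MENU[resp], excluded):
                access.setdefault(func, []).append((resp,) + path)
        for a, b in SOD_RULES:
            for pa, pb in product(access.get(a, []), access.get(b, [])):
                findings.setdefault(user, []).append(((a, b), pa, pb))
    return findings
```

With this sample data, excluding `Invoice Batches` from `AP_Invoices_Entry` clears John Doe's conflict, while Mike Jones keeps one through `AP_Invoices_GUI12_G`, which is why an exclusion has to be evaluated per access path before it is applied.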
