This was presented on Feb. 19, 2014 in FulcrumWay's monthly Webinar sessions, which occur on the 3rd Tuesday of every month. Anyone may attend, just go to http://www.fulcrumway.com/events/upcoming-events for details. Hope to see you there!!
This presentation addresses:
Top Access Challenges for CIO and CFO
Overview of Access Risk Assessment
Access Management Techniques
Case Study
2. Agenda
Implement Effective Access Controls within
your Oracle ERP System
Introductions
Top Access Challenges for CIO and CFO
Overview of Access Risk Assessment
Access Management Techniques
Case Study
Q&A
4. FulcrumWay
A Leader in Risk Based Controls Management™
FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management
Solutions for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to Middle Market
clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best
Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial,
Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced
Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified
us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools,
Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San
Francisco
International Presence: Auckland, Chennai, Johannesburg, London, Mexico City
6. FulcrumWay™ Insight
Proven Expertise
Thought Leadership
Co-Authored GRC Book: First book on GRC for Oracle Applications
Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
OAUG GRC Solution Lab – April 7th–11th, Denver: GRC Case Studies and Best Practices
IIA Presentations – Top Five Reasons for Automating Application Controls
Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
Webcasts – GRC Best Practices, Trends and Expert Insight
Oracle Open World – Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
7. Top Challenges
Access Management Challenges
for CIO and CFO
ERP Roles need significant changes to meet requirements
Access to sensitive data is not protected
No audit trail on ERP configuration controls
User provisioning does not prevent control violations
Segregation of Duty controls are deficient
Cannot prevent unauthorized Master Data changes
Super User activity is not monitored
Periodic user certification is not reliable
Terminated employees still have access to ERP
8. Top Challenges
Key Factors impacting Access Control
Complexity of ERP System Security Model
– An average Oracle EBS R12 customer has over 35,000 functions and 12,500 menus
Effectiveness of Roles Design
– Single global roles template, or wide variation based on user needs?
Completeness of User Provisioning Process
– Does the user provisioning process include control warnings for approvers?
Auditability of ERP Configuration and Data Access
– Can you track ALL changes to key setup and master data?
Number of ERP environments
– Do you need to control access to multiple ERP systems?
10. Complicated Security Model
Top Challenges
High Risk of Access Control Deficiencies
Oracle EBS security hierarchy: User > Responsibility > Menu > Function > Form
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
11. Top Challenges
ERP Security Management is a permutation problem
Root Cause Analysis is required for remediation!
Two users reaching the same function by different routes:
User: John Doe > Responsibility: Payables Manager, US > Menu: AP_Navigate_GUI12 > Submenu: AP_Invoices_Entry > Function: Invoice Batches
User: Mike Jones > Responsibilities: Payables User, Payables Supervisor > Menus: AX_Payables_User, UK_AP_Navigate_GUI12 > Submenus: AP_Invoices_Entry, AP_Invoices_GUI12_G > Function: Invoice Batches
What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry? The submenu is shared, so the change affects every responsibility that includes it, not only John Doe’s, and Mike Jones may still reach the function through AP_Invoices_GUI12_G if that submenu also contains it.
12. Agenda
Implement Effective Access Controls within
your Oracle ERP System
Introductions
Top Access Challenges for CIO and CFO
Overview of Access Risk Assessment
Access Management Techniques
Case Study
Q&A
13. Access Risk Assessment
FulcrumWay Application Risk Assessment Best Practices
Process steps:
Prepare Assessment Checklist
Select ERP Controls from FW Controls Catalogs
Establish Test Environment
Probe ERP Data
Detect Control Violations
Analyze Issues
Confirm Findings
Manage Exceptions
Prepare Remediation Plan
Present Project Plan
Implement Access Management System
Participants: FW Risk Advisor/Client Lead; FW Risk Advisor/Client Lead/Control Owners; Client Executive Sponsors; FW/Client Project Team
14. Access Risk Assessment
DataProbe™ extracts the security, setup and master data information
DataProbe™ is a desktop utility for the client DBA/manager to provide the data
On average it takes our clients less than an hour to install and extract the ERP
security, setup and master data for submission to FulcrumWay risk advisory
services
15. Access Risk Assessment
Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup and Transaction Controls for the Risk Assessment
Detect control weaknesses across the ERP system to identify business process
optimization opportunities
16. Access Risk Assessment
ERP Test environment consists of ERP
configurations and data objects
Selected security, setup and data objects are included in the environment
ERP Configuration such as 3-way match in payable options, master data such as
Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments
records are analyzed for control failure risks
17. Access Risk Assessment
Advanced Analytics to analyze ERP Risks
Pre-built Risk Analytics. Risk Reports available for client review
Risk Advisors identify control violations, analyze the issues and remove false
positives to prepare the findings report
18. Agenda
Implement Effective Access Controls within
your Oracle ERP System
Introductions
Top Access Challenges for CIO and CFO
Overview of Access Risk Assessment
Access Management Techniques
Case Study
Q&A
19. Role Design
FulcrumWay Roles Manager Overview
Eliminate Root Cause of Access Control Violations in ERP:
Improve Segregation of Duty controls within mission critical applications
Reduce ERP implementation and upgrade costs with pre-configured roles
Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators:
Select pre-configured ERP roles from a roles catalog
Update, Review and Approve Role design changes.
Identify SOD conflicts before the Roles are assigned to Users.
20. Role Design
FulcrumWay Roles Manager Features
Role Manager is an ERP security design tool
Contains a pre-configured catalog of roles which comply with segregation of
duty (SOD) policies.
Roles by ERP module and typical access requirements for those modules
such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
You can use this tool to view existing role templates and design new roles
by simply selecting or deselecting ERP functions/transactions.
Once you complete the roles design, you can send it, using workflows, to
pre-assigned reviewers and approvers to finalize the roles.
The role preparers, reviewers and approvers can also assess the SOD
control risks before finalizing the roles.
Leverage FW DataProbe/Scripts to load current Roles
Secure Access from fulcrumway.com portal
21. Role Design
Access to Roles Manager
Sign-in to ERP Controls and Navigate to Roles Manager at FulcrumWay.com
Roles Manager is a component of the FulcrumWay Risk Remediation software services and is
available instantly over a secure internet connection.
22. Role Design
Search and Browse through catalog of
Roles for Oracle EBS R12
Select the Access Monitor Icon.
Then click on the Maintain Access Roles Tab
Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls
designed into the configuration to give you a jump start
23. Role Design
Access to Roles Manager
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role.
Assign Reviewers and Approvers for the role
Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business
activities inherent in the EBS Responsibility configuration
24. Role Design
Access to Roles Manager
Select/ Deselect business activities to update Role configuration automatically
Reduce Role design time and effort by selecting business activities to drive the
configuration of Oracle Responsibilities.
25. ERP User Provisioning
Save Precious Time Verifying User Provision Request
Prevent Unauthorized Systems Access
Reduce the Risk of Internal Fraud
Improve Your Compliance Audit Trail
We enable Security/ERP Administrators:
Automate manual access request processes
Ensure there are no unauthorized users
Detect and prevent disallowed access attempts
26. Remediate Access Risks
Monitor User Access Requests
Monitor controls over the user provisioning process. Maintain an audit log
Reduce SOD violations by monitoring User Access Requests at the Helpdesk and
performing SOD analysis before access is granted
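The permutation problem from the slide 11 example (one shared submenu feeding several responsibilities) and the preventive check this slide asks for (SOD analysis before access is granted) both come down to the same walk over the EBS hierarchy. The Python below is an added example written for this page; it is not FulcrumWay code and not Oracle's data model. The menus, responsibilities and users are constructed from the slide 11 names; the contents of AP_Invoices_GUI12_G, the Payments function, the starting menu of each responsibility and the single SOD rule are assumptions. In a live EBS instance the same walk would typically run over FND_USER_RESP_GROUPS, FND_RESPONSIBILITY, FND_MENU_ENTRIES and FND_FORM_FUNCTIONS, with FND_RESP_FUNCTIONS holding the responsibility-level exclusions.

```python
"""Added example: toy model of the Oracle EBS access hierarchy
(User > Responsibility > Menu > Submenu > Function). Shows why editing a
shared submenu is a permutation problem and how the same walk gives a
preventive SOD check for a provisioning request. Data is constructed:
names follow slide 11; AP_Invoices_GUI12_G's contents, the Payments
function, each responsibility's top menu and the SOD rule are assumed."""
import copy
from collections import defaultdict

MODEL = {
    # menu name -> entries; an entry is ("menu", name) or ("function", name)
    "menus": {
        "AP_Navigate_GUI12":    [("menu", "AP_Invoices_Entry"), ("function", "Payments")],
        "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry"), ("menu", "AP_Invoices_GUI12_G")],
        "AX_Payables_User":     [("menu", "AP_Invoices_Entry")],
        "AP_Invoices_Entry":    [("function", "Invoice Batches"), ("function", "Invoices")],
        "AP_Invoices_GUI12_G":  [("function", "Invoice Batches")],  # assumed second route
    },
    # "excluded" stands in for responsibility-level function exclusions
    "responsibilities": {
        "Payables Manager, US": {"menu": "AP_Navigate_GUI12", "excluded": set()},
        "Payables Supervisor":  {"menu": "UK_AP_Navigate_GUI12", "excluded": set()},
        "Payables User":        {"menu": "AX_Payables_User", "excluded": set()},
    },
    "users": {
        "John Doe":   ["Payables Manager, US"],
        "Mike Jones": ["Payables User", "Payables Supervisor"],
    },
}

# Assumed SOD rule: entering invoice batches and running payments are incompatible.
SOD_RULES = [("Invoice Batches", "Payments")]


def function_paths(menus, menu, excluded, prefix=(), seen=frozenset()):
    """Yield (function, path) for every function reachable from `menu`,
    skipping excluded functions and guarding against menu cycles."""
    if menu in seen:
        return
    seen = seen | {menu}
    for kind, name in menus.get(menu, []):
        if kind == "function":
            if name not in excluded:
                yield name, prefix + (menu, name)
        else:
            yield from function_paths(menus, name, excluded, prefix + (menu,), seen)

def effective_access(model, user):
    """Map each function the user can reach to every (responsibility, path)
    that grants it; several entries per function is the root-cause picture."""
    access = defaultdict(list)
    for resp in model["users"].get(user, []):
        spec = model["responsibilities"][resp]
        for func, path in function_paths(model["menus"], spec["menu"], spec["excluded"]):
            access[func].append((resp, path))
    return dict(access)

def sod_violations(model, user, rules=SOD_RULES):
    """Rule pairs for which the user holds both incompatible functions."""
    access = effective_access(model, user)
    return [(a, b) for a, b in rules if a in access and b in access]

def menu_edit_impact(model, menu, function):
    """Every (user, responsibility) whose route to `function` runs through
    `menu`: the blast radius of editing that shared menu."""
    hit = set()
    for user in model["users"]:
        for resp, path in effective_access(model, user).get(function, []):
            if menu in path:
                hit.add((user, resp))
    return hit

def what_if_menu_edit(model, menu, function):
    """Simulate deleting `function` from a menu definition (global effect)."""
    m = copy.deepcopy(model)
    m["menus"][menu] = [e for e in m["menus"][menu] if e != ("function", function)]
    return m

def what_if_exclusion(model, resp, function):
    """Simulate a responsibility-level exclusion (local effect)."""
    m = copy.deepcopy(model)
    m["responsibilities"][resp]["excluded"].add(function)
    return m

def provisioning_check(model, user, new_resp, rules=SOD_RULES):
    """Preventive check for an access request: the SOD violations that
    granting `new_resp` would introduce, computed before it is granted."""
    m = copy.deepcopy(model)
    m["users"].setdefault(user, []).append(new_resp)
    already = set(sod_violations(model, user, rules))
    return [v for v in sod_violations(m, user, rules) if v not in already]

if __name__ == "__main__":
    for user in MODEL["users"]:
        print(user, "violations:", sod_violations(MODEL, user))
        for func, grants in effective_access(MODEL, user).items():
            for resp, path in grants:
                print("   ", func, "<-", resp, "via", " > ".join(path))
    print("Menu edit would touch:", sorted(menu_edit_impact(MODEL, "AP_Invoices_Entry", "Invoice Batches")))
    print("Request check:", provisioning_check(MODEL, "Mike Jones", "Payables Manager, US"))
```

Run stand-alone it lists every route each user has to each function, which is the root-cause view: John Doe's conflict is one responsibility, while Mike Jones reaches Invoice Batches three ways. Removing the function from the shared AP_Invoices_Entry menu clears John Doe's violation but also touches both of Mike Jones's responsibilities, and he keeps the function through the second route; a responsibility-level exclusion on Payables Manager, US clears the same violation without touching anyone else. `provisioning_check` applies the same analysis to a pending request and reports only the violations the new grant would add, which is the check an approver should see before the responsibility is assigned.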
27. ERP User Access Monitor
Save Precious Time Verifying User Access
Detect Unauthorized Systems Access
Automate User Access Review
Improve Your Compliance Audit Trail
We enable Security/ERP Administrators:
Ensure there are no unauthorized users
Maintain universal access security compliance
28. Remediate Access Risks
Remove False Positives and inactive users/roles
Send user access verification requests to application control owners using a
“passkey” to verify or terminate access
Monitor User Access to Responsibility/Role and Functions
29. ERP User Access Monitor
Fast Forward SOD Corrective Actions
Notify manager of business activity risks
Enforce corrective actions
Reduce Compliance Costs
We enable Security/ERP Administrators:
Automate corrective action requests
Ensure timely resolution of SOD incidents
Maintain universal access security compliance
30. Remediate Access Risks
Send Corrective Actions to implement approved changes
Send SOD conflict information at the business activity level to correct violations
Corrective Action Request is sent to Managers for Review and Approval via email survey
Application Owner verifies access to the Business Activity
Reduce cost and effort for remediation.
31. ERP Controls Management
Apply Continuous Monitoring to ERP Controls
Minimize Process Errors and Losses
Maintain compliance with regulations and internal policies
Reduce the Cost of Risk and Audit
We enable Business and IT Managers:
Meet your organizational control objectives
Complete your controls monitoring repository
Apply policies and rules to each business cycle
32. Select ERP Controls
FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup and Transaction Controls for the Risk Assessment
Detect control weaknesses across the ERP system to identify business process
optimization opportunities
33. Monitor Data Changes
Authoritative Master Data Across the Enterprise
Ensure reliable mission critical data. Improve data governance with a complete
audit trail. Make informed, fact-based, timely business decisions
Detect who made what changes, and when, to master data such as
organizations, suppliers, customers, employees, items, assets and other key
records.
34. Agenda
Implement Effective Access Controls within
your Oracle ERP System
Introductions
Top SOD Challenges in EBS R12
Overview of SOD Controls Assessment
Roles Design Techniques
Case Study
Q&A
35. Client case
Global car and equipment rental company improves employee productivity
Our Client
Leader in the car and equipment rental businesses worldwide
Providing quality car rental service for over 90 years.
Over 30,000 employees
Challenges
Replace multiple legacy systems with one ERP solution
Improve Segregation of Duty controls within mission critical applications
Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
Increase external auditors’ reliance on ERP Access Controls Monitoring
Solutions
ERP Controls Catalog
ERP Roles Monitor
Results:
Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000
cost savings during ERP system implementation and global roll-out.
Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay
Role Templates within the controls catalog.
Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, by ensuring that all users are
assigned only the pre-approved Roles.
Improved SoD and Access Controls testing time by providing auditors the access log reports showing all
Role design updates, reviews and approvals.
Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.
36. Agenda
Implement Effective Access Controls within
your Oracle ERP System
Introductions
Top SOD Challenges in EBS R12
Overview of SOD Controls Assessment
Roles Design Techniques
Case Study
Q&A
37. Q&A
Download DataProbe
Leader in Risk Based Enterprise Controls
One-on-One with Experts
Follow FulcrumWay on LinkedIn for ERP Risk and Controls