Great information from the speakers in the Do You Really Know What Your Users Can Do session just now. Jaime Ramos, from Symantec, explained how they implemented a comprehensive approach to securing and monitoring user access with the help of Oracle’s GRC Advanced Controls. You can learn more about this and the other speakers’ stories, including from Facebook and Navillus, by downloading the presentations from here.
DO YOU REALLY KNOW WHAT YOUR USERS CAN DO, OR MAYBE HAVE DONE?
Daryl Geryol – Partner
www.navillusllc.com
@NavillusLLC @DarylGeryol
About Navillus Partners
International professional services and solutions firm headquartered in Boston, Massachusetts
Established in 2009, Navillus has experienced on average 40% growth year over year in Oracle Advanced Controls professional services
Oracle Gold Level Partner specializing in Oracle Advanced Controls & E-Business Suite / PeopleSoft professional implementation and advisory services
Recognized as the #1 Oracle Commercial and Federal Advanced Controls Partner
The first in the industry to hold Oracle Advanced Controls Specialization accreditation
Is an Oracle authorized training partner
Navillus is a privately held company that has been profitable consistently, both on a cash and an accrual basis, since the 4th month of operations with zero external debt outstanding.
Our team’s collective experience includes:
168 years working in the information technology industry
177 years implementing the Oracle e-Business Suite ERP package
76 years implementing the Oracle GRC applications
More than 512 GRC implementations to the team’s credit to date
Navillus Partners Is a World Leader
Experience
More than 500 combined Oracle Advanced Controls implementations
34+ skilled and experienced Advanced Controls professionals averaging more than 10 years of experience worldwide
Functional & technical experience across nearly all Oracle E-Business applications (HRMS, Financials, Supply Chain Management, CRM, other)
Multiple consultants with Oracle accredited specializations
Global Delivery
Right-shore delivery capabilities for Oracle Advanced Controls including utilization of our experienced Chennai, India team, well beyond installation & technical responsibilities
Navillus provides training to customers and other implementation partners worldwide
International experience in more than 10 countries
Centers of Excellence
Navillus’ Center of Excellence (CoE) is a solution center that works closely with Oracle OAC Product & Product Strategy and promotes and trains the extended team on new product features and techniques
Provides new and innovative delivery techniques from in-field feedback and experience to continuously enhance our NAViGATE Methodology
Works with Oracle’s product group on new features and enhancements
Risk – Everything is related
Access and Security – How do users gain access to the ERP system (entrance, accessible areas, exit)?
Provisioning and Deprovisioning
Privileged Access
Segregation of Duties
Emergency Access
Operational – How do they do it?
Usability
Security
Optimization
Automation
Configuration – What did they change?
Pre and Post Patching
Change Control and Validation
Critical Configurations
Consistency
Transactional – Is what happened within Policy?
Within tolerance
Fraudulent
Correctness
Advanced Controls
It’s a Journey – Controls will evolve
Controls are related and typically work together with a focus on increasing value while reducing risk
Controls may validate one another, such as a Transactional control reporting that Operational controls limiting certain transactions by amount are indeed effective
Controls should have a balance and work together to help ensure a secure, sound, effective and efficient system
E-Business Suite Access Controls, E-Business Suite Preventive Controls, E-Business Suite Transaction Controls
Do you really know what your users can do, or maybe have done?
David Claytor, facebook IT Global Apps
Atul Gupte, Navillus Partners – Advanced Controls Architect
1. ITGC Approach, Teaming with Navillus Partners
2. Self Service Application and DB User Requests, Preventative SOD
3. Quarterly User Audit Automation (Managers & BPO’s)
4. Utilizing CCG to shift CSA’s from Business to IT
5. Summary
Background
Getting Serious about ITGC’s
▪With company mottos like ‘Move Fast and Break Things’, we knew we had to get serious about intelligent audit automation and detection
▪After managing ITGC CSA’s for a quarter, it became obvious we needed to automate user provisioning, quarterly audit and SOD processes
▪Determined we needed help building an integrated solution. Met with various vendors based on Oracle’s recommendations, went with Navillus Partners
▪Went down a path of creating easy-to-use workflows for our end users
▪Then began to shift CSA’s from business to IT owned controls, via CCG. This also required out-of-the-box thinking to pinpoint the alerting.
Self Service Access Management via OAF
▪Custom OAF pages for:
▪Users to request access, including on behalf of any user
▪Users to revoke their access
▪Managers to revoke their team’s access
▪Systematic quarterly application access review, for managers and business process owners
▪Integration with GRC AACG, to enforce preventative SOD
▪Lookup table determines:
▪If the access request is passed through GRC for SOD audit
▪If the access is reviewed quarterly by Manager and / or BPO’s
▪If the max grant duration is enforced (all setup and admin related access is granted for 7 days or less)
Transitioning CSA’s to IT System Controls
▪CFO pushed to automate & transition business owned CSA’s to IT system controls. We will have moved 50 CSA’s by the end of 2014, in 2 primary ways:
▪Introduced a second variant of the systematic quarterly user audit, where BPO’s (also the access approvers) review and revoke access as needed, for key functions like Journal Entry, Receiving & AP Payments
▪Monitoring key application setups via CCG, and pairing up change alerts with valid change tasks
Summary
▪Once we built the user access pages in OAF, we realized detective SOD was insufficient. Out of the box, GRC (AACG) only works with the Java form based access request. This is where the Navillus Partners technical consultants were key, given their deep understanding of the product, as many of them came from LogicalApps. They also helped us systematically tackle managing GRC development instance refreshes, which presented its own challenges.
▪As we implemented CCG to shift CSA’s from business to IT owned, we realized it only monitored core forms and even then we could not drill into specific areas of those forms for pinpointed monitoring. Again, the Navillus Partners team was a key partner in determining how to add content without introducing too much risk or upgrade headaches using their Navillus CCG content.
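The lookup-table gate described on the "Self Service Access Management via OAF" slides (route through the SOD check or not, who re-certifies each quarter, cap on grant duration) and the BPO-side quarterly review from "Transitioning CSA's", worked through as an added Python example. This is not facebook's OAF code and not the GRC AACG API; the responsibility names, the `ACCESS_POLICY` table, the `SOD_RULES` pairs and the 2014 request date are constructed sample data, and the `process_request` / `quarterly_review_queue` functions are hypothetical names chosen for the illustration.

```python
from datetime import date, timedelta

# Constructed lookup table, one row per responsibility (not facebook's real one):
#   sod_check  - route the request through the GRC (AACG) SOD check first
#   reviewers  - who re-certifies the access each quarter ("manager", "bpo")
#   max_days   - cap on grant duration; setup/admin access is capped at 7 days
ACCESS_POLICY = {
    "AP Invoice Entry":  {"sod_check": True,  "reviewers": {"manager", "bpo"}, "max_days": None},
    "AP Payments":       {"sod_check": True,  "reviewers": {"manager", "bpo"}, "max_days": None},
    "GL Journal Entry":  {"sod_check": True,  "reviewers": {"manager", "bpo"}, "max_days": None},
    "Application Setup": {"sod_check": True,  "reviewers": {"manager"},        "max_days": 7},
    "Reports Only":      {"sod_check": False, "reviewers": set(),              "max_days": None},
}

# Constructed preventive SOD rules: responsibility pairs one user may not hold together.
SOD_RULES = [frozenset({"AP Invoice Entry", "AP Payments"})]

START = date(2014, 3, 1)  # constructed sample request date used by the demo below


def sod_conflicts(existing, requested):
    """Rules the user would violate if `requested` were added to `existing`."""
    held = set(existing) | {requested}
    return [rule for rule in SOD_RULES if requested in rule and rule <= held]


def process_request(user, responsibility, existing, start, requested_end=None):
    """Evaluate one self-service access request against the lookup table."""
    policy = ACCESS_POLICY[responsibility]
    decision = {"user": user, "responsibility": responsibility,
                "sod_checked": policy["sod_check"]}
    if policy["sod_check"]:                     # preventive SOD: reject before provisioning
        conflicts = sod_conflicts(existing, responsibility)
        if conflicts:
            decision.update(status="rejected",
                            reason="SOD conflict: " + " vs ".join(sorted(conflicts[0])))
            return decision
    end = requested_end
    if policy["max_days"] is not None:          # enforce the maximum grant duration
        cap = start + timedelta(days=policy["max_days"])
        if end is None or end > cap:
            end = cap
    decision.update(status="granted", start=start, end=end,
                    reviewers=sorted(policy["reviewers"]))
    return decision


def quarterly_review_queue(grants, as_of):
    """Work list for the quarterly audit: still-active grants per reviewer type."""
    queue = {"manager": [], "bpo": []}
    for grant in grants:
        if grant["status"] != "granted":
            continue
        if grant["end"] is not None and grant["end"] < as_of:
            continue                            # already expired, nothing to certify
        for reviewer in grant["reviewers"]:
            queue[reviewer].append((grant["user"], grant["responsibility"]))
    return queue


if __name__ == "__main__":
    grants = [
        process_request("bob", "Application Setup", [], START),                  # capped at 7 days
        process_request("alice", "AP Payments", ["AP Invoice Entry"], START),    # rejected by SOD
        process_request("carol", "Reports Only", [], START),                     # no SOD check, no review
        process_request("dave", "GL Journal Entry", [], START),                  # manager + BPO review
    ]
    for g in grants:
        print(g)
    print(quarterly_review_queue(grants, START.replace(month=4)))
```

The interesting case is the admin grant: even with no end date requested, it leaves the function with an end date seven days out, so the quarterly queue built a month later no longer lists it and the only item left for the manager and BPO to certify is the standing journal-entry access.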
Do you really know what your users can do, or maybe have done?
Jaime Ramos, Symantec IT Global Apps – DaVinci GRC team
Project da Vinci – Symantec
Richard Goddard, Navillus Partners – Director of Delivery
Agenda
•History of GRC at Symantec
•The DaVinci Initiative
•Challenges
•Approach
•Managing SOD conflicts in an RBAC system
•Go-Live Activities
•Critical Success Factors, Lessons Learned
History of GRC at Symantec
•In 2008 Symantec implemented the LogicalApps products, Form Rules (PCG precursor) and AppsAccess for Segregation of Duties
•Symantec’s custom self service responsibility provisioning system was integrated with the SOD system to prevent users from requesting combinations of responsibilities deemed inappropriate.
•In 2013 Symantec decided to use the GRC suite of applications as part of its DaVinci initiative to implement R12.1 EBS.
The DaVinci Initiative
•EBS R12.1 for 30,000 worldwide users
•Customer Data Hub (CDH) and Product Data Hub (PDH) in their own instances
•Five separate system environments – DEV, QA, Training, UAT and Production instances (5 GRC systems managing 5 x 3 EBS/CDH/PDH systems)
•Full Oracle Advanced Controls GRC suite implementation (PCG, ACG, TCG, CCG, eGRCM and GRC Intelligence)
•ACG 140+ SOD and Sensitive Access policies, including Module Configuration versus Module Transactions, for each of the 33 EBS applications
•CCG was implemented for continuous monitoring of changes for 12 key controls in the EBS Financial applications
•PCG / TCG were used to automate control testing for items such as identification of Journals > $5m, Workflow Approval of Recurring Journals, enforcing comments and attachments for Manual Journals per Symantec policy, and masking Project Rates derived from actual salary information.
Challenges
•Scalability – SOD rules tracking for more than 30,000 users and 3000+ function combinations including custom and localization functions
•RBAC role based security, more than 400 unique roles
•Cross-platform SOD for users with accounts in the EBS, Product Data Hub and Customer Data Hub systems. Each GRC system had 3 data sources using email address as the identifier of the same
•AACG reports don’t contain RBAC role information, only responsibility names – How can we determine SOD conflicts within a role?
Approach
•SOD rules definition and analysis was prioritized to ensure the Security design was as effective as possible before go-live. AACG rules were defined to implement SOD policies and track which roles/responsibilities had access to critical system functions – Add User, Modify Responsibility, Close GL Period etc.
•PCG and TCG were used to solve specific requirements for identifying unusual activity.
•CCG configuration monitoring was deployed in a limited way to support SOX key controls where module configurations have significant impact on Oracle Financials
•eGRCM implementation was deferred to allow Internal Audit to define EBS R12 specific Processes, Risks and Controls – eGRCM is now in process
•OIM – ACG integration to enforce SOD policies when users request system access was deferred to after go-live.
Managing SOD for each Role
•We created 400 test users and assigned them each 1 role using UMX
•We completed Access analysis using only our “Test User Accounts” by setting global conditions
•We used the Access Incident detail report to identify conflicts within a single responsibility and within a single role (Intra and Inter Responsibility Conflicts)
•We consolidated a list of ‘unique’ role violations for a management decision
•We held a series of meetings for Business Process Owners and module SMEs to make decisions where roles violate SOD policy. After the changes were made the Access was re-analyzed and the residual problems analyzed and presented
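The "one test user per role" analysis on the slide above, together with the cross-platform problem from the Challenges slide (accounts on EBS, CDH and PDH tied together by e-mail address), as an added Python example. It is not Symantec's design and not AACG output: the policies, responsibilities, roles and accounts are constructed sample data, and `analyze_role`, `unique_role_violations` and `cross_system_violations` are hypothetical names. It goes one step beyond the slide by classifying each violation as intra-responsibility (already present inside one responsibility) or inter-responsibility (created only by bundling responsibilities into a role), which is the distinction the Access Incident detail report was used to draw.

```python
"""Role-level SOD analysis modelled on the slide's one-test-user-per-role
approach. Everything below is constructed sample data, not Symantec's
actual security design or policy set."""

# SOD policies: name -> two groups of functions that no one user may hold together.
SOD_POLICIES = {
    "Vendor create vs. pay": ({"Supplier Entry"}, {"Payment Batch Release"}),
    "Journal enter vs. post": ({"Enter Journals"}, {"Post Journals"}),
    "Security admin vs. close period": ({"Add User", "Modify Responsibility"}, {"Close GL Period"}),
}

# Responsibilities -> EBS-style menu functions they expose (constructed).
RESPONSIBILITIES = {
    "AP Clerk": {"Supplier Entry", "Invoice Entry"},
    "AP Manager": {"Payment Batch Release", "Invoice Approval"},
    "GL Accountant": {"Enter Journals", "Post Journals"},   # conflict inside one responsibility
    "GL Supervisor": {"Close GL Period"},
    "Sys Admin": {"Add User", "Modify Responsibility"},
}

# RBAC roles -> responsibilities they bundle (constructed); one test user per role.
ROLES = {
    "ROLE_AP_FULL": {"AP Clerk", "AP Manager"},    # conflict only across two responsibilities
    "ROLE_GL_ACCOUNTING": {"GL Accountant"},
    "ROLE_GL_CLOSE": {"GL Supervisor"},
    "ROLE_SECURITY": {"Sys Admin"},
}

# Accounts on three systems, keyed by e-mail address as on the slide (constructed).
ACCOUNTS = [  # (system, username, e-mail, role)
    ("EBS", "jdoe", "jdoe@example.com", "ROLE_GL_ACCOUNTING"),
    ("CDH", "doej", "JDoe@example.com", "ROLE_GL_CLOSE"),
    ("EBS", "asmith", "asmith@example.com", "ROLE_SECURITY"),
    ("PDH", "a.smith", "asmith@example.com", "ROLE_GL_CLOSE"),
]


def functions_of(responsibilities):
    """All functions reachable through a set of responsibilities."""
    return set().union(*(RESPONSIBILITIES[r] for r in responsibilities))


def violated_policies(functions):
    """Names of policies where both sides are reachable from the given functions."""
    return sorted(name for name, (side_a, side_b) in SOD_POLICIES.items()
                  if functions & side_a and functions & side_b)


def analyze_role(role):
    """Split a role's SOD violations into intra-responsibility (the conflict
    already exists inside one responsibility) and inter-responsibility (it only
    arises because the role bundles several responsibilities)."""
    intra = {}
    for resp in ROLES[role]:
        for policy in violated_policies(RESPONSIBILITIES[resp]):
            intra.setdefault(policy, []).append(resp)
    inter = [p for p in violated_policies(functions_of(ROLES[role])) if p not in intra]
    return {"intra": {p: sorted(r) for p, r in intra.items()}, "inter": inter}


def unique_role_violations():
    """Consolidated (role, policy, kind) rows: the list put to management."""
    rows = set()
    for role in ROLES:
        result = analyze_role(role)
        rows.update((role, p, "intra-responsibility") for p in result["intra"])
        rows.update((role, p, "inter-responsibility") for p in result["inter"])
    return sorted(rows)


def cross_system_violations():
    """Merge each person's accounts across systems by (normalised) e-mail, then
    re-run the check on the union of their roles: conflicts no single system sees."""
    roles_by_email = {}
    for _system, _user, email, role in ACCOUNTS:
        roles_by_email.setdefault(email.lower(), set()).add(role)
    return {email: violated_policies(functions_of(set().union(*(ROLES[r] for r in roles))))
            for email, roles in roles_by_email.items()}


if __name__ == "__main__":
    for row in unique_role_violations():
        print("role violation:", row)
    for email, policies in cross_system_violations().items():
        print("cross-system:", email, policies)
```

Two results are worth noting. `ROLE_GL_ACCOUNTING` is flagged intra-responsibility, so redesigning the role cannot fix it; the responsibility itself has to be split. The `asmith` accounts hold only clean roles on each system, and the security-admin versus period-close conflict only appears once EBS and PDH accounts are joined on the e-mail address.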
Go-Live Activities
•User Accounts were loaded via OIM into a pre-production environment for SOD pre-check before cutover; Internal Audit reviewed and accepted go-live SOD violations.
•The go-live cutover support teams were provided access with future end-dated access for the initial Hyper-Care support period.
•Ongoing SOD reviews are conducted in AACG
•CCG controls are used to identify all changes to Security definitions – roles, responsibilities, menus, functions etc.
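Both decks describe the same detective control from different angles: the Symantec go-live slide has CCG flag every change to security definitions (roles, responsibilities, menus, functions), and the facebook "Transitioning CSA's" slide pairs those change alerts with valid change tasks so that only unexplained changes need a human. The reconciliation step, as an added Python example that is neither CCG's own logic nor either company's content: the two snapshots, the object keys and the `CHG-` task ids are constructed, and `diff_snapshots`, `reconcile` and `unmatched_changes` are hypothetical names.

```python
"""Pair configuration-change alerts with approved change tasks. All snapshot
data and change tasks below are constructed for illustration."""

# Snapshots of security definitions before and after a change window, as a
# CCG-style monitor would capture them. Key = (object type, object name);
# value = the attributes being watched.
BEFORE = {
    ("responsibility", "AP Clerk"): {"menu": "AP_CLERK_MENU", "end_date": None},
    ("menu_function", "AP_CLERK_MENU/Invoice Entry"): {"prompt": "Invoices"},
    ("user_responsibility", "jdoe/AP Clerk"): {"end_date": None},
    ("user_responsibility", "asmith/System Administrator"): {"end_date": None},
}
AFTER = {
    ("responsibility", "AP Clerk"): {"menu": "AP_CLERK_MENU", "end_date": None},
    ("menu_function", "AP_CLERK_MENU/Invoice Entry"): {"prompt": "Invoices"},
    ("menu_function", "AP_CLERK_MENU/Payment Batch Release"): {"prompt": "Payments"},  # added
    ("user_responsibility", "jdoe/AP Clerk"): {"end_date": "2014-06-30"},             # changed
    # asmith/System Administrator no longer present: removed
}

# Change tasks from the change-control system (constructed); only approved
# tasks can explain a change.
CHANGE_TASKS = [
    {"id": "CHG-1001", "object": ("user_responsibility", "jdoe/AP Clerk"), "approved": True},
    {"id": "CHG-1002", "object": ("user_responsibility", "asmith/System Administrator"), "approved": True},
    {"id": "CHG-1003", "object": ("menu_function", "AP_CLERK_MENU/Payment Batch Release"), "approved": False},
]


def diff_snapshots(before, after):
    """One alert per object that was added, removed or had a watched attribute change."""
    alerts = []
    for key in sorted(set(before) | set(after), key=str):
        if key not in before:
            alerts.append({"object": key, "action": "added", "before": None, "after": after[key]})
        elif key not in after:
            alerts.append({"object": key, "action": "removed", "before": before[key], "after": None})
        elif before[key] != after[key]:
            alerts.append({"object": key, "action": "changed",
                           "before": before[key], "after": after[key]})
    return alerts


def reconcile(alerts, tasks):
    """Attach the approved task id that explains each alert, or None."""
    approved = {t["object"]: t["id"] for t in tasks if t["approved"]}
    for alert in alerts:
        alert["task"] = approved.get(alert["object"])
    return alerts


def unmatched_changes(before, after, tasks):
    """The alerts a reviewer still has to look at: changes with no approved task."""
    return [a for a in reconcile(diff_snapshots(before, after), tasks) if a["task"] is None]


if __name__ == "__main__":
    for alert in reconcile(diff_snapshots(BEFORE, AFTER), CHANGE_TASKS):
        status = alert["task"] or "UNEXPLAINED"
        print(f"{alert['action']:8} {alert['object'][0]:20} {alert['object'][1]:45} {status}")
```

Of the three changes detected, the end-dating of `jdoe`'s responsibility and the removal of the `asmith` admin assignment are covered by approved tasks and drop out; the new payment-release function on the AP clerk menu has only an unapproved task against it and stays on the review list, which is exactly the class of change (a function quietly added to an existing menu) that responsibility-level monitoring alone would miss.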
Critical Success Factors / Lessons Learned
•Without the Advanced Controls applications it would not have been possible to design SOD compliant roles and responsibilities within the project timeline.
•Involve Internal Audit, External Audit and Module SME’s in SOD policy design
•Review SOD results and eliminate noise; identify and present unique access decisions for decision makers
•Start early! Security design often happens late in the project timeline and final UAT may be the first attempt to test Security roles and responsibilities. It is an iterative process!
•EBS Security, Module SMEs and GRC teams need to work closely together.
•Last minute Security change requests must be evaluated for SOD impact before they are accepted and implemented.