Today’s Presenter
Lewis Hopkins
Senior Applications Consultant
Lewis has been working in governance, risk, and compliance for the last 12 years, providing solutions and guidance to over
200 Organizations. He is a Board Member of the Governance, Risk and Compliance User Group and regularly speaks at
industry events.
SmartERP Solutions | Global Expertise with Local Presence
Offices: HQ Pleasanton, CA; Toronto; Boston; Chicago; Texas; Atlanta; Dubai, UAE; Bangalore, Hyderabad and Chennai, India
Founded in 2005 by former Oracle Executives, Architects, and Consultants
Implementation Partner: Oracle Cloud, NetSuite, PeopleSoft, EBS and JDE
Solutions and Services: A unique blend of Solutions and services
300+ Clients: Worldwide clients for life across various industries
350+ Employees: Certified experts around the world – 24x7x365
Samples of our Cross-Industry Client Successes
Manufacturing, Hi-Tech, Fin-Tech and Healthcare: Industrial, Hi-Tech and Semi-Con; Lifesciences, Pharma, Bio-Tech and Healthcare
Wholesale Distribution and Retail: Building, Solar, Furniture, Electronics, Wine, Food and Beverage
Professional Services & General Bus.: Staffing, Legal, Education, Engineering and Construction
The Bad News
Current Figures
5% of revenue is lost every year to Fraud (Accounting Today)
33% of Bankruptcies down to Employee fraud
Average of 6 frauds per Organization per year
Internal fraud is as prevalent as External (PWC Global Fraud Survey)
PeopleSoft Challenges for Risk & Control
Cohesion
Communication – Typically Business Users don’t understand the
Application. Technical Users don’t understand the Risks.
Responsibility and Ownership
“Foxes watching the Hen House”
Access Definitions
Security too complex – not ‘Business friendly’
Ensure new/copied Security is easy to read
Re-Use where possible, for example: Sign on process
Delivered Roles have Security issues and please secure ALLPAGES!!
Who owns the Access/SoD Reviews in your organization?
1. Security
2. Audit
3. Functional Users/Managers
4. A combination of the above
5. None of the above
‘Super User’ Access
• Don’t rely on PSADMIN or VP1 generic logins without controls
Options for management:
• Break Glass
• Individual User Logins
Individual User Logins
Employees request access to Production; the Sys Admin unlocks their account and grants the Roles required for diagnosis. At the end of the process, the User’s account is locked again.
One more thing…
Always worth Auditing User Profiles, Roles/Permission Lists in PeopleSoft.
Low transaction, high impact
Data Security
• Row Security limited in PeopleSoft
• What to do about PCI or PII?
• Field Security, Tokenization, restrict Fields in the Pages, Database Level Security?
Opportunities for Securing Data
For Query:
Create Roles/Permission Lists for accessing this Data
Secure them against the Fields you use & the Queries for accessing this information
• Pros: Accountability – track the Roles that have access
• Cons: Can leave out other data required from a table
For Access:
Use Database level Security to Secure or Obfuscate the Data
• Pros: Total Security at the Data level
• Cons: May need each User to have a DB level User
If one DB User, what about Self Service Users?
Production Do’s and Don’ts
• Data Mover and Configuration/Development processes – secure them!
• Submission of Jobs
• Copy of Production for testing and simulation
• Who wants to refresh every day?
• Don’t rely on Auditing
• The Horse may have bolted already!
Production Do’s and Don’ts
• Separate Configuration from Transactions
• Segregation of Duties and Access Analysis
• OMB
• NIST
• SOX
Compliance is forcing Organizations to change their Approach to ERP Security and Controls
Role Assignments
Too many Roles = too many Risks/too difficult to answer who has access to what
We’ve seen:
160+ Roles per User
12-24 months before Security is regarded as a mess
Are Role Assignments going through a change request?
How do you currently manage security analysis and SoD?
1. Third-party solution
2. Manual-based process
3. No solution in place
4. Don’t know
Smart ERP Security as a Service
Access and SoD Subscription
• Analysis of Security for efficiency
• Power User & Third Party access
• Segregation of Duties
• PII and Sensitive Data Access
• Reports, Recommendations and Project Management
Access Levels Evaluated
• Users/OPRIDs
• Roles
• Permission Lists
• Components
• Pages
• Buyers
• User Preferences
• Workflow Approval
Rules
CPA staff maintain ruleset and provide advisory
Rule Maintenance and Controls Assessment through subscription
Access and SoD Reporting as a Service
1. Extract Data from PeopleSoft
2. Import into Smart ERP
3. Run Analysis
No PII or Sensitive Data is taken
Access and SoD Reporting
• Users and their SoD Violations
• Power User Access
• Sensitive Access
• PII Access
Reports and Remediation
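An added illustration, in Python, of the access-level flattening and SoD reporting described in the “Access Levels Evaluated” and “Access and SoD Reporting” slides; this is not SmartERP’s product or code. The OPRIDs, roles, permission lists and page names below are a constructed extract; ALLPAGES and the PSADMIN/VP1 generic logins come from the slides, and the PeopleTools table names in the comment are an assumption about where a real extract would be sourced.

```python
from collections import defaultdict

# Constructed sample extracts (not real PeopleSoft data); a real run would load
# them from the PSROLEUSER, PSROLECLASS and PSAUTHITEM security tables.
USER_ROLES = [("JSMITH", "AP_CLERK"), ("JSMITH", "VENDOR_MAINT"),  # (OPRID, ROLENAME)
              ("AKHAN", "AP_CLERK"), ("AKHAN", "PAYROLL_VIEW"),
              ("VP1", "PEOPLESOFT ADMINISTRATOR")]
ROLE_PLISTS = [("AP_CLERK", "AP_ENTRY"), ("VENDOR_MAINT", "VENDOR_SETUP"),  # (ROLENAME, CLASSID)
               ("PAYROLL_VIEW", "PAY_INQ"), ("PEOPLESOFT ADMINISTRATOR", "ALLPAGES")]
PLIST_PAGES = [("AP_ENTRY", "VCHR_EXPRESS"), ("VENDOR_SETUP", "VNDR_ID"),  # (CLASSID, page)
               ("PAY_INQ", "PAY_CHECK"), ("ALLPAGES", "*")]  # "*" = every page (ALLPAGES)
# Business functions as the pages that grant them, SoD rules as function pairs one
# OPRID must not hold, PII pages, and the generic super-user logins from the slides.
FUNCTIONS = {"ENTER_VOUCHER": {"VCHR_EXPRESS"}, "MAINTAIN_VENDOR": {"VNDR_ID"}}
SOD_RULES = [("ENTER_VOUCHER", "MAINTAIN_VENDOR")]
PII_PAGES = {"PAY_CHECK"}
GENERIC_IDS = {"PSADMIN", "VP1"}

def pages_by_user(user_roles, role_plists, plist_pages):
    """Flatten OPRID -> Role -> Permission List -> Page into OPRID -> {pages}."""
    role_to_pl, pl_to_pages, access = defaultdict(set), defaultdict(set), defaultdict(set)
    for role, pl in role_plists:
        role_to_pl[role].add(pl)
    for pl, page in plist_pages:
        pl_to_pages[pl].add(page)
    for oprid, role in user_roles:
        for pl in role_to_pl[role]:
            access[oprid] |= pl_to_pages[pl]
    return dict(access)

def has_function(pages, func_pages):
    """A wildcard grant ("*") confers every function; otherwise any page overlap does."""
    return "*" in pages or bool(pages & func_pages)

def analyze(user_roles, role_plists, plist_pages, functions, sod_rules, pii_pages, generic_ids):
    """Per OPRID (sorted): SoD rule conflicts, power-user status and PII page access."""
    report = {"sod_violations": {}, "power_users": [], "pii_access": []}
    for oprid, pages in sorted(pages_by_user(user_roles, role_plists, plist_pages).items()):
        conflicts = [(a, b) for a, b in sod_rules
                     if has_function(pages, functions[a]) and has_function(pages, functions[b])]
        if conflicts:
            report["sod_violations"][oprid] = conflicts
        if "*" in pages or oprid in generic_ids:  # all-pages grant or shared generic login
            report["power_users"].append(oprid)
        if has_function(pages, pii_pages):
            report["pii_access"].append(oprid)
    return report

def run_sample():
    """Run the analysis over the constructed extracts above."""
    return analyze(USER_ROLES, ROLE_PLISTS, PLIST_PAGES, FUNCTIONS, SOD_RULES, PII_PAGES, GENERIC_IDS)
```

In the sample, JSMITH is flagged for holding both voucher entry and vendor maintenance, and VP1 is flagged as a power user because its delivered role grants ALLPAGES, which also makes it match every SoD rule and every PII page.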
Benefits
• Report on who has access to what in plain ‘English’
• Identify and Remediate Users with too much access
• Enforce strong Data Security Policies
• Comply with legislation and reduce costs
Reporting and Data Security as it should be.
Exceptions
Sometimes Users need to break the rules…
VPs, Power Users, Limited Staff, etc.
All Exceptions are stored for future reference, and Reports are available
Upcoming Webinar
REGISTER: bit.ly/smartcanonwebinar
Wednesday, March 31, 11 AM PST | 2 PM EST
A. Just Smart Form I-9 (Free)
B. Both Smart Form I-9 and E-Verify (Free)
C. Smart Applications with Smart Onboarding ($)
D. Full Suite with HR Integration ($)
E. Full Suite with HR Integration plus other apps ($)
F. Not Sure?
Use the question feature in your Zoom application
For More Information
info@smarterp.com
smarterp.com
smartonboarding.com
smarterpanalytics.com
smarttalentprocurement.com
smarteverify.com
925-271-0200 | Information: info@smarterp.com

Segregation of Duties and Sensitive Access as a Service webinar
