Segregation of Duties and Sensitive Access as a Service
Description
This webinar highlighted the key risks in your PeopleSoft Applications, including PII, Sensitive Data, and Segregation of Duty Risks. We took a look at the key Application controls, from Components/Pages to User Preferences and Workflow Approval. If you are approaching Audit season, we also covered our unique Access Review as a Service, with no software to deploy in exchange for powerful and insightful reports as to the effectiveness of your current controls.
Finally, we took a look at PII's use in your Applications and the process of governing this access in light of legislation such as GDPR and CCPA.
4. Introductions
• Lewis Hopkins – working with Security and Controls in Oracle Applications since 2003.
• Designing and implementing solutions for Segregation of Duties, Sensitive Access and Audit/Internal Controls
6. Poll
Do you currently perform Security Analysis over PeopleSoft?
• We don’t
• Manual
• Query/SpreadSheet based
• Semi Automated
• Fully Automated
7. Cohesion
Communication – Typically Business Users don’t understand the Application. Technical Users don’t understand the Risks.
[Diagram: Business Users vs. Technical Users]
Responsibility and Ownership
“Foxes watching the Hen House”
8. ‘Super User’ Access
• Don’t rely on PSADMIN or VP1 generic logins without controls
Options for management:
• Break Glass
• Individual User Logins
9. Individual User Logins
Employees request access to Production; the Sys Admin unlocks their account and grants the Roles required for diagnosis. At the end of the process, the User’s account is locked again.
10. One more thing…
Always worth Auditing User Profiles, Roles/Permission Lists in PeopleSoft.
Low transaction, high impact
11. Role Assignments
Too many Roles = too many Risks / too difficult to answer who has access to what
We’ve seen:
160+ Roles per User
12-24 months before Security is regarded as a mess
Are Role Assignments going through a change request?
12. Access Definitions
Security too complex – not ‘Business friendly’
Ensure new/copied Security is easy to read
Re-Use where possible, for example: Sign on process
Delivered Roles have Security issues, and please secure ALLPAGES!
14. Data Security
• Row-level Security is limited in PeopleSoft
• What to do about PCI or PII?
• Field Security, Tokenization, restrict Fields in the Pages, Database Level Security?
15. Poll
How do you report on Sensitive or Personal Information in PeopleSoft?
• We don’t
• Manually
• Haven’t been able to
• Use Scripts to pull data
17. Opportunities for Securing Data
For Query:
Create Roles/Permission Lists for accessing this Data
Secure them against the Fields you use & the Queries for accessing this information
• Pros: Accountability – track the Roles that have access
• Cons: Can leave out other data required from a table
For Access:
Use Database level Security to Secure or Obfuscate the Data
• Pros: Total Security at the Data level
• Cons: May need each User to have a DB level User
If one DB User, what about Self Service Users?
18. Production Do’s and Don’ts
• Data Mover and Configuration/Development processes: secure them!
• Submission of Jobs
• Copy of Production for testing and simulation
– Who wants to refresh every day?
• Don’t rely on Auditing
– The Horse may have bolted already!
19. Production Do’s and Don’ts
• Separate Configuration from Transactions
• Segregation of Duties and Access Analysis
– OMB
– NIST
– SOX
Compliance is forcing Organizations to change their Approach to ERP Security and Controls
21. Access and SoD Subscription
• Analysis of Security for efficiency
• Power User & Third Party access
• Segregation of Duties
• PII and Sensitive Data Access
• Reports, Recommendations and Project Management
23. Rules
CPA staff maintain ruleset and provide advisory
Rule Maintenance and Controls Assessment through subscription
24. Access and SoD Reporting as a Service
• Extract Data from PeopleSoft
• Import into Smart ERP
• Run Analysis
No PII or Sensitive Data is taken
25. Access and SoD Reporting
• Users and their SoD Violations
• Power User Access
• Sensitive Access
• PII Access
Reports and Remediation
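As an added example (not part of the webinar or of the Smart ERP service), a small SoD engine over a constructed user/role/permission-list extract of the kind the analysis step above consumes: it reports users holding both sides of a conflicting pair, flags ALLPAGES holders as power users, honours approved exceptions, and counts role sprawl. User names, role names and the ruleset are all made up.

```python
from collections import defaultdict

# Constructed sample extract of (user, role, permission list) rows, shaped
# like a user/role/permission-list export from PeopleSoft; values are made up.
EXTRACT = [
    ("alice", "AP_VOUCHER_ENTRY", "PL_AP_ENTER"),
    ("alice", "AP_PAY_APPROVER", "PL_AP_APPROVE"),
    ("bob", "AP_VOUCHER_ENTRY", "PL_AP_ENTER"),
    ("carol", "PS_SUPPORT", "ALLPAGES"),
    ("dave", "AP_VOUCHER_ENTRY", "PL_AP_ENTER"),
    ("dave", "AP_PAY_APPROVER", "PL_AP_APPROVE"),
]
# Constructed SoD ruleset: rule id -> (permission list A, permission list B, risk).
RULES = {
    "SOD-AP-01": ("PL_AP_ENTER", "PL_AP_APPROVE", "enter and approve AP payments"),
    "SOD-HR-01": ("PL_HR_MAINT", "PL_PAY_RUN", "maintain employee data and run payroll"),
}
# Permission lists whose holders count as power users (ALLPAGES is the delivered catch-all).
POWER_USER_PLS = {"ALLPAGES"}
# Approved exceptions as (user, rule id); kept so the report can list them.
EXCEPTIONS = {("dave", "SOD-AP-01")}

def build_access(extract):
    """Map user -> permission list -> set of roles that grant it."""
    access = defaultdict(lambda: defaultdict(set))
    for user, role, pl in extract:
        access[user][pl].add(role)
    return access

def sod_violations(access, rules, exceptions=frozenset()):
    """Users holding both sides of a rule, minus approved exceptions.
    Returns {user: [(rule_id, risk, sorted roles causing the conflict)]}."""
    found = defaultdict(list)
    for user, pls in access.items():
        for rule_id, (a, b, risk) in rules.items():
            if a in pls and b in pls and (user, rule_id) not in exceptions:
                found[user].append((rule_id, risk, sorted(pls[a] | pls[b])))
    return dict(found)

def power_users(access, sensitive_pls):
    """Users reaching any sensitive permission list through any role."""
    return sorted(u for u, pls in access.items() if sensitive_pls & set(pls))

def role_sprawl(extract, threshold):
    """Users with at least `threshold` distinct roles (the slides cite 160+)."""
    roles = defaultdict(set)
    for user, role, _ in extract:
        roles[user].add(role)
    return {u: len(r) for u, r in roles.items() if len(r) >= threshold}
```

Running the three report functions over the extract gives alice as the only open SoD violation (dave's conflict is an approved exception), carol as the only power user, and alice and dave as the users with two roles.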
26. Benefits
• Report on who has access to what in plain ‘English’
• Identify and Remediate Users with too much access
• Enforce strong Data Security Policies
• Comply with legislation and reduce costs
Reporting and Data Security as it should be.
27. Exceptions
Sometimes Users need to break the rules…
VPs, Power Users, Limited Staff, etc.
All Exceptions are stored for future reference, and Reports are available
28. Achieve Best-In-Class Security and Controls
Solutions
• Segregation of Duties/Access Reporting
• Access Provisioning
• Transaction Monitoring
• Configuration Monitoring
Services
• Security and Configuration ‘Scans’
• Security Design and Implementation
• Training & Review