
Session 15 – ERP Security



  1. Session 15 – ERP Security • Objectives • Oracle ERP Overview • Oracle ERP Security • Oracle Workflow and Security • How to Secure Oracle Applications • Security and Controls Considerations by Business Cycle • Segregation of Duties

  2. 1. Objectives • Become familiar with Oracle terminology and concepts • Understand security and control features within Oracle Applications • Discuss leading practices to secure Oracle Applications • Realize importance of segregation of duties

  3. Agenda • Objectives • Oracle ERP Overview • Oracle ERP Security • Oracle Workflow and Security • How to Secure Oracle Applications • Security and Controls Considerations by Business Cycle • Segregation of Duties

  4. 2. Oracle ERP Overview (diagram: the product families Human Resources, Front Office, Applied Technology, Finance, Manufacturing, Projects and Supply Chain Management, with the modules under each)
  • Human Resources: Payroll, Human Resources, Training Administration, Time Management, Advanced Benefits
  • CRM (Front Office): Marketing (3 modules), Sales (5 modules), Service (5 modules), Call Center (5 modules)
  • Manufacturing: Engineering, Bills of Material, Master Scheduling / MRP, Capacity, Work in Process, Quality, Cost Management, Process (OPM), Rhythm Factory Planning, Rhythm Advanced Scheduling, Project Manufacturing, Flow Manufacturing
  • Finance: General Ledger, Financial Analyzer, Cash Management, Payables, Receivables, Fixed Assets
  • Projects: Project Costing, Project Billing, Personal Time & Expense, Activity Management Gateway, Project Connect
  • Supply Chain Management: Order Entry, Purchasing, Product Configurator, Supply Chain Planning, Supplier Scheduling, Inventory
  • Self-Service: Web Customers, Web Suppliers, Web Employees
  • Applied Technology: Workflow, Alert (Business Agents), Applications Data Warehouse, EDI Gateway


  6. Oracle ERP Security Issues • Oracle Applications is huge and complex • More than 100 modules • Millions of lines of code • Hundreds of configuration settings • Acquisition of other major ERPs: PeopleSoft, JDE, Siebel, etc. • Multiple technologies involved: network, OS, web server, application server, database, reporting, etc., each with its own accounts and configuration to secure

  7. Oracle ERP Security Issues (cont’d) • Many seeded accounts ship with well-known default passwords, and many seeded configuration settings are not secure by default • Multiple access avenues, each of which reaches the same data: • Applications – any account with the System Administrator responsibility • Process Tab – ANZ Menus • Database – SYSTEM, SYS, APPS, APPLSYS • UNIX – root, oracle, applmgr • The database and UNIX routes bypass application security entirely, so a default or shared password there defeats every control configured inside the application

  8. Oracle ERP Security Issues (cont’d) • Complex regulatory environment • Customizations and extensions to Oracle Applications fall outside the seeded security model and need their own review • Security and controls should be on the “critical path” during implementations, not added after go-live


  10. Oracle Workflow and Security What does it do? • Oracle Workflow automates standard business processes, giving transparency and a recorded history of process transactions • Oracle Workflow is highly customizable and is used to drive processes through the system from start to finish Who uses it? • Workflow Specialist, who configures workflow during installation • End Users, who act on notifications • Workflow Administrator, who can intervene in running processes; because approval workflows are where authorization is enforced, this privilege must be tightly restricted

  11. Oracle Workflow and Security (cont’d) Most Commonly Used Seeded Workflows
  • General Ledger: Journal Entry Approval
  • iExpense: Expense Report Approvals; Terminated Employees
  • Accounts Payable: Invoice Approval Process; Pay (Positive Pay) Message
  • Receivables: Credit Memo Approvals; Credit Application Approval
  • Order Management: Order and Return Processing; Schedule, Ship and Pack Delivery
  • Purchasing: Requisition and PO Document Approval; Auto Document Creation; Receipt Confirmation; Exceeding of Price/Receipt Tolerances
  • Projects: Projects Approval; Project Accounting
  • iTime: Timecard Approval


  13. Control Structure (diagram: Internal and External Control Structure) Oracle sits at the centre, surrounded by the IT infrastructure and business processes that fall under internal controls. Upstream suppliers and downstream customers connect through EDI and e-commerce, linked systems through interfaces and data feeds, and non-linked suppliers sit outside those links; all of these fall under external controls. Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls.

  14. Application Security (diagram: the Business Process Team brings Oracle Apps functionality and business requirements, the Controls & Security Team brings control requirements and Oracle security expertise, Change Management is the stakeholder, and together they define the Oracle Apps user responsibility profiles) Managing risk by ensuring that key controls are adequately implemented over APPLICATION SECURITY: • Security Administration - managed by appropriate management within the organization • Security Impact Assessment - on business processes and the user environment • Security Design - current and future needs are assessed, and high-priority controls are implemented first • Security Strategy/Approach - controls over the application ensure that unauthorized users cannot access the production environment • Segregation of Duties - controls over business processes are adequate and implemented • Security Functionality - comprehensively utilized and maintained • On-going Security Administration - managed and maintained by appropriate management within the organization

  15. Some Leading Practices to Secure Oracle (Cont’d) • Restrict ‘back-end’ access to the database • Review the standard Signon Audit reports to assess sign-ons, unsuccessful sign-ons, responsibility usage, form usage and concurrent request usage (these reports only contain data if the Sign-On:Audit Level profile option is set above None) • Enable AuditTrail on selected sensitive tables, for example those holding users, responsibilities and bank account setup • Oracle Alerts, for example to notify on changes to those same tables

  16. Some Leading Practices to Secure Oracle (Cont’d) Profile Options – Signon / Suggested settings • Signon Password No Reuse – “180” (days that must pass before an old password may be reused) • Signon Password Length – “6-8” (this option sets the minimum length; of the two values, use 8 as the floor) • Signon Password Hard to Guess – “Y” (requires at least one letter and one digit, and rejects passwords that contain the user name or repeated characters) • Signon Password Failure Limit – “3” (consecutive failed sign-ons before the account is locked)
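As an added example (written for this transcript; it is not Oracle code and does not talk to an E-Business Suite instance), the following Python models the four sign-on profile options above so that the effect of each suggested value can be tried offline. The rule details it encodes are assumptions taken from the option names and are marked as such in the comments; the account, dates and passwords are constructed.

```python
"""Sign-on password policy modelled on the four Signon profile options.

Assumed semantics (not taken from Oracle documentation for this example):
  Signon Password Length        -> minimum length
  Signon Password Hard To Guess -> a letter and a digit, no user name inside the
                                   password, no consecutively repeated character
  Signon Password No Reuse      -> days before an old password may be reused
  Signon Password Failure Limit -> consecutive failed sign-ons before lockout
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib


@dataclass
class SignonPolicy:
    password_length: int = 8      # deck suggests 6-8; 8 is used as the floor here
    hard_to_guess: bool = True
    no_reuse_days: int = 180
    failure_limit: int = 3


@dataclass
class Account:
    user_name: str
    # (digest, date the password was set). SHA-256 is used only so the reuse
    # check runs offline; a real store would keep a salted, slow hash.
    history: list = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def password_digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hard_to_guess_violations(password, user_name):
    """Return the Hard To Guess rules the password breaks (empty list = passes)."""
    problems = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("needs at least one letter and one digit")
    if user_name.lower() in password.lower():
        problems.append("contains the user name")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("has a consecutively repeated character")
    return problems


def password_violations(policy, account, password, today):
    """Check a proposed new password against the policy and the account history."""
    problems = []
    if len(password) < policy.password_length:
        problems.append(f"shorter than {policy.password_length} characters")
    if policy.hard_to_guess:
        problems.extend(hard_to_guess_violations(password, account.user_name))
    cutoff = today - timedelta(days=policy.no_reuse_days)
    digest = password_digest(password)
    if any(d == digest and set_on >= cutoff for d, set_on in account.history):
        problems.append(f"reused within {policy.no_reuse_days} days")
    return problems


def record_signon(policy, account, success):
    """Apply the failure limit. True only for a successful sign-on to an unlocked account."""
    if account.locked:
        return False
    if success:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= policy.failure_limit:
        account.locked = True          # an administrator has to unlock it
    return False


# Constructed sample data for the example
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNT = Account("jsmith", history=[(password_digest("Winter2024x"), date(2024, 3, 1))])

if __name__ == "__main__":
    policy = SignonPolicy()
    for candidate in ("abc123", "jsmith2024", "Winter2024x", "Autumn2024x"):
        print(candidate, password_violations(policy, SAMPLE_ACCOUNT, candidate, TODAY))
```

The reuse check is date-based, as the option name suggests, rather than "last N passwords": a password set 92 days ago is still blocked under a 180-day setting, while the same password becomes acceptable again once the window has passed.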


  18. Security and Controls Considerations by Business Cycle A ‘configurable control’ is • Any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps • Profile options • Transaction type settings • Financial options • Payment options • Invoice options • Different from ‘inherent’ controls, which are pre-programmed settings that are generally not overrideable or modifiable (e.g. quantity values not allowing non-numeric characters)

  19. Security and Controls Considerations by Business Cycle The following key cycles will be discussed in the next few slides • Order to Cash • Procure to Pay • General Ledger/Financial Close

  20. Security and Controls Considerations by Business Cycle 1. Order to Cash • OM transaction type settings • Holds: operational and financial • Processing constraint rules • Payment terms • Credit limit and credit check What is the security implication of each?

  21. Security and Controls Considerations by Business Cycle 2. Procure to Pay • Document types – PO, requisitions, etc. • Approval limits and approval groups • Tolerances • Invoice matching • Bank setup What is the security implication of each?
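One concrete answer to the question for approval limits, as an added example (not from the deck and not Oracle code): a review over approved purchase orders that flags self-approval, approval above the approver's limit, and possible order splitting, where several orders to the same supplier are each kept under the limit but together exceed it. The purchase orders, the approval limits and the same-day grouping rule are all constructed assumptions for the example.

```python
"""Review approved purchase orders against approval limits.

Three checks, all the reviewer's own interpretation of the 'Approval Limits and
Approval Groups' configurable control:
  SELF_APPROVAL   requester and approver are the same person
  OVER_LIMIT      a single PO above the approver's limit was approved anyway
  POSSIBLE_SPLIT  several POs by one approver for one supplier on one day,
                  each within the limit, whose total exceeds it
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    requester: str
    supplier: str
    approver: str
    amount: float
    approved_on: date


# Constructed approval limits per approver (the approval-group ceiling)
APPROVAL_LIMITS = {"jdoe": 5_000, "mlee": 25_000, "bmorris": 2_000}

# Constructed sample of approved POs
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "aclark", "ACME", "jdoe", 4_800, date(2024, 5, 6)),
    PurchaseOrder("PO-1002", "aclark", "ACME", "jdoe", 4_900, date(2024, 5, 6)),
    PurchaseOrder("PO-1003", "aclark", "ACME", "jdoe", 4_700, date(2024, 5, 6)),
    PurchaseOrder("PO-1004", "bmorris", "Globex", "bmorris", 1_200, date(2024, 5, 7)),
    PurchaseOrder("PO-1005", "cwong", "Initech", "jdoe", 7_500, date(2024, 5, 8)),
    PurchaseOrder("PO-1006", "cwong", "Initech", "mlee", 7_500, date(2024, 5, 8)),
]


def review_purchase_orders(pos, limits):
    """Return {finding_code: sorted list of PO numbers}; empty dict means clean."""
    findings = defaultdict(set)
    batches = defaultdict(list)          # (approver, supplier, day) -> POs within limit
    for po in pos:
        limit = limits.get(po.approver)
        if po.requester == po.approver:
            findings["SELF_APPROVAL"].add(po.po_number)
        if limit is None:
            # approver has no limit on file: should not have been able to approve
            findings["NO_APPROVAL_LIMIT"].add(po.po_number)
        elif po.amount > limit:
            findings["OVER_LIMIT"].add(po.po_number)
        else:
            batches[(po.approver, po.supplier, po.approved_on)].append(po)
    for (approver, _supplier, _day), batch in batches.items():
        if len(batch) > 1 and sum(p.amount for p in batch) > limits[approver]:
            findings["POSSIBLE_SPLIT"].update(p.po_number for p in batch)
    return {code: sorted(nums) for code, nums in findings.items()}


if __name__ == "__main__":
    for code, numbers in review_purchase_orders(SAMPLE_POS, APPROVAL_LIMITS).items():
        print(code, numbers)
```

The same-day grouping is deliberately simple; a production review would widen the window and also group by requester, since splitting is usually done by whoever raises the requisition rather than by the approver.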

  22. Security and Controls Considerations by Business Cycle 3. General Ledger/Financial Close • GL chart of accounts, security rules, cross-validation rules • Journal approval and posting • Consolidation mapping rules • Translation and exchange rates • Suspense posting and the dynamic insert option What is the security implication of each?


  24. Segregation of Duties What is ‘Segregation of Duties’ (SOD)? • The principle of separating incompatible functions so that no single individual holds them all • Designed to prevent, rather than detect • Reduces risk, as circumventing a well-designed SOD environment requires collusion • SOD includes system-level segregation as well as segregation of manual processes

  25. Segregation of Duties What must be segregated? • Record keeping • Custody of assets • Authorization • Reconciliation

  26. Segregation of Duties Segregation of Duties and restricted access is a multi-dimensional challenge. Tools may be used to assist in the initial analysis of segregation of duties and the design of Roles and Responsibilities. In addition, other dimensions of the ERP application security should be understood to assess the full nature of segregation of duties weaknesses.

  27. Segregation of Duties In practice, SOD is enforced in Oracle through responsibilities • A responsibility defines the set of menu options and functions accessible to a user, and the reports and processes the user may run • Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable • A user can be assigned more than one responsibility, so an SOD analysis must look at the union of functions across all of a user's responsibilities, not at responsibility names in isolation • Role Based Access Control (RBAC): Oracle User Management layers roles over responsibilities, and role grants must be included in the same analysis
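The following Python is an added example (written for this transcript, not Oracle code and not a query against the FND tables) of the SOD analysis that slides 24 to 27 describe: it resolves each user's responsibilities down to functions, tags every function with a business cycle and one of the deck's four duty classes (record keeping, custody of assets, authorization, reconciliation), and reports any user who holds two different duty classes in the same cycle. The users, responsibilities and function names are constructed, not real Oracle function codes.

```python
"""Segregation-of-duties check over users, responsibilities and functions.

Conflict rule (the deck's own): within one business cycle, nobody should hold
two of record keeping, custody, authorization and reconciliation. The check is
done at function level, so a conflict built into a single responsibility is
caught too; a review of responsibility names alone would miss it.
"""
from collections import defaultdict
from itertools import combinations

DUTIES = ("record_keeping", "custody", "authorization", "reconciliation")

# Constructed catalogue: function -> (business cycle, duty class).
# Illustrative names only; "inquiry" is view-only and never conflicts.
FUNCTIONS = {
    "AP_SUPPLIER_ENTRY":  ("procure_to_pay", "record_keeping"),
    "AP_INVOICE_ENTRY":   ("procure_to_pay", "record_keeping"),
    "AP_INVOICE_APPROVE": ("procure_to_pay", "authorization"),
    "AP_PAYMENT_RUN":     ("procure_to_pay", "custody"),
    "AP_BANK_RECONCILE":  ("procure_to_pay", "reconciliation"),
    "GL_JOURNAL_ENTRY":   ("financial_close", "record_keeping"),
    "GL_JOURNAL_POST":    ("financial_close", "authorization"),
    "GL_ACCOUNT_INQUIRY": ("financial_close", "inquiry"),
}

# Constructed responsibilities: the functions each one's menu reaches
RESPONSIBILITIES = {
    "Payables Clerk":   {"AP_SUPPLIER_ENTRY", "AP_INVOICE_ENTRY"},
    "Payables Manager": {"AP_INVOICE_APPROVE", "AP_PAYMENT_RUN"},
    "Cash Accountant":  {"AP_BANK_RECONCILE"},
    "GL Accountant":    {"GL_JOURNAL_ENTRY", "GL_ACCOUNT_INQUIRY"},
    "GL Supervisor":    {"GL_JOURNAL_POST", "GL_ACCOUNT_INQUIRY"},
    "GL Inquiry":       {"GL_ACCOUNT_INQUIRY"},
}

# Constructed user -> responsibility assignments
USERS = {
    "aclark":  ["Payables Clerk", "GL Inquiry"],
    "bmorris": ["Payables Clerk", "Payables Manager"],
    "cwong":   ["Payables Manager"],            # conflict inside one responsibility
    "dpatel":  ["GL Accountant", "GL Supervisor"],
}


def effective_functions(resp_names, responsibilities=RESPONSIBILITIES):
    """function -> set of the user's responsibilities that grant it."""
    granted = defaultdict(set)
    for resp in resp_names:
        for fn in responsibilities[resp]:
            granted[fn].add(resp)
    return granted


def sod_conflicts(resp_names, responsibilities=RESPONSIBILITIES, catalogue=FUNCTIONS):
    """Each conflicting (duty_a, duty_b) pair per cycle, with the functions and
    responsibilities that cause it, so the finding can be traced back to a grant."""
    granted = effective_functions(resp_names, responsibilities)
    by_cycle = defaultdict(lambda: defaultdict(set))   # cycle -> duty -> functions
    for fn in granted:
        cycle, duty = catalogue[fn]
        if duty in DUTIES:
            by_cycle[cycle][duty].add(fn)
    conflicts = []
    for cycle in sorted(by_cycle):
        for duty_a, duty_b in combinations(sorted(by_cycle[cycle]), 2):
            involved = by_cycle[cycle][duty_a] | by_cycle[cycle][duty_b]
            via = {fn: sorted(granted[fn]) for fn in sorted(involved)}
            conflicts.append({"cycle": cycle, "duties": (duty_a, duty_b), "via": via})
    return conflicts


def sod_report(users=USERS):
    """user -> conflicts, listing only users that have at least one."""
    report = {}
    for user, resps in users.items():
        conflicts = sod_conflicts(resps)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for user, conflicts in sod_report().items():
        for c in conflicts:
            print(user, c["cycle"], c["duties"], c["via"])
```

Against real data the three constructed tables would be replaced by the user, responsibility and menu-to-function assignments exported from the application (including role grants where RBAC is in use); the cycle and duty tagging of functions is the part that needs a controls specialist and is what the SOD tools on slide 26 ship as a rule set.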

  28. Applications User (diagram: how access is layered)
  • Applications User: user name and password
  • Responsibility: the unit of security and of segregation of duties; a user holds one or more
  • Main Menu → Menus → Forms: the functions a responsibility can reach
  • Request Security Group → Reports, Request Sets, Concurrent Programs: what a responsibility can run
  • Security Rules → Flexfield Values, Report Parameters: the values a responsibility may use
  • Role Based Access Control (RBAC): layered over responsibilities

  29. Summary • Oracle automated controls include: configurable parameters and settings, and user access controls and responsibilities • A review of Oracle configurations and access levels is always as of a ‘point in time’; settings and assignments drift, so the review must be repeated • Segregation of Duties is critical • It requires the right tool to perform the review; manual review is not recommended, because the combinations of users, responsibilities, menus and functions are too many to check by hand