Shooting The Moving Target…… Internal Controls & Segregation of Duties (SOD) Session Code: 503 Jasvir Gill, Virsa Systems Donnie Looper, Eastman Chemical.

Presentation transcript:

Shooting The Moving Target…… Internal Controls & Segregation of Duties (SOD) Session Code: 503 Jasvir Gill, Virsa Systems Donnie Looper, Eastman Chemical Company Kathy Landers, Rockwell Collins

Goals of this session:
Typical SOD Scenario
Key SOD/Controls Challenges
SOD a Moving Target
SOD/Controls Solutions
Ongoing SOD/Controls Compliance
Questions

(Cartoon slide: Users, Auditors and Management crowd around the Security/Controls Team. Speech bubbles:)
"Violating so many controls? This is ugly…"
"Why can't you ever get your act together??"
"I need SAP_ALL"
"Why don't you let me do my job?"
"Damn it!! I need XK01 now! ASAP!!!"

Typical SOD Scenario:
Security implemented as an afterthought
Lack of time to address SOD/Controls right from the outset
Lack of understanding (and a tendency to avoid issues) results in generous authorizations & more SOD issues

Typical SOD Scenario (continued):
External Auditors run utilities and report SOD issues (mostly low-hanging fruit)
Security Team's common defense: the situation is not as bad when looking at the authorization object level
Some action items to satisfy management

Typical SOD Scenario (continued):
Most fixes (s_tabu_dis, s_program…)
No preventive SOD maintenance
Companies waste tons of money on expensive audits and consultants
Problems/issues just don't go away

Common Misconceptions:
We trust our employees
Our system is clean (our programs and tables are protected, and passwords are 5 characters!)
We have external audits every year
We are different & we have no risk
We don't have time/resources to worry about SOD yet; we will handle it later

Common Challenges:
Defining (finding) good SOD Rules
– Significant effort for building & customization
– SOD at Authorization Object level (too many permutations & combinations)
Defining & Documenting Mitigating Controls
– Mitigating Control Approvers
– Mitigating Control Monitors
– Mapping to Users/Roles and SOD Rules

Common Challenges (continued):
Ad hoc or home-grown solutions
– Incomplete functionality
– Not fully automated
– Don't work with online data
– Can't keep pace with SAP
SAP Security is complex
Poor training
– Authorizations made "difficult"
– SOD/Controls made "difficult"

(Chart: cost of resolving an SOD issue by phase. X axis: Phase (Definition, Development, Testing, Production); Y axis: Cost. Annotations: "Most of the clients detect SOD issues here", "RISK FOR FRAUD". Parties shown along the phases: Role Owner, User, Security Admin, End Users, Auditors.)
The later you resolve the problem, the costlier it will be.

Key Challenge: SOD a Moving Target….
Constantly changing:
– Roles
– User Access
– SOD Rules
– Mitigation Controls
SAP Releases (3.1I…4.7)
New Modules (e.g. HR)
Laws & Regulations

SOD/Controls Solutions:
Well-designed Process & Strategy
– Rule building/upgrade methodology
– Security/Controls Process Reengineering
  – Who will define Mitigating Controls
  – Who will approve and monitor Mitigating Controls
  – Proactive SOD checks during User Access & Role changes
– Training for all players, including Role Owners

SOD/Controls Solutions (continued):
SOD/Audit Tool
– Comprehensive functionality/reports
– Complete automation (including Simulation)
– Analysis on live data (even SU24 checks)
– Analysis at the earliest phase possible
– Appropriate change management capabilities (e.g. for Rules) & access levels

SOD/Controls Solutions (continued):
SOD/Audit Tool
– Collaborative features (for all key players)
– Reports with the complete inside picture
– Elimination of all issues in one cycle
– User, Role, Profile, Composites, Job, Position…
– Easy to maintain & use

SOD/Controls Solutions (continued):
Additional Features/Functionality
– Automate building Rules
– Automate upgrading Rules
– Supplementary Analysis
– Complementary Utilities, e.g. Validate Controls
– Dynamic Rule selection for analysis
– Negative SOD Testing

Ongoing SOD/Controls Compliance:
Simulation ("What If" Scenarios)
– Must be real time, online with live data
– Fully automated
– For all changes (Roles, Users, Profiles etc.)
– Available in all environments
– Available across Environments
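A minimal illustration of the proactive, simulation-style SOD check described in the Solutions and Ongoing Compliance slides (rules, mitigating controls mapped to users, and a "what if" check run before a role change is applied). This is an added example, not code from the presentation or from Virsa's product; the roles, rule IDs, mitigating control IDs and conflict pairings are constructed sample data, and XK01 is the only transaction code taken from the slides.

```python
"""Toy SOD rule engine with mitigating controls and a pre-change simulation.

Added example; rules, roles and control IDs below are constructed and
do not reflect any real SAP customer's configuration."""

# Constructed SOD rules: each rule names two groups of transaction codes
# that one user should not hold together (e.g. maintain a vendor and also
# post that vendor's invoices).
SOD_RULES = {
    "P001": ({"XK01", "XK02"}, {"FB60", "MIRO"}),   # vendor master vs. invoice posting
    "P002": ({"ME21N"}, {"MIGO"}),                   # purchase order vs. goods receipt
}

# Constructed single roles and the transaction codes they grant.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
}

# Documented mitigating controls: (user, rule) -> (control id, monitor).
# Only a documented control turns a violation into an accepted, monitored risk.
MITIGATIONS = {("bob", "P001"): ("MC-07", "ap_manager")}


def user_tcodes(roles):
    """Union of transaction codes granted by a user's roles."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def sod_violations(user, roles):
    """Return {rule_id: mitigation or None} for every rule the user violates."""
    codes = user_tcodes(roles)
    found = {}
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        if codes & side_a and codes & side_b:          # both sides of the conflict held
            found[rule_id] = MITIGATIONS.get((user, rule_id))
    return found


def simulate_role_add(user, current_roles, new_role):
    """What-if check run before a role is assigned: lists only the new,
    unmitigated conflicts the assignment would introduce, so the request
    can be stopped at the earliest phase rather than found by auditors."""
    before = sod_violations(user, current_roles)
    after = sod_violations(user, current_roles + [new_role])
    return sorted(r for r, mit in after.items() if r not in before and mit is None)
```

The same check applied to every user, role, profile or composite change, against live assignments, is what the slides mean by fully automated, online simulation.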

Critical Success Factors:
Optimum Rules
Powerful Tools
Sound Processes & Methodology
Proactive ongoing SOD Compliance to reduce day-to-day maintenance & eliminate reinvention of the wheel
Networking (Best Practices)

If you wish to contact us:
Jasvir Gill:
Donnie R. Looper:
Kathy Landers

Questions

Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: 503