Slide 1
ISACA Conference
San Francisco, CA, May 18, 2005
Oracle Applications Security and Controls
Presented by: Brijen Joshi
Slide 2: Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
Slide 3: 1. Objectives
Become familiar with Oracle terminology and concepts
Understand the security and control features within Oracle Applications
Discuss leading practices to secure Oracle Applications
Realize the importance of segregation of duties
Slide 5: 2. Oracle ERP Overview
Product families: Human Resources, Finance, Projects, Self-Service, Supply Chain Management, Manufacturing, Front Office, Applied Technology
Finance: General Ledger, Financial Analyzer, Cash Management, Payables, Receivables, Fixed Assets
Manufacturing: Engineering, Bills of Material, Master Scheduling / MRP, Capacity, Work in Process, Quality, Cost Management, Process (OPM), Rhythm Factory Planning, Rhythm Advanced Scheduling, Project Manufacturing, Flow Manufacturing
Supply Chain Management: Order Entry, Purchasing, Product Configurator, Supply Chain Planning, Supplier Scheduling, Inventory
Projects: Project Costing, Project Billing, Personal Time & Expense, Activity Management Gateway, Project Connect
CRM: Marketing (3 modules), Sales (5 modules), Service (5 modules), Call Center (5 modules)
Human Resources: Payroll, Human Resources, Training Administration, Time Management, Advanced Benefits
Applied Technology: Workflow, Alert (Business Agents), Applications Data Warehouse, EDI Gateway
Self-Service: Web Customers, Web Suppliers, Web Employees
Slide 7: Oracle ERP Security Issues
Oracle Applications is huge and complex
  – More than 100 modules
  – Millions of lines of code
  – Hundreds of configurations (settings)
Acquisition of other major ERPs
  – PeopleSoft, JDE, Siebel, etc.
Multiple technologies involved
  – Networks, OS, web server, application server, database, reporting, etc.
Slide 8: Oracle ERP Security Issues (cont’d)
Many seeded account passwords and seeded configuration settings that are not secure
Multiple access avenues:
  – Applications: any account with the Sysadmin responsibility
  – Process Tab: ANZ menus
  – Database: system, sys, apps, applsys
  – UNIX: root, oracle, applmgr
Slide 9: Oracle ERP Security Issues (cont’d)
Complex regulatory environment
Customizations and extensions to Oracle Applications
Security and controls not on the “critical path” during implementations
Slide 11: Oracle Workflow and Security
What does it do?
Oracle Workflow automates standard business processes, allowing for transparency and a recorded history of process transactions.
Oracle Workflow is highly customizable and is used to drive processes through the system from start to finish.
Who uses it?
  – Workflow specialist: configures workflow during install
  – End users
  – Workflow administrator
Slide 12: Oracle Workflow and Security (cont’d): Most Commonly Used Seeded Workflows
General Ledger: Journal Entry Approval
iExpense: Expense Report Approvals; Terminated Employees
Accounts Payable: Invoice Approval Process; Pay (Positive Pay) Message
Receivables: Credit Memo Approvals; Credit Application Approval
Order Management: Order and Return Processing; Schedule, Ship and Pack Delivery
Purchasing: Requisition and PO Document Approval; Auto Document Creation; Receipt Confirmation; Exceeding of Price/Receipt Tolerances
Projects: Projects Approval; Project Accounting
iTime: Timecard Approval
Slide 13: Agenda
1. Objectives
2. Oracle ERP Overview
3. Oracle ERP Security
4. Oracle Workflow and Security
5. How to Secure Oracle Applications
6. Security and Controls Considerations by Business Cycle
7. Segregation of Duties
8. Configurable Controls
Slide 14: Control Structure
[Diagram: internal and external control structure. Upstream suppliers (linked via EDI / e-commerce, plus non-linked suppliers) and downstream customers (EDI / e-commerce) connect through interfaces and data feeds to the business processes running on Oracle and linked systems on the IT infrastructure; the figure marks internal controls and external controls around these.]
Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls.
Slide 15: Application Security
[Diagram: the Business Process Team (business requirements, Oracle Apps functionality), the Controls & Security Team (control requirements and Oracle security expertise) and Change Management (stakeholder) feed the Oracle Apps user responsibility profiles.]
Managing risk by ensuring that key controls are adequately implemented over application security:
Security Administration: managed by appropriate management within the organization
Security Impact Assessment: on business processes and the user environment
Security Design: current and future needs are assessed and implemented with a high-priority controls environment
Security Strategy/Approach: controls over the application to ensure unauthorized users cannot access the production environment
Segregation of Duties: controls over business processes are adequate and implemented
Security Functionality: comprehensively utilized and maintained
On-going Security Administration: managed and maintained by appropriate management within the organization
Slide 16: Some Leading Practices to Secure Oracle
Improvisation vs. perfection
Enable / use the standard Oracle Applications features in the System Administration module
Change default installation passwords and disable unused default Oracle Applications accounts:
  – Default database administration schemas
  – Schemas belonging to optional database features neither used nor patched by E-Business Suite
  – Schemas belonging to optional database features used but not patched by E-Business Suite
  – Schemas belonging to optional database features used and patched by E-Business Suite
  – Schemas common to all E-Business Suite products
  – Schemas associated with specific E-Business Suite products
Slide 17: Some Leading Practices to Secure Oracle (cont’d)
Restrict “back-end” access to the database
Review the standard reports covering sign-on, unsuccessful sign-on, responsibility usage, form usage and concurrent request usage
Enable auditing on certain tables
Use Oracle Alerts
Keep watching Oracle’s “Security Alerts” for the latest security patches, and other sources such as Computerworld, ITToolbox.com, etc.
Slide 18: Some Leading Practices to Secure Oracle (cont’d)
Profile options: sign-on (profile option / suggested setting)
Signon Password No Reuse – “180”
Signon Password Length – “6-8”
Signon Password Hard to Guess – “Y”
Signon Password Failure Limit – “3”
Sign on:Audit Level – “Form”
Sign on: Notification – “Y”
Slide 19: Some Leading Practices to Secure Oracle (cont’d)
Other security-related profile options (profile option / suggested setup)
AuditTrail:Activate – “Y”
Concurrent:Report Access Level – “User”
FND:Diagnostics – “No”
Utilities:Diagnostics – “No”
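An added example (not part of the presentation) that compares a site's sign-on and security profile option values against the suggested settings from slides 18 and 19; the one-option-per-line export format, the numeric interpretation of each option and the ordering of audit levels are assumptions for the example.

```python
import re
# Suggested values from slides 18-19; each option's kind selects a predicate in CHECKS.
BASELINE = {
    "Signon Password No Reuse": ("min", 180),
    "Signon Password Length": ("range", (6, 8)),
    "Signon Password Hard to Guess": ("exact", "Y"),
    "Signon Password Failure Limit": ("max", 3),
    "Sign on:Audit Level": ("rank", "Form"),
    "Sign on:Notification": ("exact", "Y"),
    "AuditTrail:Activate": ("exact", "Y"),
    "Concurrent:Report Access Level": ("exact", "User"),
    "FND:Diagnostics": ("exact", "No"),
    "Utilities:Diagnostics": ("exact", "No"),
}
AUDIT_LEVELS = ["None", "User", "Responsibility", "Form"]  # least to most detailed (assumed order)
CHECKS = {  # a = actual value from the export (string), t = suggested target
    "min": lambda a, t: a.isdigit() and int(a) >= t,                 # e.g. days before reuse
    "max": lambda a, t: a.isdigit() and 0 < int(a) <= t,             # 0 means unlimited attempts
    "range": lambda a, t: a.isdigit() and t[0] <= int(a) <= t[1],
    "exact": lambda a, t: a.lower() == t.lower(),
    "rank": lambda a, t: a in AUDIT_LEVELS and AUDIT_LEVELS.index(a) >= AUDIT_LEVELS.index(t),
}

def _norm(name):  # fold spelling differences such as 'Sign-On:Audit Level' vs 'Sign on: Audit Level'
    return re.sub(r"[\s:\-]", "", name).lower()

def parse_export(text):
    """Parse constructed 'Option = Value' lines (comment lines start with #) into a dict."""
    pairs = (ln.partition("=") for ln in text.splitlines() if "=" in ln and not ln.startswith("#"))
    return {_norm(name): value.strip() for name, _, value in pairs}

def check_profile(values):
    """Return {option: reason} for every baseline option that is missing or weaker than suggested."""
    findings = {}
    for option, (kind, target) in BASELINE.items():
        actual = values.get(_norm(option))
        if actual is None:
            findings[option] = "not set at site level"
        elif not CHECKS[kind](actual, target):
            findings[option] = f"is {actual!r}, suggested {target}"
    return findings

SAMPLE_EXPORT = """# constructed sample, not real site values
Signon Password No Reuse = 90
Signon Password Length = 5
Signon Password Failure Limit = 0
Sign-On:Audit Level = User
AuditTrail:Activate = N
FND:Diagnostics = No
"""
```

Running `check_profile(parse_export(SAMPLE_EXPORT))` flags nine of the ten options: five weaker than suggested and four not set at all, which is the same "unset means default" gap a reviewer should treat as a finding.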
Slide 21: Security and Controls Considerations by Business Cycle
A “configurable control” is any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps:
  – Profile options
  – Transaction type settings
  – Financial options
  – Payment options
  – Invoice options
This differs from “inherent” controls, which are pre-programmed settings that are generally not overridable or modifiable (e.g. quantity values not allowing non-numeric characters).
Slide 22: Security and Controls Considerations by Business Cycle
The following key cycles will be discussed in the next few slides:
  – Order to Cash
  – Procure to Pay
  – General Ledger/Financial Close
Slide 23: Security and Controls Considerations by Business Cycle
1. Order to Cash
  – OM transaction type settings
  – Holds: operational and financial
  – Processing constraint rules
  – Payment terms
  – Credit limit and credit check
Slide 24: Security and Controls Considerations by Business Cycle
2. Procure to Pay
  – Document types: PO, requisitions, etc.
  – Approval limits and approval groups
  – Tolerances
  – Invoice matching
  – Bank setup
Slide 25: Security and Controls Considerations by Business Cycle
3. General Ledger/Financial Close
  – GL chart of accounts, security rules, cross-validation rules
  – Journal approval and posting
  – Consolidation mapping rules
  – Translation and exchange rates
  – Suspense posting and dynamic insert option
Slide 27: Segregation of Duties
What is “Segregation of Duties” (SOD)?
The principle of separating incompatible functions from an individual
Designed to prevent, rather than detect
Reduces risk, as circumventing a well-designed SOD environment requires collusion
SOD includes system-level segregation as well as segregation of manual processes
Slide 28: Segregation of Duties
What must be segregated?
  – Record keeping
  – Custody of assets
  – Authorization
  – Reconciliation
Slide 29: Segregation of Duties
Segregation of duties and restricted access is a multi-dimensional challenge.
Tools may be used to assist in the initial analysis of segregation of duties and the design of roles and responsibilities.
In addition, other dimensions of the ERP application security should be understood to assess the full nature of segregation of duties weaknesses.
Slide 30: Segregation of Duties
In a practical way, SOD is enforced in Oracle through responsibilities!
A responsibility defines a set of menu options and functions that are accessible to a user, and defines the reports and processes which may be run
Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable
A user can be assigned more than one responsibility
Role Based Access Control (RBAC): new feature in 11.5.10
Slide 31: Segregation of Duties
[Diagram: responsibility security model. An applications user (user name, password) is assigned a responsibility; the responsibility’s main menu leads to menus and forms; its request security group controls reports, request sets and concurrent programs; security rules restrict flexfield values and report parameters. Role Based Access Control (RBAC) is shown alongside responsibility security.]
Slide 32: Segregation of Duties
Potential traps with SOD reviews:
  – Oracle standard menus / forms
  – Custom PLLs
  – Customised forms or functions
  – IT users with superuser responsibilities
  – Process Tab
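An added example (not part of the presentation) of the SOD review that slides 28, 30 and 32 describe: functions are tagged with one of the four duty categories, responsibilities bundle functions, and a user's combined responsibilities are checked for incompatible duties within one process; the function names, responsibility names and user assignments are constructed, not seeded Oracle names, and the "System Administrator" entry models the superuser trap from slide 32.

```python
from itertools import combinations
# Duty categories from slide 28; any two of them held by one person over the same
# process are incompatible.  Function -> (process, duty) is a constructed mapping.
FUNCTION_DUTY = {
    "AP Invoice Entry": ("Procure to Pay", "Record Keeping"),
    "AP Invoice Approval": ("Procure to Pay", "Authorization"),
    "AP Payment Batches": ("Procure to Pay", "Custody of Assets"),
    "AP Bank Reconciliation": ("Procure to Pay", "Reconciliation"),
    "AR Receipt Entry": ("Order to Cash", "Record Keeping"),
    "AR Credit Memo Approval": ("Order to Cash", "Authorization"),
    "GL Journal Entry": ("GL Close", "Record Keeping"),
    "GL Journal Posting": ("GL Close", "Authorization"),
}
# Responsibility -> functions reachable from its menus (constructed, not seeded names).
RESPONSIBILITIES = {
    "Payables Clerk": {"AP Invoice Entry"},
    "Payables Supervisor": {"AP Invoice Approval", "AP Payment Batches"},
    "Cash Management User": {"AP Bank Reconciliation"},
    "Receivables Clerk": {"AR Receipt Entry"},
    "GL Accountant": {"GL Journal Entry"},
    "GL Controller": {"GL Journal Posting"},
    "System Administrator": set(FUNCTION_DUTY),  # superuser reaches everything (slide 32 trap)
}

def effective_functions(assigned, responsibilities=RESPONSIBILITIES):
    """Union of the functions of every responsibility assigned to one user."""
    return set().union(*(responsibilities[r] for r in assigned))

def sod_conflicts(user_resps, responsibilities=RESPONSIBILITIES):
    """Return {user: [(process, duty_a, duty_b), ...]} for users who can perform
    incompatible duties.  The check runs on the user's combined access, so two
    individually clean responsibilities still conflict when assigned together."""
    report = {}
    for user, assigned in user_resps.items():
        duties = {}  # process -> duty categories this user can perform
        for fn in effective_functions(assigned, responsibilities):
            process, duty = FUNCTION_DUTY[fn]
            duties.setdefault(process, set()).add(duty)
        conflicts = [(p, a, b) for p, ds in duties.items() for a, b in combinations(sorted(ds), 2)]
        if conflicts:
            report[user] = sorted(conflicts)
    return report

USERS = {  # constructed sample assignments
    "aclark": ["Payables Clerk", "Payables Supervisor"],  # entry plus approval and payment
    "bkhan": ["Payables Clerk", "Receivables Clerk"],     # different processes: no conflict
    "cdev": ["System Administrator"],                     # IT superuser responsibility
    "dlee": ["GL Accountant"],
}
```

`sod_conflicts(USERS)` reports aclark (three Procure to Pay conflicts across two responsibilities that are clean on their own) and cdev (eight conflicts from the superuser responsibility), and nothing for bkhan, whose record-keeping functions sit in different processes.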
Slide 33: Segregation of Duties
Finally…
Baseline testing of user access is a critical step
The strength of the change control environment will impact the ability to rely on the baseline of segregation of duties and user access
Slide 34: Summary
Oracle security is complex and needs appropriate handling
  – The right kind of people
  – Use of tools like LogicalApps, Applimation, Oracle ICM
Oracle automated controls include:
  – Configurable parameters and settings
  – User access controls and responsibilities
Reviews of Oracle configurations and access levels are always as of a “point in time”
Segregation of Duties is critical
  – Requires use of the right tool to perform the review
  – Manual review not recommended
Slide 35: Contact Information
Email: brijen.m.joshi@us.pwc.com