More Than SOD
TRANSCRIPT
Page 1
#JDEINFOCUS
Linda Nelson, August 21, 2018
Security Compliance: More Than Just Segregation of Duties
Page 2
Agenda
• Compliance
• What to Look For
• Specifics
• Wrap Up
Page 3
• Security
• Roles
• Best Practice in JDE
• Risk Management
• Task Views
Page 4
Who is ALLOut Security?
• Security Management: Efficient Role Management; All Security Records in Grids; Automatically resolve security conflicts
• User Management: One Click Provisioning; Manage unused user IDs
• Menu Management: Manage Menus in a Grid; Version Management in a Grid; Security Management by Menu
• Reporting: User, Security and Menu Audit History; Delivered, Simple and Auditable
• Compliance: Segregation of Duties, SOX and JSOX Reporting; GDPR Support; Section 404 List
• Sample Project Automation: Open to Close or Deny All Set Up; Upgrades; Net New Implementation
Page 6
What is Compliance?
Page 7
Compliant with What?
Page 8
Compliance Management
Page 9
Main Challenges in Implementing Compliance
• Budget
• Time
• Staff/Experience and Team Effort
• Planning and implementing
• Maintenance
Page 10
Tips on Achieving Compliance
• Develop Awareness
• Review your systems, your business and your future.
• Examine & find solutions
• Find value
• Develop a plan
• Lean on your community
Page 11
ERP System
• Comprehensive System
• Sharing Data Effectively
• Eliminates Integrations
• Accelerates Efficiencies
• Better Information
Page 12
Resulting ERP System Risks
• Reporting Access
• Technical Personnel With Too Much Access
• Timeline Constraints and Prioritization on Implementations
• Security Concerns Lost in the Shuffle
• Serious Gaps in Security and Controls Not Identified Before Go-Live
• Result in Post Go-Live Remediation Projects
Weak ERP security can ultimately lead not just to operational bottlenecks, but to fraud, loss of assets, misstatement of financial results, and data privacy compromises.
Page 14
ALLOut Tools
• Access Reporting
• SOD Reporting
• Audit Trail Report
• SOD Locking
• Change Control
• Mitigating Controls
• Requests & Approvals
• Controlled Roles
• Manage Unused Access
• SecurityPlus
• CombiRoles
• ProfilePlus
• MenuPlus
• Risk Reporting
• Risk Management
Page 15
Answering to Auditors
• Segregation of Duties – More Frequently
• Critical Access Reporting
• Managing Users Not Accessing the System
• Quarterly User Access Reviews
Where ALLOut Can Help
• Risk Management – Preventative Control
• Testing and approving security changes within the tool and promoting to PD
• Tools to remove access not used
• Automate critical access reporting
• Automate user access reviews
Page 16
More to Consider
• Include External System Access
• Implement Mitigating Controls
• Review OMW Projects for New Programs with Access Implications
• Ensure Risk Assessments are Still Organizationally Relevant
Page 17
User Access
• Test IDs are Disabled in Production
• Ensure All Users are Included in User Reviews
• Review for Users Not Signing In
• Ensure Users Excluded from Review are Disabled in Production
• Remove Users with No Security Roles
• Ensure System Admins Have No Other Access
• Identify Individual Users With Information For Those Not Compliant with Global Policies
• Restrict Inquiry Roles From Submitting Batch Processes
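The user-access checks on this slide, run over a constructed set of user records, as an added example that is not part of the presentation or of ALLOut's tooling; the record fields, role names, the role capability map and the TEST-prefix naming convention for test IDs are assumptions:

```python
from datetime import date, timedelta

# Constructed sample records (hypothetical fields, not real F0092/F95921 columns):
# user id -> enabled flag, assigned roles, last sign-on date (None = never).
USERS = {
    "TEST01":  {"enabled": True,  "roles": ["APINQ"],               "last_signon": date(2018, 8, 1)},
    "JSMITH":  {"enabled": True,  "roles": ["APCLERK"],             "last_signon": date(2018, 3, 2)},
    "MJONES":  {"enabled": True,  "roles": [],                      "last_signon": date(2018, 8, 10)},
    "SYSADM1": {"enabled": True,  "roles": ["SYSADMIN", "GLCLERK"], "last_signon": date(2018, 8, 15)},
    "OLDUSER": {"enabled": False, "roles": ["ARINQ"],               "last_signon": None},
}
ADMIN_ROLES = {"SYSADMIN"}
# Hypothetical role -> capability map; "UBE" means the role may submit batch jobs.
ROLE_CAPS = {
    "APINQ":    {"INQUIRE", "UBE"},
    "ARINQ":    {"INQUIRE"},
    "APCLERK":  {"INQUIRE", "UPDATE", "UBE"},
    "GLCLERK":  {"INQUIRE", "UPDATE"},
    "SYSADMIN": {"ADMIN"},
}
REVIEW_DATE = date(2018, 8, 21)   # the date the review is run (constructed)

def review_users(users, today, inactive_days=90):
    """Return sorted (user, finding) tuples for the enabled users in production."""
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for uid, u in users.items():
        if not u["enabled"]:
            continue                     # disabled IDs cannot sign in; out of scope
        roles = set(u["roles"])
        if uid.startswith("TEST"):       # naming convention assumed for test IDs
            findings.append((uid, "test ID enabled in production"))
        if u["last_signon"] is None or u["last_signon"] < cutoff:
            findings.append((uid, f"no sign-on in the last {inactive_days} days"))
        if not roles:
            findings.append((uid, "no security roles assigned"))
        if roles & ADMIN_ROLES and roles - ADMIN_ROLES:
            findings.append((uid, "system admin also holds business roles"))
        for r in sorted(roles):
            caps = ROLE_CAPS.get(r, set())
            # an inquiry role has no update/admin capability; it should not run UBEs
            if "UBE" in caps and not caps & {"UPDATE", "ADMIN"}:
                findings.append((uid, f"inquiry role {r} can submit batch processes"))
    return sorted(findings)

def run_review():
    return review_users(USERS, REVIEW_DATE)

if __name__ == "__main__":
    for uid, finding in run_review():
        print(f"{uid:<8} {finding}")
```

Users already disabled are skipped on purpose; the slide's separate check that excluded users really are disabled is what keeps that skip safe.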
Page 18
Inactive User Report
Page 19
EU General Data Protection Regulation (GDPR)
• Access Reporting: List of programs that have access to personal data; Identification of access paths
• Critical Access Report: All roles that have access to personal data; All users that have access to personal data
• Audit History: Any changes to the personal data access; Any changes to programs considered for access
• Role assignment request process: Tracking of approvals and documentation within E1 for granting access to roles with access to personal data.
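The access-path and critical-access reporting described for GDPR, as an added example (not from the presentation or from ALLOut's software): it derives user → role → program paths to personal-data programs from constructed assignments and diffs two snapshots to report granted and revoked access. The user, role and program names and the set of programs classified as holding personal data are assumptions.

```python
# Constructed sample data (hypothetical user, role and program names).
# PD_PROGRAMS_* is the "list of programs that have access to personal data".
PD_PROGRAMS_BEFORE = {"P01012", "P0801"}
PD_PROGRAMS_AFTER = PD_PROGRAMS_BEFORE | {"P08041"}   # one more program classified later
ROLE_PROGRAMS = {                      # role -> programs the role can run
    "HRCLERK": {"P0801", "P08041"},
    "APCLERK": {"P0411", "P01012"},
    "GLINQ":   {"P0911"},
}
USER_ROLES_BEFORE = {"JSMITH": {"APCLERK"}, "AWONG": {"GLINQ"}, "BLEE": {"HRCLERK"}}
USER_ROLES_AFTER = {"JSMITH": {"APCLERK"}, "AWONG": {"GLINQ", "HRCLERK"}, "BLEE": set()}

def roles_with_pd_access(role_programs, pd_programs):
    """All roles that can run at least one personal-data program."""
    return {r for r, progs in role_programs.items() if progs & pd_programs}

def access_paths(user_roles, role_programs, pd_programs):
    """Every (user, role, program) path by which a user reaches personal data."""
    return {(u, r, p)
            for u, roles in user_roles.items()
            for r in roles
            for p in role_programs.get(r, set())
            if p in pd_programs}

def users_with_pd_access(paths):
    return {u for u, _, _ in paths}

def pd_access_changes(before_paths, after_paths):
    """Critical-access view: paths granted or revoked between two snapshots.
    Paths are recomputed from the program list too, so newly classifying a
    program as personal data also shows up here as granted paths."""
    return {"granted": sorted(after_paths - before_paths),
            "revoked": sorted(before_paths - after_paths)}

def run_report():
    before = access_paths(USER_ROLES_BEFORE, ROLE_PROGRAMS, PD_PROGRAMS_BEFORE)
    after = access_paths(USER_ROLES_AFTER, ROLE_PROGRAMS, PD_PROGRAMS_AFTER)
    return {
        "roles": sorted(roles_with_pd_access(ROLE_PROGRAMS, PD_PROGRAMS_AFTER)),
        "users": sorted(users_with_pd_access(after)),
        "paths": sorted(after),
        "changes": pd_access_changes(before, after),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(run_report(), indent=2))
```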
Page 21
Unauthorized Access
• Nonconformity With Security or Regulatory Requirements
• Access to Sensitive Data: Banking, Payroll, Product
Page 22
Critical Data Access
• Review Users with Advanced Access Such as Table Level Access
• Use Encryption on Key Data
• Block Access to Critical Data at a Table Level for *Public/*All
Page 23
Column (Security Type 2)
Column security grants or restricts access to, and update of, columns of data (i.e. data items). You can control Add/Change/View access.
• Table: Access/update can be restricted to a data item for one or all tables. When applied to *ALL this affects all tables and applications that use the relevant data item.
• Program: Access/update can be restricted for a data item (field) in a specific application. This allows you to deny view or update ability to particular fields in an application. It can be limited to a specific form or version.
Page 24
Standard Address Book View
Page 25
Apply Column Security
Page 26
Can Still See
Page 27
Add Column Security
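A simplified model of the column security mechanism from the Column (Security Type 2) slide, walked through the Apply Column Security / Can Still See / Add Column Security sequence of the screenshots: a program-level record hides a field in one application, the same data item stays visible through another application, and a table-level *ALL record closes that gap. This is an added example, not JDE's code or the presenter's; its precedence rule (the more specific record wins), the data item alias, and the table and application names used are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ColumnRule:                   # one type-2 (column) security record, simplified
    data_item: str                  # the data item (field) being secured
    scope: str                      # "TABLE" or "PROGRAM"
    obj: str                        # table name, application name, or "*ALL"
    form: Optional[str] = None      # PROGRAM scope only: limit to one form
    version: Optional[str] = None   # PROGRAM scope only: limit to one version
    view: bool = True
    add: bool = True
    change: bool = True

def specificity(rule, table, app, form, version):
    """Rank of a rule that applies to this access, or None if it does not.
    Assumed precedence: program+form/version > program > table > *ALL."""
    if rule.scope == "TABLE":
        return 0 if rule.obj == "*ALL" else (1 if rule.obj == table else None)
    if rule.obj != app or (rule.form and rule.form != form) \
            or (rule.version and rule.version != version):
        return None
    return 2 + (rule.form is not None) + (rule.version is not None)

def resolve(rules, data_item, table, app, form=None, version=None):
    """View/add/change rights for one data item; no matching rule = unrestricted."""
    ranked = [(specificity(r, table, app, form, version), r)
              for r in rules if r.data_item == data_item]
    ranked = [(k, r) for k, r in ranked if k is not None]
    if not ranked:
        return {"view": True, "add": True, "change": True}
    best = max(ranked, key=lambda t: t[0])[1]
    return {"view": best.view, "add": best.add, "change": best.change}

# Constructed walk-through of the slides: deny the tax ID (data item TAX, assumed
# alias) in Address Book Revisions (P01012) only, then at *ALL tables.
DENY = dict(view=False, add=False, change=False)
STEP1 = [ColumnRule("TAX", "PROGRAM", "P01012", **DENY)]
STEP2 = STEP1 + [ColumnRule("TAX", "TABLE", "*ALL", **DENY)]

def can_still_see():
    """(P01012 after step 1, Data Browser after step 1, Data Browser after step 2).
    "DATABROWSER" is a hypothetical application name."""
    return (resolve(STEP1, "TAX", "F0101", "P01012")["view"],
            resolve(STEP1, "TAX", "F0101", "DATABROWSER")["view"],
            resolve(STEP2, "TAX", "F0101", "DATABROWSER")["view"])
```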
Page 28
Address Book Personal Data Security
• Alternative for this example
• 7 standard fields protected
• Can add others by modifying B0100095 (Up to 8)
• Impacts Address Book and other applications, Data Browser, UTB and UBEs
• Multiple Steps:
  • Activate – Address Book Constants
  • Create Permission Lists - What - Address Book Data Permissions program (P01138)
  • Create Relationships – Who - Permission List Relationships program (P95922)
• For more information: https://docs.oracle.com/cd/E17984_01/doc.898/e14717/adressbook_security.htm
Page 30
Process Steps
• Need for Change Arises
• Request is Submitted
• Request Reviewed
• Change is Approved
• Change is Completed
• Change is Communicated
• Change is Tested
• Documentation is Retained
• Self Monitor: Process is Audited
Page 31
Security Change Approvals Documentation
Page 32
E1 Auditing Tools
• Interactive Application or UTB
• System Profile Reports
Page 33
Limitations
• JDE Tools
  • Interactive – Inquire only
  • Reporting tools – limited
• Insufficient information
  • JDE events alone do not enable a complete compliance audit
• User Access
  • Environment access (F0093)
  • Menu Filtering (F9006)
• Menu Access
  • Menu changes (F9000/1)
Page 34
ALLOut Audit Additional Events
• User Changes: Distinguishes Admin changes (F98OWSEC) – i.e. *Enabled/*Disabled
• Assignment Changes: User/Role Environment Relationships (F0093); User to Role Relationships Expiry (F95921)
• Security Changes: Menu Filtering (F9006)
• Menu Changes: Tasks (F9000), Task Relationships & Favorites (F9001)
• Compliance Changes – ALLOut specific: SoD Rules/Lists; SoD Role Rules; Mitigating Controls; ALLOut Defaults & Configuration; Xe Solution Explorer Roles (UDC)
Page 35
Variety of Standard Reports
• User Changes Auditing
• Role Changes Auditing
• Assignment Changes Auditing
• Security Changes Auditing
• Menu Changes Auditing
• Compliance Changes Auditing
• Audit Configuration Changes Auditing
Page 36
Uses In The Change Management Process
• Monitoring of the Process
• Provide Information to Auditors
• Communicate Changes
• Capture Approvals
• Variety of Non-Process Uses
Page 38
Best Practice
• Say what you will do and do what you say
• Defined
• Repeatable
• Separate approval and performance of change
• Communication is key
• Auditable
• “Written” Request and Approval
• Track changes
• Process to monitor
• Independence is Key
• Focus on risk
• Keep it simple
Page 39
Wrap Up
• Balancing Act
• Don’t over Complicate
• Managing Material Risks
• Continually Adjust
• Change is Normal in a Healthy Business
• Align Security Control Strategies with Business Processes to Ensure Adherence
• Network Access and Database Security is Also Required
Page 40
Wrap Up
• ALLOut Security Tools - “Prove It”
• Change Management
• Enterprise Risk Management
Page 41
Additional Ways to Learn More
• http://education.oracle.com
• http://www.iso.org
• https://www.rims.org
• www.acfe.com
• https://www.isaca.org
Feel free to ask us…
Ask your fellow JDEdwards users
Page 42
Questions
Page 43
Contact Us
Sessions this week:
• Tuesday 11:15 – 12:15, 103150: Security Speed Race
• Tuesday 1:30 – 2:30, 104360: Security compliance for SOX, JSOX and GDPR: More Than Just SOD
• Wednesday 9:15 – 10:15, 103550: A Midsummer Night’s Security Dream a.k.a. Leveraging Best Practice JDE Security
Booth: Don’t hesitate to ask!
Website: www.alloutsecurity.com
Page 45
Who is the Quest Community?
A 55,000+ member user community for Oracle Cloud, JD Edwards and PeopleSoft customers.
What the Quest JD Edwards Community offers:
• Customized digital content
• Official JD Edwards newsletter
• Customer success stories
• Virtual and face-to-face events
• JD Edwards networking groups
Visit www.QuestDirect.org for more information!