session 15 – erp security

Session 15 – ERP Security

1. Objectives

2. Oracle ERP Overview

3. Oracle ERP Security

4. Oracle Workflow and Security

5. How to Secure Oracle Applications

6. Security and Controls Considerations by Business Cycle

7. Segregation of Duties

1. Objectives

• Become familiar with Oracle terminology and concepts

• Understand security and control features within Oracle Applications

• Discuss leading practices to secure Oracle Applications

• Realize importance of segregation of duties

Agenda

1. Objectives








Human Resources

Finance

Projects

Self-Service

Supply Chain Management

Manufacturing

Front Office

Applied

Technology

FinanceGeneral LedgerFinancial Analyzer Cash ManagementPayablesReceivablesFixed Assets

ManufacturingEngineeringBills of MaterialMaster Scheduling / MRPCapacityWork in ProcessQualityCost ManagementProcess (OPM)Rhythm Factory PlanningRhythm Advanced SchedulingProject ManufacturingFlow Manufacturing

Supply Chain ManagementOrder EntryPurchasingProduct ConfiguratorSupply Chain PlanningSupplier SchedulingInventory

ProjectsProject CostingProject BillingPersonal Time & ExpenseActivity Management GatewayProject Connect

CRMMarketing (3 modules)Sales (5 modules)Service (5 modules)Call Center (5 modules)

Human ResourcesPayrollHuman ResourcesTraining AdministrationTime ManagementAdvanced Benefits

Applied TechnologyWorkflowAlert (Business Agents)Applications Data WarehouseEDI Gateway

Self-ServiceWeb CustomersWeb SuppliersWeb Employees

Agenda

1. Objectives







Oracle ERP Security Issues

• Oracle Applications is huge and complex – More than 100 modules– Millions of lines of coding– Hundreds of configurations (settings)

• Acquisition of other major ERPs– PeopleSoft, JDE, Siebel, etc……

• Multiple Technologies involved– Multiple technologies like Networks, OS, Web server,

Application Server, Database, Reporting, etc..

Oracle ERP Security Issues (cont’d)

• Many seeded account passwords and seeded configuration settings that are not secure

• Multiple access avenues:– Applications - any account with Sysadmin

responsibility– Process Tab – ANZ Menus– Database – system, sys, apps, applsys– UNIX - root, oracle, applmgr

Oracle ERP Security Issues (cont’d)

• Complex regulatory environment

• Customization and Extensions to Oracle Applications

• Security and Controls should be on the “critical path” during implementations

Agenda

1. Objectives







Oracle Workflow and Security

What does it Do?• Oracle Workflow automates standard business processes,

allowing for transparency and a recorded history of process transactions

• Oracle Workflow is highly customizable and is used to drive processes through the system from start to finish.

Who uses it?• Workflow Specialist configures workflow during install• End Users• Workflow Administrator

Oracle Workflow and Security (cont’d)

General Ledger

Journal Entry Approval

iExpense

Expense Report Approvals

Terminated Employees

Accounts Payable

Invoice Approval

Process Pay (Positive Pay) Message

Receivables

Credit Memo Approvals

Credit Application Approval

Order Management

Order and Return Processing

Schedule, ship and pack delivery

Purchasing

Requisition and PO Document Approval

Auto Document Creation

Receipt Confirmation

Exceeding of Price/Receipt Tolerances

Projects

Projects Approval

Project Accounting

iTime

Timecard Approval

Most Commonly Used Seeded Workflows

Agenda

1. Objectives







8. Configurable Controls

Control Structure

Non-LinkedSuppliers

Upstream

Internal and External Control Structure

Downstream

Suppliers

EDIE -

Commerce

Customers

EDIE -

Commerce

InterfacesData Feeds



Business Processes

InternalControls

InternalControls

ExternalControls

ExternalControls


Non-LinkedSuppliers

IT Infrastructure

ORACLEORACLE

Linked Systems

Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls

Application Security

BusinessProcessTeam

Controls & SecurityTeam

ChangeManagement(Stakeholder)

Oracle AppsFunctionality

ControlRequirements &Oracle Security Expertise

Business Requirements

Oracle Apps(User ResponsibilityProfiles)

• Security Administration - managed by appropriate management within the organization

• Security Impact Assessment - on business processes and user environment

• Security Design - current and future needs are assessed and implemented with high priority controls environment

• Security Strategy/Approach - controls over application to ensure unauthorized users can not access the production environment

• Segregation of Duties - controls over business process are adequate and implemented

• Security Functionality - comprehensively utilized and maintained

• On-going Security Administration - managed and maintained by appropriate management within the organization

Managing Risk by Ensuring that Key Controls are Adequately Implemented Over

APPLICATION SECURITY:

Some Leading Practices to Secure Oracle (Cont’d)

• Restrict ‘Back-end’ access to the Database

• Review of standard reports to access signon, unsuccessful signon, responsibility usage, form usage and concurrent request usage.

• Enabling Auditing on certain Tables

• Oracle Alerts

Some Leading Practices to Secure Oracle (Cont’d)

Profile Options – Signon / Suggested settings• Signon Password No Reuse – “180”• Signon Password Length – “6-8”• Signon Password Hard to Guess – “Y”• Signon Password Failure Limit – “3”

Agenda

1. Objectives







Security and Controls Considerations by Business Cycle

A ‘configurable control’ is

• Any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps– Profile options– Transaction type settings– Financial options– Payment options– Invoice options

• Different from ‘inherent’ controls, which are pre-programmed settings that are generally not overrideable or modifiable (e.g. quantity values not allowing non-numeric characters)


The following key cycles will be discussed in the next few slides

• Order to Cash• Procure to Pay• General Ledger/Financial Close


1. Order to Cash– OM Transactions type Setting– Holds: Operational and Financial– Processing Constraints Rules– Payment Terms– Credit Limit and Credit Check

What is security implication?


2. Procure to Pay– Document Types – PO, Requisitions, etc– Approval Limits and Approval Groups– Tolerances– Invoice Matching– Banks setup



3. General Ledger/Financial Close– GL Chart of Accounts, Security rules, Cross-validation

rules– Journal Approval and Posting– Consolidation Mapping Rules– Translation and Exchange Rates– Suspense Posting and Dynamic insert option


Agenda

1. Objectives







Segregation of Duties

What is ‘Segregation of Duties’ (SOD)?

• The principle of separating incompatible functions from an individual

• Designed to prevent, rather than detect

• Reduces risk, as circumventing a well designed SOD environment requires collusion

• SOD includes system level segregation as well as segregation of manual processes


What must be segregated?

Record Keeping Custody of Assets

Authorization Reconciliation


Approval Hieararchy

Roles and Responsibilities

Organizations

General Ledger Security

Business Units / Sets of Books

Workflow

Accounting Transactions

Custom Code

Segregation of Duties and restricted access is a multi-dimensional challenge.

Tools may be used to assist in the initial analysis of segregation of duties and the design of Roles and Responsibilities. In addition, other dimensions of the ERP application security should be understood to assess the full nature of segregation of duties weaknesses.


In a practical way, SOD is enforced in Oracle through responsibilities!

• A responsibility defines a set of menu options and functions that are accessible to a user and defines reports and processes which may be run

• Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable

• A user can be assigned more than one responsibility

• Role Based Access Control (RBAC)


ApplicationsUser

User Name

Password

Responsibility

Main Menu

Menu

Forms

Menu

Forms

Request Security Group

Reports

Request Sets

Concurrent Programs

Security Rules

Flexfield Values

Report Parameters

Responsibility SecurityResponsibility Security

Role Based Access Control - RBAC

Summary

• Oracle automated controls include:• Configurable parameters and settings

• User access controls and responsibilities

• Review of Oracle configurations and access levels are always as of a ‘point-in-time’

• Segregation of Duties is critical– Requires use of right tool to perform the review– Manual review not recommended

session 15 – erp security

Documents