Oracle E-Business Suite Controls: Application Security Best Practices

Size: px

Start display at page:

Download "Oracle E-Business Suite Controls: Application Security Best Practices"

Opal Collins
9 years ago
Views:

1 Table of Contents Table of Contents vi Acknowledgements 1 Foreword 2 What Makes This Book Different 3 Who Should Read this Book 3 Organization of this Book 4 Chapter 1: Introduction 5 Chapter 2: Introduction to ERP Systems 11 Impact of ERP Systems Technical Architecture 11 EBS Technical Architecture: Audit Trail Implications 16 Application Controls 19 Change Management 21 Privileged User Access and Monitoring 22 Chapter 3: Goals of Application Security Design and Impact of RBAC Standards 23 Application Security Design Goals 23 The RBAC Standard and its Impact on Application Security Design 25 Chapter 4: Introduction to Oracle Application Security: Function Security 31 Function Security 31 Users 31 Responsibilities 38 Page vi

Management 21 Privileged User Access and Monitoring 22 Chapter 3: Goals of Application Security Design and Impact of RBAC Standards 23 Application Security Design Goals 23 The RBAC

2 Menus 42 Request Groups 45 Form Functions 47 Function Security Conclusions 51 Chapter 5: Change Management Best Practices and their impact on Application Security 52 Change Management, Prior to ERP Systems 52 Change Management, Impact of ERP Systems 53 Protecting the BUSINESS process 54 IT Change Management Best Practices 56 Change Management Conclusions 62 Chapter 6: Developing a Proper Audit Trail for your EBS Environment 64 Standard Application Audit Information 64 Sign-on Audit Information 65 Snapshot-based Technologies 67 Advanced Application Audit Trail Methodologies 71 Log-based Technologies 71 Trigger-based Technologies 73 EBS System Administrator Advanced Auditing; Trigger-Based 75 Evaluating Advanced Application Auditing Technologies 76 What to Audit 76 Audit Trail Conclusions 77 Chapter 7: Application Users Best Practices 78 User Provisioning Process 78 Establishing a User in Oracle EBS 81 User Password Controls 81 Monitoring of User Activity and Logins 83 Page vii

Trail for your EBS Environment 64 Standard Application Audit Information 64 Sign-on Audit Information 65 Snapshot-based Technologies 67 Advanced Application Audit Trail Methodologies 71 Log-based

3 User Termination Process 84 Use and Care of Generic User Accounts 85 Application Users Conclusions 88 Chapter 8: Application Support Principles and Their Impact on Application Security 90 Assessing Risk Related to Privileged Users 91 Application Support Security Design 93 Application Support Processes 95 Application Support Principles Conclusions 96 Chapter 9: Data Security and Its Impact on Application Security 98 Project Approach to Addressing Risks Associated with Access to Sensitive Data 99 Data Security Conclusions 105 Chapter 10: Assessing Risk for User Access Controls and Segregation of Duties 106 What a Risk Assessment Process Should Contain 106 When Should a Risk Assessment Be Performed? 112 Who Should Perform a Risk Assessment? 113 Risk Assessment Methodology 113 Risk Assessment Process Results 118 Risk Assessment Conclusions 125 Chapter 11: Workflow Security Implications 126 Worklist Access 127 Delegation of Notifications in the Application 130 Vacation Rules 133 Notifications Via 136 Page viii

Application Security 98 Project Approach to Addressing Risks Associated with Access to Sensitive Data 99 Data Security Conclusions 105 Chapter 10: Assessing Risk for User Access Controls and

4 Workflow Administrator 137 Workflow Security Conclusions 138 Chapter 12: User Management Module and Security Design 140 Role Definition 143 Role Hierarchies 149 Data Level Security 152 User Management Versus Function Security 153 Mandatory Use of UMX and Related Monitoring 154 Administrative Features 155 Delegated Administration 155 Provisioning Services 157 Self-Service and Approvals 157 User Management Conclusions 159 Chapter 13: Application Security in Non-Production Environments 160 Protection of Sensitive Data 160 Instance-Specific Security Requirements 162 Password Encryption Risks 163 Other Recommendations 164 Non-Production Instances Application Security Conclusions 165 Chapter 14: Upgrade Risks 166 Common Application Security Implementation Practices 166 Upgrade Risk 173 Use of Standard Menus and Submenus and Related Risks 173 Upgrade Risks Conclusions 182 Chapter 15: Release 12 Impact on Application Security Design 184 Manage Proxies 184 Page ix

157 User Management Conclusions 159 Chapter 13: Application Security in Non-Production Environments 160 Protection of Sensitive Data 160 Instance-Specific Security Requirements 162 Password

5 Multi-Org Access Control (MOAC)/ Security Profiles 189 Chapter 16: Auditors Toolkit 192 Oracle Diagnostics Tool 192 Using Oracle Forms to Access the Application for Audit Purposes 200 Standard Oracle Reports 201 SQL Queries 201 Appendix A Common Controls Related to Application Security 204 Users 204 Security Design 204 Change Management 205 Appendix B Other Resources 206 ERP Seminars Hosted Websites 206 Other Websites 207 Books 208 Companies with EBS Expertise 208 Appendix C Terminology 210 Appendix D Tips and Tricks 212 Page x

to Application Security 204 Users 204 Security Design 204 Change Management 205 Appendix B Other Resources 206 ERP Seminars Hosted

Chapter 6: Developing a Proper Audit Trail for your EBS Environment

Chapter 6: Developing a Proper Audit Trail for your EBS Environment In Chapter 2, we looked at the inherent architecture of EBS and some implications regarding the lack of a detailed audit trail. Three