Understanding ERP Architectures, Security and Risk

Similar documents
Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

Risk Management in Role-based Applications Segregation of Duties in Oracle

Oracle E-Business Suite: SQL Forms Risks and. Presented by: Jeffrey T. Hare, CPA CISA CIA

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015

ORACLE APPLICATION ACCESS CONTROLS GOVERNOR FOR PEOPLESOFT

Oracle E-Business Suite Controls: Application Security Best Practices

Risk and Controls 101

Minimize Access Risk and Prevent Fraud With SAP Access Control

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Leverage T echnology: Move Your Business Forward

Oracle Role Manager. An Oracle White Paper Updated June 2009

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

Auditing Applications. ISACA Seminar: February 10, 2012

Course Duration: 3.5 Days. CPE Hours Available: 32 CPE. Knowledge Level: Intermediate. Field of Study: Auditing. Prerequisites: None

To Cross-Validate or Not? Best Practices to Enforce Valid GL Combinations. Helene Abrams CEO eprentise

Security Trends and Client Approaches

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT

Assessing & Managing IT Risks: Using ISACA's CobiT & Risk IT Frameworks

<Insert Picture Here> Working Effectively with Oracle Support

IDS for SAP. Application Based IDS Reporting in the ERP system SAP R/3

Best Practices Report

How to Audit the Top Ten E-Business Suite Security Risks

Chapter 6: Developing a Proper Audit Trail for your EBS Environment

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

Oracle Fusion Applications Security Guide. 11g Release 5 (11.1.5) Part Number E

appmdmtm MASTER DATA MANAGEMENT

OFFICE OF AUDITS & ADVISORY SERVICES ACCOUNTS PAYABLE VENDOR MASTER FILE AUDIT FINAL REPORT

<Insert Picture Here> Looking to Reduce Operating Costs? Automate Your Expense Processing with PeopleSoft Travel and Expenses 9.1

Governance, Risk & Compliance for Public Sector

Feature. Multiagent Model for System User Access Rights Audit

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

Budgeting in Municipal Governments with Oracle Hyperion Public Sector Planning & Budgeting

Senior Oracle Developer Call us today to schedule this resource. CENDIEN CORP: (214)

Advisory Services Oracle Alliance Case Study

Leveraging advanced controls with E-Business suite implementation and upgrade projects

Integrigy Corporate Overview

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Harnessing Oracle Governance, Risk, and Compliance Applications to Improve Your PeopleSoft 9 Upgrade

State of Oregon. State of Oregon 1

Application Monitoring for SAP

R12 Surprises in User Management

End-To-End Invoice Processing Automation at Land O Lakes. Session #705. Natalie Hawley, Applications Developer

Security and Control Issues within Relational Databases

Identity & Access Management Gliding Flight. Paolo Ottolino PMP CISSP ISSAP CISA CISM OPST ITIL

RSA Identity Management & Governance (Aveksa)

IDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach

RFP# CONSULTING SERVICES FOR ORACLE E-BUSINESS SUITE R12 UPGRADE QUESTION AND ANSWER RFP Reference Question GSFA Response

The Information Systems Audit

Oracle Approvals Management (AME) Case Studies for AP, PO and HR

Leading investor communications firm serving brokerdealers, and investment banks protects sensitive data

Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager

Lessons from McKesson s Approach to Maintaining a Mature, Cost-Effective Sarbanes-Oxley Program

State of South Carolina Policy Guidance and Training

CareGiver Remote Support Information Technology FAQ

University of Missouri. Travel & Expense System FAQ

SAP GRC Superuser Privilege Management

FDQM Financial Data Quality Management Fundamentals - Tips & Tricks Gary Womack, May 8th, 2013

Easy Flow-Based Reporting Procure to Pay, Order to Cash etc.

Suite. How to Use GrandMaster Suite. Exporting with ODBC

Application Security Review

Too Critical To Fail Cyber-Attacks on ERP, CRM, SCM and HR Systems

Install and Configure Fusion Applications - DBA perspective. Masthan Babu Phani Kottapalli AST Corporation August 14, 2014

How Accenture is taking SAP NetWeaver Identity Management to the next level. Kristian Lehment, SAP AG Matthew Pecorelli, Accenture

Imaging, Workflow and OCR: The Road to AP Productivity

Software Arrangements Revenue Recognition Best Practice Business Process

T3 - Auditing Oracle Financials. November 9, 2011

IT Service Continuity Management PinkVERIFY

Business Capability Model A Starting Point for Enterprise Architecture

Application controls testing in an integrated audit

Approvals Management Engine R12 (AME) Demystified

New Security Features in Oracle E-Business Suite 12.2

Top Ten Fraud Risks in the Oracle E Business Suite

Transportation Solutions Built on Oracle Transportation Management. Enterprise Solutions

AIA Integration CRM On Demand to Quoting. NorCal OAUG Presentation January 21, 2009

Intelligent Security Design, Development and Acquisition

PCI Compliance in Oracle E-Business Suite

Dell One Identity Manager Scalability and Performance

Segregation of Duties

Automating the Audit July 2010

How To Secure A Database From A Leaky, Unsecured, And Unpatched Server

EDUCATION, LEARNING AND TEACHING. I have never let my schooling interfere with my education. Mark Twain ( ) American writer.

The Requirements Compliance Matrix columns are defined as follows:

PMS 288 Blue or CMYK = C100-M85-Y0-C43 PMS 1255 Ochre / Yellow or CMYK = C0-M35-Y85-C30. Tax Technology

Enterprise Financial Management: ERP for Small and Mid-market Companies

WHITE PAPER. Ready, Set, Go Upgrade to ERP Cloud Release 10

PeopleSoft Upgrade Post-Implementation Audit

JD Edwards EnterpriseOne Payroll for Canada Rel 9.x

The Top Ten Most Commonly Used Metrics in IT Development

Identity Management with midpoint. Radovan Semančík FOSDEM, January 2016

Automating New Market Entry Rollout

Guardium Change Auditing System (CAS)

ADC9521: Surviving Regulatory Compliance in the Virtual Infrastructure

AR326: Accounts Receivable - Funds Receipts. Instructor Led Training

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Strategic IT audit. Develop an IT Strategic IT Assurance Plan

Transcription:

Understanding ERP Architectures, Security and Risk Brandon Sprankle, Director, PwC In-Depth Seminars D31 CRISC CGEIT CISM CISA

Agenda 1.Introduction 2.Overview of ERP security architecture 3.Key ERP security models 4.Building and executing ERP security audit plan 5.ERP security audit example Oracle e- business suite R12 6.Summary 7.Questions 2

INTRODUCTION CRISC CGEIT CISM CISA 3 9/24/2013 3

OVERVIEW OF ERP SECURITY ARCHITECTURE CRISC CGEIT CISM CISA 9/24/2013 4

ERP Security Architecture Overview Each layer has separate security Some layers can pass through security to other layers ERP Database Operating System Network 5

ERP Security ERP security depends on the application for specifics, but overall each share the major traits in common: User accounts superuser, admin Roles / responsibilities functions, forms, data, reports Permissions allowable functions within or outside roles 6

ERP Security Example 7

Other ERP Security Principles Responsibilities usually cannot cross modules Multiple paths to same function Customizations typically effective security Verify how third-party modules/applications interact with ERP 8

KEY ERP SECURITY MODELS CRISC CGEIT CISM CISA 9/24/2013 9

Security Model - PeopleSoft 10

Security Model Oracle EBS User Organization Ledger 1 Ledger 2 Responsibility GL Controller AR Inquiry AP Payment Supervisor Menu Sub-Menu Forms and Functions 11

Security Model SAP User master record SAP Authorization Structure Profiles (simple vs composite) User Authorizations (with field value) Authorization objects (with fields) Profile Authorization class Authorization 12

BUILD AND EXECUTE AN ERP SECURITY AUDIT PLAN CRISC CGEIT CISM CISA 9/24/2013 13

Why Do Issues Exist with ERP Security? Many ERP implementers focus on the following: Operational Efficiency Long-term Sustainability Flexibility to Support Change Missing is Internal Control Compliance 14

Key ERP Security Documents Menu/responsibility design matrices Role and responsibility design matrices Responsibility-to-Role mapping User-to-Role mapping Documented User Acceptance Test (UAT) scenarios and scripts Documentation of procedures for maintaining roles/responsibilities Configured segregation of duties (SOD) compliant roles/responsibilities 15

Example Design Document 16

ERP ERP Security Architecture Database Operating System Closer to data represents more risk ERP and database Understand if pass through security is enabled Example: OS controls security for database Does network security directly interact with ERP? Example: Internet sales Network 17

ERP Security Audit Considerations Type of ERP is important ensure you understand how security is designed Workflow in ERPs can override or modify standard security very few tools evaluate it Consider all access assigned to user accounts, not just individual responsibilities Consider tools that automate security analysis difficult to effectively evaluate security manually 18

Building the ERP Security Audit Plan Leverage technical resources and security design documents Consider all access points and infrastructure For complex ERPs (i.e. Oracle, PeopleSoft, SAP) consider use of tools or ACL Understand all modules implemented and inscope for review 19

Executing the ERP Security Audit Plan Start with a listing of user accounts Determine what responsibilities each user account is assigned Assess the access for each individual responsibility and across responsibilities Review any additional access outside of responsibilities (permissions) 20

Executing the ERP Security Audit Plan Continued Obtain user accounts owners job descriptions to determine appropriate access Identify excessive access and/or segregation of duties points Discuss with system administrators, process owners, data owners, etc. if access is appropriate Consider other controls impact (manual controls, review controls) 21

ERP Security Audit Lessons Learned Remember analysis is point-in-time understand processes for continuous security False positives typically are not false Consider determining if excessive access was used powerful analysis Collaboration with security administrators is critical 22

ERP SECURITY AUDIT EXAMPLE ORACLE E-BUSINESS SUITE R12 CRISC CGEIT CISM CISA 9/24/2013 23

Oracle EBS R12 Security Architecture Key Concepts Users: Each application user has an unique user ID and password. Responsibilities: Link a user ID to a main menu and control how a user gains access to menus, forms, functions, subfunctions, and data. Menus: Hierarchical arrangements of application forms and sub-functions. Functions: Part of an application s functionality. Form functions are commonly known as forms Non-form functions are commonly known as sub-functions 24

Oracle EBS R12 Security Architecture Continued Key Concepts Menu/Function Exclusions: Restrict application functionality accessible to a responsibility. A function exclusion excludes all occurrences of that function from the responsibility s menu A menu exclusion excludes all occurrences of that menu s entries (i.e. all functions, and menus of functions that it selects) from the responsibility Profile Options: Affect the operation of the applications and set according to the needs of the user community. 25

Oracle EBS R12 Security Architecture Continued Key Concepts Flexfield Security Rules: Restrict the accounts users may post transactions to and run reports against. Request Security Groups: Define programs and reports (or request sets) that may be run by a responsibility. Permissions and Permission Sets: Smallest unit of securable action (maps to a menu item/function) Role Based Access Control (RBAC): Users are assigned multiple responsibilities through a single role. 26

Security Overview Oracle EBS R12 Organization Ledger 1 Ledger 2 Responsibility GL Controller AR Inquiry AP Payment Supervisor Menu Sub-Menu Forms and Functions 27

Oracle R12 Security Audit Company Background US-based company technology company with limited international transactions Approximately $1B in annual revenue 2,500 employees Oracle R12 modules installed were: System Administration, GL, Purchasing, AP, AR, Projects, Assets Third party application used for revenue recognition directly interfaces to Oracle R12 28

Oracle R12 Security Audit Obtained listing of data from Key Concepts slides and put into Access database Joined the various fields to perform analysis over user account security 82 user accounts with approximately 350 responsibilities took 350 hours to analyze Tool did analysis in approximately 10 hours Identified multiple issues 29

Oracle R12 Security Audit Issues 37 user accounts had excessive access Multiple segregation of duties issues identified False positives became reality due to backdoor access Following slides list more interesting issues 30

Issues Encountered Delegated Administration Privilege model that: Enables assigning of required access right to manage a specific subset of the organization's users and roles Enables delegation to local administrator at division or department level or even to administrators of external organization(s) Following administrative privilege categories can be delegated: User Administration Privileges Role Administration Privileges Organization Privileges 31

How Identified Delegated Administration Risk: Admin privileges may be granted inappropriately or excessively to Oracle users = risk of data security and violation of segregation of duties rules. Control: Delegated administrative access is assigned to only authorized employees based on company policy and such scope of such access is based on their job responsibilities. Testing procedures: Determine if 1. Delegated administration roles are defined according to company policy. 2. Users are assigned to delegated administration roles according to company policy and their job responsibilities. 32

Issues Encountered Proxy User Delegation Oracle EBS users can nominate another user (proxy user) to act on their behalf users no longer need to share passwords This gives all-or-nothing delegation capability Start and end dates can be defined to limit the duration of proxy access Users with Manage Proxy access can have following functions: Setting up Proxy Users Delegating Proxy User Privileges Acting as a Proxy User Running the Proxy User Report 33

How Identified Proxy User Delegation Risk: Proxy users access may be granted inappropriately or excessively to Oracle users resulting in risk of data security issue and/or violation of segregation of duties. Control: Proxy user related privileges are granted only on an exceptional basis based on proper approval and there is a procedure to monitor the proxy user activity. Such access delegation should also end-dated by the delegating user. Testing procedures: Determine if 1. The ability to delegate proxy privileges to other users is restricted and monitored following company policy. 2. The procedure is in place to review the proxy user activity by the delegating user. 34

Remediation Efforts Company accepted all findings after discussion Access issues were remediated in approximately two months Decided to implement Oracle GRC going forward to actively monitor security 35

SUMMARY CRISC CGEIT CISM CISA 9/24/2013 36

Remember These Items Technical knowledge is critical to a successful ERP audit Ensure a holistic understanding of security layers and other applications interfacing ERP Tools may be more efficient and effective consider them for larger reviews 37

Questions? Thank you for your time 38

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information