Post on 22-Aug-2020
Leverage Technology: Turn Risk into Opportunity™
Risk and Compliance | Financial Reporting | Internal Audit | Controls Catalog | Application Security | Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
Learn to streamline User Provisioning process in Oracle Applications with workflows
Monthly Educational Webinar Series
Adil Khan, Managing Director
Feb 16, 2017
www.fulcrumway.com | Copyright © FulcrumWay
Streamline User Provision in Oracle Apps
Agenda
• Introduction
• User Provisioning Overview
• Access Policy Compliance
• Oracle User Security Assignment
• Self Service User Provisioning Process
• Case Study
• Q&A
FulcrumWay™ Insight
Global Thought Leadership
• Oracle Cloud – London – Feb 1-2 GRC Round Table, London, UK
• Educational Webinar – Mar 23rd – Continuous Controls Monitoring
• Oracle Cloud – Australia – March – GRC Round Table, Sydney, Australia
• Collaborate 17 – April 2-6 Las Vegas GRC Open House
• Educational Webinar – April 20th – Internal Audit Management with Advanced Control Analytics
• Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
• Gitex – October 8-12 – GRC Round Table, Dubai UAE
• Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
• Oracle Connect Africa – October – GRC Round Table, South Africa
Proven Expertise
FulcrumWay Client Studies
Successful Track Record
• Government
• Oil and Gas
• Healthcare
• Communications
• Financial Services
• Transportation
• Natural Resources
• Manufacturing
• Retail
• High Tech
• Media/Entertainment
• Life Sciences
Current Challenges
[Diagram labels: Portal, Help Desk, Provisioning, Paper form, IT Admin]
User Provisioning Process
Process
• Hundreds of user add, change, deletes requests every day…
• Inconsistent, ad-hoc and manual processes – platform dependent…
• Disparate provisioning tools and workflows…
• Many human touch points: business managers, help desk, IT, etc…
Challenges
• No consistent policy enforcement
• No common controls or audit trail
• Very difficult to ensure compliance and assess risk
#1 area requiring remedial action
User Access – Common Source of Internal Abuse
A Top Focus for IT Audits
Gartner survey: 44% of IT audit deficiencies are IAM-related
Ernst & Young: 7 of Top 10 control deficiencies relate to user access control
PROTECTED Information
Entitlement Creep
• Accumulated privileges
• Potential toxic combinations
• Increased risk of fraud
Privileged Users
• Users with “keys to kingdom”
• Poor visibility due to shared accounts
Rogue Accounts
• Fake accounts created by criminals
• Undetected access and activity
• Data theft, fraud, and abuse
Orphan Accounts
• Poor de-provisioning
• High risk of sabotage, theft, fraud
User Provisioning Process
Role Definition – Privileges
Access Policy
Components of access policy
Source: Fusion Applications - Role Based Security, Kiran Mundy, Nigel King, Oracle Fusion
Access Policy
Complicated Security Model
High Risk of Access Control Deficiencies
[Diagram labels: User, Responsibility, Menu, Function, Form]
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
Access Policy
Compliance Checklist
Inability to translate corporate governance into actionable IT policy
– Segregation of Duties
– Data Privacy policy
Access Controls Testing
– Email or spreadsheet-based
– Human error, inconsistencies
– Data is hard to obtain, missing
No ability to manage identity through a business lens
– Lack of transparency
– IT / Identity data not understood by the business
Management Control Assessment
– Is ERP system access protected?
– Do we conform to access policy?
– Are we responding to risk incidents?
Access Policy
Oracle EBS Access Provisioning
User Security Assignment
• Oracle EBS User
• Password Policy
• User is assigned to the HR Record
• Active/Inactive User
• One or more responsibilities assigned to a User
• A Responsibility has many Menus and Sub-Menus
• Menu has many functions/forms
User: John Doe
Responsibility: Payables Manager, US
Menu: AP_Navigate_GUI12
Submenu: AP_Invoices_Entry
Function: Invoice Batches
User: Mike Jones
Payables Users
Responsibility: Payables Supervisor
Responsibility: Payables User
Menu: UK_AP_Navigate_GUI12
SubMenu: AP_Invoices_Entry
SubMenu: AP_Invoices_GUI12_G
Menu: AX_Payables_User
Responsibility: Payables Supervisor
Responsibility: Payables Manager, US
Responsibility: Payables User
Access Policy Violations are costly to remediate after provisioning
What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?
Root Cause Analysis is required for remediation!
User Security Assignment
Self Service User Provisioning in Oracle
Agenda
• Introduction
• Identity Governance Overview
• Access Policy Compliance
• Oracle User Security Assignment
• Self Service User Provisioning Process
• Case Study
• Q&A
Risk Based Approach to Access Management
User Provisioning Process
[Diagram labels: Provisioning Life-cycle, Self Service Actions, Policy Evaluation, Tracking & Reporting, Regulatory Reporting; Business, Security, Help Desk, Users; Risk Model?]
• Provisioning & Directory ✗
• Access Analytics
• Roles Management
• Violation Monitoring
• Workflow for user provisioning process
Self Service Access Management
User Provisioning Process
• Move from fragmented approaches to centralized visibility and control
• Automate identity controls and business processes
• A business-friendly layer linking business users and processes to underlying technology and technical users
• Actively measures and monitors risk associated with users and resources
A Leading Global Auto Manufacturer Improves User Access Management across multiple ERP instances
Our Client
• A leading global supplier of drivetrain, mobility, braking and aftermarket solutions for commercial vehicle and industrial market
• With more than a 100-year legacy of providing innovative products to customers around the world
Challenges
• Replace multiple legacy systems with one ERP solution
• Improved Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor’s reliance on ERP Access Controls Monitoring
Solutions
• Roles Manager / Advanced Self Service
Results:
• Reduce User provisioning time by identifying and eliminating 80% manual steps resulting in over $50,000 annual cost savings in Audit and Remediation Costs
• Created access policies to ensure compliance during user provisioning process.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
• Improve SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users.
Case Study
User Provisioning Challenges
• Do the ERP Roles meet requirements for all users?
• Does User provisioning prevent security policy violations?
• How do you monitor “super-user” activities?
• Do you obtain user access verification from managers, periodically?
• How do you detect Segregation of Duty policy violations?
• Is access to sensitive data and functions protected?
• Do you maintain audit trail on ERP configuration controls?
• Can you prevent unauthorized Master Data changes?
• How do you ensure that terminated employees can’t access ERP?
Case Study
A Risk Based Approach to User Provisioning
[Workflow diagram. Steps: User Registration, Request Roles, Add/Update User, Monitor Application Access, Test Access Policy, Add/Update Role, Process Approval Request. Data sources: Employee/Manager List, Network User List (AD), Application Access Rules. Actors: Active Employee Users, Requesters / Approvers, IS Security, IS Security / Audit / Compliance, Application Administrator. Components: iAccess Rules Manager Workflow, iAccess Rules Manager, DataProbe ETL, Dashboard.]
Discover User Activities and Improve Productivity
Enhance security, improve helpdesk productivity, reduce support costs
• Analyze User Access Rights
• Design and Manage User Roles
• Configure Application Security
• Control Data Access
• Deploy Role Configuration
• Provision Roles to Users
• Grant Emergency Access (Fire Fighter ID)
• Certify User-Role Assignment
Case Study
SafePaaS Capabilities
SOD Rules
Can be developed or deployed from FulcrumWay’s Controls Catalogue
User Registration
User Provisioning
User Application Role Request
User Provisioning
Analyze ERP Risks with Analytics
Use Adhoc Reporting to establish scope, analyze issues, remove false positives and exceptions
Risk Analytics
SafePaaS Capabilities
Roles Redesign
Q & A
Sign-up for FREE 14 Days Evaluation
Register online to try out SafePaaS