Symantec, Facebook and Navillus - a comprehensive approach to securing & monitoring user access with...

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

2


Do you really know what your users can do, or maybe have done?Session ID: CON8200

Mark Stebelton, CPA, CFE (Oracle) – Director of GRC Product ManagementDaryl Geryol (Navillus) - PartnerDavid Claytor (Facebook) – IT Global ApplicationsJaime Ramos (Symantec) – IT Global Applications

@OracleAdvCntrlsFollow us on Twitter


MANAGE RISK | REDUCE COSTS | IMPROVE CONTROLS


0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

Strategic Priorities Survey________________

Finance Executives SURVEYED

263

Reaching New Heights: The Dividends of Collaboration between

Finance and Procurement is published by CFO Publishing LLC, May 2012

Survey question: Where does the procurement function need to get stronger?

SUMMARY:________________________________

Better Controls & Efficiencies Needed

#1#2

#3

#4

#5

Audit/Control of Procurement

Risk Analysis

CashFlow

PayableExposure

Compliance

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | 6

BOTTOM LINE: Document/Email Approaches Challenge GRC

53%

Spreadsheets, Documents & Email

17%

Solutions Built In-house by IT

24%

Commercial GRC Solution

6%

2+ CommercialGRC Solutions

The lack in modern

technology makes achieving

goals challenging

OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC

The impact on FTE’s is particularly significant

One financial services organization stated that 80% of their GRC staff

resources were nothing more than document reconciles for

reporting. […] A mess they are aggressively trying to correct.

of GRC professionals reported that they use Spreadsheets, Emails, Custom reports apps.

70%

http://www.OCEG.org


Oracle GRC Product Strategy

PLATFORM

ENTERPRISE

GRC

COMPLETE

One, UnifiedPlatform

The #1 PlatformWith intelligence, advanced controls

& management capabilities


Comprehensive Risk & Controls Mgmt.

Detect and Fix Issues

Continuous Improvement and Monitoring

Assess Risk & Compliance

Close the

LOOP

Identification

Analysis

Evaluate

1. BUSINESS RISKS

Document

Assessments

Reviews

2. CONTROL OBJECTIVES

Author

Execute

Investigate

3. CONTINUOUS MONITORS


Meeting Mission Critical Goals

1OneUnified Platform

2Big Data Techniques for Advanced Analytics

MASTER DATA

3

Embedded ControlsExtensive API Library

FINISHED


Enterprise Graph

__________________

ALL USERS

_____________

ALL SYSTEMS

__________________

ALL TRANSACTIONS

INTUITIVE | FLEXIBLE | COMPLETE

SECURITY

SETUP

MASTERDATA

TRANSACTIONS

_______________________________________

__________________________________BILLIONS OF NODES & RELATIONSHIPS


Big Data Analytics

USERS

SYSTEMSTXN

TXN

ROLES

SET UP

ROLES

USERS

SETUP

MASTER DATA


Standard Controls

User Roles

3-Way Match

Approval Hierarchies

StandardControls

Social Media Policy

E-learningEthics Policy


Standard + Advanced Controls

Sentiment Analysis

Split Purchase

OrdersHide

Displays of Sensitive

DataDuplicate Payments

Transaction Threshold Amounts

Duplicate Vendors

Fine-grained User Access

ConfigurationSnapshots &

Audit Trial

Transaction Pattern Analysis

Fuzzy Logic, ‘similar values’

User Roles

3-Way Match

Approval Hierarchies

Advanced Controls

StandardControls

Social Media Policy

E-learning Ethics Policy


Government/Education

Technology/Services

Retail

Energy

Communication Industrial

Logistics

Healthcare Services

Mining/Exploration

Customer By Industry

http://www.tjx.com/default.asp

http://www.tjx.com/default.asp

http://images.google.com/imgres?imgurl=http://pnt.gov/membership/dot-large.jpg&imgrefurl=http://pnt.gov/membership/dot.shtml&usg=__ZYOuYeBtj3L1fm9LTPL7THeyIig=&h=335&w=337&sz=27&hl=en&start=1&um=1&tbnid=k4fEQ3d3NRcUpM:&tbnh=118&tbnw=119&prev=/images?q=department+of+transportation&um=1&hl=en&sa=N

http://images.google.com/imgres?imgurl=http://pnt.gov/membership/dot-large.jpg&imgrefurl=http://pnt.gov/membership/dot.shtml&usg=__ZYOuYeBtj3L1fm9LTPL7THeyIig=&h=335&w=337&sz=27&hl=en&start=1&um=1&tbnid=k4fEQ3d3NRcUpM:&tbnh=118&tbnw=119&prev=/images?q=department+of+transportation&um=1&hl=en&sa=N

http://www.csx.com/

http://www.csx.com/

http://www.fedex.com/gb/

http://www.fedex.com/gb/


Advanced Controls Partner SpecialistsOracle recommends using partners and consultants who are Advanced Controls specialists:

Specialized Partner

Implementation Specialist

Pre-Sales Specialist

Sales Specialist

• Can plan, design, deliver, support successful solutions

• Has all specialists shown below

• Demonstrated track record of success

• Can design detailed solutions

• Passed rigorous Oracle examination

• Can describe introductory solutions

• Completed ten hours of study and self-assessment

• Can identify need for Advanced Controls

• Completed ten hours of study and self-assessment

Oracle Confidential – Internal/Restricted/Highly Restricted 16


Specialized PartnersIncrease your Return On Investment

• Get more from Advanced ControlsSpecialists address more of your needs with Advanced Controls’ many capabilities

• Increase your organization’s effectiveness Specialists help you embed Advanced Controls in your business processes

• Accelerate your implementationSpecialists guide and support you during planning, implementation and go-live

Oracle Confidential – Internal/Restricted/Highly Restricted 17

DO YOU REALLY KNOW WHAT YOUR USERS

CAN DO, OR MAYBE HAVE DONE?Daryl Geryol – Partner

www.navillusllc.com@NavillusLLC @DarylGeryol

http://www.navillusllc.com/

https://twitter.com/NavillusLLC

https://twitter.com/DarylGeryol

19

About Navillus Partners

International professional services and solutions firm headquartered in Boston, Massachusetts

Established in 2009, Navillus has experienced on average 40% growth year over year in Oracle

Advanced Controls professional services

Oracle Gold Level Partner specializing in Oracle Advanced Controls & E-Business Suite / PeopleSoft

professional implementation and advisory services

Recognized as the #1 Oracle Commercial and Federal Advanced Controls Partner

The first in the industry to hold Oracle Advanced Controls Specialization accreditation

Is an Oracle authorized training partner

Navillus is a privately held company that has been profitable consistently both from a cash and accrual

basis since the 4th month of operations with zero external debt outstanding.

Our team’s collective experience includes:

168 years working in the information technology industry

177 years implementing the Oracle e-Business Suite ERP package

76 years implementing the Oracle GRC applications

More than 512 GRC implementations to the team’s credit to date

20

Navillus Partners is A World Leader

More than 500 combined Oracle Advanced controls implementations

34+ skilled and experienced Advanced Controls professionals averaging more

than 10 years of experience worldwide

Functional & technical experience across nearly all Oracle e-business applications

(HRMS, Financials, Supply Chain Management, CRM, other)

Multiple consultants with Oracle accredited specializations

Experience

Global

Delivery

Centers

of Excellence

Right-shore Delivery capabilities for Oracle Advanced Controls including

utilization of our experienced Chennai, India team, well beyond installation &

technical responsibilities

Navillus provides training to customers and other implementation partners

worldwide

International experience in more than 10 countries

Navillus’ Center of Excellence (CoE) is a solution center that works closely with

Oracle OAC Product & Product Strategy and promotes and trains the extended

team on new product features and techniques

Provides new and innovative delivery techniques from in-field feedback and

experience to continuously enhance our NAViGATE Methodology

Works with Oracle’s product group on new features and enhancements

21

Risk- Everything is related

Access and Security -- How do user’s gain access (Entrance, Accessible Areas, Exit) the ERP system?

Provisioning and Deprovisioning

Privileged Access

Segregation of Duties

Emergency Access

Operational– How do they do it?

Usability

Security

Optimization

Automation

Configuration -- What did they change?

Pre and Post Patching

Change Control and Validation

Critical Configurations

Consistency

Transactional – Is what happened within Policy?

Within tolerance

Fraudulent

Correctness

Access & Security

Operational

Configuration

Transactional

22

Advanced Controls

It’s a Journey- Controls will evolve

Controls are related and typically work together with a focus on Increasing Value while

Reducing Risk

Controls may validate one another – such as a Transactional control reporting that

Operational controls limiting certain transactions by amount are indeed effective

Controls should have a balance and work together to help ensure a secure, sound,

effective and efficient system

E-Business SuiteAccess Controls

E-Business SuitePreventive Controls

E-Business SuiteTransaction Controls

23

Advanced Controls Approaches

24

Navillus presents……Customers on the Journey

Dave Claytor, IT Global Apps

Jaime Ramos, IT Global Apps - DaVinci GRC Team

Do you really know what your users can do, or maybe have done?

David Claytor, facebook IT Global Apps Atul Gupte, Navillus Partners- Advanced Controls Architect

1 ITGC Approach, Teaming with Navillus Partners

2 Self Service Application and DB User Requests, Preventative SOD

3 Quarterly User Audit Automation (Managers & BPO’s)

4 Utilizing CCG to shift CSA’s from Business to IT

5 Summary

Background

Getting Serious about ITGC’s

▪ With company mottos like ‘Move Fast and Break Things’, we knew we

had to get serious about intelligent audit automation and detection

▪ After managing ITGC CSA’s for a quarter, became obvious we needed

to automate user provisioning, quarterly audit and SOD processes

▪ Determined we needed help building an integrated solution. Met with

various vendors based on Oracle’s recommendations, went with

Navillus Partners

▪ Went down a path of creating easy to use workflows for our end users

▪ Then began to shift CSA’s from business to IT owned controls, via

CCG. This also required out of the box thinking, to pinpoint the

alerting.

Self Service Access Management via OAF

▪ Custom OAF pages for:

▪ Users to request access, and on behalf of any user

▪ Users to revoke their access

▪ Managers to revoke their team’s access

▪ Systematic quarterly application access review, for managers and business process owners

▪ Integration with GRC AACG, to enforce preventative SOD

▪ Lookup table determines:

▪ If the access request is passed through GRC for SOD Audit

▪ If the access is reviewed quarterly by Manager and / or BPO’s

▪ If the max grant duration is enforced (all setup and admin related access is granted for 7 days or less)

Utilizing OAF for Self Service Access Requests

Automating Quarterly ITGC User Audits

Transitioning CSA’s to IT System Controls

▪ CFO pushed to automate & transition business owned CSA’s to IT system

controls. We will have moved 50 CSA’s by the end of 2014, in 2 primary ways:

▪ Introduced second variant of systematic quarterly user audit, where BPO’s (also the access approvers) review and revoke access as needed, for key functions like Journal Entry, Receiving & AP Payments

▪ Monitoring key application setups via CCG, and pairing up change alerts with valid change tasks

Summary

▪ Once we built the user access pages in OAF, realized detective SOD was

insufficient. Out of the box, GRC (AACG) only works with the java form based

access request. This is where the Navillus Partners technical consultants were

key, given their deep understanding of the product, as many of them came

from LogicalApps. They also helped us systematically tackle managing GRC

development instance refreshes, which presented it’s own challenges.

▪ As we implemented CCG to shift CSA’s from business to IT owned, realized it

only monitored core forms and even then we could not drill into specific areas

of those forms for pin pointed monitoring. Again, the Navillus Partners team

was a key partner in determining how to add content without introducing too

much risk or upgrade headaches using their Navillus CCG content.

33

Do you really know what your users can do, or maybe have done?

Jaime Ramos, Symantec IT Global Apps - DaVinci GRC team

Project da Vinci – Symantec

Richard Goddard, Navillus Partners - Director of Delivery

Agenda

• History of GRC at Symantec

• The DaVinci Initiative

• Challenges

• Approach

• Managing SOD conflicts in an RBAC system

• Go-Live Activities

• Critical Success Factors, Lessons Learned.

34Project da Vinci – Symantec

History of GRC at Symantec

• In 2008 Symantec implemented the LogicalApps products, Form rules (PCG precursor) and AppsAccess for Segregation of Duties

• Symantec’s custom Self service responsibility provisioning system was integrated with the SOD system to prevent Users from requesting combinations of responsibilities deemed inappropriate.

• In 2013 Symantec decided to use the GRC suite of Applications as part of its DaVinciinitiative to implement R12.1 EBS.


The DaVinci Initiative

• EBS R12.1 for 30,000 worldwide Users

• Customer Data Hub (CDH) and Product Data Hub PDH in their own instances

• Five separate System environments - DEV, QA, Training, UAT and Production instances (5 GRC systems managing 5 x 3 EBS/CDH/PDH systems)

• Full Oracle Advanced Controls GRC suite implementation (PCG, ACG, TCG, CCG, eGRCM and GRC Intelligence)

• ACG 140+ SOD and Sensitive Access policies including Module configuration versus Module Transactions for each EBS of the 33 application

• CCG was implemented for continuous monitoring of changes for 12 key controls in the EBS Financial applications

• PCG / TCG were used to automate control testing for items such as identification of Journals > $5m, Workflow Approval of Recurring Journals, Enforce comments and attachments for Manual Journals per Symantec policy , Mask Project Rates derived from actual Salary information.


Challenges

• Scalability - SOD rules tracking for more than 30,000 Users and 3000+ function combinations including custom and localization functions

• RBAC role based security, more than 400 unique roles

• Cross Platform SOD for Users with accounts in the EBS, Product Data Hub and Customer Data Hub systems. Each GRC system had 3 data sources using email address as the identifier of the same

• AACG reports don’t contain RBAC role information, only responsibility names – How can we determine SOD conflicts within a role?


Approach

• SOD rules definition and analysis was prioritized to ensure Security design was as effective as possible before go-live. AACG rules were defined to implement SOD policies and track which roles/responsibilities had access to critical system functions –Add User, Modify responsibility, Close GL Period etc.

• PCG and TCG were used to solve specific requirements for identifying unusual activity.

• CCG configuration monitoring was deployed in a limited way to support SOX key controls where module configurations have significant impact to Oracle Financials

• eGRCM implementation was deferred to allow Internal Audit to define EBS R12 specific Processes, Risks and Controls- eGRCM is now currently in process

• OIM – ACG integration to enforce SOD policies when User’s request system access was deferred to after go – live.


Managing SOD for each Role

• We created 400 test users and assigned them each 1 role using UMX

• We completed Access analysis using only our “Test User Accounts” by setting global conditions

• We used the Access Incident detail report to identify Conflicts within a single responsibility and within a single role (Intra and Inter Responsibility Conflicts)

• We consolidated a list of ‘unique’ role violations for a management decision

• We held a series of meetings for Business Process Owners and module SMEs to make decisions where roles violate SOD policy. After the changes were made the Access was re-analyzed and the residual problems analyzed and presented


Go-Live Activities

• User Accounts were loaded via OIM into a pre-production environment for SOD pre-check before cutover, Internal Audit reviewed and accepted go-live SOD violations.

• The go–live cutover support teams were provided access with future end dated access for the initial Hyper-Care support period.

• On going SOD reviews are conducted in AACG

• CCG controls are used to identify all changes to Security definitions - roles, responsibilities, menus, functions Etc.

40Project da Vinci – Confidential … GRC Overview for Phase 2

Critical Success Factors / Lessons Learned

• Without the Advanced Controls applications it would not have been possible to design SOD compliant roles and responsibilities within the project timeline.

• Involve Internal Audit, External Audit and Module SME’s in SOD policy design

• Review SOD results and eliminate noise, identify and present unique access decisions for decision makers

• Start early! Security design often happens late in the project timeline and final UAT may be the first attempt to test Security roles and responsibilities. It is an iterative process!

• EBS Security, Module SMEs and GRC teams need to work closely together.

• Last minute Security change requests must be evaluated for SOD impact before they are accepted and implemented.



Oracle GRC – Enterprise Risk and Controls Foundation

A Unified Platform

Enterprise Risk & Controls Foundation

Dashboards, Reports and AlertsNotificationsWorklists Email PerspectivesSearch

Risk, Controls & Compliance ManagementReviewsDocumentation Assessments RemediationSurveys

Continuous Controls & Risk MonitoringSetupsAccess Master Data Audit TestsTransactions

User Authored ControlsData Connectors Fraud & Error Patterns

Ro

le B

ase

d A

cce

ss S

ecu

rity

We

b S

erv

ice

s &

AP

Is Flexible

• Graphical Authoring• Detect and Prevent• Access, Transactions, Setups

Data Driven

• 100% of Transactions• Manage by Exception• Pattern Analysis

Comprehensive

• Multiple GRC Projects• From Documentation to Test• Closed Loop Approach


Roadmap: Investment Areas

Enterprise Risk & Controls Foundation

Dashboards, Reports and AlertsNotificationsWorklists Email PerspectivesSearch

Risk, Controls & Compliance ManagementReviewsDocumentation Assessments RemediationSurveys

Continuous Controls & Risk MonitoringSetupsAccess Master Data Audit TestsTransactions

User Authored ControlsData Connectors Fraud & Error Patterns

Ro

le B

ase

d A

cce

ss S

ecu

rity

We

b S

erv

ice

s &

AP

Is

Pre-Built Controls

Pre-Built Business Objects

Investment Areas

Pre-Built Integrations

Platform Features

Extensibility


Oracle GRC Advanced Controls - Sessions

IDWestin

3rd & MarketSpeakers

Achieve a Quicker and Compliant Financial Close with Oracle Governance, Risk, Compliance

8208Thu, 10:15

Olympictext text text

Controlling for Multiple ERP Systems with Oracle Advanced Controls

8154Thu, 12:45

Olympictext text

How Your Vendor Master File is Critical to Governance, Risk Management and Compliance

8213Thu, 2:45Olympic

----

44


Oracle GRC Advanced Controls - MTE and Demo Grounds

IDDay, TimeLocation

Host

Meet the Governance, Risk, and Compliance Experts

MTE8487

Wed, 5:00Westin at 3rd & Market St

Metropolitan III

Demo Station: Oracle Fusion Governance, Risk, and Compliance Advanced Controls

4250

Mon 9:45 – 6:00Tue 9:45 – 6:00Wed 9:30 – 3:45

Moscone West Station WCL-003

45


DEMOgrounds: Moscone West Station ID WCL-003

46


@OracleAdvCntrls

Oracle GRC Advanced Controls

Join Our Linkedin Group

Follow us on Twitter

Symantec, Facebook and Navillus - a comprehensive approach to securing & monitoring user access with...

Business

Transcript of Symantec, Facebook and Navillus - a comprehensive approach to securing & monitoring user access with...