Leverage Technology: Move Your Business Forward™
Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc. Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Learn to Identify and Eliminate False Positives from your Segregation of Duty Audit Report
Monthly Educational Webinar Series
Adil Khan, Managing Director
May 28th, 2015
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Eliminate False Positives from your Segregation of Duty Audit Report
Agenda
Introductions
Inherent False Positives in Oracle EBS
Checklist of Global False Positives
Systematic Approach for Identifying False Positives
SOD Analytics for Remediation Analysis
Case Study
Q&A
A Leader in Risk Based Controls Management™
FulcrumWay is the #1 end-to-end provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to middle-market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco
International Presence: Auckland, Chennai, Dubai, Johannesburg, London, Mexico City
FulcrumWay
FulcrumWay Clients: Successful Track Record
Industries served: Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences
FulcrumWay™ Insight: Thought Leadership
Co-Authored GRC Book: First book on GRC for Oracle Applications
SROAUG GRC Solution Lab - February 27th - Los Angeles: GRC Case Studies and Best Practices
Innovate 15 - March 19th - Iselin, NJ: GRC Case Studies and Best Practices
Collaborate 15 - GRC Client Appreciation Dinner, April 13th, 2015, Las Vegas
IIA/ISACA GRC Conference - August 17th-19th, 2015 - Presentations: GRC Case Studies and Best Practices
Educational Webcasts - Every 3rd Thursday of the Month - GRC Best Practices, Trends and Expert Insight
Oracle Open World - Annual GRC Dinner on October 26th, 2015 - San Francisco, CA
LinkedIn - FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts - FulcrumWay Instant Insight in 10 min or less
Proven Expertise
Is your Segregation of Duties Audit Accurate? Inherent False+
Oracle EBS security model: User -> Responsibility -> Menu -> Function -> Form. It is a complicated security model that contains many overriding security attributes.
Evaluate User Access • Test by User • Test by Privilege
Manage Segregation of Duties • Identify incompatible Privileges • Predefined & Extensible SOD Rule Sets
Inherent False+
What Are False Positives? Users and Responsibilities
Inactive Users
Expired Users
Terminated Employees still active in EBS
End-Dated Users
End-Dated Responsibility Assignments
Menus without Prompts
Inherent False+
Without the Grant flag, the user cannot access the sub-menu or function.
A menu entry without a prompt is not shown in the navigator, so the user cannot see or navigate to it.
A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility, which are granted.
What Are False Positives ? Oracle Menus Inherent False+
If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.
Inherent False+ What Are False Positives ? Oracle Functions
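The slides above list the inherent false positives: end-dated users, end-dated responsibility assignments, menu entries without a Grant flag or a prompt, and functions opened with QUERY_ONLY=YES. The following Python is an added example, not code from the deck or from Oracle. It models those records in memory, resolves which forms each user can actually reach through the responsibility -> menu -> function chain, and compares the raw SOD conflict count with the count after the inherent filters are applied. The record shapes, all user, responsibility, menu and form names, and the date rule (an end date on or before the evaluation date means inactive) are assumptions made for the demonstration.

```python
"""Resolve effective Oracle EBS form access and drop the inherent false positives.
Added example, not the deck's or Oracle's code: an in-memory stand-in for the FND user,
responsibility, menu and function records. Every sample value below is constructed."""
from collections import namedtuple
from datetime import date

# Simplified records (assumed shapes, not the FND table definitions).
User = namedtuple("User", "name end_date", defaults=[None])            # end_date: end-dated / terminated user
Assignment = namedtuple("Assignment", "user responsibility start_date end_date", defaults=[None])
Responsibility = namedtuple("Responsibility", "name menu end_date", defaults=[None])  # menu: root navigator menu
MenuEntry = namedtuple("MenuEntry", "menu grant_flag prompt sub_menu function",
                       defaults=[True, None, None, None])               # prompt None: not displayed in the navigator
Function = namedtuple("Function", "name form parameters", defaults=[""])  # parameters e.g. "QUERY_ONLY=YES"


def active(end_date, as_of):
    # Assumption: an end date on or before the evaluation date means inactive.
    return end_date is None or end_date > as_of


def reachable_forms(menu, entries, functions, filters, seen=None):
    """form -> "update" | "query" for forms reachable from `menu`. With filters on,
    entries without the Grant flag (no access) or without a prompt (not shown in
    the navigator) are skipped, and QUERY_ONLY=YES functions count as query-only."""
    seen = set() if seen is None else seen
    if menu in seen:                                    # guard against menu cycles
        return {}
    seen.add(menu)
    forms = {}
    for e in entries:
        if e.menu != menu or (filters and (not e.grant_flag or not e.prompt)):
            continue
        found = {}
        if e.function:
            f = functions[e.function]
            query_only = "QUERY_ONLY=YES" in f.parameters.replace(" ", "").upper()
            found[f.form] = "query" if filters and query_only else "update"
        if e.sub_menu:
            found.update(reachable_forms(e.sub_menu, entries, functions, filters, seen))
        for form, mode in found.items():
            if forms.get(form) != "update":             # update access via any path wins
                forms[form] = mode
    return forms


def effective_access(users, assignments, resps, entries, functions, as_of, filters=True):
    """user -> {form: mode}. With filters on, end-dated users, end-dated responsibility
    assignments and end-dated responsibilities contribute no access at all."""
    access = {}
    for a in assignments:
        user, resp = users[a.user], resps[a.responsibility]
        if filters and not (active(user.end_date, as_of) and a.start_date <= as_of
                            and active(a.end_date, as_of) and active(resp.end_date, as_of)):
            continue
        forms = access.setdefault(a.user, {})
        for form, mode in reachable_forms(resp.menu, entries, functions, filters).items():
            if forms.get(form) != "update":
                forms[form] = mode
    return access


def sod_conflicts(access, rules):
    """A rule fires only when both incompatible forms are reachable with update access."""
    return sorted((user, rule) for user, forms in access.items()
                  for rule, (f1, f2) in rules.items()
                  if forms.get(f1) == "update" and forms.get(f2) == "update")


# --- constructed sample data: six users, one SOD rule, evaluated on the webinar date ---
AS_OF, START = date(2015, 5, 28), date(2014, 1, 1)
USERS = {u.name: u for u in [User("alice"), User("bob", date(2015, 1, 15)), User("carol"),
                              User("dave"), User("erin"), User("frank")]}
RESPS = {r.name: r for r in [Responsibility("AP_CLERK", "AP_MENU"), Responsibility("AP_PAY", "PAY_MENU"),
                              Responsibility("AP_INQUIRY", "INQ_MENU"), Responsibility("AP_SUPER", "SUPER_MENU"),
                              Responsibility("AP_BOTH", "BOTH_MENU")]}
FUNCS = {f.name: f for f in [Function("AP_INVOICE_ENTRY", "INVOICE_WORKBENCH"),
                              Function("AP_PAYMENT", "PAYMENT_WORKBENCH"),
                              Function("AP_INVOICE_VIEW", "INVOICE_WORKBENCH", "QUERY_ONLY=YES")]}
ENTRIES = [MenuEntry("AP_MENU", prompt="Invoices", function="AP_INVOICE_ENTRY"),
           MenuEntry("PAY_MENU", prompt="Payments", function="AP_PAYMENT"),
           MenuEntry("INQ_MENU", prompt="Invoice Inquiry", function="AP_INVOICE_VIEW"),
           MenuEntry("SUPER_MENU", sub_menu="AP_MENU"),                          # no prompt: hidden sub-menu
           MenuEntry("SUPER_MENU", prompt="Payments", sub_menu="PAY_MENU"),
           MenuEntry("BOTH_MENU", grant_flag=False, prompt="Invoices", function="AP_INVOICE_ENTRY"),
           MenuEntry("BOTH_MENU", prompt="Payments", function="AP_PAYMENT")]
ASSIGN = [Assignment("alice", "AP_CLERK", START), Assignment("alice", "AP_PAY", START),      # real conflict
          Assignment("bob", "AP_CLERK", START), Assignment("bob", "AP_PAY", START),          # terminated user
          Assignment("carol", "AP_CLERK", START), Assignment("carol", "AP_PAY", START, date(2015, 3, 1)),
          Assignment("dave", "AP_INQUIRY", START), Assignment("dave", "AP_PAY", START),      # query-only invoices
          Assignment("erin", "AP_SUPER", START), Assignment("frank", "AP_BOTH", START)]
RULES = {"Enter invoices vs Pay invoices": ("INVOICE_WORKBENCH", "PAYMENT_WORKBENCH")}


def run(filters):
    return sod_conflicts(effective_access(USERS, ASSIGN, RESPS, ENTRIES, FUNCS, AS_OF, filters), RULES)


if __name__ == "__main__":
    raw, clean = run(False), run(True)
    print(f"raw conflicts: {len(raw)}; after inherent false-positive filters: {len(clean)}")
    for item in sorted(set(raw) - set(clean)):
        print("false positive:", item)
```

Run as a script, the constructed data yields six raw conflicts and one after filtering; the five dropped rows are exactly the cases the slides name (terminated user, end-dated assignment, query-only function, hidden sub-menu, missing Grant flag). Rules are expressed at the form level so that a QUERY_ONLY copy of a function can be recognised as the same form with weaker access; whether a given form or function should count as read-only in a real instance still has to be confirmed against the function definition and any personalization.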
The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing builtins, displaying messages, and adding menu entries.
Inherent False+ What Are False Positives ? Oracle Form Personalization
A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.
Inherent False+ What Are False Positives ? Oracle Profile Options
Application Access Controls Governor False+ Checklist
Filter False+:
Form Extensions
Table Audit
Conditional Function Access
Data Access
Function Access
Read-Only Access
Function Limits
Filter False+:
Menu Access
Menu / Sub-Menu / Grants / Prompts
Data / Function Access
Disabled Oracle Responsibility Access
Enabled Oracle Responsibility Access
Read-Only RBAC Access
RBAC (Role Based Access Control)
Filter False+:
Function Limits
Ledger Data Access
Custom Forms/Pages
Ledger Set Access
Multi-Org Access
IT Support Access
Menu Grant Flag
Application Access Controls Governor False+ Checklist (continued)
Filter False+:
User Access to Sub-Menu
Inactive Users
Privileged User (Interface, etc.)
User Responsibility Access Inactive
User Responsibility Access Active
User Access Enabled
Form Customization
Filter False+:
Data Access Group (Shared Services)
GL Access Limit
Operating Unit Access
Oracle Security Profile
Risk Based Access Management (diagram)
Scope: Application Controls; Sample ERP Data
Cycle: Identify Risk, Assess Risk, Establish Test Environment, Design Controls, Implement Controls, Detect/Analyze Findings, Manage Exceptions, Implement Corrective Actions, Monitor Controls
Roles: Risk Advisors, ERP Managers, Control Owners, Advanced Controls Experts
Diagram labels: Inherent False Positives; Residual False Positives
Approach
Application Access Controls Governor
Use Global Conditions to filter "inherent" False Positives such as:
Inactive Users; Inactive Responsibilities; Read-only Access
Approach
Application Access Controls Governor
Filter Conditions can be set up to exclude SOD violations from results
Approach
Application Access Controls Governor
Local "Path" Conditions can be used to manage special cases such as privileged/IT users
Approach
Diagram: System Filters and False+ Filters (Data Security, Read-Only, Custom) applied across User, Role, OU, Form and Profile
Filters          Type    Conditions      Results Excluded
Inactive User    Global  End-Date        Users
Inactive Role    Global  End-Date        Roles
Business Unit    Global  Org Name        Organization
View Only        Local   Function Path   Functions
Data Security    Local   Data Group      Groups
Personalization  Local   Form/Page       Forms
Approach
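The filter table above distinguishes global conditions, which are tested against every rule's results, from local path conditions attached to particular rules. The following Python is an added example, not Application Access Controls Governor's code: it applies that table's six filters to a constructed set of raw violation rows and keeps a per-filter exclusion log so the remediation report can state why each row was removed. The rule names, function paths, organization and data-group names, and the `Violation` record shape are all made up for the demonstration.

```python
"""Global and local ("path") filter conditions over SOD violation results.
Added example modelled on the filter table in the deck; not AACG's own code.
The violation rows and condition values are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Violation:
    user: str
    role: str
    rule: str
    org: str                      # operating unit / business unit the access applies to
    function_path: str            # responsibility/menu/function path that triggered the rule
    data_group: str = ""
    form: str = ""
    user_end_dated: bool = False
    role_end_dated: bool = False


@dataclass
class Filter:
    name: str
    scope: str                    # "global": every rule; "local": only the rules listed
    condition: Callable[[Violation], bool]
    rules: Tuple[str, ...] = ()   # local filters name the rules they apply to


def apply_filters(violations: List[Violation], filters: List[Filter]):
    """Return (remaining, excluded). Global filters are tested against every violation,
    local filters only against violations of the rules they name. The first filter that
    matches claims the row, so the exclusion log records exactly one reason per row."""
    remaining, excluded = [], {f.name: [] for f in filters}
    for v in violations:
        for f in filters:
            if f.scope == "local" and v.rule not in f.rules:
                continue
            if f.condition(v):
                excluded[f.name].append(v)
                break
        else:
            remaining.append(v)
    return remaining, excluded


def exclusion_summary(excluded: Dict[str, List[Violation]]) -> Dict[str, int]:
    """Count per filter: the figure a remediation report quotes as false positives removed."""
    return {name: len(rows) for name, rows in excluded.items()}


# --- constructed configuration: conditions mirror the deck's filter table ---
AP_RULE = "Enter invoices vs Pay invoices"
INV_RULE = "Adjust inventory vs Count inventory"
PILOT_ORGS = {"PILOT_OU"}                                   # business unit not yet live
READ_ONLY_PATHS = {"AP_INQUIRY/INQ_MENU/AP_INVOICE_VIEW", "INV_INQ/INV_MENU/INV_ONHAND_VIEW"}
READ_ONLY_DATA_GROUPS = {"INV_READONLY_GROUP"}
PERSONALIZED_READ_ONLY_FORMS = {"INVOICE_WORKBENCH"}        # personalization makes the form view-only
FILTERS = [
    Filter("Inactive User", "global", lambda v: v.user_end_dated),
    Filter("Inactive Role", "global", lambda v: v.role_end_dated),
    Filter("Business Unit", "global", lambda v: v.org in PILOT_ORGS),
    Filter("View Only", "local", lambda v: v.function_path in READ_ONLY_PATHS, (AP_RULE,)),
    Filter("Data Security", "local", lambda v: v.data_group in READ_ONLY_DATA_GROUPS, (INV_RULE,)),
    Filter("Personalization", "local", lambda v: v.form in PERSONALIZED_READ_ONLY_FORMS, (AP_RULE,)),
]

# --- constructed violation rows, as a raw SOD report would list them ---
VIOLATIONS = [
    Violation("alice", "AP_CLERK", AP_RULE, "US_OU", "AP_CLERK/AP_MENU/AP_INVOICE_ENTRY"),
    Violation("bob", "AP_CLERK", AP_RULE, "US_OU", "AP_CLERK/AP_MENU/AP_INVOICE_ENTRY", user_end_dated=True),
    Violation("carol", "AP_PAY", AP_RULE, "US_OU", "AP_PAY/PAY_MENU/AP_PAYMENT", role_end_dated=True),
    Violation("dave", "AP_INQUIRY", AP_RULE, "US_OU", "AP_INQUIRY/INQ_MENU/AP_INVOICE_VIEW"),
    Violation("erin", "INV_USER", INV_RULE, "PILOT_OU", "INV_USER/INV_MENU/INV_ADJUST"),
    Violation("frank", "INV_USER", INV_RULE, "US_OU", "INV_USER/INV_MENU/INV_ADJUST", data_group="INV_READONLY_GROUP"),
    Violation("grace", "AP_CLERK", AP_RULE, "US_OU", "AP_CLERK/AP_MENU/AP_INVOICE_ENTRY", form="INVOICE_WORKBENCH"),
    # heidi's path is read-only too, but "View Only" is local to the AP rule, so she stays in the report
    Violation("heidi", "INV_INQ", INV_RULE, "US_OU", "INV_INQ/INV_MENU/INV_ONHAND_VIEW"),
]


def run():
    return apply_filters(VIOLATIONS, FILTERS)


if __name__ == "__main__":
    remaining, excluded = run()
    print("excluded:", exclusion_summary(excluded))
    print("remaining for remediation:", [v.user for v in remaining])
```

The scope distinction is the point worth checking in a real configuration: a local condition that is correct for one rule (an inquiry path is harmless for the invoice/payment rule) says nothing about other rules, so heidi's row survives even though her path is in the read-only list. Keeping the per-filter log also lets an auditor re-test the excluded rows rather than taking the false-positive count on trust.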
Advanced Analytics to Identify False+
Pre-built Risk Analytics: risk reports available for client review
Risk Advisors identify controls violations and can analyze issues and remove false positives to prepare the findings report
SOD Analytics
Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across multiple ERP instances
Our Client: Fortune 500 company; manufactures and distributes coatings, specialty materials, and glass products. Business runs on multiple Oracle EBS and SAP systems. Over 40,000 employees worldwide.
Challenges: Replace multiple legacy systems with one ERP solution. Improve Segregation of Duty controls within mission-critical applications. Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model. Increase external auditor's reliance on ERP Access Controls Monitoring.
Solutions: Oracle Access Controls Governor; FulcrumWay Advanced Access Analytics
Results:
Reduced ERP SOD remediation time by identifying and eliminating 80% of false positives, resulting in over $50,000 annual cost savings in audit and remediation costs.
Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles.
Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users.
Case Study
Enterprise Controls Platform (diagram)
Application Access Controls: Define Access Controls; Access Analysis; Remediation (Clean-up); Compensating Policies; Preventive Provisioning (Detection and Prevention)
Advanced Controls: SOD & Access; Application Configuration; Transaction Monitoring
GRC Manager; GRC Intelligence
Embed Controls Natively in Enterprise Apps
• Accelerate deployment and time to value with ready-made controls library
• Mitigate risk of inappropriate user access with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
Case Study
Leader in Risk Based Management Controls Q & A
Visit Resources to get started with Security Assessment and Role Design