
Slide 1: Satisfying SOX Separation of Duties Compliance Requirements
A Case Study at Silicon Image
Presented by Kenny Gilbert – Director of IS, Silicon Image, and Cameron Larner – President, Absolute Technologies
Copyright © 2004 Absolute Technologies, Inc.

Slide 2: Profile of Silicon Image
Founded in January 1995
Fabless semiconductor
$173 Million annual revenue for
Employees
Live on Oracle Apps - May
Upgraded Oracle Apps - July 2004 to
Audit firm - PWC
Audit guidance - Horn, Murdock & Cole

Slide 3: Goal
To establish mechanisms that identify high-risk or unauthorized transactions within the company's Oracle database and associated applications. The objective of these mechanisms is to ensure that Separation of Duties (SOD) procedures and their enforcement have been properly established with respect to database activity by both end users and business analysts.

Slide 4: Example of the Issue
Company ABC had an analyst (Bob) who really wanted Sysadmin access to Oracle Applications. His request was denied by the IT manager per the SOD compliance protocol. So Bob discovered a way to grant the access to himself. How did he do it?

Slide 5: How Bob got Sysadmin access
Bob considered asking his DBA friend, but decided to do it himself by writing a simple Oracle Alert like the example below (screenshot on slide 34, Alert Example). The SQL action of an Oracle Alert runs with the privileges of the APPS schema, so anyone who can define alerts can execute arbitrary SQL against the application tables without ever opening SQL*Plus; the ability to create alerts is as sensitive as direct SQL access.

Slide 6: Catalyst to Action
PWC threatened a material deficiency. Why?
The DBA had a shared role as developer.
Analysts had superuser access to major applications (one analyst supports multiple modules).
The DBA and analysts had APPS SQL access and could update Oracle tables without detection.

Slide 7: Course of Action
Determined the high-risk tables to be monitored.
Implemented Oracle Alerts on these tables to check for records where LAST_UPDATED_BY = the analyst's user ID.
Took APPS database access away from the analysts.
Evaluated tools that could provide configurable audit trails and reporting across specified financial transactions and setups.

Slide 8: Intro to Absolute Technologies
Why Absolute? We already use Absolute's BBB Intelligence solution for booking, backlog and billing reporting. Their product enables us to get backlog figures for any time in the past and provides a history of changes to booked orders. And it's configurable, so it tracks only what I wanted to track. After sharing our audit requirements with them, they informed us of their latest product offering, Application Auditor for Oracle. We decided to give it a try.

Slide 9: Scope of Audit
How is data being accessed and changed?
Application end-user access: logins, responsibilities and forms; Help > Tools > Examine (which lets a user view and set field values in the current form); Oracle Alert.
Direct SQL access: SQL*Plus, Toad, SQL*Navigator, etc.

Slide 10: Scope of Audit - Continued
What, when and who are making changes?
Types of database transactions:
DML: insert, update or delete records
DDL: create, alter or drop objects

Slide 11: Auditing Options for Oracle Applications
We evaluated the following:
Oracle Database - Audit feature
E-Business Suite - Row Who columns
E-Business Suite - End User Access
E-Business Suite - Audit Trail
E-Business Suite - Oracle Alert
Absolute Technologies - Application Auditor

Slide 12: Oracle Database - Audit Feature
In the init.ora file, set the AUDIT_TRAIL parameter to TRUE (a synonym for DB) and restart the database. From the SYSTEM user in SQL*Plus, execute the SQL AUDIT commands that match your requirements. Almost any type of database activity can be audited, from a session login, to the creation or alteration of any schema object, to the execution of a SQL statement. Audited actions are captured in the SYS.AUD$ table and exposed through the DBA_AUDIT_TRAIL view.

Slide 13: Oracle Database - Audit Feature
Limitations:
a. Does not provide before and after values for column changes.
b. Audits are at the SQL statement level; they do not reflect the resulting impact on individual records and columns within a table.
c. Provides no standard reporting or access to the data from a form.
d. The resulting data in SYS.AUD$ is not "end user" ready.
e. Because the table is owned by SYS, it cannot drive an event-based alert or notification to a user (triggers cannot be defined on SYS tables).

Slide 14: E-Business Suite - Row Who Columns
CREATION_DATE: date and time the row was created
CREATED_BY: Oracle Applications user ID, from FND_USER
LAST_UPDATE_DATE: date and time the row was last updated
LAST_UPDATED_BY: Oracle Applications user ID, from FND_USER
LAST_UPDATE_LOGIN: login ID, from FND_LOGINS
This information is easily accessed through the application or SQL. Within the applications, select Help > Record History from the main menu to view the information for the current record.

Slide 15: E-Business Suite - Row Who Columns
Limitations:
a. Only the initial creation and the last update date and user are stored.
b. A complete audit trail of changed values is not stored, so the date and user of any updates occurring between the creation and the last update of the record are lost.
c. There is no visibility into the before and after values of changed columns.
d. The information is not updated if the database record is inserted, updated or deleted by a user or process outside the security of Oracle Applications (for example, direct SQL under the APPS account), so such changes are invisible to this check.
e. The information is stored in the subject table itself. There is no standard reporting or centralized table to provide for ease of reporting.
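The slide 7 check (rows in a high-risk table last touched by an analyst's user ID) written out against the who columns slide 14 describes, as an added example that is not from the presentation or from Absolute Technologies. It assumes the Oracle Applications 11i schema owners AP and APPLSYS, the standard who columns on AP_INVOICES_ALL, AP_CHECKS_ALL and GL_JE_LINES, and the analyst user IDs 1040, 1041, 1042 and 1080 that slide 27 lists; a real deployment substitutes its own IDs.

```sql
-- Added example; not part of the presentation. Assumes 11i schema names and the
-- analyst user_ids 1040, 1041, 1042, 1080 from slide 27.

-- 1. Rows in one high-risk table whose last application-level update came from an
--    analyst account, resolved to a user name via FND_USER and, where the login row
--    still exists, to the terminal recorded in FND_LOGINS.
SELECT i.invoice_id,
       i.invoice_num,
       i.invoice_amount,
       i.last_update_date,
       u.user_name          AS last_updated_by_user,
       i.last_update_login,
       l.terminal_id
FROM   ap.ap_invoices_all i
       JOIN      applsys.fnd_user   u ON u.user_id  = i.last_updated_by
       LEFT JOIN applsys.fnd_logins l ON l.login_id = i.last_update_login
WHERE  i.last_updated_by  IN (1040, 1041, 1042, 1080)
AND    i.last_update_date >= TRUNC(SYSDATE) - 1
ORDER  BY i.last_update_date DESC;

-- 2. The same check over every table on the slide-24 list, one count per table, as a
--    periodic Alert would run it. The table list is a constant inside the block, so the
--    dynamic SQL is built only from values the DBA wrote, never from user input.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_tabs IS TABLE OF VARCHAR2(61);
  l_tabs t_tabs := t_tabs('AP.AP_INVOICES_ALL', 'AP.AP_CHECKS_ALL', 'GL.GL_JE_LINES');
  l_cnt  PLS_INTEGER;
BEGIN
  FOR i IN 1 .. l_tabs.COUNT LOOP
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM ' || l_tabs(i)
      || ' WHERE last_updated_by IN (1040, 1041, 1042, 1080)'
      || ' AND last_update_date >= TRUNC(SYSDATE) - 1'
      INTO l_cnt;
    DBMS_OUTPUT.PUT_LINE(RPAD(l_tabs(i), 22) || l_cnt || ' analyst-touched rows since yesterday');
  END LOOP;
END;
/
```

Because direct SQL does not maintain the who columns (limitation d above), neither query can see an update made through SQL*Plus or Toad under the APPS account: the row keeps whatever LAST_UPDATED_BY it had before. That is why slide 7 also removed APPS access from the analysts, and why the trigger condition on slide 27 tests userenv('TERMINAL') instead of relying on the who columns alone.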

Slide 16: E-Business Suite - End User Access
The system profile option "Sign-On: Audit Level" controls the level of end-user access auditing. The valid settings are None, User, Responsibility and Form. This profile option should always be set to "Form" to enable the most auditing. The standard reports for end-user auditing are:
Signon Audit Users
Signon Audit Responsibilities
Signon Audit Forms
Signon Audit Concurrent Requests
Signon Audit Unsuccessful Logins

Slide 17: E-Business Suite - End User Access
Limitations:
a. Only audits end-user usage of the specified forms.
b. Does not audit changes at the database level.
c. Does not audit the form activity or database transactions that matter for compliance; it records user access only.
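The data behind the Signon Audit reports on slide 16, queried directly for the two things slide 24 says they were actually used for (failed login attempts, and who is using which responsibility), as an added example that is not from the presentation. The table and column names (FND_UNSUCCESSFUL_LOGINS, FND_LOGINS, FND_LOGIN_RESPONSIBILITIES, FND_RESPONSIBILITY_TL) are assumed from the 11i FND schema; check them against your release before relying on the output.

```sql
-- Added example; not part of the presentation. FND table/column names are assumed
-- from the 11i FND schema and should be verified on the target release.

-- 1. Failed logins in the last 24 hours (recorded at any Sign-On: Audit Level above None).
SELECT ul.attempt_time, ul.user_name, ul.terminal_id
FROM   applsys.fnd_unsuccessful_logins ul
WHERE  ul.attempt_time >= SYSDATE - 1
ORDER  BY ul.attempt_time DESC;

-- 2. Accounts with repeated failures: a password-guessing attempt or a locked-out user.
--    The threshold of 5 is a choice for the example, not a product default.
SELECT ul.user_name,
       COUNT(*)            AS failures,
       MIN(ul.attempt_time) AS first_seen,
       MAX(ul.attempt_time) AS last_seen
FROM   applsys.fnd_unsuccessful_logins ul
WHERE  ul.attempt_time >= SYSDATE - 1
GROUP  BY ul.user_name
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;

-- 3. Every session this week that switched into a privileged responsibility, with the
--    terminal it came from. Needs Sign-On: Audit Level = Responsibility or Form; the
--    Alert Manager responsibility is included because of the slide-5 scenario.
SELECT lr.start_time, u.user_name, rt.responsibility_name, l.terminal_id
FROM   applsys.fnd_login_responsibilities lr
       JOIN applsys.fnd_logins            l  ON l.login_id = lr.login_id
       JOIN applsys.fnd_user              u  ON u.user_id  = l.user_id
       JOIN applsys.fnd_responsibility_tl rt ON rt.responsibility_id = lr.responsibility_id
                                            AND rt.application_id   = lr.resp_appl_id
                                            AND rt.language         = USERENV('LANG')
WHERE  rt.responsibility_name IN ('System Administrator', 'Alert Manager')
AND    lr.start_time >= SYSDATE - 7
ORDER  BY lr.start_time DESC;
```

These queries only ever show that someone logged in and which responsibility they chose; what they changed once inside is exactly the gap limitations b and c describe, and is left to the table-level auditing covered in the following slides.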

Slide 18: E-Business Suite - Oracle Alert
Sends notification of pre-defined high-risk transactions, either periodically or on an event (an event alert creates a database trigger on the table).

Slide 19: E-Business Suite - Oracle Alert
Limitations:
a. Periodic Alerts only capture a snapshot of the data.
b. Do not provide before and after values of changed columns.
c. Too many Alerts can clog up the concurrent manager.
d. Alerts do not provide ad hoc reporting, just notification.
e. On-event Alerts fire on any change to a record within the defined table, capturing unwanted transactions and impacting system performance. They do not allow individual column changes to be tracked.
f. Do not provide after-delete capabilities.
g. Do not use stored procedures in the PL/SQL body of the generated trigger to optimize performance, and may even create multiple triggers on one table.

Slide 20: E-Business Suite - Audit Trail
Set the system profile option AuditTrail:Activate to Yes.
As System Administrator, select Security -> AuditTrail -> Install.
Define the applications, groups, tables and columns to audit.
Run the Audit Trail Update Tables program to activate auditing. The following are created for each audited table:
Shadow table (named after the base table with an _A suffix)
Trigger
Views: one view containing all audited columns and one view for each audited column

Slide 21: E-Business Suite - Audit Trail
Limitations:
a. No single audit table for ease of reporting.
b. Cannot apply a condition to the trigger.
c. The Audit Trail Update Tables program has no parameters; to disable an audit you must change the group's "state" and then re-run the program.
d. Cannot toggle an audit on or off for a single table.
e. Cannot capture data outside the scope of the audited table, such as foreign-table column values, for ease of reporting.
f. No revision control mechanism.
g. No mechanism to support migration across database instances.
h. No standard reporting.
i. No single record holds the before and after detail of changed column values.
j. No error-handling visibility for the end user.

Slide 22: Absolute Technologies - Application Auditor
Provides a single mechanism to audit changes to any database table or column.
Change tracking can be configured, activated or deactivated within minutes for a single table.
Configuration reports provide a record of all audit setups.
A single audit table (or several) stores the defined change details across audited tables. Some examples are:
Before and after column values
When, who and where details
Additional reference column values from within the same table
Additional column values from related tables

Slide 23: Absolute Technologies - Application Auditor
Shares the E-Business Suite database instance.
Audits tables on any Oracle database in the environment.
Uses standard Oracle Developer tools.
A stored procedure is used in the triggers for optimized performance.
Audits the auditor: tracks changes to database objects in the AA schema (e.g. if the AA user disables an audit trigger).
Revision control.
Migrate or copy audit configurations within or across database instances.
Forms provide visibility into:
Audit configurations
Compiled objects
Compilation and object errors
Audit transactions

Slide 24: The Silicon Image Approach
Application end-user access:
Standard "Sign-On" reports for end-user auditing (only really used for failed login attempts).
Discoverer reports for current users and the responsibilities granted to them.
Not using Oracle Audit Trail (too many issues).
Absolute Application Auditor:
9 setup tables: FND_USER, FND_RESPONSIBILITY, etc.
13 financially impacting tables: AP_INVOICES_ALL, AP_CHECKS_ALL, GL_JE_LINES, etc.
Audit the Auditor (changes to AA schema objects).
Audit to determine whether DML was executed via SQL.
Audit business analyst activity against high-risk tables.

Slide 25: The Silicon Image Approach - Continued
Standard database auditing (SQL AUDIT command):
Changes to database user accounts
Changes to database links
Changes to system audit commands/parameters
Periodic Alert on SYS.AUD$ to notify the audit manager of issues
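The standard database auditing described on slide 12, narrowed to the events slide 25 lists and to the trigger DDL that would silence an audit (the "audit the auditor" item on slides 23 and 24), as an added example that is not from the presentation. It assumes Oracle 9i/10g statement-audit option names, the DBA_AUDIT_TRAIL view, the APPLSYS schema for the FND setup tables, and that the periodic Alert runs under the APPS account; the review query filters action names with LIKE so that naming differences between releases do not hide rows.

```sql
-- Added example; not part of the presentation. Run the AUDIT statements as SYSTEM.
-- Assumes 9i/10g statement-option names and the DBA_AUDIT_TRAIL view.

-- init.ora / spfile: AUDIT_TRAIL = DB   (TRUE is accepted as a synonym); restart afterwards.
-- ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

AUDIT SESSION;                              -- logon/logoff; a failed logon has a non-zero returncode
AUDIT USER;                                 -- CREATE / ALTER / DROP USER      (slide 25: user accounts)
AUDIT ROLE;                                 -- CREATE / ALTER / DROP / SET ROLE
AUDIT SYSTEM GRANT;                         -- GRANT / REVOKE of system privileges and roles
AUDIT DATABASE LINK, PUBLIC DATABASE LINK;  -- CREATE / DROP (PUBLIC) DATABASE LINK (slide 25: db links)
AUDIT SYSTEM AUDIT;                         -- AUDIT / NOAUDIT statements     (slide 25: audit settings)
AUDIT ALTER SYSTEM;                         -- parameter changes, e.g. switching audit_trail off
AUDIT TRIGGER;                              -- CREATE / ALTER / DROP TRIGGER, incl. ALTER ... DISABLE

-- Object-level DML auditing on low-volume setup tables (slide 24: "DML executed via SQL").
-- BY ACCESS writes one row per statement, so keep it off high-volume transaction tables.
AUDIT INSERT, UPDATE, DELETE ON applsys.fnd_user           BY ACCESS;
AUDIT INSERT, UPDATE, DELETE ON applsys.fnd_responsibility BY ACCESS;

-- So that a periodic Alert running as APPS can read the trail without owning SYS objects
-- (run as SYS; slide 13e explains why a trigger on AUD$ itself is not an option).
GRANT SELECT ON dba_audit_trail TO apps;

-- Review query, i.e. what the periodic Alert on slide 25 would run. This is statement
-- level only: it shows who ran ALTER USER from which host, never the old or new value.
SELECT a.timestamp, a.os_username, a.username, a.userhost, a.terminal,
       a.action_name, a.owner, a.obj_name, a.returncode
FROM   dba_audit_trail a
WHERE  a.timestamp >= SYSDATE - 1
AND  ( a.action_name LIKE '%USER'
    OR a.action_name LIKE '%ROLE'
    OR a.action_name LIKE '%DATABASE LINK'
    OR a.action_name LIKE '%AUDIT%'
    OR a.action_name LIKE '%GRANT%'
    OR a.action_name LIKE '%REVOKE%'
    OR a.action_name LIKE '%TRIGGER'
    OR a.action_name =    'ALTER SYSTEM'
    OR (a.owner = 'APPLSYS' AND a.action_name IN ('INSERT', 'UPDATE', 'DELETE'))
    OR (a.action_name = 'LOGON' AND a.returncode <> 0) )  -- 1017 = bad password, 28000 = locked
ORDER  BY a.timestamp;
```

The AUDIT SYSTEM AUDIT, ALTER SYSTEM and TRIGGER options are the ones that protect the control itself: without them, a DBA with the shared developer role (slide 6) could NOAUDIT the setup, flip AUDIT_TRAIL back to NONE, or disable an audit trigger, and nothing would record it.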

Slide 26: Feedback from Silicon Image
Current status: PWC was satisfied with the audit tracking results. A big key to this was that we heavily involved them in the discussions about which columns in which tables would be tracked. Complete implementation and setup of all tables was achieved in under a week. Because all audit records go to one table, audit reporting was very simple.

Slide 27: Feedback from Silicon Image - Continued
Challenges and solutions:
1. Challenge: needed to be able to tell when an update was done from SQL or from the applications.
   Solution: audit trigger condition
   nvl(userenv('TERMINAL'), 'unknown') not in ('unknown') or new.LAST_UPDATED_BY IN (1040, 1041, 1042, 1080, 0)
   (fire for any session that reports a real terminal, i.e. a direct SQL tool, or for application updates by the listed user IDs).
2. Challenge: we needed this implemented very fast.
   Solution: complete implementation and setup of all tables was achieved in under a week.
3. Challenge: needed flexible reporting.
   Solution: because all audit records go to one table, audit reporting was very simple.
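The pattern slides 22 and 23 describe (one shared audit table holding before and after values, who/when/where details and a reference value from a related table, with a stored procedure doing the work inside the trigger), wired to the slide-27 WHEN condition, as an added example. This is not Absolute Technologies' product code and not Silicon Image's configuration: every table, column, vendor and user ID below is constructed for the example, and the trigger's condition also consults OLD.LAST_UPDATED_BY on a DELETE, which the slide's condition as written does not.

```sql
-- Added example; not the Application Auditor product and not Silicon Image's setup.
-- All objects and values are constructed for illustration.

CREATE TABLE demo_vendors (
  vendor_id   NUMBER PRIMARY KEY,
  vendor_name VARCHAR2(240)
);

CREATE TABLE demo_ap_invoices (          -- stand-in for AP_INVOICES_ALL
  invoice_id       NUMBER PRIMARY KEY,
  invoice_num      VARCHAR2(50),
  invoice_amount   NUMBER,
  vendor_id        NUMBER REFERENCES demo_vendors,
  last_updated_by  NUMBER,               -- who column maintained by the application
  last_update_date DATE
);

CREATE SEQUENCE demo_audit_seq;

CREATE TABLE demo_audit_log (            -- the single audit table every trigger writes to
  audit_id       NUMBER PRIMARY KEY,
  table_name     VARCHAR2(30),
  column_name    VARCHAR2(30),
  row_key        VARCHAR2(100),
  dml_type       VARCHAR2(6),
  old_value      VARCHAR2(4000),         -- before
  new_value      VARCHAR2(4000),         -- after
  changed_on     DATE,                   -- when
  apps_user_id   NUMBER,                 -- who: application identity (stale when bypassed via SQL)
  db_user        VARCHAR2(30),           -- who: database identity
  os_user        VARCHAR2(100),          -- who: operating-system identity
  terminal       VARCHAR2(100),          -- where: 'unknown' for forms sessions, a host for SQL tools
  module         VARCHAR2(100),          -- where: client program name, if it set one
  vendor_name    VARCHAR2(240),          -- reference value pulled from the related table
  review_status  VARCHAR2(20) DEFAULT 'OPEN',
  review_comment VARCHAR2(2000)          -- slide 28: comments kept reportable for the audit firm
);

-- Stored procedure in the trigger body (slide 23) instead of inline SQL in every trigger.
CREATE OR REPLACE PROCEDURE demo_audit_change (
  p_table IN VARCHAR2, p_column IN VARCHAR2, p_key IN VARCHAR2, p_dml IN VARCHAR2,
  p_old   IN VARCHAR2, p_new    IN VARCHAR2, p_apps_user IN NUMBER, p_vendor_id IN NUMBER)
IS
  l_vendor demo_vendors.vendor_name%TYPE;
BEGIN
  -- Record real changes only; NULL-safe, since NULL = NULL is not TRUE in SQL.
  IF p_old = p_new OR (p_old IS NULL AND p_new IS NULL) THEN
    RETURN;
  END IF;
  BEGIN
    SELECT vendor_name INTO l_vendor FROM demo_vendors WHERE vendor_id = p_vendor_id;
  EXCEPTION WHEN NO_DATA_FOUND THEN l_vendor := NULL;
  END;
  INSERT INTO demo_audit_log (audit_id, table_name, column_name, row_key, dml_type,
    old_value, new_value, changed_on, apps_user_id, db_user, os_user, terminal, module, vendor_name)
  VALUES (demo_audit_seq.NEXTVAL, p_table, p_column, p_key, p_dml,
    p_old, p_new, SYSDATE, p_apps_user, USER,
    SYS_CONTEXT('USERENV', 'OS_USER'), NVL(USERENV('TERMINAL'), 'unknown'),
    SYS_CONTEXT('USERENV', 'MODULE'), l_vendor);
END;
/

CREATE OR REPLACE TRIGGER demo_ap_invoices_aud
  AFTER INSERT OR UPDATE OR DELETE ON demo_ap_invoices
  FOR EACH ROW
  -- Slide 27 condition: fire when the session came from a real terminal (SQL*Plus, Toad)
  -- or when the application user is one of the listed IDs. NEW is empty on a DELETE,
  -- so OLD is consulted there as well (an addition to the slide's condition).
  WHEN (NVL(USERENV('TERMINAL'), 'unknown') NOT IN ('unknown')
        OR NVL(NEW.last_updated_by, OLD.last_updated_by) IN (1040, 1041, 1042, 1080, 0))
DECLARE
  l_dml  VARCHAR2(6)   := CASE WHEN INSERTING THEN 'INSERT' WHEN UPDATING THEN 'UPDATE' ELSE 'DELETE' END;
  l_key  VARCHAR2(100) := TO_CHAR(NVL(:NEW.invoice_id, :OLD.invoice_id));
  l_who  NUMBER        := NVL(:NEW.last_updated_by, :OLD.last_updated_by);
  l_vend NUMBER        := NVL(:NEW.vendor_id, :OLD.vendor_id);
BEGIN
  demo_audit_change('DEMO_AP_INVOICES', 'INVOICE_AMOUNT', l_key, l_dml,
                    TO_CHAR(:OLD.invoice_amount), TO_CHAR(:NEW.invoice_amount), l_who, l_vend);
  demo_audit_change('DEMO_AP_INVOICES', 'INVOICE_NUM', l_key, l_dml,
                    :OLD.invoice_num, :NEW.invoice_num, l_who, l_vend);
END;
/

-- Walk-through of the slide 29/30 flow: an analyst-ID update lands in the log, is reviewed, and closed.
INSERT INTO demo_vendors VALUES (7, 'Acme Foundry');
INSERT INTO demo_ap_invoices VALUES (1, 'INV-1001', 2500, 7, 1040, SYSDATE);
UPDATE demo_ap_invoices SET invoice_amount = 25000, last_updated_by = 1040, last_update_date = SYSDATE
WHERE  invoice_id = 1;                   -- only INVOICE_AMOUNT changed, so only one audit row results

SELECT audit_id, dml_type, column_name, old_value, new_value, apps_user_id, terminal, vendor_name
FROM   demo_audit_log WHERE review_status = 'OPEN' ORDER BY audit_id;

UPDATE demo_audit_log
SET    review_status = 'APPROVED', review_comment = 'Explanation and Finance approval recorded in the help desk ticket'
WHERE  row_key = '1' AND column_name = 'INVOICE_AMOUNT' AND dml_type = 'UPDATE';
```

Two things the trigger captures that neither the who columns nor SYS.AUD$ do: the before value (2500) beside the after value (25000), and the database-level identity of the session (USER, OS_USER, TERMINAL) alongside the application identity, so an update pushed through SQL*Plus as APPS is attributed to the workstation it came from even though LAST_UPDATED_BY still says whatever the application last wrote. Because the WHEN clause is evaluated before the body runs, ordinary forms transactions by non-listed users cost nothing beyond the condition itself, which is the performance concern limitation e on slide 19 raises against on-event Alerts.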

Slide 28: Lessons Learned
Manage carefully what you audit, because the auditors will always want more.
Make sure you have a way to track comments on your audit records so they are reportable when your audit firm comes back.

Slide 29: Example of Financial Impacting Audit #1
Table: WF_ROUTING_RULES
Purpose: identify unauthorized changes to signing authority.
Event: a user with Sysadmin assigned the CFO's signing authority to another employee. A record was inserted into the audit table.
Step one: the audit triggered a notification to the Director of IS and the change-control help desk.
Step two: the Director of IS researched the issue, entered an explanation of the transaction into the help desk and awaited approval from the Director of Finance.
Step three: after receiving approval, the audit record was updated to reflect the status of the issue.
The example above occurred in production. Afterwards, we decided to change the audit so that it would only fire when the reassignment was to one of the IS business analysts.

Slide 30: Example of Financial Impacting Audit #2
Table: HZ_PARTIES
Purpose: identify unauthorized update or creation of a customer.
Event: in the form, an analyst updated 15 customer records to modify the territory column, but also mistakenly updated the customer name on one of the records. An audit record was generated.
Step one: the audit triggered a notification to the Director of IS and the change-control help desk.
Step two: the Director of IS researched the issue, entered the explanation and resolution of the transaction into the help desk and awaited approval from the Director of Finance.
Step three: after the review and approval, the audit record was updated to reflect the status of the issue.
Needless to say, this was embarrassing to explain, but it was very helpful that we had everything we needed, the before and after values, to change it back.

Slide 31: Example of Operational Audit - GOP
Table: OE_ORDER_LINES_ALL
Purpose: audit schedule, request and promise date changes.
Event: the GOP module auto-schedules sales orders. We also have a program that auto-updates promise dates.
Step one: customer service called IS to complain that the promise date or schedule ship date on a sales order was not correct.
Step two: an analyst reviewed the audit history for the sales order to see the entire history of date changes.
Step three: the analyst informed customer service that the date in question had originally been provided correctly by GOP, but had subsequently been modified several times by the caller's own user account.

Slide 32: SOX Separation of Duties Compliance
Prepared by
Whitepaper available at

Slide 33: Tools Examine Example (screenshot)
Slide 34: Alert Example (screenshot)
Slide 35: Audit Transaction Example (screenshot)
Slide 36: Report Examples (screenshot)
Slide 37: Comments Examples (screenshot)

