Implement SoD Automation Within Weeks


1 Implement SoD Automation Within Weeks
Using Oracle ERP Cloud
Barry Greenhut, Muthuvel Arumugam, Sujay Bandyopadhyay
Tue Oct 23, 1:45pm, Moscone South, Room 156

2

3 Oracle Product Development
Presenters: Barry Greenhut (Oracle Product Development), Muthuvel Arumugam, Sujay Bandyopadhyay

4 Contributors
Chris Doxey, Doxey Inc.
Marty Reiff, Oracle

5 The dream

6 Good is a must-have for SoD
Get SoD right the first time, or redo later
Redoing requires:
- Many participants – all stakeholders in policies, security, processes
- Large expense and effort
- Reassess policies
- Rework processes and/or security
- Update data and configurations
- Re-train users, re-test automation, re-go-live

7 Good AND Fast
Learn → Prepare → Deploy

8 Learn
Get Started shows you:
- What you could do

9 What you could do: Secure Role Design
Design Role → Analyze Role → Secure Role design

10 What you could do: Secure Role Assignment
Assign Roles to ERP users → Analyze assignments → Secure assignment rules, Role design

11 Learn
Get Started shows you:
- What you could do
- When to get started
- Factors that affect project duration

12 When to get started
During ERP Cloud implementation:
- Design Secure Roles
- Assign Roles Securely
Go Live with ERP
After ERP Cloud go-live:
- Check & Improve Role Designs
- Check & Improve Role Assignments

13 Learn
Get Started shows you:
- What you could do
- When to get started
- Factors that affect project duration
- How to find the right stakeholders
- Who to involve in planning

14 Learn
Get Started shows you:
- What you could do
- When to get started
- Factors that affect project duration
- How to find the right stakeholders
- Who to involve in planning
- What to deploy first
- How to plan your project and go-live

15 Learn → Prepare
Define Process, Set Scope, Gather Data

16 Prepare: Define Process
Process steps & participants (from Get Started)
Fast baseline process – focus on Role Design:
  a. Choose SoD Models
  b. Analyze high-risk Roles
  c. Respond to issues
Perform steps in parallel – minimize impact of waiting
- b & c for each role
Participants
- People who can understand the information arising in the process, then act on it
- The fewer, the better – minimize complexity, training, support

17 Prepare: Set Scope
In the time available …make sure your most avid audience …will get a satisfying result
Fast examples:
- 3-5 SoD models
- 2-3 riskiest Roles
- 1 business unit

18 Prepare: Gather Data
Analyst Roles, Perspectives
- Fast examples: Pooled responsibility
SoD Models
- Pre-built SoD Models

19 Learn → Prepare → Deploy
Configure, Train, Go Live

20 Deploy: Configure
- Initial setup
- Import SoD models
- Verify analyses

21 Deploy: Train
- Users
- Administrators
- Support

22 Deploy: Go Live
Good AND Fast

23 How do I set scope?
How can I tell whether I’m biting off more than I can chew?
Example: 5 SoD models x 3 riskiest Roles = 15 analyses’ worth of issues

24 How do I choose SoD models?
- Address risks that are shared by all ERP Cloud users
- Many to choose from

25 How do I configure Risk Management?
Get Started: support.oracle.com/epmos/faces/DocumentDisplay?id=
Get Training: cloudcustomerconnect.oracle.com/posts/9a12402d9b
Get Help: oracle.com/support, oracle.com/consulting

26 How-to: Secure by Design
Muthuvel Arumugam, Sujay Bandyopadhyay

27 How-to: Secure by Design
- Secure the designs of highest-risk Roles
- Secure the assignment of highest-risk Roles to users
- Go Live
- Further secure Roles and assignments

28 How-to: Secure by Design
- Secure the designs of highest-risk Roles
  - What are Roles?
  - How do I identify the riskiest ones?
- Secure the assignment of highest-risk Roles to users
- Go Live
- Further secure Roles and assignments

29 Role Based Access Control
- Users have roles
- Roles grant access to functions and data
- Users can have any number of roles
- The functions and data that can be accessed are determined by the combination of roles
User: Linda Swift
Role: HR Specialist Vision Operations
Role: Employee
Role: Line Manager

30 Job Roles
- Job roles represent the job that you hire a worker to perform.
- Procurement Manager is an example of a predefined job role.
- You can also create custom job roles.

31 Duty Roles
- Duty roles represent logical groups of tasks that are performed in a job.
- Procurement Manager has Buyer Duty Role.
- Buyer has Purchase Order Inquiry Duty Role.
- You can create custom duty roles.
- You do not assign duty roles to users.

32 Privileges
- Roles contain privileges.
- Privileges provide access to functionality in the application
- Payables Invoice Processing Role contains the Manage Payable Invoices Privilege
- You can assign privileges to roles

33 Resources
- Privileges contain resources
- Resources represent various application artifacts: tasks, menu items, buttons, regions, etc.
- The Manage Payables invoices Privilege is associated with a set of resources
- You cannot manage resources

34 How do I identify the riskiest Roles?
By Process
- Identify business process with highest risk
- Identify pre-built SoD analyses for that process
- Identify roles in that process that allow the riskiest actions
By SoD Policy
- Identify pre-built AAC policies with highest risk
- Identify users in scope of those policies
- Identify the roles those users will have

35 Secure Role Design
Design Role → Analyze Role → Secure Role design

36 Secure Role Design
Flowchart (lanes: Security Console, Advanced Access Controls):
- If role is new, assign to test user
- Import pre-built models
- Run model analysis
- Did analysis find conflicts within role?
  - YES: Change role design to eliminate conflicts
  - NO: Role ready to be assigned to business users

37 Secure Role Design (minimize intra-role SoD conflicts)
1. Gather data
  a. Select 3-5 pre-built Advanced Access Controls models
2. Initial setup. In one of your non-production environments:
  a. Verify that Risk Management has been activated
  b. Assign AAC roles to implementation & administration users (Implementation user: privileges for designing models and running model analysis; Admin user: privileges for running global user synchronization)
  c. Complete essential AAC setup (Global User Identification, Global User Synchronization)
3. Initial analysis
  a. In AAC: Import first SoD model. Add condition to focus on highest-risk Role.
  b. If role is new: In Security Console: Create test user, and assign highest-risk Role to that user
  c. In AAC: Run global user synchronization; run access analysis
  d. In AAC: Review results, use Visualization to determine remedy:
    i. In AAC: Adjust Model to minimize false positives (e.g., no-risk privileges)
    ii. In Security Console: Adjust Role design to minimize true positives (e.g., change role definition, change nested components)
4. Further analyses
  a. In AAC: Import next SoD model. Add same condition as 3a (to focus on Role).
  b. In AAC: Run access analysis; review results, determine remedy
  c. Repeat 4a-b for remaining Models
  d. In Security Console: create another test user and assign next high-risk Role. Then in AAC:
    i. Adjust first Model’s condition to focus on this Role instead of first one.
    ii. Run global user synchronization and access analysis again; adjust Model and/or Role design.
    iii. Repeat 4d.i-ii for remaining Models
  e. Repeat 4d.i-iii for remaining high-risk Roles
  f. Document compensating controls if needed

38 Demonstration Sujay Bandyopadhyay

39 DEMO: We imported a prebuilt SoD model, then added an Access Condition to focus on one role

40 DEMO: Let’s see the conflicts…

41 DEMO: Here’s the raw analysis…

42 DEMO: Let’s Visualize that…

43 DEMO: The user needs Create Payable Invoice and View Supplier, not Import/Maintain/Create Supplier, so let’s fix the Supplier Profile Duty

44 DEMO: Let’s fix the Supplier Profile Duty

45 DEMO: After we re-run Model Analysis…

46 DEMO: …we’ll see that we’ve eliminated the conflicts

47 Secure Role Assignment
Assign Roles to ERP users → Analyze assignments → Secure assignment rules, Role design

48 Secure Role Assignment
Flowchart (lanes: Security Console, Role Mappings, HCM Data Loader, IDM, etc.; Advanced Access Controls):
- Assign roles to ERP users
- Run model analysis
- Did the analysis find users with conflicts?
  - NO: Role assignments are appropriate
  - YES: Remediate
    - Change role assignment rules
    - Remove user role assignment
    - Plan compensating AFC Controls

49 Secure Role Assignment (minimize inter-role SoD conflicts)
Analyze all abilities
- In AAC: In each Model, remove condition that focused on highest-risk Role
- In HCM: If standard users have not been created yet, create/import them
- In Security Console, Role Mappings, HCM Data Loader, IDM, etc.: If high-risk Roles have not been assigned to standard users, assign them according to user onboarding policies
- In AAC: Run global user synchronization and access analysis again
- For each Model:
  - Review results, use Visualization to determine remedy
  - Adjust Model conditions and/or Role assignments and/or Role designs
- Document compensating controls as needed
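
The intra-role analysis of slide 37 and the inter-role analysis of slide 49, as an added example (not from the presentation, and not Oracle's Advanced Access Controls code): a plain-Python model flattens nested roles to privileges and checks them against one SoD model. Privilege and duty names echo the demo slides; the job role names, the hierarchy and the SoD model are constructed assumptions.

```python
from itertools import product

# Constructed hierarchy: job role -> duty roles -> privileges. Privilege and duty
# names echo the slides; job role names and the SoD model are assumptions.
ROLES = {
    "AP Specialist": {"roles": ["Payables Invoice Processing", "Supplier Profile Duty"]},
    "Payables Invoice Processing": {"privs": ["Create Payable Invoice"]},
    "Supplier Profile Duty": {"privs": ["View Supplier", "Import Supplier",
                                        "Maintain Supplier", "Create Supplier"]},
    "Supplier Administrator": {"privs": ["Create Supplier", "Maintain Supplier"]},
}
# One SoD model: holding a privilege from each side is a conflict.
MODEL = ({"Create Supplier", "Import Supplier", "Maintain Supplier"},
         {"Create Payable Invoice"})


def flatten(role, roles, seen=frozenset()):
    """Return {privilege: path of roles that grants it}, walking nested roles."""
    if role in seen:  # guard against cyclic role nesting
        return {}
    found = {p: [role] for p in roles[role].get("privs", [])}
    for child in roles[role].get("roles", []):
        for priv, path in flatten(child, roles, seen | {role}).items():
            found.setdefault(priv, [role] + path)
    return found


def analyze(assigned, roles, model=MODEL):
    """Conflicts for one user: (kind, priv_a, granted_via_a, priv_b, granted_via_b)."""
    held = [(priv, top, " > ".join(path))
            for top in assigned for priv, path in flatten(top, roles).items()]
    side_a = [h for h in held if h[0] in model[0]]
    side_b = [h for h in held if h[0] in model[1]]
    return sorted(("intra-role" if a[1] == b[1] else "inter-role",
                   a[0], a[2], b[0], b[2]) for a, b in product(side_a, side_b))


def redesign(roles):
    """The demo's remedy: Supplier Profile Duty keeps only View Supplier."""
    return {**roles, "Supplier Profile Duty": {"privs": ["View Supplier"]}}


if __name__ == "__main__":
    print(analyze(["AP Specialist"], ROLES))                 # three intra-role conflicts
    fixed = redesign(ROLES)
    print(analyze(["AP Specialist"], fixed))                 # role design is clean
    print(analyze(["AP Specialist", "Supplier Administrator"], fixed))  # inter-role
```

The "granted via" path in each result names the nested duty role to change, which is the information the demo reads off the Visualization before fixing Supplier Profile Duty.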

50 Further secure Roles and assignments
Deploy Controls
- Create perspectives for routing Incidents to remediators
- Convert Models to Controls
- Schedule analysis for periodic execution
- Remediate incidents
- Optional: Define OTBI dashboards for monitoring
Go live with ERP Cloud
- Remediate additional incidents as they arise
Expand coverage
- Analyze more Roles
- Import/tune/deploy more Models/Controls

51 Case study: Expand Coverage
Chris Doxey

52 Segregation of Duties Concepts
AUTHORIZATION: Reviewing and Approving transactions
RECONCILIATION: Assurance that transactions are proper
RECORD KEEPING: Creating and Maintaining records
ASSET CUSTODY: Access to and/or control of assets
Examples of SoD Conflicts
- Authorizing purchases and receiving goods purchased from a single transaction
- Setting up a supplier, executing the payment and voiding or modifying the transaction.

53 Example Segregation of Duties Conflicts Matrix

54 Additional SoD Support and Information
What’s Available:
- A library of SoD Conflict Matrices
- System Access and SoD Policies and Procedures
- SoD Process Reviews
Contact:

55 Additional Improvement & Acceleration: Mission Critical Support
Marty Reiff

56 Complete Support for SaaS
Flexible Support to Leverage the Potential of your SaaS Applications
- Bundle or standalone SLA-based services
- Single point of contact
- Business Help Desk for SaaS
- Regression Testing
- Extensions and Integrations
- Critical Process Management
- Mission Critical Support for SaaS
- Specific version available for requirements of US Government and Federal Agencies

57 Customer Benefits of Mission Critical Support for SaaS
Faster Adoption
- Faster user adoption
- Higher user satisfaction
- Higher productivity
Strong Business Focus
- Improved overall business satisfaction
- Increased agility
- Business process continuity when it matters with end-to-end process focus and proactive oversight
- Single point of contact
Leveraging the Potential of SaaS
- Seamless support across multiple SaaS workloads
- Fast uptake of regular SaaS updates
- Efficient management of cloud process flows and integrations
- Get it right, keep it right with expert support by Oracle
Reduced TCO
- Cost savings through best practices, operational efficiency, and continuous improvements
- Plannable budget with clearly defined service packages
- Mitigating the risk of resource turnover

58 What’s Next?

59 Oracle Risk Management User Forums
Conference presentations, product updates, training materials, Q&A, etc.
cloudcustomerconnect.oracle.com

60 Oracle Risk Management – Learn More
Get started, documentation, release notes, training. Guided Tours Path to Success Training Personal Guidance User Documentation Release Readiness Forum

61

