Published by Dina Willems. Modified over 6 years ago.
1
Strengthen Security using Advanced ERP & HCM Controls [CAS 5823]
Avinash BharathSingh, Deloitte
Dharma Shanmugam, McDermott
Yong Sung (Patrick) Kwon, KPMG
Aman Desouza, Oracle
October 23, 2018
2
Introductions
Get to know your panelists
- Avinash BharathSingh, Manager, Cyber Risk Services, Deloitte & Touche LLP
- Dharma Shanmugam, ERP Director, McDermott
- Patrick (Yong Sung) Kwon, Manager, KPMG LLP
3
Safe Harbor Statement The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
4
Program Agenda
1. Introduction
2. Orientation & Context
3. McDermott: Business Study
4. Oil & Gas: Case Study
5. Q&A
5
Built-in Risk Management for ERP & HCM Cloud
- Financials
- Procurement
- Risk Management
- Human Capital Management
- Project Portfolio Management
Continuous security, transaction & configuration analysis • Audit & compliance workflows
Common User Experience & Interface
Common User Security, Data Model, Application Administration, Updates & Patches
Common Extensibility Tools – Page Composer & Flex Fields
Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
6
Risk Management Solutions
- Accelerate ERP & HCM deployments
- Continuous security & compliance monitoring
- Get started in hours
- Eliminate manual analysis tasks
- Activate library of 100+ packaged rules
- Certify users with sensitive access
- SOD, Security, Privacy and User Access Controls
- Fraud Detection – AP, expenses & payroll Controls
- Configuration Change Tracking – suppliers, bank# etc.
- SOX certifications & GDPR Compliance Management
- Secure Role Design
- Dashboards & Alerts
- Deep SOD Analysis
- Compliance Workflows
- User Access Certifications
- Certify Before Go-live
- Advanced Configuration Controls
- Advanced Access Controls
- Advanced Transaction Controls
8
Patrick (Yong Sung) Kwon
Manager, KPMG Advisory Services
Patrick is a Manager in KPMG’s Advisory Services practice with 6 years of Enterprise Resource Planning (ERP) implementation experience with a focus on security and controls. Patrick has taken part in a number of ERP security & control assessments and implementations with a concentration on Oracle Cloud, especially Human Capital Management, PeopleSoft and Oracle Advanced Controls. Patrick’s current and past clients include some of the leading entities in a variety of market sectors, including healthcare, real estate, utility, consumer products, and state and federal governmental entities.
9
Strengthening Controls – Process & Controls
[Process flow diagram: 2.0 Set Up Project, 2.1 Define Task Codes]
Legend: Online; I = Data Integration; R = Reports; T = Indirect Tax; Off system activity; C = Control Reference
Swimlanes: Project Analyst; Project Accountant; Finance Business Partner team
Steps shown (Start to End, numbered 1 to 9 in the diagram):
- Input Project related info and assign access to teams
- Define Project Details
- Develop Work Breakdown structure and align to existing portfolio of projects if required
- Create Task codes and align to existing portfolio of projects if required
- Create Oracle Cloud Financial Plan (Cost breakdown structure)
- Align mapping to Cost breakdown structure
- Review task codes and Work breakdown structure
- Sign-off task codes and work breakdown structure
- Project Task Code and Work breakdown structure defined
Control and report references shown: C2.1.1, C2.1.2, C2.1.3, R2.1.1
10
Strengthening Controls – Controls in Depth
11
Effective Risk Management
RISK MANAGEMENT CLOUD
Financial Reporting Compliance Cloud
- Effective Risk Management
- Strengthen Internal Controls
Advanced Financial Controls Cloud
- Automate Detection of Error, Fraud & Waste
- Enforce Financial Reporting Integrity
Advanced Access Controls Cloud
- Monitor Access to Sensitive Data
- Prevent Unauthorized Access
Audience: CFOs & Controllers; CIOs & CISOs; Auditors; Process Owners
In other words… we automate controls around who gets in to your systems and how cash leaves the organization.
13
Dharma Shanmugam
ERP Director, McDermott
ERP COE Leader
- Managing different ERP Clouds - Procurement, Finance, Project and HCM
- Leading one of the most complex Oracle Cloud implementations in the Oil & Gas industry domain
- 20 years of implementing and supporting ERP projects across the globe
- Led ERPs in Deloitte, Oracle Consulting, and GE prior to McDermott
14
McDermott Overview
- A premier $10 billion¹ global, fully vertically integrated onshore-offshore EPCI provider with a market-leading technology portfolio
- Diversified capabilities, well positioned globally in attractive high-growth markets with a $14 billion² backlog
- 40,000 employees worldwide with a culture focused on safety, fixed-price lump-sum contracting and customer engagement
REVENUE PROFILE
- BY GEOGRAPHY: Complementary geographic portfolio drives diversity and provides enhanced revenue stability
- BY MARKET: Mix of onshore and offshore diversifies exposure and provides more cyclical balance
- BY CONTRACT TYPE: Project control through vertical integration, combined with rigorous risk management, provides differentiation as a best-in-class fixed-price operator
¹ Revenue is the sum of McDermott and CB&I LTM revenue as of 12/31/17 and does not reflect any pro forma adjustments.
² Backlog is the sum of McDermott and CB&I remaining performance obligations of $12.8 billion and backlog from equity method investments of $1.1 billion as of 3/31/18. Backlog is a non-GAAP measure defined as remaining performance obligations plus backlog from equity method investments, which we believe provides a better indication of the total unearned value of our new awards.
15
Global Presence and Local Execution
Operates in 56 countries, grouped into 4 areas:
- North, Central and South America
- Europe, Africa, Russia and Caspian
- Middle East and North Africa
- Asia Pacific
Product Lines:
- Offshore and Subsea
- Downstream
- LNG
- Power
- Industrial Storage
- Pipe Fabrication
16
McDermott ERP Cloud Journey
5 year Roadmap to get to ‘One ERP’ with CB&I
17
Current SoD Practice
- ~50 custom roles – Conflict Matrix user-role level privilege level)
- Analysis done in Excel and implemented manually
18
McDermott SOD & AAC
SOD Requirements - Need a tool/application that:
- Provides a framework for managing SOD conflicts
- Is flexible to adapt to the changing Oracle landscape – Patching and Release Management
- Has pre-built content for conflict policy/matrix that can be modified to suit MDR needs
Approach
- Reviewed Oracle AAC along with the stand-alone solutions available in the market
- Offline solutions need to: ❶ Extract Security Data > ❷ Analyze offline > ❸ Remove False Positives > ❹ Provide recommendation as a doc > ❺ Implement the recommendation > ❻ Rerun the analysis
- Selected Oracle AAC and in the process of implementing this application
Learning so far
- Align AAC implementation with initial purchase (not available at that time) or with an upgrade
- Make sure AAC is enabled in all the DEV/TEST instances
19
Program Agenda
1. Introduction
2. Orientation & Context
3. McDermott: Business Study
4. Oil & Gas: Case Study
5. Q&A + Wrap-up
20
Avinash BharathSingh
Manager, Cyber Risk, Deloitte Advisory
Avinash is a Manager in Deloitte’s Cyber Risk practice with 6 years of Enterprise Resource Planning (ERP) implementation experience with a focus on security and controls. Avinash has implemented Oracle Application Security and Controls in both on-premises and cloud SaaS environments to meet compliance requirements. This includes application security design, role design, and segregation of duties (SOD) for finance, supply chain and human resources. Avinash’s current and past clients span a variety of market sectors including public sector, financial services, consumer & industrial products and life sciences.
21
Oracle Advanced Access Controls Use Case
Background Context
- Finance implementation with custom roles
- Point in time role level segregation of duties (SOD) analysis before go-live
Reasons for Subscribing
- Audit performed on live system
- Need to systematically report out on and prove SOD Compliance
- Manual SOD checks are technically challenging and time consuming
22
Oracle Advanced Access Controls Use Case
SOD Analysis Challenges
[Diagram: access hierarchy evaluated in an SOD analysis]
- USER = Application User
- Access Points
- JOB ROLE
- DATA ROLE
- Abstract Role (Data Dimensions)
- DUTY ROLE (Functional Privileges, Data Dimensions)
OTHER IMPORTANT ATTRIBUTES:
- Business Unit
- Data Access Set
- ERP/HCM Data Role
23
Oracle Advanced Access Controls Use Case
Sample AAC SOD Rule
SOD Rule: Hire Employee and Pay Employees
Business Activities: Manage Employee X Manage Payroll
Entitlements: Manage Employee Entitlement X Manage Payroll Entitlement
24
Oracle Advanced Access Controls Use Case
Implementation
Advanced Access Controls Project Scope
- Configure SOD ruleset and Privilege mapping used during the implementation
- Centralized user group that manages the configuration of controls and systematically responds to SOD Incidents
Advanced Access Controls Project Experience
- Unit Test: Security Team reviews SOD Violations to identify:
  - Role False-Positives
  - AAC configuration corrections
  - Global Conditions to remove unneeded incidents (i.e. removing Inquiry Roles)
- User Acceptance Test: Review Incidents with Business to identify:
  - User Access Revocation
  - Mitigating Controls for required controls
25
Oracle Advanced Access Controls Use Case
Lessons Learned
- Implement AAC during the implementation to fix false positives early and to track compliance from day one
- Allow ample time to understand the incident outputs, review with business, and re-test role and user access
- Oracle AAC does not prevent SOD violations. Role Management and User Provisioning governance processes are updated to include the use of AAC SOD checks in advance of adding new access in production.
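The sample rule, the inquiry-role global condition and the pre-provisioning check from the preceding slides can be worked through in a few lines of Python. This is an added example, not Oracle AAC code or its API; every role, duty, privilege and user name below is constructed for illustration.

```python
from itertools import product

# Constructed hierarchy (hypothetical names): job role -> duty roles -> privileges.
JOB_TO_DUTY = {
    "HR_SPECIALIST_JOB": ["MANAGE_EMPLOYEE_DUTY"],
    "PAYROLL_MANAGER_JOB": ["MANAGE_PAYROLL_DUTY"],
    "PAYROLL_INQUIRY_JOB": ["VIEW_PAYROLL_DUTY"],
}
DUTY_TO_PRIV = {
    "MANAGE_EMPLOYEE_DUTY": ["HIRE_EMPLOYEE"],
    "MANAGE_PAYROLL_DUTY": ["CALCULATE_PAYROLL"],
    "VIEW_PAYROLL_DUTY": ["VIEW_PAYROLL_RESULTS"],
}
USER_ROLES = {  # constructed user assignments
    "alice": ["HR_SPECIALIST_JOB", "PAYROLL_MANAGER_JOB"],
    "bob": ["HR_SPECIALIST_JOB", "PAYROLL_INQUIRY_JOB"],
    "carol": ["PAYROLL_MANAGER_JOB"],
}
# The slide's rule: two entitlements (sets of access points) that must not meet.
RULE = {
    "name": "Hire Employee and Pay Employees",
    "manage_employee": {"HIRE_EMPLOYEE"},
    "manage_payroll": {"CALCULATE_PAYROLL", "VIEW_PAYROLL_RESULTS"},
}
INQUIRY_ROLES = frozenset({"PAYROLL_INQUIRY_JOB"})  # global condition: ignore these

def access_paths(job_roles, excluded=frozenset()):
    """Expand job roles into (job role, duty role, privilege) paths."""
    return [(job, duty, priv)
            for job in job_roles if job not in excluded
            for duty in JOB_TO_DUTY.get(job, [])
            for priv in DUTY_TO_PRIV.get(duty, [])]

def incidents(job_roles, rule=RULE, excluded=frozenset()):
    """One incident per pair of paths that reach both sides of the rule."""
    paths = access_paths(job_roles, excluded)
    side_a = [p for p in paths if p[2] in rule["manage_employee"]]
    side_b = [p for p in paths if p[2] in rule["manage_payroll"]]
    return list(product(side_a, side_b))

def analyze(user_roles, excluded=frozenset()):
    """Map each user with at least one incident to that user's incidents."""
    found = {u: incidents(r, RULE, excluded) for u, r in user_roles.items()}
    return {u: i for u, i in found.items() if i}

def simulate_grant(user, new_role, excluded=frozenset()):
    """Pre-provisioning check: incidents a new role would add for this user."""
    current = USER_ROLES.get(user, [])
    before = incidents(current, RULE, excluded)
    return [i for i in incidents(current + [new_role], RULE, excluded)
            if i not in before]
```

Each incident keeps the full job role, duty role and privilege path on both sides, which is the detail a reviewer needs to decide between revoking access, correcting the role, or recording a mitigating control.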
27
Oracle Risk Management Customers
….and more!
28
Oracle Risk Management User Forums
conference presentations, product updates, training materials, Q&A etc. cloudcustomerconnect.oracle.com
29
Oracle Risk Management – Learn More
Get started, documentation, release notes, training. Guided Tours Path to Success Training Personal Guidance User Documentation Release Readiness Forum