Cs Comply And Audit V1.6

Date post: 26-Jun-2015
Upload: slavik-gimelbrand
Description:
SOD and Auditing Solution for Oracle EBS
Handling Segregation of Duties and Auditing in Oracle E-Business Suite

Slavik Gimelbrand
Complementary Solutions Manager
One1up Applications

Copyright © 1999-2010 CaoSys Limited. All rights reserved. Oracle and Oracle E-Business Suite are trademarks or registered trademarks of Oracle Corporation.

Agenda

• Introduction
• Problem Statement/Business Challenges
• Introducing CS*Comply
• Features at a glance
• Enterprise Packs
• Examples/Screenshots
• Live Demonstration
• Key Benefits/Value Proposition
• Q&A

Problem Statement/Business Challenges

• Oracle E-Business Suite is very complex
  o Thousands of users
  o Hundreds of responsibilities
  o Thousands of functions
  o Thousands of menus
  o Potentially millions of access combinations
• Lack of Access Controls
  o Too many privileged users
  o Effective SOD is difficult to achieve and maintain (if not impossible)
  o Multi-faceted...
    • Conflicting function pairs
    • High-risk single functions (SQL Forms)
    • Functions exposing sensitive data

Problem Statement/Business Challenges

• Look for a suite that offers...
  o Handling of both traditional SOD risks as well as sensitive functions
  o Multiple preventive controls
  o Ability to use rules in preventive and detective mode
  o That does not require additional hardware/software
  o Simple installation and reduced implementation
• Look for a company that offers...
  o Risk-based content
  o One-stop shop for compliance needs
  o Offers more than just traditional SOD and auditing
  o Offers pre-seeded solutions to real EBS issues

CaoSys Solution Suite

• A comprehensive suite of solutions...
  o Improving efficiency with productivity solutions
  o Delivering assurance through compliance

[Diagram labels: CS*Applications; CS*Compliance Suite; CS*Accelerate; CS*Audit (incl. optional E*Pack); CS*Comply (incl. optional E*Pack); CS*Secure; SaaS; CS*Proviso; Productivity; CS*Accelerate, CS*Enquire, CS*Form]

Introducing

Introducing CS*Comply

CS*Comply is a class leading solution for implementing your user access/SOD controls in Oracle E-Business Suite.

CS*Comply helps ensure that the risks associated with inappropriate access are mitigated without delay.

Advantages of CS*Comply

• Advantages over other solutions...
  o Beyond SOD: Comprehensive solution to address all User Access Control risks – SOD, Single Function, Sensitive Data
  o Ability to put individual rules in Preventive mode while leaving others in Detective mode
  o Automation of other control issues such as password control/monitoring
  o Other best practices such as monitoring of generic users, high risk responsibilities, policy exceptions, high risk single functions, high risk SOD rules
  o Embedded into Oracle EBS
  o Fast installation and implementation
  o Greatly reduced costs

Advantages of CS*Comply

• CS*Comply addresses all issues in the problem statement and more...
  o Powerful and comprehensive SOD solution
  o Protects conflict pairs
  o Deals with high risk single functions
  o Guards forms that expose sensitive data
  o Comprehensive SOD matrix available…
    • More than 600 rules covering well over 45,000 known function based risks in Oracle EBS
  o Cost Effective
    • Low cost
    • Reduced implementation/configuration further reducing costs
  o Time effective
    • Installation – Typically less than 1 hour
    • Can be effective from day one
    • Reduced implementation/configuration

At a Glance – Access Controls/SOD

• Very fast Conflict Scanning Engine
• 100% integrated into Oracle E-Business Suite
• Multiple Preventive controls
• Detective mode controls
• Access Request system
• Built-in Notification Engine
• Rank based Alert system
• Violation processing by user, responsibility and rule
• Comprehensive and easy to use reporting with the Conflict Enquirer
• Several interactive violation inquiry screens
• Setup and violation reports
• AccessGuard for brute force access control
• Entity based function grouping

At a Glance – Access Controls/SOD

• Multiple approvers
• Class driven conflict matrix
• User/Responsibility/Menu Exception system
• Handles common false positive…
  o View only menus
  o Query only functions
  o Buyer/Shipping Functions
• XML support for export/importing content
• User friendly
• Simple to install
• Native look and feel
• Integrated with CS*Applications
• Available for 11i and R12 (supports R12’s proxy functionality)

At a Glance – Best Practices/CCM

• Define password expiration policy globally
• Restricted users screen for changing passwords only (optional, no cost)
• Restricted users screen for creating new users only (optional, no cost)
• Find users without password expiration policy
• Password policy violations
• Users logged in multiple times
• Users linked to multiple employees
• Generic login responsibility assignments
• Users with high risk responsibilities
• High risk responsibility user tracking (Professional Forms & OAF)
• High Risk Concurrent Program Usage Tracking
• Various User/Function/Menu/Responsibility
• Delegation Monitoring
  o Worklist Access, Vacation Rules

Access Control/SOD Enterprise Packs

• Pre-seeded content (optional)...
  o Covering well over 45,000 known function conflicts/risks
  o Traditional SOD – Conflicting function pairs
  o Beyond SOD – Common and often overlooked conflict pairs
  o Sensitive Data – Highly sensitive data
  o High Risk Single Functions
  o Including all known SQL forms
  o Ready to go out of the box

[Diagram: CS*Comply Enterprise Pack: Hire to Pay, Financial Close, Inventory Management, Order to Cash, Procure to Pay, System Administration]

Access Controls/SOD - Example

• The System Administrator Responsibilities function is a typical function to which access should be restricted. We will now show you a number of screenshots demonstrating how CS*Comply helps you implement your Access Controls.

Conflict Matrix

• For this example, Responsibilities is listed as a high risk single function

Conflict Scanning Engine

• Conflict Scanning Engine (CSE)...
  o Scan the system for existing conflicts
  o Invoke interactively or concurrently
  o Very fast
  o Run by rule, by class, by user and for the whole system
  o No baseline/snapshot needed

Conflict Enquirer

• Conflict Enquirer – provides fast and detailed analysis of conflicts...
  o Intra/Inter responsibility
  o Intra/Inter menu
  o By Responsibility
  o By User
  o By Rule
  o By Menu
  o By Function
  o Common False Positives
  o Menu Visibility
  o Single Function/Conflicts Pairs

Conflict Analysis - Conflict Enquirer

Conflict Analysis - Conflict Enquirer

Conflict Inquiry/Reporting

• Conflicts inquiry/reporting...
  o Intra-responsibility
  o Intra-menu
  o By Rule
  o By Responsibility
  o By User
  o By Function
  o By Function Group
  o By Class
  o …more

Real-Time Prevention & Access Requests

• Real-Time Prevention for Professional Forms based screens at the time of access (and OAF pages depending on release)...
  o Before, during and after remediation
  o Go live before, during or after remediation

Real-Time Notification

• Real-Time Notification...
  o Sent to authorisers
  o Sent to user making request

Access Requests

• Access Requests (for Professional Forms)...
  o Authorise, Deny or Revoke
  o Authorise on a temporary basis (automatically expires)
  o Notification Group members notified of authorisations

Responsibility Assignment Prevention

• Responsibility assignments that would result in a conflict are prevented in real-time

AccessGuard

• AccessGuard...
  o Instant brute force prevention
  o Access by exception only
  o Protects Professional Forms (and OAF Pages depending on release)
  o Included with CS*Comply

Best Practice/CCM Examples

• Password control/monitoring…
  o Set Password Policy globally
  o Users without password policy
  o Password policy violations

Best Practice/CCM Examples

• User/Employee monitoring...
  o Users not linked to an employee
  o Employees linked to multiple users
  o Users logged in more than once
  o …many more

Best Practice/CCM Examples

• Login/Responsibility monitoring…
  o Users with high risk responsibilities
  o Generic login responsibility assignments
  o …many more

Best Practice/CCM Examples

• Concurrent Program monitoring…
  o High risk concurrent program usage tracking
  o Users with high risk concurrent program access

Best Practice/CCM Examples

• Delegation monitoring…
  o Worklist access
  o Vacation rules

Demonstration

Key Benefits/Value Proposition

• CS*Comply brings many benefits...
  o Out of the Box Solution
  o Substantial Time Savings
  o Considerable Cost Savings
  o Tightly Integrated
  o Reduced Burden on IT
  o Unique functionality
  o Very easy to use
  o Fully embedded into Oracle E-Business Suite
  o Native look and feel, users feel at home
  o No external tools to get to grips with
  o Developed (in-part) using our own Extreme RAD tool, CS*Form – easy and very fast to enhance and extend
  o Simple installation (the whole suite installs in less than 1 hour)
  o Rapid implementation
  o Rapid return on investment

GRC Webinar Series

[Diagram: CS*Compliance Suite webinar topics]
• A Powerful and Affordable GRC Solution for Oracle EBS
• Handling Segregation of Duties in Oracle EBS
• A Powerful and Effective Auditing Solution for Oracle EBS
• Implementing Application Controls in Oracle EBS
• Data Security for Oracle EBS

Introducing

Problem Statement

• Inadequate auditing in standard audit trail
  o Lack of fine grained auditing resulting in audit overkill
  o Querying audit data is arduous
  o Data growth / management issues
  o Audit trail not understandable due to lack of metadata from other tables
  o Same issue with log based solutions that can't grab data from other tables when writing the audit records
  o A proper audit trail is critical for reliance on application controls under Auditing Standard 5
  o Certain forms without a proper audit trail leave you exposed to fraud
  o Tracking of activity in SQL forms is an essential IT General Control

Problem Statement

• GRC/auditing solutions are typically expensive
• Achieving compliance (SOX, PCI...etc) can be a time consuming and very costly task
• Many solutions are difficult to use out of the box
  o Lengthy implementation/configuration

An Alternate Solution

• CS*Audit addresses all issues in the problem statement...
  o Fine-grained and rule driven audit solution
    • Hierarchical, fine grained and rule driven audit policies
    • Comprehensive audit details captured
    • Easy to use query tool
    • Over 100 audit policies defined out of the box
  o Cost Effective
    • Low cost
    • Reduced implementation/configuration further reducing costs
  o Time effective
    • Installation – 1 hour
    • Effective from day one
    • Reduced implementation/configuration

At a Glance – Auditing

• Transactional data auditing
• Database wide auditing
• Structured, rule driven auditing
• Fine grained auditing
• Detailed and extensible audit trail
• User friendly auditing
• On-screen/off-screen audit enquiry
• Security conscious
• Transportable audit solutions (via XML)
• Pre-seeded audit solutions
  o Over 100 audit solutions already defined

Audit Enterprise Packs

• Pre-seeded content...
  o Including more than 100 tables to audit
  o Covering over 2,000 data points
  o Common data translations included
  o Ready to go out of the box

[Diagram: CS*Audit Enterprise Pack: Application Object Library, General Ledger, Human Resources, Order Management, Payables, Purchasing, Receivables]

How CaoSys solutions address your audit requirements

Auditing - Example

• The Users table within the Oracle E-Business Suite is a typical table that you should audit; here we have a number of screenshots demonstrating the auditing capabilities of CS*Audit.

Auditing - Hierarchical

• Audit policies are hierarchical
  o Classes and Sets of audit entities for easy management

Auditing – Full Control

• Choose what to audit...
  o Inserts
  o Deletes
  o Updates

Auditing – Fine Grained & Rule Driven

• Audit policies are fine grained and rule driven...
  o Check criteria before auditing (e.g. invoice greater than $1000)
  o Additional context used to determine audit (e.g. only audit within a specific responsibility)
  o Helps prevent audit-overkill
  o Self managing audit data (auto-purge)

Auditing – Hierarchical Rules

• Audit rules can be applied at multiple levels...
  o Set level
  o Class level

Auditing – Security Conscious

• Control who can view audit data from within the CS*Audit Enquirer
  o Clone setup to all Entities in same Set or Class

Auditing – Transportable

• Audit policies are easily transportable...
  o Import and export using standard XML

Auditing – Lookups/Translations

• Perform lookups/translations at the time of audit
  o Bring in additional data to make audit data more meaningful

Auditing – Detailed and Extensible

• Highly detailed and extensible audit trail...
  o More than just the who and the when
  o Include any number of lookup values during the audit transaction (e.g. grab vendor name as well as vendor ID)
  o Includes a number of predefined attributes such as hostname, DB domain...etc
  o Clone setup to all Entities in same Set or Class

Auditing – Version Controlled

• Audit Policies are automatically version controlled...
  o All previous versions of audit policy retained
  o All previously audited data is retained even if policy definition is changed

Auditing – Database Wide

• Auditing is not limited to Oracle E-Business data; you can audit any data that is accessible from within the database.

• Audit data from within any module of the Oracle E-Business Suite. For example, you may want to audit the AOL or the data within Payables or Purchasing.

• Audit custom data for any table within the Oracle database.

Auditing – Powerful Query Tool

• CS*Audit reporting...
  o Answer questions like “who last changed the Users table in the last 12 hours from within the System Administrator responsibility”
  o Very easy to use

Auditing – Powerful Query Tool

• CS*Audit reporting...
  o Drill down by Year, Month, Day and Time

Auditing – Powerful Query Tool

• CS*Audit reporting...
  o Drill down by Class, Set, Entity hierarchy

Auditing – Report

• CS*Audit reporting...
  o Print audit data...

Key Benefits

• CS*Audit brings many benefits...
  o Out of the Box Solution
  o Substantial Time Savings
  o Considerable Cost Savings
  o Embedded with Oracle E-Business Suite
  o Integrated with CS*Applications
  o Reduced Burden on IT
  o Installed and auditing within a couple of hours

Q&A
