cs comply and audit v1.6
DESCRIPTION
SOD and Auditing Solution for Oracle EBS
TRANSCRIPT
Handling Segregation of Duties and Auditing in Oracle E-Business Suite
Slavik Gimelbrand
Complementary Solutions Manager, One1up Applications
Copyright © 1999-2010 CaoSys Limited. All rights reserved.Oracle and Oracle E-Business Suite are trademarks or registered trademarks of Oracle Corporation
Agenda
• Introduction
• Problem Statement/Business Challenges
• Introducing CS*Comply
• Features at a glance
• Enterprise Packs
• Examples/Screenshots
• Live Demonstration
• Key Benefits/Value Proposition
• Q&A
Problem Statement/Business Challenges
• Oracle E-Business Suite is very complex
  o Thousands of users
  o Hundreds of responsibilities
  o Thousands of functions
  o Thousands of menus
  o Potentially millions of access combinations
• Lack of Access Controls
  o Too many privileged users
  o Effective SOD is difficult to achieve and maintain (if not impossible)
  o Multi-faceted...
    • Conflicting function pairs
    • High-risk single functions (SQL Forms)
    • Functions exposing sensitive data
Problem Statement/Business Challenges
• Look for a suite that offers...
  o Handling of both traditional SOD risks as well as sensitive functions
  o Multiple preventive controls
  o Ability to use rules in preventive and detective mode
  o No additional hardware/software required
  o Simple installation and reduced implementation
• Look for a company that offers...
  o Risk-based content
  o A one-stop shop for compliance needs
  o More than just traditional SOD and auditing
  o Pre-seeded solutions to real EBS issues
CaoSys Solution Suite
• A comprehensive suite of solutions...
  o Improving efficiency with productivity solutions
  o Delivering assurance through compliance
[Diagram: CS*Applications. CS*Compliance Suite: CS*Audit (incl. optional E*Pack), CS*Comply (incl. optional E*Pack), CS*Secure, CS*Proviso (SaaS). Productivity: CS*Accelerate, CS*Enquire, CS*Form.]
Introducing
Introducing CS*Comply
CS*Comply is a class-leading solution for implementing your user access/SOD controls in Oracle E-Business Suite.
CS*Comply helps ensure that the risks associated with inappropriate access are mitigated without delay.
Advantages of CS*Comply
• Advantages over other solutions...
  o Beyond SOD: comprehensive solution to address all User Access Control risks – SOD, Single Function, Sensitive Data
  o Ability to put individual rules in Preventive mode while leaving others in Detective mode
  o Automation of other control issues such as password control/monitoring
  o Other best practices such as monitoring of generic users, high risk responsibilities, policy exceptions, high risk single functions, high risk SOD rules
  o Embedded into Oracle EBS
  o Fast installation and implementation
  o Greatly reduced costs
Advantages of CS*Comply
• CS*Comply addresses all issues in the problem statement and more...
  o Powerful and comprehensive SOD solution
  o Protects conflict pairs
  o Deals with high risk single functions
  o Guards forms that expose sensitive data
  o Comprehensive SOD matrix available…
    • More than 600 rules covering well over 45,000 known function based risks in Oracle EBS
  o Cost effective
    • Low cost
    • Reduced implementation/configuration, further reducing costs
  o Time effective
    • Installation – typically less than 1 hour
    • Can be effective from day one
    • Reduced implementation/configuration
At a Glance – Access Controls/SOD
• Very fast Conflict Scanning Engine
• 100% integrated into Oracle E-Business Suite
• Multiple Preventive controls
• Detective mode controls
• Access Request system
• Built-in Notification Engine
• Rank based Alert system
• Violation processing by user, responsibility and rule
• Comprehensive and easy to use reporting with the Conflict Enquirer
• Several interactive violation inquiry screens
• Setup and violation reports
• AccessGuard for brute force access control
• Entity based function grouping
At a Glance – Access Controls/SOD
• Multiple approvers
• Class driven conflict matrix
• User/Responsibility/Menu Exception system
• Handles common false positives…
  o View only menus
  o Query only functions
  o Buyer/Shipping Functions
• XML support for exporting/importing content
• User friendly
• Simple to install
• Native look and feel
• Integrated with CS*Applications
• Available for 11i and R12 (supports R12’s proxy functionality)
At a Glance – Best Practices/CCM
• Define password expiration policy globally
• Restricted users screen for changing passwords only (optional, no cost)
• Restricted users screen for creating new users only (optional, no cost)
• Find users without password expiration policy
• Password policy violations
• Users logged in multiple times
• Users linked to multiple employees
• Generic login responsibility assignments
• Users with high risk responsibilities
• High risk responsibility user tracking (Professional Forms & OAF)
• High Risk Concurrent Program Usage Tracking
• Various User/Function/Menu/Responsibility
• Delegation Monitoring
  o Worklist Access, Vacation Rules
Access Control/SOD Enterprise Packs
• Pre-seeded content (optional)...
  o Covering well over 45,000 known function conflicts/risks
  o Traditional SOD – Conflicting function pairs
  o Beyond SOD – Common and often overlooked conflict pairs
  o Sensitive Data – Highly sensitive data
  o High Risk Single Functions
  o Including all known SQL forms
  o Ready to go out of the box
CS*Comply Enterprise Pack: Hire to Pay, Financial Close, Inventory Management, Order to Cash, Procure to Pay, System Administration
Access Controls/SOD - Example
• The System Administrator Responsibilities function is a typical function to which access should be restricted. We will now show a number of screenshots demonstrating how CS*Comply helps you implement your Access Controls.
Conflict Matrix
• For this example, Responsibilities is listed as a high risk single function
Conflict Scanning Engine
• Conflict Scanning Engine (CSE)...
  o Scans the system for existing conflicts
  o Invoke interactively or concurrently
  o Very fast
  o Run by rule, by class, by user or for the whole system
  o No baseline/snapshot needed
Conflict Enquirer
• Conflict Enquirer – provides fast and detailed analysis of conflicts...
  o Intra/Inter responsibility
  o Intra/Inter menu
  o By Responsibility
  o By User
  o By Rule
  o By Menu
  o By Function
  o Common False Positives
  o Menu Visibility
  o Single Function/Conflict Pairs
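The scan and the intra/inter-responsibility analysis described on the CSE and Conflict Enquirer slides, as an added example that is not CaoSys code: the users, responsibilities, menus, functions and rules below are constructed, and the query-only exclusion stands in for the product's exception system.

```python
"""Added example, not CaoSys code: a minimal conflict scanning engine over
constructed Oracle EBS-style data (users -> responsibilities -> menus ->
functions).  Rules are conflicting pairs or high-risk single functions;
query-only functions are excluded as a common false positive."""
from dataclasses import dataclass

# Constructed menu tree: menu -> (functions on the menu, sub-menus)
MENUS = {
    "AP_MAIN": ({"AP_INVOICE_ENTRY", "AP_INVOICE_QUERY"}, {"AP_PAY"}),
    "AP_ENTRY": ({"AP_INVOICE_ENTRY"}, set()),
    "AP_PAY": ({"AP_PAYMENT_RUN"}, set()),
    "AP_INQUIRY": ({"AP_INVOICE_QUERY"}, set()),
    "SYSADMIN": ({"FND_RESPONSIBILITIES", "FND_USERS"}, set()),
}
RESP_MENU = {"AP Clerk": "AP_MAIN", "AP Entry": "AP_ENTRY", "AP Payments": "AP_PAY",
             "AP Inquiry": "AP_INQUIRY", "System Administrator": "SYSADMIN"}
USER_RESPS = {
    "ALICE": ["AP Clerk"],                        # one responsibility grants both sides
    "BOB": ["AP Inquiry", "System Administrator"],
    "CAROL": ["AP Inquiry"],                      # query-only access: no violation
    "DAVE": ["AP Entry", "AP Payments"],          # conflict only across responsibilities
}
QUERY_ONLY = {"AP_INVOICE_QUERY"}  # exception list for common false positives

@dataclass(frozen=True)
class Rule:
    name: str
    rank: str             # feeds a rank-based alert system
    functions: frozenset  # one function = high-risk single, two = conflict pair

RULES = [
    Rule("Enter and pay invoices", "High", frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"})),
    Rule("Responsibilities form", "High", frozenset({"FND_RESPONSIBILITIES"})),
    Rule("Query and pay invoices", "Low", frozenset({"AP_INVOICE_QUERY", "AP_PAYMENT_RUN"})),
]

def menu_functions(menu):
    """Flatten a menu and its sub-menus into the set of reachable functions."""
    funcs, subs = MENUS[menu]
    return set(funcs).union(*(menu_functions(s) for s in subs))

def resp_functions(resp):
    """Effective functions of a responsibility, minus the query-only exceptions."""
    return menu_functions(RESP_MENU[resp]) - QUERY_ONLY

def scan_user(user):
    """Violations for one user as (rule, rank, scope, responsibilities): scope is
    'intra' when one responsibility grants the whole rule, 'inter' when the
    conflict only arises across the user's responsibilities."""
    access = {r: resp_functions(r) for r in USER_RESPS[user]}
    union = set().union(*access.values())
    hits = []
    for rule in RULES:
        if not rule.functions <= union:
            continue
        intra = tuple(r for r, f in access.items() if rule.functions <= f)
        scope = "intra" if intra else "inter"
        resps = intra or tuple(r for r, f in access.items() if f & rule.functions)
        hits.append((rule.name, rule.rank, scope, resps))
    return hits

def scan_system():
    """Whole-system scan, keeping only users with at least one violation."""
    return {u: hits for u in USER_RESPS if (hits := scan_user(u))}
```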
Conflict Analysis - Conflict Enquirer
Conflict Analysis - Conflict Enquirer
Conflict Inquiry/Reporting
• Conflict inquiry/reporting...
  o Intra-responsibility
  o Intra-menu
  o By Rule
  o By Responsibility
  o By User
  o By Function
  o By Function Group
  o By Class
  o …more
Real-Time Prevention & Access Requests
• Real-Time Prevention for Professional Forms based screens at the time of access (and OAF pages depending on release)...
  o Before, during and after remediation
  o Go live before, during or after remediation
Real-Time Notification
• Real-Time Notification...
  o Sent to authorisers
  o Sent to user making request
Access Requests
• Access Requests (for Professional Forms)...
  o Authorise, Deny or Revoke
  o Authorise on a temporary basis (automatically expires)
  o Notification Group members notified of authorisations
Responsibility Assignment Prevention
• Responsibility assignments that would result in a conflict are prevented in real-time
AccessGuard
• AccessGuard...
  o Instant brute force prevention
  o Access by exception only
  o Protects Professional Forms (and OAF Pages depending on release)
  o Included with CS*Comply
Best Practice/CCM Examples
• Password control/monitoring…
  o Set Password Policy globally
  o Users without password policy
  o Password policy violations
Best Practice/CCM Examples
• User/Employee monitoring...
  o Users not linked to an employee
  o Employees linked to multiple users
  o Users logged in more than once
  o …many more
Best Practice/CCM Examples
• Login/Responsibility monitoring…
  o Users with high risk responsibilities
  o Generic login responsibility assignments
  o …many more
Best Practice/CCM Examples
• Concurrent Program monitoring…
  o High risk concurrent program usage tracking
  o Users with high risk concurrent program access
Best Practice/CCM Examples
• Delegation monitoring…
  o Worklist access
  o Vacation rules
Demonstration
Key Benefits/Value Proposition
• CS*Comply brings many benefits...
  o Out of the Box Solution
  o Substantial Time Savings
  o Considerable Cost Savings
  o Tightly Integrated
  o Reduced Burden on IT
  o Unique functionality
  o Very easy to use
  o Fully embedded into Oracle E-Business Suite
  o Native look and feel, users feel at home
  o No external tools to get to grips with
  o Developed (in part) using our own Extreme RAD tool, CS*Form – easy and very fast to enhance and extend
  o Simple installation (the whole suite installs in less than 1 hour)
  o Rapid implementation
  o Rapid return on investment
GRC Webinar Series
CS*Compliance Suite
• A Powerful and Affordable GRC Solution for Oracle EBS
• Handling Segregation of Duties in Oracle EBS
• A Powerful and Effective Auditing Solution for Oracle EBS
• Implementing Application Controls in Oracle EBS
• Data Security for Oracle EBS
Introducing
Problem Statement
• Inadequate auditing in the standard audit trail
  o Lack of fine grained auditing, resulting in audit overkill
  o Querying audit data is arduous
  o Data growth / management issues
  o Audit trail not understandable due to lack of metadata from other tables
  o Same issue with log based solutions, which can't grab data from other tables when writing the audit records
  o A proper audit trail is critical for reliance on application controls under Auditing Standard 5
  o Certain forms without a proper audit trail leave you exposed to fraud
  o Tracking of activity in SQL forms is an essential IT General Control
Problem Statement
• GRC/auditing solutions are typically expensive
• Achieving compliance (SOX, PCI, etc.) can be a time consuming and very costly task
• Many solutions are difficult to use out of the box
  o Lengthy implementation/configuration
An Alternate Solution
• CS*Audit addresses all issues in the problem statement...
  o Fine-grained and rule driven audit solution
    • Hierarchical, fine grained and rule driven audit policies
    • Comprehensive audit details captured
    • Easy to use query tool
    • Over 100 audit policies defined out of the box
  o Cost effective
    • Low cost
    • Reduced implementation/configuration, further reducing costs
  o Time effective
    • Installation – 1 hour
    • Effective from day one
    • Reduced implementation/configuration
At a Glance – Auditing
• Transactional data auditing
• Database wide auditing
• Structured, rule driven auditing
• Fine grained auditing
• Detailed and extensible audit trail
• User friendly auditing
• On-screen/off-screen audit enquiry
• Security conscious
• Transportable audit solutions (via XML)
• Pre-seeded audit solutions
  o Over 100 audit solutions already defined
Audit Enterprise Packs
• Pre-seeded content...
  o Including more than 100 tables to audit
  o Covering over 2,000 data points
  o Common data translations included
  o Ready to go out of the box
CS*Audit Enterprise Pack: Application Object Library, General Ledger, Human Resources, Order Management, Payables, Purchasing, Receivables
How CaoSys solutions address your audit requirements
Auditing - Example
• The Users table within Oracle E-Business Suite is a typical table that you should audit; here we have a number of screenshots demonstrating the auditing capabilities of CS*Audit.
Auditing - Hierarchical
• Audit policies are hierarchical
  o Classes and Sets of audit entities for easy management
Auditing – Full Control
• Choose what to audit...
  o Inserts
  o Deletes
  o Updates
Auditing – Fine Grained & Rule Driven
• Audit policies are fine grained and rule driven...
  o Check criteria before auditing (e.g. invoice greater than $1000)
  o Additional context used to determine whether to audit (e.g. only audit within a specific responsibility)
  o Helps prevent audit overkill
  o Self managing audit data (auto-purge)
Auditing – Hierarchical Rules
• Audit rules can be applied at multiple levels...
  o Set level
  o Class level
Auditing – Security Conscious
• Control who can view audit data from within the CS*Audit Enquirer
  o Clone setup to all Entities in same Set or Class
Auditing – Transportable
• Audit policies are easily transportable...
  o Import and export using standard XML
Auditing – Lookups/Translations
• Perform lookups/translations at the time of audit
  o Bring in additional data to make audit data more meaningful
Auditing – Detailed and Extensible
• Highly detailed and extensible audit trail...
  o More than just the who and the when
  o Include any number of lookup values during the audit transaction (e.g. grab the vendor name as well as the vendor ID)
  o Includes a number of predefined attributes such as hostname, DB domain, etc.
  o Clone setup to all Entities in same Set or Class
Auditing – Version Controlled
• Audit Policies are automatically version controlled...
  o All previous versions of audit policy retained
  o All previously audited data is retained even if the policy definition is changed
Auditing – Database Wide
• Auditing is not limited to Oracle E-Business data; you can audit any data that is accessible from within the database.
• Audit data from within any module of the Oracle E-Business Suite; for example, you may want to audit the AOL or the data within Payables or Purchasing.
• Audit custom data for any table within the Oracle database.
Auditing – Powerful Query Tool
• CS*Audit reporting...
  o Answer questions like “who changed the Users table last in the last 12 hours from within the System Administrator responsibility”
  o Very easy to use
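An added example, not CaoSys code, that ties together the fine-grained criteria and responsibility context, the lookups and predefined attributes, the retained policy versions, and the "who changed a table in the last 12 hours within one responsibility" query from the preceding auditing slides. The tables, columns, users, responsibilities, hostname, clock and vendor lookup data are all constructed.

```python
"""Added example, not CaoSys code: a rule-driven audit policy evaluator with
criteria, responsibility context, lookups, predefined attributes, retained
policy versions and a query over the trail.  All data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

VENDORS = {101: "Acme Supplies", 102: "Globex"}  # constructed lookup source
NOW = datetime(2010, 6, 1, 12, 0)                 # constructed clock for the sample

@dataclass(frozen=True)
class Policy:
    entity: str               # table being audited
    version: int
    operations: frozenset     # subset of {"INSERT", "UPDATE", "DELETE"}
    criteria: object          # callable(row) -> bool, e.g. amount > 1000
    context_resps: frozenset  # audit only inside these responsibilities (empty = any)
    lookups: dict             # column -> callable(value) -> translated value

@dataclass
class AuditStore:
    policies: dict = field(default_factory=dict)  # entity -> list of versions
    trail: list = field(default_factory=list)

    def publish(self, policy):
        """Add a new policy version; earlier versions and their data are retained."""
        versions = self.policies.setdefault(policy.entity, [])
        if versions and policy.version <= versions[-1].version:
            raise ValueError("policy versions must increase")
        versions.append(policy)

    def current(self, entity):
        versions = self.policies.get(entity)
        return versions[-1] if versions else None

    def record(self, entity, op, old, new, ctx):
        """Evaluate the current policy for one row change.  Returns the audit
        record written, or None when the policy decides not to audit."""
        pol = self.current(entity)
        if pol is None or op not in pol.operations:
            return None
        if pol.context_resps and ctx["responsibility"] not in pol.context_resps:
            return None
        row = new if new is not None else old
        if not pol.criteria(row):
            return None
        old, new = old or {}, new or {}
        changes = {c: (old.get(c), new.get(c)) for c in old.keys() | new.keys()
                   if old.get(c) != new.get(c)}
        rec = {"entity": entity, "op": op, "policy_version": pol.version,
               "user": ctx["user"], "responsibility": ctx["responsibility"],
               "hostname": ctx["hostname"], "when": ctx["when"], "changes": changes,
               "lookups": {c: f(row[c]) for c, f in pol.lookups.items() if c in row}}
        self.trail.append(rec)
        return rec

    def query(self, entity, now, hours, responsibility=None):
        """Who changed `entity` in the last `hours`, optionally within one responsibility."""
        since = now - timedelta(hours=hours)
        return [r for r in self.trail
                if r["entity"] == entity and r["when"] >= since
                and (responsibility is None or r["responsibility"] == responsibility)]
```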
Auditing – Powerful Query Tool
• CS*Audit reporting...
  o Drill down by Year, Month, Day and Time
Auditing – Powerful Query Tool
• CS*Audit reporting...
  o Drill down by Class, Set, Entity hierarchy
Auditing – Report
• CS*Audit reporting...
  o Print audit data...
Key Benefits
• CS*Audit brings many benefits...
  o Out of the Box Solution
  o Substantial Time Savings
  o Considerable Cost Savings
  o Embedded with Oracle E-Business Suite
  o Integrated with CS*Applications
  o Reduced Burden on IT
  o Installed and auditing within a couple of hours
Q&A