TRANSCRIPT
#JDEINFOCUS
Linda Nelson, August 21, 2018
Security Compliance: More Than Just Segregation of Duties
Agenda
Compliance
What to Look For
Specifics
Wrap Up
Security
Roles
Best Practice in JDE
Risk Management
Task Views
Who is ALLOut Security?
Security Management: Efficient Role Management; All Security Records in Grids; Automatically resolve security conflicts
User Management: One Click Provisioning; Manage unused user IDs
Menu Management: Manage Menus in a Grid; Version Management in a Grid; Security Management by Menu
Reporting: User, Security and Menu; Audit History; Delivered, Simple and Auditable
Compliance: Segregation of Duties, SOX and JSOX Reporting; GDPR Support; Section 404 List
Sample Project Automation: Open to Close or Deny All Set Up; Upgrades; Net New Implementation
What is Compliance?
Compliant with What?
Compliance Management
Main Challenges in Implementing Compliance
Budget
Time
Staff/Experience and Team Effort
Planning and implementing
Maintenance
Tips on Achieving Compliance
Develop Awareness
Review your systems, your business and your future.
Examine and find solutions
Find value
Develop a plan
Lean on your community
ERP System
• Comprehensive System
• Sharing Data Effectively
• Eliminates Integrations
• Accelerates Efficiencies
• Better Information
Resulting ERP System Risks
• Reporting Access
• Technical Personnel With Too Much Access
• Timeline Constraints and Prioritization on Implementations
• Security Concerns Lost in the Shuffle
• Serious Gaps in Security and Controls Not Identified Before Go-Live
• Result in Post Go-Live Remediation Projects
Weak ERP security can ultimately lead to not just operational bottlenecks, but fraud, loss of assets, misstatement of financial results, and data privacy compromises.
ALLOut Tools
Access Reporting
SOD Reporting
Audit Trail Report
SOD Locking
Change Control
Mitigating Controls
Requests & Approvals
Controlled Roles
Manage Unused Access
SecurityPlus
CombiRoles
ProfilePlus
MenuPlus
Risk Reporting
Risk Management
Answering to Auditors
• Segregation of Duties – More Frequently
• Critical Access Reporting
• Managing Users Not Accessing the System
• Quarterly User Access Reviews
Where ALLOut Can Help
• Risk Management – Preventative Control
• Testing and approving security changes within the tool and promoting to PD
• Tools to remove access not used
• Automate critical access reporting
• Automate user access reviews
More to Consider
Include External System Access
Implement Mitigating Controls
Review OMW Projects for New Programs with Access Implication
Ensure Risk Assessments are Still Organizationally Relevant
User Access
• Test IDs are Disabled in Production
• Ensure All Users are Included in User Reviews
• Review for Users Not Signing In
• Ensure Users Excluded from Review are Disabled in Production
• Remove Users with No Security Roles
• Ensure System Admins Have No Other Access
• Identify Individual Users With Information For Those Not Compliant with Global Policies
• Restrict Inquiry Roles From Submitting Batch Processes
Inactive User Report
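The user access checks on the slide above (test IDs enabled in production, users with no roles, users not signing in, admins with other access) as one review script. This is an added example, not ALLOut or JDE code; the row layouts, the SYSADMIN role name and the 90-day inactivity window are assumptions, and all rows are constructed.

```python
"""User access review checks from the User Access slide, run over constructed data.

Added example, not ALLOut or JDE code. The row layouts (user status, role
assignments, last sign-in extract), the 'SYSADMIN' role name and the 90-day
inactivity threshold are assumptions made for illustration.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2018, 8, 21)   # constructed "as of" date for the review
INACTIVITY_DAYS = 90              # assumed threshold for "not signing in"

# Constructed sample rows: (user, enabled, is_test_id, is_sysadmin)
USERS = [
    ("JSMITH", True,  False, False),
    ("TEST01", True,  True,  False),   # test ID still enabled in production
    ("ADMIN1", True,  False, True),    # admin who also holds a business role
    ("RJONES", True,  False, False),   # enabled but holds no security role
    ("MLEE",   False, False, False),   # disabled: out of scope for the review
]
ROLES = [("JSMITH", "APSUPER"), ("ADMIN1", "SYSADMIN"),
         ("ADMIN1", "GLCLERK"), ("MLEE", "INQUIRY")]
LAST_SIGNIN = {"JSMITH": date(2018, 8, 20), "ADMIN1": date(2018, 4, 1),
               "RJONES": date(2018, 8, 1)}   # TEST01 has never signed in

def review_user_access(users, roles, last_signin,
                       as_of=REVIEW_DATE, max_idle=INACTIVITY_DAYS):
    """Return {check: sorted user IDs} for the slide's checks, over enabled users only."""
    roles_by_user = {}
    for user, role in roles:
        roles_by_user.setdefault(user, set()).add(role)
    enabled = [u for u in users if u[1]]
    cutoff = as_of - timedelta(days=max_idle)
    return {
        # Test IDs must be disabled in production.
        "test_ids_enabled": sorted(u[0] for u in enabled if u[2]),
        # Enabled users with no security role should be removed.
        "no_roles": sorted(u[0] for u in enabled if not roles_by_user.get(u[0])),
        # No sign-in inside the window; a user who never signed in is flagged too.
        "not_signing_in": sorted(u[0] for u in enabled
                                 if last_signin.get(u[0], date.min) < cutoff),
        # System administrators should hold no other access.
        "admins_with_other_access": sorted(
            u[0] for u in enabled if u[3] and roles_by_user.get(u[0], set()) - {"SYSADMIN"}),
    }

if __name__ == "__main__":
    for check, ids in review_user_access(USERS, ROLES, LAST_SIGNIN).items():
        print(f"{check}: {', '.join(ids) or '-'}")
```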
EU General Data Protection Regulation (GDPR)
Access Reporting
• List of Programs that have access to personal data
• Identification of access paths
Critical Access Report
• All roles that have access to personal data
• All users that have access to personal data
Audit History
• Any changes to the personal data access
• Any changes to programs considered for access
Role assignment request process
• Tracking of approvals and documentation within E1 for granting access to roles with access to personal data.
Unauthorized Access
• Nonconformity With Security or Regulatory Requirements
• Access to Sensitive Data
  • Banking
  • Payroll
  • Product
Critical Data Access
• Review Users with Advanced Access Such as Table Level Access
• Use Encryption on Key Data
• Block Access to Critical Data at a Table Level for *Public/*All
Column (Security Type 2)
Column security grants or restricts access to, and update of, columns of data (i.e. data items). You can control Add/Change/View access.
• Table: Access/update can be restricted to a data item for one or all tables. When applied to *ALL this affects all tables and applications that use the relevant data item.
• Program: Access/update can be restricted for a data item (field) in a specific application. This allows you to deny view or update ability to particular fields in an application. It can be limited to a specific form or version.
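A simplified model of the table-level versus program-level column security described above, showing how a *PUBLIC/*ALL restriction on a data item combines with a narrower program record. This is an added example, not JDE's or ALLOut's code: the record layout, the precedence order and the sample rules are assumptions made for illustration.

```python
"""Simplified resolver for JDE-style column (Type 2) security as described above.

Added example, not JDE's or ALLOut's code. The record layout, the precedence
(a form-level record beats program-level, which beats table-level, which beats
*ALL; then user beats role beats *PUBLIC) and the sample rules are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ColumnRule:
    subject: str                    # user ID, role, or "*PUBLIC"
    data_item: str                  # data dictionary item, e.g. "TAX" (Tax ID)
    table: Optional[str] = None     # table name or "*ALL": table-level scope
    program: Optional[str] = None   # application ID: program-level scope
    form: Optional[str] = None      # optionally limit a program record to one form
    view: bool = True
    add: bool = True
    change: bool = True

    def matches(self, data_item, table, program, form):
        if self.data_item != data_item:
            return False
        if self.program is not None:               # program-level record
            return self.program == program and self.form in (None, form)
        # table-level record: *ALL covers every table and application using the item
        return self.table == "*ALL" or (table is not None and self.table == table)

    def specificity(self, user, roles):
        scope = 3 if self.form else 2 if self.program else 1 if self.table != "*ALL" else 0
        subject = 2 if self.subject == user else 1 if self.subject in roles else 0
        return (scope, subject)                    # higher tuple wins

def resolve_column_access(rules, user, roles, data_item, table=None, program=None, form=None):
    """Effective View/Add/Change for one field in one context; no record means open."""
    applicable = [r for r in rules if r.subject in (user, "*PUBLIC", *roles)
                  and r.matches(data_item, table, program, form)]
    if not applicable:
        return {"view": True, "add": True, "change": True}
    best = max(applicable, key=lambda r: r.specificity(user, roles))
    return {"view": best.view, "add": best.add, "change": best.change}

# Constructed rules: hide Tax ID for everyone everywhere (*PUBLIC/*ALL), then let the
# PAYROLL role view it read-only on one Address Book form.
RULES = [
    ColumnRule("*PUBLIC", "TAX", table="*ALL", view=False, add=False, change=False),
    ColumnRule("PAYROLL", "TAX", program="P01012", form="W01012A", view=True, add=False, change=False),
]
```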
Standard Address Book View
Apply Column Security
Can Still See
Add Column Security
Address Book Personal Data Security
• Alternative for this example
• 7 standard fields protected
• Can add others by modifying B0100095 (up to 8)
• Impacts Address Book and other applications, Data Browser, UTB and UBEs
• Multiple Steps
  • Activate – Address Book Constants
  • Create Permission Lists – What – Address Book Data Permissions program (P01138)
  • Create Relationships – Who – Permission List Relationships program (P95922)
• For more information: https://docs.oracle.com/cd/E17984_01/doc.898/e14717/adressbook_security.htm
Process Steps
Need for Change Arises
Request is Submitted
Request Reviewed
Change is Approved
Change is Completed
Change is Communicated
Change is Tested
Documentation is Retained
Self Monitor Process is Audited
Security Change Approvals Documentation
E1 Auditing Tools
• Interactive Application or UTB
• System Profile Reports
Limitations
• JDE Tools
  • Interactive – Inquire only
  • Reporting tools – limited
• Insufficient information
  • JDE events alone do not enable a complete Compliance Audit
• User Access
  • Environment access (F0093)
  • Menu Filtering (F9006)
• Menu Access
  • Menu changes (F9000/1)
ALLOut Audit Additional Events
User Changes
• Distinguishes Admin changes (F98OWSEC) – i.e. *Enabled/*Disabled
Assignment Changes
• User/Role Environment Relationships (F0093)
• User to Role Relationships Expiry (F95921)
Security Changes
• Menu Filtering (F9006)
Menu Changes
• Tasks (F9000), Task Relationships & Favorites (F9001)
Compliance Changes – ALLOut specific
• SoD Rules/Lists
• SoD Role Rules
• Mitigating Controls
• ALLOut Defaults & Configuration
• Xe Solution Explorer Roles (UDC)
Variety of Standard Reports
• User Changes Auditing
• Role Changes Auditing
• Assignment Changes Auditing
• Security Changes Auditing
• Menu Changes Auditing
• Compliance Changes Auditing
• Audit Configuration Changes Auditing
Uses in the Change Management Process
Monitoring of the Process
Provide Information to Auditors
Communicate Changes
Capture Approvals
Variety of Non-Process Uses
Best Practice
• Say what you will do and do what you say
• Defined
• Repeatable
• Separate approval and performance of change
• Communication is key
• Auditable
• “Written” Request and Approval
• Track changes
• Process to monitor
• Independence is Key
• Focus on risk
• Keep it simple
Wrap Up
Balancing Act
Don’t Over Complicate
Managing Material Risks
Continually Adjust
Change is the Norm in a Healthy Business
Align Security Control Strategies with Business Processes to Ensure Adherence
Network Access and Database Security is Also Required
Wrap Up
ALLOut Security Tools – “Prove It”
Change Management
Enterprise Risk Management
Additional Ways to Learn More
http://education.oracle.com
http://www.iso.org
https://www.rims.org
www.acfe.com
https://www.isaca.org
Feel free to ask us…
Ask your fellow JDEdwards users
Questions
Contact Us
Sessions this week:
Tuesday 11:15 – 12:15, 103150: Security Speed Race
Tuesday 1:30 – 2:30, 104360: Security Compliance for SOX, JSOX and GDPR: More Than Just SOD
Wednesday 9:15 – 10:15, 103550: A Midsummer Night’s Security Dream a.k.a. Leveraging Best Practice JDE Security
Booth
Don’t hesitate to ask!
Website: www.alloutsecurity.com
Who is the Quest Community?
A 55,000+ member user community for Oracle Cloud, JD Edwards and PeopleSoft customers.
What the Quest JD Edwards Community offers:
Customized digital content
Official JD Edwards newsletter
Customer success stories
Virtual and face-to-face events
JD Edwards networking groups
Visit www.QuestDirect.org for more information!