PeopleSoft securing the ERP white paper May 2016 kpmg.com


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

How secure is your PeopleSoft ERP?

KPMG provides services to its clients in an effort to protect data and important assets within PeopleSoft systems from internal and external threats.

KPMG LLP’s ‘PeopleSoft Security and Controls’ practice is comprised of a team of professionals concentrated on PeopleSoft application security and controls, regulatory compliance, cyber and data security, and user access administration. The team focuses on helping reduce risk for companies implementing PeopleSoft based on security assessments and control reviews, as well as leveraging the implementation experience of our professionals within various industries. As an Oracle Platinum Partner, KPMG’s PeopleSoft ERP security, controls, business process and implementation experience has resulted in well-executed projects, extremely satisfied clients, and a ‘value add’ to security programs and system integration efforts. KPMG has gained favorable industry feedback and a positive reputation in several industry sectors through delivery of our services in a timely, transparent and value-oriented fashion.

What are risk areas that are often overlooked by companies using PeopleSoft?

There are a number of risks that organizations confront when implementing or using PeopleSoft. The following are the most commonly identified risks:

1. Application access – Sensitive transactions and data access within PeopleSoft should align with functional tasks and need to be restricted to appropriate users.

2. Technology vulnerability – PeopleSoft should be protected against external and internal threats through designing and implementing proper controls at Database and Infrastructure levels.

3. Non-compliance with regulatory or security requirements – There are many regulations, depending on industries, that PeopleSoft systems should be compliant with and these regulations continuously evolve.

4. Complex and inefficient PeopleSoft business processes – Oftentimes, PeopleSoft's inherent capabilities do not address the organization’s business process complexities and result in security challenges while integrating with other technologies.

Why does KPMG care about PeopleSoft security strategy?

PeopleSoft, one of the largest Enterprise Resource Planning (ERP) systems, is an organization’s “backbone” comprised of an enterprise accounting and business system, process enablement tools, and an application to support finance, HR, manufacturing and logistics. It starts with a basic general ledger, and expands outwardly, driving all processes of an Enterprise, to global operations that spread across multi-geographic locations.

PeopleSoft security is complicated by the sheer number of functional and technical components that have to be taken into account when defining a PeopleSoft security and controls program. Some of the most complex areas include the following building components: user management, internal controls, financial data management, reporting, and compliance. Most importantly, it needs to be protected against internal and external cyber threats associated with a global user community into an integrated solution, which is a tall order.


PeopleSoft systems implemented out-of-the-box are comprised of robust functionality to support a wide range of business requirements, including financial reporting, that are “must-haves” for organizations and industries. However, organizations often do not activate built-in features or take full advantage of automated solutions that can be configured to serve their particular needs, reduce risk and drive efficiencies.

How does “Securing the ERP” strategy strengthen the security of PeopleSoft systems?

Dealing with the complexity of PeopleSoft systems, KPMG drills down into the layers of security using a 360-degree strategy during an assessment and deploys a risk-based approach that unfolds in phases over the course of a PeopleSoft implementation. With data at its center, the strategy is surrounded by application security, advanced controls, data and infrastructure security, and user and network access administration.

— Application Security

KPMG assesses application security with the focus on the following business components: employee access to PeopleSoft application, sensitive transactions and data, fraud and error, and complex regulatory compliance requirements. Through assessments and potential remediation activities, the following capabilities and values are achievable at the application security layer: proper authentication (PeopleSoft authentication or Single Sign-On), access permissions architecture based on specific requirements, function security to restrict user access to individual menus, security assigned at the data level to restrict data visible to the user, and operational Segregation of Duties framework.

— Advanced Controls

KPMG assesses Advanced Controls with the focus on the following business components: revenue leakage, business process complexities and inefficiencies, fraud and errors, high configuration costs, and increased transparency requirements of sensitive transactions. Through assessments and remediation activities, the following capabilities and values are achievable at the advanced controls layer: business process control framework to organize automated and manual controls, detective controls to monitor sensitive transactions and data changes, controls to track configuration changes, conversion and interface controls, and fine-grained segregation of duties.

— Data and Infrastructure Security

KPMG assesses data and infrastructure security with the focus on the following business components: internal and external threats, technology vulnerabilities, complex regulatory compliance requirements, consistent uptime of business applications, and application code vulnerability. Through assessments and remediation activities, the following capabilities and values are achievable at the data and infrastructure security layer: information protection to safeguard data at rest and data in motion, vulnerability management, assurance over operating system security, a program to help minimize the impact of cybersecurity attacks, business and technology resiliency to provide business continuity planning and management, and a privileged user management program to manage administration and system-to-system user accounts.

— User and Network Access Administration

KPMG assesses user and network access administration with the focus on the following business components: ongoing user administration and control governance, high user administration process and controls cost, and greater need to understand user activities and usage trends. Through assessments and remediation activities, the following capabilities and values are achievable at the user and network access administration layer: PeopleSoft security operations and controls governance, streamlined user access administration processes and tools (Oracle Identity Manager or Oracle Identity Analytics integrations), and user analytics.

What values does KPMG add to PeopleSoft through the “Securing the ERP” strategy?

Utilizing experience in PeopleSoft security and controls to address security challenges, KPMG assists companies in creating a well-managed PeopleSoft ERP system. Our clients see great benefit from an effectively secured PeopleSoft ERP system including: reduced user administration cost, an operational regulatory compliance program, an effective control management program, and an operative risk-based information security program. KPMG has led companies to the realization of understanding the value of configuring proper security and controls which inherently provides more business efficiency and profitability. With the ever-changing global risks it is imperative that organizations remain proactive in securing their ERP system to safeguard their data and assets, as well as enable a functional and efficient business environment.


© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 585442

Content that displays the KPMG logo or uses the KPMG name shall include the following trademark ownership statement, once.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Contact us

Laeeq Ahmed
Advisory Managing Director – GRC Technology
T: 818-227-6032 E: [email protected]

Nicholas Seeman
Advisory Director – GRC Technology
T: 214-840-4581 E: [email protected]

Visit the KPMG Government Institute at www.kpmg.com/us/governmentinstitute.