#oow16 - introduction to advanced access controls
TRANSCRIPT
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Introducing Oracle Fusion
Advanced Access Controls to Strengthen Security OpenWorld 2016
This session provides a first look at this upcoming cloud service:
• Continually detect and manage unwanted user access in ERP, HCM & SCM Clouds
• Streamline role design, access policies
• Improve access controls for SOX, other regulations
This session will help you:
• Learn about this cloud service from industry experts and Oracle’s product developers
• Determine whether this cloud service will be right for your organization
• Get answers to your questions in live Q&A with our panelists
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Why Are Access Controls Needed?
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
More Resources
Session Speakers
Panelists
– Katrina Johnson, Chief Audit Executive, Service Corp International
– Nicholas Seeman, Director, Advisory Services, KPMG LLP
– Mark Stebelton, Director, Product Management, Oracle Product Development
Moderator
– Barry Greenhut, Director, Product Strategy, Oracle Product Development
Advanced Access Controls – Design Objectives
Find users in Oracle ERP/HCM/SCM Cloud who…
• Can generate unwanted transactions – e.g., have separation of duties (SoD) conflicts
• Have access to sensitive data
Let organizations…
• Identify and minimize unnecessary financial and operational risk
• Demonstrate compliance with SOX and similar obligations
Why Are Access Controls Needed?
• Application owners must continually enforce those policies
• Enforcement includes detecting users who can:
  – Enter unwanted transactions
    · Create invoices then pay them
    · Create purchase orders then record receipts for them
  – Create/change critical setup data and configurations
    · Spending authorization limits
    · Opening closed accounting periods
  – Create/change master data
    · Supplier
    · Customer
    · Employee
    · Item
Access Control Maturity
Why Is Separation of Duties Needed?
[Diagram; surviving labels: Create Supplier Invoice, Create Payment, Supplier, Create Supplier, Create Payment for same supplier, Create Payment for supplier; symbols: +, ≠]
Advanced Access Controls – Design Objectives
Restrict Unauthorized Access & Automate SoD Analysis
• Manage Exceptions & Simulate Changes
• Link Results to Business Risks
• Automate User Security Analysis
• Deploy Pre-Built SoD Controls
• Author New Access Rules & Policies
Deep, Dynamic Analysis
ERP/HCM/SCM user abilities
• Generate unwanted transactions, e.g., separation of duties
• Access to sensitive data
6,000+ ERP/HCM/SCM privileges
• Ready to grow as privileges are added to ERP/HCM/SCM
Deep, Dynamic Analysis
User: Janie Adams
  Job Role: Accounts Payable Supervisor
    Duty Role: Payables Payment Creation
      Privilege: Create Payables Payments
  Job Role: Buyer
    Duty Role: Purchase Order Authoring
      Privilege: Create Purchase Order
SoD Conflict: Create Payables Payments and Create Purchase Order
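The conflict on this slide can be reproduced by walking each job role down to its privileges and checking the resulting pairs against SoD rules. The following is an added example, not Oracle's code or data model: the dictionary layout and function names are assumptions, Janie Adams' roles come from the slide, and "Tom Reed" is a constructed user.

```python
from itertools import combinations

# Role graph: each role maps to the duty roles or privileges it grants.
# Janie Adams' chain is taken from the slide; the layout is an assumption.
GRANTS = {
    "Accounts Payable Supervisor": ["Payables Payment Creation"],
    "Payables Payment Creation": ["Create Payables Payments"],
    "Buyer": ["Purchase Order Authoring"],
    "Purchase Order Authoring": ["Create Purchase Order"],
}
PRIVILEGES = {"Create Payables Payments", "Create Purchase Order"}
USER_ROLES = {
    "Janie Adams": ["Accounts Payable Supervisor", "Buyer"],
    "Tom Reed": ["Buyer"],  # constructed user, holds only one side of the rule
}
# SoD rule: a pair of privileges one user must not hold together.
SOD_RULES = [frozenset({"Create Payables Payments", "Create Purchase Order"})]


def privilege_paths(roles):
    """Map each reachable privilege to every role path that grants it."""
    paths, stack = {}, [[role] for role in roles]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node in PRIVILEGES:
            paths.setdefault(node, []).append(path)
            continue
        for child in GRANTS.get(node, []):
            if child not in path:  # guard against cyclic role definitions
                stack.append(path + [child])
    return paths


def sod_conflicts(roles):
    """Return (priv_a, priv_b, paths_a, paths_b) for each violated SoD rule."""
    paths = privilege_paths(roles)
    return [(a, b, paths[a], paths[b])
            for a, b in combinations(sorted(paths), 2)
            if frozenset((a, b)) in SOD_RULES]


if __name__ == "__main__":
    for user, roles in USER_ROLES.items():
        for a, b, pa, pb in sod_conflicts(roles):
            print(f"{user}: SoD conflict {a} + {b}")
            print("  via", " > ".join(pa[0]), "|", " > ".join(pb[0]))
    # Simulated redesign: the conflict clears once the Buyer job role is removed.
    print(sod_conflicts(["Accounts Payable Supervisor"]))
```

Returning the role paths alongside each conflict shows which job role assignment to change when remediating.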
Closed-loop, Compliant System
• Detect: Detect users’ access continually
• Evaluate: Evaluate & enact treatment
• Enforce: Enforce control objectives, policies, regulations
• Maintain: Maintain as users are added, assigned other roles
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Preview
Panelist Q&A
More Resources
Preview
InFusion Corp: Goals and Requirements
Process Owner and Auditor
Goal: We need to address user access risk by understanding excessive user access, treating access issues, and documenting accordingly
Requirements: We need an enterprise solution that:
• Automates detection of users with excessive access
• Provides an audit trail of remediation activities for access issues
• Secures what users see and do within the solution
• Provides data and reports that key stakeholders need to make good decisions
• Requires minimum resources to administer after go-live
Best Practice Process
• Identify Excessive Access
  – Create Models and assess results
  – Remediate excessive access where feasible
• Deploy Controls
  – Convert Models to Controls
  – Run Control Analysis periodically
• Address Issues
  – Manage incidents - options:
    · Adjust ERP/HCM/SCM security configuration
    · Add compensating transaction controls
• Report Results
  – Report incident management results to managers, auditors
Preview
Diane Analyst: I import pre-built models, test and refine them, and use the results to guide improvements to role definitions
Import Pre-built Models
Some of the planned pre-built models (100+ planned)
Procurement
• Create Payments &
  – Create Suppliers
  – Set Up Payment
• Create Purchase Orders &
  – Approval Authorization Control
  – Approve Invoices
  – Create Invoices
Financials
• Enter Journal Entry &
  – Approve Invoices
  – Assets Workbench
  – Create Invoices
  – Create Payments
  – Create Purchase Orders
• Post Journal Entry &
  – Approve Invoices
  – Assets Workbench
  – Create Invoices
  – Create Payments
  – Create Purchase Orders
  – Physical Inventory
Supply Chain
• Create Items &
  – Cycle Counting
  – Inventory Transactions
• Inventory Transactions &
  – Receive Goods and Services
• Item Costing &
  – Create Items
  – Create Purchase Orders
  – Ship Confirm Goods
Review Model
Configure Model – Business Objects
Configure Model – Filter Logic
Configure Model – Access Conditions
Review Model Results
Visualize Incidents
Convert Models to Controls
Review and Remediate Incidents
Chris Owner: I review and remediate incidents in my business area
Simulate Role Redesign
Review Incident Reports
Alan Auditor: I review incident reports and re-evaluate our existing access controls
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
– Katrina Johnson, Service Corp International
– Nicholas Seeman, KPMG LLP
– Mark Stebelton, Oracle Product Development
More Resources
DEMOgrounds: Moscone West Level 3 Lobby (M, T, W), ERP Showcase, Workstation WEP-020
Wednesday
CUSTOMER CASE STUDY | Sep 21, 11:00 AM – 11:45 AM | Moscone West 3005
Securing ERP: Application Compliance and Controls Implementation [CAS7689]
– Gautham Ramkumar, Director, Advisory Services, KPMG LLP
– Chuck Devore, Director, Finance Transformation, ADM
– Kenneth Kobia, Risk & Controls Lead, Archer Daniels Midland
Organizations have successfully transformed their business operations by leveraging Oracle ERP technologies. Yet they continue to struggle to balance the two divergent needs of empowering ERP business users while protecting sensitive data and transactions. In this session KPMG and Archer Daniels Midland detail how they took advantage of Oracle’s ERP security and controls capabilities to support ADM’s initiative to deploy Oracle ERP.
PANEL SESSION | Sep 21, 1:30 PM – 2:15 PM | Moscone West 3005
Introducing Oracle Fusion Advanced Access Controls to Strengthen Security [CON7290]
– Katrina Johnson, VP Risk Assurance, Service Corp International
– Nicholas Seeman, Director, Advisory Services, KPMG LLP
– Barry Greenhut, Director, Product Strategy, Oracle
– Mark Stebelton, Director, Product Management, Oracle
This session provides an overview of Oracle Fusion Advanced Access Controls to continuously detect segregation of duties violations, manage exceptions, and fix unauthorized access to sensitive functions and data. Compliance managers and auditors can use Oracle Fusion Advanced Access Controls to ensure strong access controls across ERP, HCM and SCM cloud applications.
PANEL SESSION | Sep 21, 4:15 PM – 5:00 PM | Moscone West 3005
Implement the Best Practice for Oracle Financial Reporting Compliance Cloud [CON7291]
– Swarnali Bag, Governance, Risk & Compliance Practice Lead, Oracle
– Barry Greenhut, Director, Product Strategy, Oracle
– Lakshmi Rajamohan, Principal Product Strategy Mgr., Oracle
– Mark Stebelton, Director, Product Management, Oracle
This session provides a more detailed walkthrough of Oracle Financial Reporting Compliance from an end user’s perspective, and highlights how the product can be configured to automate the best practice process. Based on learning from a decade of customer experience, it showcases the shortest and most cost-effective path to go live and streamline operations.
Thursday
PANEL SESSION | Sep 22, 9:30 AM – 10:15 AM | Moscone West 3005
Implement the Best Practice for Oracle Fusion Advanced Financial Controls Cloud Service [CAS7286]
– Swarnali Bag, Governance, Risk & Compliance Practice Lead, Oracle
– Barry Greenhut, Director, Product Strategy, Oracle
– Christine Doxey, President, Doxey, Inc.
– Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle
– Mark Stebelton, Director, Product Management, Oracle
This session provides a detailed walkthrough of Oracle Fusion Financial Controls Cloud Service from an end user’s perspective, and highlights how the product can be configured to automate best practice controls. Oracle Fusion Advanced Financial Controls Cloud Service is designed to meet the common needs of Oracle Financials Cloud subscribers. Based on learning from a decade of customer experience, this session showcases Oracle’s best practice business process for maximum ROI with minimum cost of ongoing operation.
PANEL SESSION | Sep 22, 12:00 PM – 12:45 PM | Moscone West 3005
Get Started with Financial Reporting Compliance and Advanced Financial Controls [CON7284]
– Barry Greenhut, Director, Product Strategy, Oracle
– Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle
– Joel Alvarado, Customer Success Manager, Oracle
This session provides you with the most effective project plan to implement Oracle Financial Reporting Compliance or Oracle Fusion Advanced Financial Controls Cloud Service. Participants will learn the shortest and most cost-effective path to success using Oracle’s customer and partner-tested “get started” process. Learn how to plan and adopt these cloud services, and then sustain your use through growth and change. Learn how to get the experience and expertise needed to succeed.
Arturo Martínez del Campo Saucedo, Corporate Chief Financial Officer, Grupo Posadas S.A.B. de C.V.
LEADERSHIP IN FINANCE, LATIN AMERICA - CLOUD 2016
Best Practice Adopter
First Adopter of Risk Cloud
To Learn More
For subscribers and partners
• Cloud Portal
• Release Readiness
• User Documentation
• Modern Best Practice
• Oracle University
• Success Managers
• Get Started
• Customer Connect
Join our LinkedIn Group for the latest updates and presentations.