#oow16 - introduction to advanced access controls

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Introducing Oracle Fusion Advanced Access Controls to Strengthen Security OpenWorld 2016

Upload: dane-roberts

Post on 16-Apr-2017


TRANSCRIPT

Page 1: #OOW16 - Introduction to Advanced Access Controls

Introducing Oracle Fusion Advanced Access Controls to Strengthen Security

OpenWorld 2016

Page 2: #OOW16 - Introduction to Advanced Access Controls

Introducing Oracle Fusion Advanced Access Controls to Strengthen Security

This session provides a first look at this upcoming cloud service:

Continually detect and manage unwanted user access in ERP, HCM & SCM Clouds

Streamline role design, access policies

Improve access controls for SOX, other regulations

This session will help you:

Learn about this cloud service from industry experts and Oracle’s product developers

Determine whether this cloud service will be right for your organization

Get answers to your questions in live Q&A with our panelists

Page 3: #OOW16 - Introduction to Advanced Access Controls


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 4: #OOW16 - Introduction to Advanced Access Controls

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Why Are Access Controls Needed?

Page 5: #OOW16 - Introduction to Advanced Access Controls


Agenda

Panelist Introductions

Introducing Advanced Access Controls

Panelist Q&A

More Resources


Page 6: #OOW16 - Introduction to Advanced Access Controls

Session Speakers

Panelists

– Katrina Johnson, Chief Audit Executive, Service Corp International

– Nicholas Seeman, Director, Advisory Services, KPMG LLP

– Mark Stebelton, Director, Product Management, Oracle Product Development

Moderator

– Barry Greenhut, Director, Product Strategy, Oracle Product Development


Page 8: #OOW16 - Introduction to Advanced Access Controls

Advanced Access Controls – Design Objectives

Find users in Oracle ERP/HCM/SCM Cloud who…

• Can generate unwanted transactions – e.g., have separation of duties (SoD) conflicts

• Have access to sensitive data

Let organizations…

• Identify and minimize unnecessary financial and operational risk

• Demonstrate compliance with SOX and similar obligations


Page 9: #OOW16 - Introduction to Advanced Access Controls

Why Are Access Controls Needed?

• Application owners must continually enforce those policies

• Enforcement includes detecting users who can:

– Enter unwanted transactions: Create invoices then pay them; Create purchase orders then record receipts for them

– Create/change critical setup data and configurations: Spending authorization limits; Opening closed accounting periods

– Create/change master data: Supplier; Customer; Employee; Item

Page 10: #OOW16 - Introduction to Advanced Access Controls


Access Control Maturity

Page 11: #OOW16 - Introduction to Advanced Access Controls

Why Is Separation of Duties Needed?

[Diagram labels]

Create Supplier Invoice Create Payment Supplier

Create Supplier Create Payment for same supplier

+ Create Supplier Create Payment for supplier

Page 12: #OOW16 - Introduction to Advanced Access Controls

Advanced Access Controls – Design Objectives

Restrict Unauthorized Access & Automate SoD Analysis

Manage Exceptions & Simulate Changes

Link Results to Business Risks

Automate User Security Analysis

Deploy Pre-Built SoD Controls

Author New Access Rules & Policies


Page 13: #OOW16 - Introduction to Advanced Access Controls

Deep, Dynamic Analysis

ERP/HCM/SCM user abilities

• Generate unwanted transactions, e.g., Separation of Duties

• Access to sensitive data

6,000+ ERP/HCM/SCM privileges

• Ready to grow as privileges are added to ERP/HCM/SCM

Page 14: #OOW16 - Introduction to Advanced Access Controls

Deep, Dynamic Analysis

User: Janie Adams

• Job Role: Accounts Payable Supervisor → Duty Role: Payables Payment Creation → Privilege: Create Payables Payments

• Job Role: Buyer → Duty Role: Purchase Order Authoring → Privilege: Create Purchase Order

SoD Conflict: Create Payables Payments and Create Purchase Order held by the same user
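An added example, not Oracle's code and not part of the original slides: a minimal sketch of the analysis this slide depicts, expanding each user's job roles through duty roles to privileges and flagging privilege pairs that violate an SoD rule, with a what-if check in the spirit of the deck's "Simulate Role Redesign" step. The role data mirrors the slide; "Sample User B", the rule table and all function names are assumptions.

```python
from itertools import product

# Role hierarchy from the slide: job role -> duty roles -> privileges.
JOB_ROLES = {
    "Accounts Payable Supervisor": ["Payables Payment Creation"],
    "Buyer": ["Purchase Order Authoring"],
}
DUTY_ROLES = {
    "Payables Payment Creation": ["Create Payables Payments"],
    "Purchase Order Authoring": ["Create Purchase Order"],
}
# Constructed assignments; only Janie Adams appears on the slide.
USER_ROLES = {
    "Janie Adams": ["Accounts Payable Supervisor", "Buyer"],
    "Sample User B": ["Buyer"],
}
# Assumed rule table: these two privileges must not be held by one user.
SOD_RULES = [("Create Payables Payments", "Create Purchase Order")]


def access_paths(job_roles):
    """Map each privilege to every (job role, duty role) path granting it."""
    paths = {}
    for job in job_roles:
        for duty in JOB_ROLES.get(job, []):
            for priv in DUTY_ROLES.get(duty, []):
                paths.setdefault(priv, []).append((job, duty))
    return paths


def find_conflicts(user_roles):
    """Return one incident per (user, rule, path pair) that violates a rule."""
    incidents = []
    for user, jobs in sorted(user_roles.items()):
        paths = access_paths(jobs)
        for left, right in SOD_RULES:
            for lp, rp in product(paths.get(left, []), paths.get(right, [])):
                incidents.append({"user": user, "rule": (left, right),
                                  "left_path": lp, "right_path": rp})
    return incidents


def simulate_revoke(user_roles, user, job_role):
    """What-if: incidents remaining if job_role were removed from user."""
    trial = {u: list(r) for u, r in user_roles.items()}
    trial[user] = [r for r in trial[user] if r != job_role]
    return find_conflicts(trial)


if __name__ == "__main__":
    for inc in find_conflicts(USER_ROLES):
        print(inc)
    print(simulate_revoke(USER_ROLES, "Janie Adams", "Buyer"))
```

Reporting the granting path with each incident shows which role assignment to change, and the simulation works on a copy so the live assignments are untouched.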

Page 15: #OOW16 - Introduction to Advanced Access Controls

Closed-loop, Compliant System

• Detect: Detect users’ access continually

• Evaluate: Evaluate & enact treatment

• Enforce: Enforce control objectives, policies, regulations

• Maintain: Maintain as users are added, assigned other roles

Page 16: #OOW16 - Introduction to Advanced Access Controls


Agenda

Panelist Introductions

Introducing Advanced Access Controls

Preview

Panelist Q&A

More Resources


Page 17: #OOW16 - Introduction to Advanced Access Controls


Preview

InFusion Corp: Goals and Requirements

Requirements: We need an enterprise solution that:

• Automates detection of users with excessive access

• Provides an audit trail of remediation activities for access issues

• Secures what users see and do within the solution

• Provides data and reports that key stakeholders need to make good decisions

• Requires minimum resources to administer after go-live


Goal: We need to address user access risk by understanding excessive user access, treating access issues, and documenting accordingly

Process Owner and Auditor

Page 18: #OOW16 - Introduction to Advanced Access Controls

Best Practice Process

Identify Excessive Access → Deploy Controls → Address Issues → Report Results

• Create Models and assess results

• Remediate excessive access where feasible

• Convert Models to Controls

• Run Control Analysis periodically

• Manage incidents - options: Adjust ERP/HCM/SCM security configuration; Add compensating transaction controls

• Report incident management results to managers, auditors

Page 19: #OOW16 - Introduction to Advanced Access Controls


I import pre-built models, test and refine them, and use the results to guide improvements to role definitions

Preview

Diane Analyst

Page 20: #OOW16 - Introduction to Advanced Access Controls


Import Pre-built Models

Page 21: #OOW16 - Introduction to Advanced Access Controls

Import Pre-built Models

Some of the planned pre-built models (100+ planned)

Procurement

• Create Payments &
  – Create Suppliers
  – Set Up Payment

• Create Purchase Orders &
  – Approval Authorization Control
  – Approve Invoices
  – Create Invoices

Financials

• Enter Journal Entry &
  – Approve Invoices
  – Assets Workbench
  – Create Invoices
  – Create Payments
  – Create Purchase Orders

• Post Journal Entry &
  – Approve Invoices
  – Assets Workbench
  – Create Invoices
  – Create Payments
  – Create Purchase Orders
  – Physical Inventory

Supply Chain

• Create Items &
  – Cycle Counting
  – Inventory Transactions

• Inventory Transactions &
  – Receive Goods and Services

• Item Costing &
  – Create Items
  – Create Purchase Orders
  – Ship Confirm Goods

Page 22: #OOW16 - Introduction to Advanced Access Controls


Review Model

Page 23: #OOW16 - Introduction to Advanced Access Controls


Configure Model – Business Objects

Page 24: #OOW16 - Introduction to Advanced Access Controls

Configure Model – Filter Logic

Page 25: #OOW16 - Introduction to Advanced Access Controls

Configure Model – Access Conditions

Page 26: #OOW16 - Introduction to Advanced Access Controls


Review Model Results

Page 27: #OOW16 - Introduction to Advanced Access Controls


Visualize Incidents

Page 28: #OOW16 - Introduction to Advanced Access Controls


Convert Models to Controls

Page 29: #OOW16 - Introduction to Advanced Access Controls


I review and remediate incidents in my business area

Review and Remediate Incidents

Chris Owner

Page 30: #OOW16 - Introduction to Advanced Access Controls


Review and Remediate Incidents

Page 31: #OOW16 - Introduction to Advanced Access Controls


Simulate Role Redesign

Page 32: #OOW16 - Introduction to Advanced Access Controls


I review incident reports and re-evaluate our existing access controls

Review Incident Reports

Alan Auditor

Page 33: #OOW16 - Introduction to Advanced Access Controls


Review Incident Reports

Page 34: #OOW16 - Introduction to Advanced Access Controls

Advanced Access Controls – Design Objectives

Restrict Unauthorized Access & Automate SoD Analysis

Manage Exceptions & Simulate Changes

Link Results to Business Risks

Automate User Security Analysis

Deploy Pre-Built SoD Controls

Author New Access Rules & Policies


Page 35: #OOW16 - Introduction to Advanced Access Controls


Agenda

Panelist Introductions

Introducing Advanced Access Controls

Panelist Q&A

– Katrina Johnson, Service Corp International

– Nicholas Seeman, KPMG LLP

– Mark Stebelton, Oracle Product Development

More Resources



Page 37: #OOW16 - Introduction to Advanced Access Controls


DEMOgrounds Moscone West Level 3 Lobby (M,T,W) ERP Showcase

Workstation WEP-020


Page 38: #OOW16 - Introduction to Advanced Access Controls

Wednesday

CUSTOMER CASE STUDY | Sep 21, 11:00 AM – 11:45 AM | Moscone West 3005

Securing ERP: Application Compliance and Controls Implementation [CAS7689]

– Gautham Ramkumar, Director, Advisory Services, KPMG LLP

– Chuck Devore, Director, Finance Transformation, ADM

– Kenneth Kobia, Risk & Controls Lead, Archer Daniels Midland

Organizations have successfully transformed their business operations by leveraging Oracle ERP technologies. Yet they continue to struggle to balance the two divergent needs of empowering ERP business users, while protecting sensitive data and transactions. In this session KPMG and Archer Daniels Midland detail how they took advantage of Oracle’s ERP security and controls capabilities, to support ADM’s initiative to deploy Oracle ERP.

PANEL SESSION | Sep 21, 1:30 PM – 2:15 PM | Moscone West 3005

Introducing Oracle Fusion Advanced Access Controls to Strengthen Security [CON7290]

– Katrina Johnson, VP Risk Assurance, Service Corp International

– Nicholas Seeman, Director, Advisory Services, KPMG LLP

– Barry Greenhut, Director, Product Strategy, Oracle

– Mark Stebelton, Director, Product Management, Oracle

This session provides an overview of Oracle Fusion Advanced Access Controls to continuously detect segregation of duties violations, manage exceptions, and fix unauthorized access to sensitive functions and data. Compliance managers and auditors can use Oracle Fusion Advanced Access Controls to ensure strong access controls across ERP, HCM and SCM cloud applications.

PANEL SESSION | Sep 21, 4:15 PM – 5:00 PM | Moscone West 3005

Implement the Best Practice for Oracle Financial Reporting Compliance Cloud [CON7291]

– Swarnali Bag, Governance, Risk & Compliance Practice Lead, Oracle

– Barry Greenhut, Director, Product Strategy, Oracle

– Lakshmi Rajamohan, Principal Product Strategy Mgr., Oracle

– Mark Stebelton, Director, Product Management, Oracle

This session provides a more detailed walkthrough of Oracle Financial Reporting Compliance from an end user’s perspective, and highlights how the product can be configured to automate the best practice process. Based on learning from a decade of customer experience, it showcases the shortest and most cost-effective path to go live and streamline operations.


Page 39: #OOW16 - Introduction to Advanced Access Controls

Thursday

PANEL SESSION | Sep 22, 9:30 AM – 10:15 AM | Moscone West 3005

Implement the Best Practice for Oracle Fusion Advanced Financial Controls Cloud Service [CAS7286]

– Swarnali Bag, Governance, Risk & Compliance Practice Lead, Oracle

– Barry Greenhut, Director, Product Strategy, Oracle

– Christine Doxey, President, Doxey, Inc.

– Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle

– Mark Stebelton, Director, Product Management, Oracle

This session provides a detailed walkthrough of Oracle Fusion Financial Controls Cloud Service from an end user’s perspective, and highlights how the product can be configured to automate best practice controls. Oracle Fusion Advanced Financial Controls Cloud Service is designed to meet the common needs of Oracle Financials Cloud subscribers. Based on learning from a decade of customer experience, this session showcases Oracle’s best practice business process for maximum ROI with minimum cost of ongoing operation.

PANEL SESSION | Sep 22, 12:00 PM – 12:45 PM | Moscone West 3005

Get Started with Financial Reporting Compliance and Advanced Financial Controls [CON7284]

– Barry Greenhut, Director, Product Strategy, Oracle

– Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle

– Joel Alvarado, Customer Success Manager, Oracle

This session provides you with the most effective project plan to implement Oracle Financial Reporting Compliance or Oracle Fusion Advanced Financial Controls Cloud Service. Participants will learn the shortest and most cost-effective path to success using Oracle’s customer and partner-tested “get started” process. Learn how to plan and adopt these cloud services, and then sustain your use through growth and change. Learn how to get the experience and expertise needed to succeed.


Page 40: #OOW16 - Introduction to Advanced Access Controls

Arturo Martínez del Campo Saucedo

Corporate Chief Financial Officer

Grupo Posadas S.A.B. de C.V.

LEADERSHIP IN FINANCE

LATIN AMERICA - CLOUD

2016

Best Practice Adopter

First Adopter of Risk Cloud

Page 42: #OOW16 - Introduction to Advanced Access Controls

Join our LinkedIn Group for the latest updates and presentations.
