JDE & Peoplesoft 2 _ Mike Ward _ Security implications of Upgrading JDE.pdf

38

Transcript of JDE & Peoplesoft 2 _ Mike Ward _ Security implications of Upgrading JDE.pdf

Page 1:

The most comprehensive Oracle applications & technology content under one roof

Security Implications when Upgrading JD Edwards

Mike Ward, Managing Director

Page 2:

Have pity on the homeland.....

Page 3:

Agenda

Q Software credentials

Security considerations when upgrading JD Edwards E1

Security issues in JD Edwards E1

Planning for security as part of the upgrade

How effective security can help to pay for the upgrade project

Page 4:

The Oracle Security & Compliance People

270+ Customers

Page 5: Agenda (repeat of page 3)

Page 6:

Why Upgrade?

• Migrating from World to E1?
• Moving from blue stack to red stack?
• Support considerations?
• Moving to newer standards-based IT?
• Moving to higher performance h/w & s/w platform?
• Consolidating instances of JDE?
• New Functionality?

Page 7:

Issues with Instance Consolidation?

Instance refers to the unique set of JD Edwards EnterpriseOne data, which includes transactional data, control tables and system data.

WARNING SIGNS

• Increased Maintenance Cost
• Multiple data centers
• Multiple ERP versions
• Improper controls
• Highly Customised Environment
• Duplicate architecture
• Disparate processes

Page 8:

Upgrade considerations – Functional Changes

New Functionality | Business Processes | Alignment of Controls | Risks

• 1,000+ Enhancements & Improvements
• Industry Modules
• Custom Programs
• Maximise Staff Effectiveness
• Affects Roles / Responsibilities
• Fraud & IP Theft
• Share Price
• Loss of Business
• Inability to do job

Page 9:

Security & Upgrades

Scope Creep
• Ex-employees still have access
• Changes to business processes
• Organisational & process changes
• Upgrades.........

[Chart: Risk against Time, Task 1 to Task 4]

Page 10:

Fraud will never happen to You

• 75% of fraud is due to ineffective internal controls, split between
  – Lack of controls 38%
  – Overriding controls 19%
  – Lack of management review 18%
• 80% of businesses modify controls after Fraud

Source: Association of Certified Fraud Examiners

Page 11:

It doesn't happen here.......

South Africa: 62% companies suffered fraud; 59% experienced bribery & corruption. Source: PwC 2009 crime survey

Australia: 40% suffered economic crime. Source: PwC 2009 Crime survey

Canada: 55% companies suffered fraud - 83% - asset misappropriation most common - 38% detected by chance or by tip-off. Source: PwC 2009 crime survey

UK: almost 50% admit to suffering fraud; almost 75% of larger (5,000+ employees) - 33% of these suffered 100 incidents. Source: PwC 2009 fraud survey

Germany: 61% large businesses suffered crime - Average 8 incidents per business - Average cost of crime 4.2 million Euros. Source: PwC 2009 fraud survey

USA: 35% companies suffered "significant economic crime" - most likely cause is pressure due to economy - increased opportunity is primary driver. Source: PwC 2009 crime survey

New Zealand: 42% suffered economic crime - average cost $491,000 - increasingly by middle / senior management. Source: PwC 2009 Crime survey

Page 12:

Segregation of Duties (SoD)

Jones & Jones Inc. – A Manager:
• Sets up MB Inc. as a supplier
• Accepts Purchase Invoices from MB Inc.
• Approves Invoices
• Processes for Payment
• Transfers the funds
• Runs off with $1m
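The chain of duties on this slide, turned into the kind of check a security administrator runs over role assignments before and after an upgrade. This is an added example, not code from the presentation or from Q Software's products; the duty names, the roles, the conflict pairs and the user assignments are all constructed for illustration and do not correspond to real JD Edwards object names.

```python
"""Segregation-of-duties check over role assignments (added example).

Every identifier below is constructed for illustration; none is a real
JD Edwards program, role or security type.
"""
from itertools import combinations

# Constructed duty names, one per step of the Jones & Jones scenario.
SUPPLIER_MASTER = "supplier_master_maintenance"   # sets up MB Inc. as a supplier
INVOICE_ENTRY = "purchase_invoice_entry"          # accepts invoices from MB Inc.
INVOICE_APPROVAL = "invoice_approval"             # approves invoices
PAYMENT_PROCESSING = "payment_processing"         # processes for payment
FUNDS_TRANSFER = "funds_transfer"                 # transfers the funds

# Toxic combinations: two duties one person must never hold together,
# because holding both lets one person complete a fraudulent payment alone.
CONFLICTS = {
    frozenset({SUPPLIER_MASTER, INVOICE_ENTRY}),
    frozenset({SUPPLIER_MASTER, PAYMENT_PROCESSING}),
    frozenset({INVOICE_ENTRY, INVOICE_APPROVAL}),
    frozenset({INVOICE_APPROVAL, PAYMENT_PROCESSING}),
    frozenset({PAYMENT_PROCESSING, FUNDS_TRANSFER}),
}

# Constructed role model: role -> duties the role grants.
ROLES = {
    "AP_CLERK": {INVOICE_ENTRY},
    "AP_SUPERVISOR": {INVOICE_APPROVAL},
    "PURCHASING": {SUPPLIER_MASTER},
    # A conflict can live inside a single role, not only across roles.
    "TREASURY": {PAYMENT_PROCESSING, FUNDS_TRANSFER},
    # The slide's manager: every step from supplier setup to funds transfer.
    "FINANCE_MANAGER": {SUPPLIER_MASTER, INVOICE_ENTRY, INVOICE_APPROVAL,
                        PAYMENT_PROCESSING, FUNDS_TRANSFER},
}


def effective_duties(user_roles, roles=ROLES):
    """Union of the duties granted by every role assigned to the user."""
    duties = set()
    for role in user_roles:
        duties |= roles[role]   # unknown role -> KeyError, deliberately loud
    return duties


def sod_violations(user_roles, roles=ROLES, conflicts=CONFLICTS):
    """Sorted list of conflicting duty pairs the user effectively holds.

    Conflicts are evaluated on the *effective* duty set, so a conflict
    split across two individually harmless roles is still reported.
    """
    duties = effective_duties(user_roles, roles)
    found = []
    for a, b in combinations(sorted(duties), 2):
        if frozenset({a, b}) in conflicts:
            found.append((a, b))
    return sorted(found)


def report(assignments, roles=ROLES, conflicts=CONFLICTS):
    """Map each user with at least one violation to that user's violations."""
    out = {}
    for user, user_roles in assignments.items():
        violations = sod_violations(user_roles, roles, conflicts)
        if violations:
            out[user] = violations
    return out


if __name__ == "__main__":
    # Constructed user-to-role assignments.
    users = {
        "clerk": ["AP_CLERK"],
        "supervisor": ["AP_SUPERVISOR"],
        "buyer_who_also_keys_invoices": ["PURCHASING", "AP_CLERK"],
        "a_manager": ["FINANCE_MANAGER"],
    }
    for user, violations in report(users).items():
        print(user)
        for a, b in violations:
            print(f"  {a} + {b}")
```

The check is deliberately run on the union of a user's roles rather than on each role alone: the "buyer who also keys invoices" holds two roles that each pass on their own and still fails, which is the multiple-roles problem the later slides raise.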

Page 13:

• VP in Finance Department
• July – December 2010
• Stole $19m

"Defendant bought a Maserati, 6 Properties, and a $½m entertainment system"

"Excessive Access Rights"

Page 14:

Deloitte – Auditor Survey

• 3 Most Common Frauds
  – Misappropriation of Assets – 31%
  – Improper Expenditures – 22%
  – Procurement Fraud – 16%
• 63% companies say vulnerability has increased
• 83% UK companies had suffered fraud

Page 15: Agenda (repeat of page 3)

Page 16:

Issues in JD Edwards E1

§ All Doors Open v All Doors Closed
• Menu Security is no Security
• No Segregation of Duties
• Access to critical programs
• 30+ security types, 300 options
• 35,000 Objects
• Complexity of Maintenance - forms, versions
• Multiple roles / Sequence Manager
• Unexpected security authorities
• Changes lead to unexpected results
• Application access is very complex
  • Task Views
  • FineCut
  • FastPath
  • Hidden & Associated Applications

Page 17: Issues in JD Edwards E1 (repeat of page 16)

Page 18: Agenda (repeat of page 3)

Page 19:

Auditors Recommend Roles Based Access Control

• Native in 8.10 upwards
• Essential to retain this functionality
• Why .....
  § Simplified systems administration
  § Enhanced security & integrity
  § Simplified regulatory compliance
  § Enhanced organisational productivity

Page 20:

Security Planning

• Upgrading is a good time to review security
  – Has it kept pace with organisational changes?
  – Are you suffering from "security creep"?
  – Who can access critical programs?
  – What is your security policy?
• All Doors Closed
  – Grant back access
  – Roles Based Access Control: "Only way to ensure a fully auditable system"
  – But need to build a maintainable model: "Sustainable Compliance"
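An added example (not code from the presentation or from Q Software) modelling two points from these slides together: "Menu Security is no Security" from the issues slide and "All Doors Closed – Grant back access" from this one. The application names, roles, menus and rules are constructed; the assumption that a user can launch any application the object security permits, whatever the menu shows, stands in for FastPath-style direct launch, and the first-matching-role rule stands in for role sequencing.

```python
"""All Doors Open versus All Doors Closed object security (added example).

Not code from the presentation or from Q Software; every role, application
and rule here is constructed for illustration.
"""

# Constructed application names standing in for JDE application objects.
ALL_APPS = {
    "APP_INVOICE_ENTRY",
    "APP_INVOICE_APPROVAL",
    "APP_PAYMENT_RUN",
    "APP_SUPPLIER_MASTER",
    "APP_ADDRESS_BOOK",
}

# Menu security only decides what a task view shows.  Assumption for this
# example: a user can still launch any application by name (FastPath style),
# so the menu is presentation, not access control.
MENUS = {
    "AP_CLERK": {"APP_INVOICE_ENTRY", "APP_ADDRESS_BOOK"},
    "AP_SUPERVISOR": {"APP_INVOICE_APPROVAL"},
    "TREASURY": {"APP_PAYMENT_RUN"},
}


class ObjectSecurity:
    """Application-level rules: (role, app) -> allow/deny, plus a default.

    Roles are evaluated in the order given (a stand-in for role sequencing);
    the first role carrying an explicit rule for the application decides.
    """

    def __init__(self, default_allow, rules=None):
        self.default_allow = default_allow
        self.rules = dict(rules or {})

    def grant(self, role, app):
        self.rules[(role, app)] = True

    def deny(self, role, app):
        self.rules[(role, app)] = False

    def is_allowed(self, roles, app):
        for role in roles:
            decision = self.rules.get((role, app))
            if decision is not None:
                return decision
        return self.default_allow

    def runnable_apps(self, roles, apps=ALL_APPS):
        """Everything the user can launch, whether or not a menu shows it."""
        return {app for app in apps if self.is_allowed(roles, app)}


def visible_apps(roles, menus=MENUS):
    """What the user sees on the menu: a presentation concern only."""
    shown = set()
    for role in roles:
        shown |= menus.get(role, set())
    return shown


def hidden_but_runnable(roles, security, menus=MENUS, apps=ALL_APPS):
    """Applications the menu hides but object security still permits.

    Under all-doors-open this set is large, which is the concrete form of
    'menu security is no security'; under all-doors-closed it is empty
    unless an explicit grant was made by mistake.
    """
    return security.runnable_apps(roles, apps) - visible_apps(roles, menus)


def build_open_model():
    """All Doors Open: everything allowed unless explicitly denied."""
    return ObjectSecurity(default_allow=True)


def build_closed_model(menus=MENUS):
    """All Doors Closed: deny everything, then grant back exactly what each
    role's business process needs (here, the applications on its menu)."""
    sec = ObjectSecurity(default_allow=False)
    for role, apps in menus.items():
        for app in apps:
            sec.grant(role, app)
    return sec


if __name__ == "__main__":
    clerk = ["AP_CLERK"]
    for name, model in (("open", build_open_model()), ("closed", build_closed_model())):
        print(f"{name}: clerk sees {sorted(visible_apps(clerk))}")
        print(f"{name}: clerk can also run {sorted(hidden_but_runnable(clerk, model))}")
```

Two things to try with it: compare `hidden_but_runnable` for the same clerk under the open and the closed model, and then add a single `deny` for one of a user's roles and evaluate with the roles in both orders. The second experiment is the "Multiple roles / Sequence Manager" pitfall: with first-match evaluation, the answer depends on role order, which is why the closed model also needs a maintainable, documented sequence rather than grants alone.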

Page 21:

Security Planning

• Security must not be an afterthought
  – It should be planned in
  – Should match business processes
• Effective SoD policy is a must
  – Prevent Fraud
  – Auditor requirement
  – Adds value

Pages 22 to 27: Security plan checklist built up one item per slide (complete list on page 28)

Page 28:

Upgrading: Security plan checklist

• Information Gathering
• Audit Security
• Added Value
• Evaluate Tools
• Take Advice
• Risk Management
• Plan
• Integrate Security

Page 29: Agenda (repeat of page 3)

Page 30:

The Dangers and Costs: The Alinean ROI Report

Typical Threats | Avg. Risk of Breaches per Year (per 1,000 users) | Avg. IT Staff Hours per Breach | Avg. Business & Collateral Damage per Breach
Virus / Worms / Trojans | 2 | 4 hours per infected asset | $24,000
Denial of Service | 2 serious incidents | 32 hours per system | $122,000
Data Destruction / Damage | 1 | 120 hours | $350,000
Physical Theft Disclosure | 25% employees leave with assets | 2 hours | $5,000
Information Theft and Disclosure | 1 | 180 hours | $250,000
Policy Violation | 30 | 2 hours | $20,000
Errant User Behaviour | 15 | 2 hours | $20,000

Page 31:

Impact Analysis (Cost of Inaction)

PROBLEM | POSSIBLE IMPACT

Poor SoD Control | Fail audit. Cost of compensating controls? Cost of remedial action? Cost of fraud? Cost of errors?

Failed audit | Incremental cost of Audit trying to get necessary data? Impact on business of failed audit, i.e. share price, lost orders. Cost of compensating controls? Cost of remedial action? Cost of fraud? Potential each quarter from shareholder litigation? Potential regulatory fines?

Security / SOX deadline | Impact of missing deadline. Impact on other projects if SOX late. Cost of overtime / additional internal resources to achieve deadline? Cost of external resources to help achieve deadline

Unauthorised Access / Ineffective Security | Cost of security incidents? (CSI 2009 survey states average per incident cost exceeds $230k.) Incremental audit costs tracking posting / reconciliation errors (Ciber states that the best way to reduce reconciliation errors is to implement better security)

Page 32:

Return On Security Investment (ROSI)

• Return On Investment (ROI)
  – Money earned or saved v Money Invested
  – Quantitative
• Return On Security Investment (ROSI)
  – Includes risk reduction
  – Includes Qualitative
  – Insurance
• Auditors place value in accounts for risk

Page 33:

Adding Value to the Upgrade

• Establish value in strong Security
• Maybe use RoSI?
• Build in SoD & Compliance Reporting
• Cost of inaction?
• Audit to reduce Risk

Page 34:

Summary

• Functional upgrades will impact business processes
  – Upgrading requires security restructure
• Technical upgrades may enable security standardisation
• JDE security has pitfalls for the unwary
• Ineffective security can prove costly
  – Fraud is on the increase
  – More regulations to comply with
  – High non-compliance costs
• Effective security can assist in paying for upgrade
  – Reduce opportunity for fraud
  – Reduce non-compliance costs

Page 35:

Q Product Family

Quick Fix: Accelerator
Security Build & Maintain: E1Config
Audit: E1SoD
Compliance Reporting: erpAudit

Page 36:

Q – Secure & Comply

• ADC in a few days
• 80% saving in Security Management
• Integrated SoD
• Extensive Access Reporting
• Multiple Roles retained & Improved
• Audit Security – tool to convince Management
• Upgrade tools

Page 37:

Cameron has it all under control

Page 38:

Questions?