Dont risk failing your security audit

About This Presentation
Title:

Dont risk failing your security audit

Description:

Security Solutions for J D Edwards. Q Security Workbench for World ... Jamie Olis, Dynegy 24 years. Bernie Ebbers, Worldcom facing 165 years ... – PowerPoint PPT presentation

Slides: 48
Provided by: Roge83

Transcript and Presenter's Notes

1
Don't risk failing your security audit
  • Session 10080

David Hunt, Diccon Grayling
2
Hands up!
Who amongst you are World users?
Who amongst you are EnterpriseOne (OneWorld) users?
3
Agenda
  • Corporate Governance Security considerations
  • The EnterpriseOne security challenge
  • So you think your World is secure?

4
About Q Software
  • Security Solutions for J D Edwards
  • Q Security Workbench for World
  • QSeries for OneWorld / EnterpriseOne
  • Certified by JDE
  • Both products to be certified by Oracle
  • 150 customers
  • 80 in USA
  • Based near London, UK

5
Q Software Alliances
With more than 35,000 members in more than 100
countries, the Information Systems Audit and
Control Association (ISACA) is a recognized
worldwide leader in IT governance, control,
security and assurance.
6
White Papers
  • Executive White Papers
  • Corporate Governance Security Considerations
  • Implementing Effective Control Systems in World
    and OneWorld
  • Controls Cut Costs
  • So you think your World is SOX compliant
  • Technical White Papers
  • World Security Strategy
  • EnterpriseOne Security Strategy
  • The Need for QSeries a technical perspective
  • Enhancing Security for Effective Control in
    EnterpriseOne 8.9

7
Back to Basics
Why should we have security or controls in our
ERP systems?
8
Business Need for Security
  • Part of an overall Control System
  • Corporate Governance Legislation
  • Sarbanes-Oxley
  • Quality Control
  • ISO 9000
  • Industry Legislation
  • Federal Drugs Agency - 21 CFR Part 11
  • But - CONTROLS SAVE MONEY

9
  • KPMG fraud survey
  • 75% of US companies suffered fraud
  • Mainly due to poor internal controls
  • PwC survey
  • 50% of UK companies suffered fraud
  • Yet felt internal controls were adequate
  • Frauds discovered by chance, not through controls

10
SOX section 404 requires
  • that organisations can confirm the effectiveness of the internal control structure.
  • Users need to ensure adequate controls are in place for an audit as well as for
    good company practice, and to ensure they are maintained for subsequent years.
  • Deloitte states that SOD (Segregation of Duties) is crucial.

11
Enhanced Security for Effective Control
  • Ensures data only accessed by authorised people
  • Prevents malicious damage
  • Prevents accidental access
  • Prevents fraud
  • Segregation of Duties
  • Ensures applications only access relevant data
  • i.e. plant A only updates plant A stock, not
    plant B

12
Ineffective controls allow fraud
Management Requests 300 widgets
Fraudster changes BOM to 500
500 widgets sent to factory floor
Factory floor confirms 500 widgets
200 widgets are stolen by fraudster
Fraudster amends BOM back to 300
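
The sequence on this slide (a control value changed, used, then changed back) is exactly the pattern an audit-trail check can catch, which is how a control, rather than chance, discovers it. The following Python is an added example written for this page, not part of the presentation and not Q Software's product: it parses constructed audit-log lines (the log format and the `BOM_MAINT` and `WO_CONFIRM` program names are invented for the example) and flags any controlled field that the same user changes and then reverts within a time window.

```python
import re
from datetime import datetime, timedelta

# Constructed audit-log lines (not from any real JDE system). BOM_MAINT and
# WO_CONFIRM are placeholder program names; the format is invented for the example.
AUDIT_LOG = """\
2005-06-01 09:05 user=jsmith prog=BOM_MAINT item=WIDGET-A field=QTY old=300 new=500
2005-06-01 09:40 user=floor01 prog=WO_CONFIRM item=WIDGET-A field=QTY_ISSUED old=0 new=500
2005-06-01 11:40 user=jsmith prog=BOM_MAINT item=WIDGET-A field=QTY old=500 new=300
2005-06-02 08:10 user=pjones prog=BOM_MAINT item=WIDGET-B field=QTY old=120 new=150
2005-06-09 08:10 user=pjones prog=BOM_MAINT item=WIDGET-B field=QTY old=150 new=120
"""

LINE_RE = re.compile(
    r"(\S+ \S+) user=(\S+) prog=(\S+) item=(\S+) field=(\S+) old=(\S+) new=(\S+)"
)


def parse_log(text):
    """Turn the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, prog, item, field, old, new = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "user": user, "prog": prog, "item": item,
            "field": field, "old": old, "new": new,
        })
    return events


def find_change_and_revert(events, window=timedelta(hours=24), programs=("BOM_MAINT",)):
    """Flag a change to a controlled field that the same user reverts within `window`.

    Only changes made through the programs listed in `programs` are tracked, so a
    work-order confirmation (a different program) does not reset the comparison.
    """
    findings = []
    last = {}  # (item, field) -> most recent tracked change for that field
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["prog"] not in programs:
            continue
        key = (ev["item"], ev["field"])
        prev = last.get(key)
        if (prev and prev["user"] == ev["user"]
                and ev["old"] == prev["new"] and ev["new"] == prev["old"]
                and ev["ts"] - prev["ts"] <= window):
            findings.append({
                "user": ev["user"], "item": ev["item"], "field": ev["field"],
                "changed_to": prev["new"], "reverted_at": ev["ts"],
                "minutes_open": int((ev["ts"] - prev["ts"]).total_seconds() // 60),
            })
        last[key] = ev
    return findings


def scan(text=AUDIT_LOG):
    return find_change_and_revert(parse_log(text))


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

With the constructed log, only the WIDGET-A change is reported: the quantity goes 300 -> 500 -> 300 under the same user inside 24 hours, while the WIDGET-B revert a week later falls outside the window. The window and the program list are the two knobs a reviewer would tune against real change volumes.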
13
If you think good security costs a lot
Poor security costs so much more
14
Corporate Governance is serious
  • Robbery 7 years
  • Rape 9 years
  • Murder 20 years
  • Andy Fastow, Enron 10 years
  • Jamie Olis, Dynegy 24 years
  • Bernie Ebbers, WorldCom facing 165 years
  • Jeff Skilling, Enron facing 325 years

15
Dangers of an open system
  • Critical update programs will not be protected
  • Users will be able to navigate to these programs
  • Deliberate or accidental updates will take place
  • Data will be corrupted
  • You will fail an audit

16
Is YOUR security watertight?
  • Who has access to sensitive information?
  • Who has access to key applications?
  • Have violations occurred?
  • Is your implementation strategy still being
    applied?
  • Is your organisation unchanged since you
    implemented World or EnterpriseOne ?
  • Acquisitions ?
  • Divestments ?
  • Staff secondments ?

17
The importance of security
  • ISACA guidelines for auditing controls
  • Mentions security 350 times!

18
The security threat
  • Solutions: people buy the best solution for each threat
  • Anti-spam software, anti-virus software
  • Firewalls, data encryption
  • Passwords, etc.

19
COSO / Q Software
[Diagram: the COSO framework with Q Software mapped against its components]
20
Agenda
  • Corporate Governance Security considerations
  • The EnterpriseOne security challenge
  • So you think your World is secure?

21
E1 Security Fundamentals
  • 12 Security Parameters:
  • 3 Object Security: Application, Action, Processing Option
  • 2 Data Confidentiality: Row, Column
  • 7 Access Control: e.g. Exit, Tab, Exclusive Application, External Application

22
A sizeable task
  • Volume problem
  • 29,000 objects
  • P00950 program is very clumsy
  • Repetition problem
  • Repeating Tasks
  • Repeating Row Security
  • Maintenance problem
  • Solution Explorer not related to Security

23
RISKS - Global Security
  • EnterpriseOne comes with no security in place.
  • It is essential that the global (ALL/No) locks are applied for all objects and
    all actions.
  • Without these locks there is no guarantee that a user is denied access to all
    objects, because:
  • It is impossible to find and lock all navigation routes.
  • There are so many objects that they can never all be identified and explicitly
    locked.
  • New Service Packs contain new objects, and these must be locked too.
  • Example: open access to a new payroll report was given because it was not
    explicitly locked when it was loaded. This gave all users sight of all pay
    details for all employees.
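
To make the global-lock point concrete, here is an added Python model (written for this page; not Q Software's or Oracle's code) of how object security resolves with and without a deny-all rule when a service pack delivers an object nobody has explicitly locked. The rule precedence, the `*PUBLIC` and `*ALL` wildcards and the `R_NEWPAYROLL` object are constructed assumptions; P0101 and P4311 are program ids that appear elsewhere in this deck.

```python
from dataclasses import dataclass

PUBLIC = "*PUBLIC"   # constructed convention: rule applies to every user
ALL = "*ALL"         # constructed convention: rule applies to every object


@dataclass(frozen=True)
class Rule:
    subject: str   # user or role name, or PUBLIC
    obj: str       # program/report name, or ALL
    allow: bool


def effective_access(rules, user, obj):
    """Resolve access by most-specific match (assumed precedence, not E1's exact rules).

    Precedence: user+object > user+ALL > PUBLIC+object > PUBLIC+ALL.
    If no rule matches at all, the object is open, mirroring the slide's point that
    EnterpriseOne ships with no security in place.
    """
    lookup = {(r.subject, r.obj): r.allow for r in rules}
    for key in ((user, obj), (user, ALL), (PUBLIC, obj), (PUBLIC, ALL)):
        if key in lookup:
            return lookup[key]
    return True


def open_objects(rules, users, objects):
    """Per user, the sorted list of objects they can reach under the rule set."""
    return {u: sorted(o for o in objects if effective_access(rules, u, o)) for u in users}


def uncovered_objects(rules, objects):
    """Objects open to a user who has no rules of their own: open to everyone."""
    return sorted(o for o in objects if effective_access(rules, PUBLIC, o))


# Constructed data. R_NEWPAYROLL stands in for a report added by a service pack.
OBJECTS = ["P0101", "P4311", "R_NEWPAYROLL"]
USERS = ["AP_CLERK", "HR_ADMIN", "TEMP01"]

# Strategy 1: lock each known object explicitly, nothing else.
EXPLICIT_LOCKS_ONLY = [
    Rule(PUBLIC, "P0101", False),
    Rule(PUBLIC, "P4311", False),
    Rule("AP_CLERK", "P4311", True),
]

# Strategy 2: global ALL/No lock first, then explicit grants.
WITH_GLOBAL_LOCK = [
    Rule(PUBLIC, ALL, False),
    Rule("AP_CLERK", "P4311", True),
    Rule("HR_ADMIN", "R_NEWPAYROLL", True),
]

if __name__ == "__main__":
    for name, rules in (("explicit locks only", EXPLICIT_LOCKS_ONLY),
                        ("with global lock", WITH_GLOBAL_LOCK)):
        print(name, open_objects(rules, USERS, OBJECTS),
              "uncovered:", uncovered_objects(rules, OBJECTS))
```

Under the explicit-locks strategy the new payroll report is open to every user, including the temporary account, because no rule mentions it; under the global lock only HR_ADMIN, who was explicitly granted it, can reach it. The `uncovered_objects` check is the one to run after every service pack.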

24
RISKS - Control Tables
  • Control tables open to all: business managers want access to control tables
    for day-to-day application management, so controls should be placed over
    control tables.
  • Next Number: inadvertent changes cause duplicates (or gaps) in document number
    sequences or master file references. Missing or duplicate invoice numbers are
    an immediate alert for fraudulent activity. Access must be restricted to one
    or two users.
  • Automatic Accounting Instructions: inadvertent changes mean transactions are
    posted to incorrect accounts. Finding an error requires a huge amount of
    effort. Accountants love to have access to the file, but it must be strictly
    limited.
  • User Defined Codes: if changed in error they can cause severe integrity
    problems.

25
RISKS - Multi-Function programs
  • e.g. Sales Order Entry: explicit controls are needed to stop order clerks
    changing ship-to and bill-to addresses and the tax code, and to prevent
    accidental price changes after order entry.
  • Security is complex: a combination of Action Code, Processing Option, Exit and
    Row security. Similar for Purchase Order Entry.
  • Proof mode and update mode: many programs, such as Stock Take, can be run in
    proof mode or update mode, selected via a simple tick box. Selecting the wrong
    one can have a catastrophic effect on stock levels.

26
RISKS - Master Files
  • Sensitive Master Files: many master files contain sensitive data, and some are
    structured in complex ways, making the implementation of effective security
    very difficult.
  • Address Book: contains sensitive data such as employee Social Security numbers
    and customer discount codes. It is split into several sub-files and is now
    difficult to secure. Use of a simple coding structure and Row Security
    overcomes this problem.
  • Costs and Prices: careful segregation of duties is required to ensure
    accidental updates don't take place and confidentiality is maintained.
  • Bill of Materials and Work Centre files: contain prices and costs and can be
    very sensitive. If changed by mistake it can lead to a loss of stock
    information.

27
Risks Multiple roles
  • Use of multiple roles creates an auditing
    nightmare
  • Some auditors may refuse to audit E1 if you use
    this capability

28
RISKS - SOD
  • Approx. 30 sensitive financial programs require special control and SOD to
    ensure more than one person is involved in the business process, e.g.:
  • Cheque printing
  • Voucher approval
  • Item master update

29
RISKS - Solution Explorer
  • Solution Explorer, Menus and Fast Path: careful consideration needs to be
    given to how these are used.
  • Solution Explorer and Menus look different depending on the security strategy
    used.
  • Fast Path is an extremely powerful facility: performance of a program can vary
    depending on whether it is called from a menu option or from Fast Path.
  • Fast Path will call the original ZJDE version and will ignore any custom
    versions with their processing options, data selections and sequencing.

30
How can we simplify E1 security?
QBuild, QComponents, QSeries Methodology
31
The QBuild Approach
  • Easy to use Security Grids
  • Create a model (usually from Solution Explorer)
  • Task Components
  • Row security Components
  • Job Functions
  • Segregation of Duties rules
  • Link them all together and press the build button
  • Make a change and press the re-build button

32
EnterpriseOne 8.10 Security
EnterpriseOne 8.10 Solution Explorer
[Diagram: User -> Role -> Task / Row Security, with the repeated elements highlighted]
Users: John, Paul

Role              Tasks                     Row Security
A/P Clerk Ohio    AP Process, Addrs Book    Row Sec Ohio
A/R Clerk Ohio    AR Process, Addrs Book    Row Sec Ohio
A/R Clerk Texas   AR Process, Addrs Book    Row Sec Texas

Tasks: AP Process = task for P0101, P0105, P0111; Addrs Book = task for P0110,
P0935, P0834; AR Process = task for P0632, P0795, P0866
REPEATS: Addrs Book x 2, Row Sec Ohio, AR Process
33
EnterpriseOne 8.10 Security
EnterpriseOne 8.10 Solution Explorer
QBuild Model - Enhancing Security for Effective Control
[Diagram: the same User -> Role -> Task / Row Security structure as the previous
slide, now generated from QBuild Job and Task Components]
Users: John, Paul

Role              Tasks                     Row Security
A/P Clerk Ohio    AP Process, Addrs Book    Row Sec Ohio
A/R Clerk Ohio    AR Process, Addrs Book    Row Sec Ohio
A/R Clerk Texas   AR Process, Addrs Book    Row Sec Texas

Tasks: AP Process = task for P0101, P0105, P0111; Addrs Book = task for P0110,
P0935, P0834; AR Process = task for P0632, P0795, P0866

BENEFITS
  • Rapid Deployment: use Component Generator to implement Deny ALL in 2 steps
  • Reduce Errors: QComponents standard security model
  • Always-on Segregation of Duties reporting for a profile
  • Eliminate repetition in the EnterpriseOne security file
34
QSeries Customers
"I believe it would be almost impossible to implement an all-doors-shut security
model under EnterpriseOne without QBuild."
"QBuild provides an easy way to configure security in EnterpriseOne. Previously it
took at least four hours to set up new groups, but with QBuild that time has been
reduced to about 15 minutes."
"Using Q Software has saved us at least 1600 man hours of entering security
manually for the initial 500 users we have set up so far."
"The QSeries approach simplifies the whole process and it was obvious that it
would save us an enormous amount of time."
35
The productivity saving
  • EnterpriseOne: it used to take me 4 hours to set up security for a GROUP ID
    (2 groups a day)
  • QBuild: it now takes me 15 minutes to create security for a GROUP ID
    (32 groups a day)

16 times the productivity, 90% time saving
36
Agenda
  • Corporate Governance Security considerations
  • The EnterpriseOne security challenge
  • So you think your World is secure?

37
World QCheck Review revealed
  • Sensitive programs could be reached by many users
  • Security maintenance programs were unprotected
  • Vital business data could be amended by 70% of users using menus
  • Menu security allowed 85% of users to access unauthorised programs via
    function keys and options

38
Risks - World
  • AAI Maintenance (P0012)
  • If users can change auto numbering
  • Entries can be posted to the wrong accounts
  • Address Book (P01051)
  • Functional rights can be changed
  • Payment terms, etc.
  • Payroll, PO entry also at risk!

39
Risks - World
  • Action code security
  • Only introduced in later programs
  • 299 programs have NO action code security
  • Hidden selections - 36
  • Take the user to the Command Line
  • Overrides PeopleSoft security
  • Who relies on Menu Security?
  • Menu security is no security
  • Function keys, option keys and the Command Line allow back-door entry

40
RISKS - Examples
  • Menu security allows user Keith73 access to programs P0002 and P00041, but
    function keys allow access to programs P00021 and P0004D.
41
RISKS - Considerations
  • Group Profiles
  • Do you use Group Profiles to ease security management? We recommend you do so.
  • Do you have visibility of any user settings that override the Group Profile?
    You need to.
  • Are you aware that some attributes do not even inherit, such as the user's
    Initial Menu, Menu Travel and Search Type security?
  • Without controlling these, the User/Group relationship is redundant.

42
RISKS - considerations
  • Purchase Order entry (P4311)
  • Should be limited and locked. 
  • Can any users input POs, AND authorise payments? 
  • This is a key Segregation of Duties issue.
  • Accounts Receivable - Cash Collection
  • Do users responsible for collection of cash,
    and/or Entering of Manual Invoices have access to
    A/R Cash Application Spreads, Write Offs, or
    Adjustments (program P03103)?
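
The two Segregation of Duties questions on this slide (PO entry versus payment authorisation) and the cheque printing / voucher approval pairs on the earlier "RISKS - SOD" slide are the same check: does any single user, across all of their roles combined, hold both halves of a conflicting pair? The Python below is an added example written for this page, not Q Software's SOD reporting. P4311, P04105, P03103 and P0101 are program ids named in the deck; `P_PAYAPPROVE` and `P_CHQPRINT` are constructed placeholders, and the role and user assignments are invented.

```python
# Map each program to the business function it grants. Real ids from the deck plus
# two constructed placeholders (P_PAYAPPROVE, P_CHQPRINT).
FUNCTION_OF = {
    "P4311": "enter_purchase_order",
    "P04105": "enter_voucher",
    "P_PAYAPPROVE": "approve_payment",
    "P_CHQPRINT": "print_cheque",
    "P03103": "ar_cash_adjustment",
    "P0101": "address_book_update",
}

# Constructed role definitions and user-to-role assignments.
ROLE_PROGRAMS = {
    "AP_CLERK": {"P04105", "P0101"},
    "AP_PAYMENTS": {"P_PAYAPPROVE", "P_CHQPRINT"},
    "BUYER": {"P4311"},
    "AR_CLERK": {"P03103"},
}

USER_ROLES = {
    "john": ["AP_CLERK"],
    "paul": ["AP_CLERK", "AP_PAYMENTS"],
    "mary": ["BUYER", "AP_PAYMENTS"],
    "sue": ["AR_CLERK"],
}

# Conflicting pairs of functions. Each pair should need two different people.
SOD_RULES = [
    ("enter_purchase_order", "approve_payment"),
    ("enter_voucher", "approve_payment"),
    ("enter_voucher", "print_cheque"),
]


def functions_granted(user, user_roles=USER_ROLES, role_programs=ROLE_PROGRAMS,
                      function_of=FUNCTION_OF):
    """function -> set of roles that grant it, taking the union over the user's roles."""
    granted = {}
    for role in user_roles[user]:
        for prog in role_programs[role]:
            fn = function_of.get(prog)
            if fn:
                granted.setdefault(fn, set()).add(role)
    return granted


def sod_violations(user, rules=SOD_RULES, **kw):
    """Conflicting pairs this user holds, with the roles supplying each side.

    Reporting the roles matters because a conflict created by combining roles (the
    'multiple roles' risk) is invisible when each role is reviewed on its own.
    """
    granted = functions_granted(user, **kw)
    out = []
    for a, b in rules:
        if a in granted and b in granted:
            out.append((a, b, tuple(sorted(granted[a])), tuple(sorted(granted[b]))))
    return out


def sod_report(user_roles=USER_ROLES, **kw):
    return {u: sod_violations(u, user_roles=user_roles, **kw) for u in user_roles}


if __name__ == "__main__":
    for user, violations in sod_report().items():
        print(user, violations or "clean")
```

In the constructed data paul is clean in each role taken alone and fails only when AP_CLERK and AP_PAYMENTS are combined, while mary's conflict is the PO entry plus payment authorisation case the slide asks about.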

43
RISKS
  • Plus many more
  • ...finally, to further highlight the complexity of controlling World security:
  • a QSecurity Workbench audit report.

44
RISKS
There are over 1,000 routes into the Voucher
Entry program P04105.
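
The "1,000 routes" figure, the Keith73 example and the "menu security is no security" slide all describe the same thing: navigation is a graph, and the programs a user can reach are the nodes reachable from their menus through function keys, option keys and hidden selections, not just the options printed on the menu. The Python below is an added example for this page, not Q Software's QCheck or Access Analyser. The program ids P0002, P00041, P00021, P0004D and P04105 come from the deck; which keys link them, and the `MENU:G01` menu, are constructed assumptions.

```python
from collections import deque

# Constructed navigation graph. A menu node lists its options; a program node lists
# the programs reachable from it via function keys, option keys or hidden
# selections. The links are invented for the example, not taken from World.
NAV = {
    "MENU:G01": ["P0002", "P00041"],
    "P0002": ["P00021"],
    "P00041": ["P0004D", "P04105"],
    "P00021": ["P04105"],
    "P0004D": ["P04105"],
    "P04105": [],
}


def reachable_programs(menus, nav=NAV):
    """Every program a user can reach starting from the menus they are allowed."""
    seen, queue = set(), deque(menus)
    while queue:
        node = queue.popleft()
        for nxt in nav.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def back_door_programs(menus, nav=NAV):
    """Reachable programs that no allowed menu lists: what menu security alone misses."""
    on_menu = {p for m in menus for p in nav.get(m, [])}
    return sorted(reachable_programs(menus, nav) - on_menu)


def count_routes(start, target, nav=NAV, _path=()):
    """Number of distinct simple paths from start to target (a cycle is never re-entered)."""
    if start == target:
        return 1
    return sum(count_routes(nxt, target, nav, _path + (start,))
               for nxt in nav.get(start, []) if nxt not in _path)


if __name__ == "__main__":
    menus = ["MENU:G01"]
    print("reachable:", sorted(reachable_programs(menus)))
    print("back doors:", back_door_programs(menus))
    print("routes to P04105:", count_routes("MENU:G01", "P04105"))
```

With this small graph a user whose menu shows only P0002 and P00041 also reaches P00021, P0004D and the Voucher Entry program P04105, by three different routes. Real menu trees are far larger, which is why the route count into a single sensitive program climbs into the hundreds or thousands and why locking programs directly, rather than menu options, is the control that holds.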
45
Summary - Security in World
  • Visibility: difficult (impossible) to find all programs a user has access to
  • Action security only works on 66% of interactive update programs
  • No simple yes/no switch for programs
  • Menu security is no security
  • Too many back-doors

46
How we can make your World secure
QSecurity Workbench(QSW)
47
Components of QSW V5
[Diagram: QSW V5 Main Menu and its workbenches]
  • Menu Security Workbench: who has access to what menus; complex menu locking
  • User Security Workbench: manage profiles; simplify security; real-time analysis
  • Program Security Workbench: program settings; identify exposures
  • Access Analyser: who has access to what, and how; filters by DWV
48
Our World customers tell us
"Q Software justified itself on the create user profile feature alone. Everything
else was a bonus."
"Our first implementation of Q Software in Ohio has been an enormous success,
please send the product to all our World sites world-wide."
"I needed to identify and apply Action Code Security to critical files and
programs. Q Software is the only way."
"When we evaluated World we placed Security as a strength and as a weakness. With
Q Software, Security is just a strength."
"We couldn't achieve compliance without Q Software."
Various customers
49
Summary
  • Don't risk failing your security audit
  • Compliance in World
  • Is achievable only with Q Security Workbench
  • Compliance in EnterpriseOne
  • Is an awesome task without QBuild

50
For more information
  • Visit Q Software on stand 821
  • Attend our product presentation
  • Wednesday June 15, 2:30
  • Austin 4
  • www.qsoftware.com
  • Email sales@qsoftware.com