SoDAC
The Smart Segregation of Duties and Access Controls (SoDAC) overcomes PeopleSoft's security limitation by giving you the ability and freedom to secure your data at any level, in any application or module. If the field exists on the page, we can secure the data in it.
What are my risks?
Users can gain access to programs with sufficient security authorizations that could enable them to commit fraud.
User can exploit their given access by performing actions prohibited by your company policy or industry regulation.
Users can gain the ability to perform both buyer setup and enter vendor invoices, bank reconciliation and vendor payment approval, or product ordering and accounting inventory, among others.
Lucknow ❣️ Call Girl 97487*63073 Call Girls in Lucknow Escort service book now
Segregation of Duties and Sensitive Access as a Service webinar
1.
2. Today’s Presenter
Lewis Hopkins
Senior Applications Consultant
Lewis has been working in governance, risk, and compliance for the last 12 years, providing solutions and guidance to over
200 Organizations. He is a Board Member of the Governance, Risk and Compliance User Group and regularly speaks at
industry events.
3.
4.
5. SmartERP Solutions | Global Expertise with Local Presence
UAE
Dubai
Bangalore
Hyderabad
INDIA
• Toronto
• Boston
• Chicago
• Texas
• Atlanta
HQ
Pleasanton, CA
Chennai
Founded in 2005
by former Oracle
Executives, Architects,
and Consultants
Implementation Partner
Oracle Cloude, NetSuite,
PeopleSoft, EBS and JDE
Solutions and Services
A unique blend of
Solutions and services
300+ Clients
Worldwide clients for life
across various industries
350+ Employees
Certified experts around the
world – 24x7x365
6. Samples of our Cross-Industry Client Successes
Manufacturing, Hi-Tech, Fin-Tech and Healthcare
Industrial, Hi-Tech and Semi-Con Lifesciences, Pharma, Bio-Tech and Healthcare
Wholesale Distribution and Retail
Building, Solar, Furniture, Electronics, Wine, Food and
Beverage
Professional Services & General Bus.
Staffing, Legal, Education, Engineering and Construction
8. Current Figures
5% of revenue is lost every year to Fraud
(Accounting Today)
33% of Bankruptcies down to Employee fraud
Average of 6 frauds per Organization per year
Internal fraud is as prevalent as External (PWC
Global Fraud Survey)
10. Cohesion
Communication – Typically Business Users don’t understand the
Application. Technical Users don’t understand the Risks.
Business Users Technical Users
Responsibility and Ownership
“Foxes watching the
Hen House”
11. Access Definitions
Security too complex – not ‘Business friendly’
Ensure new/copied Security is easy to
read
Re-Use where possible, for example: Sign on process
Delivered Roles have Security issues and please secure ALLPAGES!!
12. Who owns the Access/SoD
Reviews in your organization?
1. Security
2. Audit
3. Functional Users/Managers
4. A combination of the above
5. None of the above
13. ‘Super User’ Access
• Don’t rely on PSADMIN or VP1 generic logins without controls
Options for management:
• Break Glass
• Individual User Logins
14. Individual User Logins
Employee’s request access to
Production, Sys Admin unlocks
their account and grants the
Roles required for diagnosis.
At the end of the process,
the User’s account is locked again.
15. One more thing…
Always worth Auditing User Profiles, Roles/Permission Lists
in PeopleSoft.
Low transaction, high impact
16. Data Security
• Row Security limited in PeopleSoft
• What to do about PCI or PII?
• Field Security, Tokenization, restrict Fields in the Pages, Database Level
Security?
17. Opportunities for Securing Data
For Query:
Create Roles/Permission Lists for accessing this Data
Secure them against the Fields you use & the Queries for accessing this information
• Pros: Accountability – track the Roles that have access
• Cons: Can leave out other data required from a table
For Access:
Use Database level Security to Secure or Obfuscate the Data
• Pros: Total Security at the Data level
• Cons: May need each User to have a DB level User
If one DB User, what about Self Service Users?
18. Production Do’s and Don’ts
• Data Mover and Configuration/Development processes– secure them!
• Submission of Jobs
• Copy of Production for testing and simulation
• Who wants to refresh every day?
• Don’t rely on Auditing
• The Horse may have bolted already!
19. Production Do’s and Don’ts
• Separate Configuration from Transactions
• Segregation of Duties and Access Analysis
• OMB
• NIST
• SOX
Compliance is forcing Organizations to change their Approach to ERP Security
and Controls
20. Role Assignments
Too many Roles = too many Risks/too difficult to answer who has access to what
We’ve seen:
160+ Roles per User
12-24 months before Security is regarded as a mess
Are Role Assignments going through a change request?
21. How do you currently manage
security analysis and SoD?
1. Third-party solution
2. Manual-based process
3. No solution in place
4. Don’t know
23. Access and SoD Subscription
• Analysis of Security for efficiency
• Power User & Third Party access
• Segregation of Duties
• PII and Sensitive Data Access
• Reports, Recommendations and Project
Management
25. Rules
CPA staff maintain ruleset and provide advisory
Rule Maintenance and Controls Assessment
through subscription
26. Access and SoD Reporting as a Service
Extract Data
from PeopleSoft
Import into
Smart ERP
Run Analysis
No PII or Sensitive
Data is taken
27. Access and SoD Reporting
• Users and their SoD Violations
• Power User Access
• Sensitive Access
• PII Access
Reports and Remediation
28. Benefits
• Report on who has access to what in plain
‘English’
• Identify and Remediate Users with too
much access
• Enforce strong Data Security Policies
• Comply with legislation and reduce costs
Reporting and Data Security as it should be..
29. Exceptions
Sometimes Users need to break the rules…
VP’s, Power Users, Limited Staff, etc
All Exceptions are stored for future reference, and
Reports available
31. A. Just Smart Form I-9 (Free)
B. Both Smart Form I-9 and E-Verify (Free)
C. Smart Applications with Smart Onboarding ($)
D. Full Suite with HR Integration ($)
E. Full Suite with HR Integration plus other apps ($)
F. Not Sure?
Use the question feature in your Zoom application