The document discusses security considerations when upgrading JD Edwards E1. It outlines some common security issues in the current JD Edwards E1 system, such as a lack of segregation of duties and complex access controls. It stresses the importance of planning security as part of any upgrade project to address issues and ensure controls are effective. Finally, it notes how effective security can help justify the costs of an upgrade project.
JDE & Peoplesoft 2 _ Mike Ward _ Security implications of Upgrading JDE.pdf
1. Security Implications when Upgrading JD Edwards
Mike Ward, Managing Director
• The most comprehensive Oracle applications & technology content under one roof
2. Have pity on the homeland.....
3. Agenda
Q Software credentials
Security considerations when upgrading JD Edwards E1
Security issues in JD Edwards E1
Planning for security as part of the upgrade
How effective security can help to pay for the upgrade project
4. The Oracle Security & Compliance People
270+ Customers
6. Why Upgrade?
• Migrating from World to E1?
• Moving from blue stack to red stack?
• Support considerations?
• Moving to newer standards based IT?
• Moving to higher performance h/w & s/w platform?
• Consolidating instances of JDE?
• New Functionality?
7. Issues with Instance Consolidation?
Instance refers to the unique set of JD Edwards EnterpriseOne data which includes transactional data, control tables and system data.
WARNING SIGNS:
• Increased Maintenance Cost
• Multiple data centers
• Disparate processes
• Multiple ERP versions
• Duplicate architecture
• Highly Customised
• Improper Environment controls
8. Upgrade considerations – Functional Changes
• New Functionality: 1,000+ Enhancements, Industry Modules
• Custom Programs
• Business Process Improvements
• Alignment of Controls
• Risks: Fraud & IP Theft, Share Price, Loss of Business & Inability to do job
• Maximise Staff Effectiveness
• Affects Roles / Responsibilities
9. Security & Upgrades – Scope Creep
• Ex-employees still have access
• Changes to business processes
• Organisational & process changes
• Upgrades.........
[Chart: Risk against Time, with Task 1 to Task 4 accumulating over successive changes]
10. Fraud will never happen to You
• 75% of fraud is due to ineffective internal controls, split between
  – Lack of controls 38%
  – Over riding controls 19%
  – Lack of management review 18%
• 80% of businesses modify controls after Fraud
Source: Association of Certified Fraud Examiners
11. It doesn’t happen here.......
[World map of economic crime statistics by country: UK, Canada, Germany, USA, South Africa, New Zealand, Australia. Recoverable points: most common crimes are asset misappropriation and bribery & corruption; 33% of these by middle / senior management; likely cause is pressure due to economy. Source: PwC 2009 economic crime survey]
12. Segregation of Duties (SoD)
Jones & Jones Inc. – A Manager:
• Sets up MB Inc. as a supplier
• Accepts Purchase Invoices from MB Inc.
• Approves Invoices
• Processes for Payment
• Transfers the funds
• Runs off with $1m
13. • VP in Finance Department
• July – December 2010
• Stole $19m
“Defendant bought a Maserati, 6 Properties, and a $½m entertainment system”
“Excessive Access Rights”
14. Deloitte – Auditor Survey
• 3 Most Common Frauds
  – Misappropriation of Assets – 31%
  – Improper Expenditures – 22%
  – Procurement Fraud – 16%
• 63% companies say vulnerability has increased
• 83% UK companies had suffered fraud
16. Issues in JD Edwards E1
§ All Doors Open v All Doors Closed
• Menu Security is no Security
• No Segregation of Duties
• Access to critical programs
• 30+ security types, 300 options
• 35,000 Objects
• Complexity of Maintenance - forms, versions
• Multiple roles / Sequence Manager
• Unexpected security authorities
• Changes lead to unexpected results
• Application access is very complex
  • Task Views
  • FineCut
  • FastPath
  • Hidden & Associated Applications
19. Auditors Recommend Roles Based Access Control
• Native in 8.10 upwards
• Essential to retain this functionality
• Why .....
  § Simplified systems administration
  § Enhanced security & integrity
  § Simplified regulatory compliance
  § Enhanced organisational productivity
20. Security Planning
• Upgrading is a good time to review security
  – Has it kept pace with organisational changes?
  – Are you suffering from “security creep”?
  – Who can access critical programs?
  – What is your security policy?
• All Doors Closed
  – Grant back access – Roles Based Access Control
    “Only way to ensure a fully auditable system”
  – But need to build a maintainable model
    “Sustainable Compliance”
21. Security Planning
• Security must not be an afterthought
  – It should be planned in
  – Should match business processes
• Effective SoD policy is a must
  – Prevent Fraud
  – Auditor requirement
  – Adds value
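The purchase-to-pay chain on slide 12 and the "All Doors Closed, grant back access through roles" model of slides 19 to 21 can be checked mechanically. The Python below is an added example, not Q Software's or Oracle's code: the duties, the conflict matrix, the roles and the users are constructed assumptions that mirror the Jones & Jones scenario, and none of them are real JD Edwards object or role names. It computes each user's effective duties as the union of what their roles grant (everything else is denied), flags duty pairs the policy says must not be held together, and separately flags roles that already conflict on their own.

```python
"""Segregation-of-duties (SoD) check over a deny-by-default role model.

Added example, not Q Software's or Oracle's code. Duties, conflict
matrix, roles and users are constructed to mirror the 'Jones & Jones
Inc.' scenario; none of them are real JD Edwards object or role names.
"""
from itertools import combinations

# Steps of the purchase-to-pay process one person must not own end to end.
# In a real model each duty maps to the E1 programs/versions that perform it.
DUTIES = (
    "SUPPLIER_SETUP",   # create or change a supplier record
    "INVOICE_ENTRY",    # accept purchase invoices
    "INVOICE_APPROVE",  # approve invoices for payment
    "PAYMENT_PROCESS",  # process the payment run
    "FUNDS_TRANSFER",   # release funds from the bank
)

# SoD conflict matrix: duty pairs one person must not hold together
# (constructed policy; the real one is set by the business and its auditors).
CONFLICTS = {
    frozenset({"SUPPLIER_SETUP", "INVOICE_ENTRY"}),
    frozenset({"SUPPLIER_SETUP", "PAYMENT_PROCESS"}),
    frozenset({"INVOICE_ENTRY", "INVOICE_APPROVE"}),
    frozenset({"INVOICE_APPROVE", "PAYMENT_PROCESS"}),
    frozenset({"PAYMENT_PROCESS", "FUNDS_TRANSFER"}),
}

# Roles grant duties. Anything no role grants is denied: this is the
# "All Doors Closed, grant back access" model.
ROLES = {
    "AP_CLERK": {"INVOICE_ENTRY"},
    "AP_MANAGER": {"INVOICE_APPROVE"},
    "VENDOR_ADMIN": {"SUPPLIER_SETUP"},
    "TREASURY": {"PAYMENT_PROCESS", "FUNDS_TRANSFER"},  # conflicting by design
}


def effective_duties(user_roles, roles=ROLES):
    """Union of the duties a user's roles grant; unknown roles grant nothing."""
    granted = set()
    for role in user_roles:
        granted |= roles.get(role, set())
    return granted


def is_permitted(user_roles, duty, roles=ROLES):
    """Deny by default: a duty is allowed only if at least one role grants it."""
    return duty in effective_duties(user_roles, roles)


def sod_violations(user_roles, roles=ROLES, conflicts=CONFLICTS):
    """Conflicting duty pairs the user holds, as sorted tuples for stable output."""
    held = sorted(effective_duties(user_roles, roles))
    return [pair for pair in combinations(held, 2) if frozenset(pair) in conflicts]


def conflicting_roles(roles=ROLES, conflicts=CONFLICTS):
    """Roles that violate SoD on their own (a design defect, not a user problem)."""
    return {name for name in roles if sod_violations([name], roles, conflicts)}


def report(users, roles=ROLES, conflicts=CONFLICTS):
    """Map user -> violations, listing only users that have at least one."""
    out = {}
    for user, user_roles in users.items():
        found = sod_violations(user_roles, roles, conflicts)
        if found:
            out[user] = found
    return out


if __name__ == "__main__":
    # Constructed user population: the slide-12 manager holds every role.
    USERS = {
        "a_manager": ["AP_CLERK", "AP_MANAGER", "VENDOR_ADMIN", "TREASURY"],
        "clerk1": ["AP_CLERK"],
        "treasurer": ["TREASURY"],
    }
    for user, found in report(USERS).items():
        print(f"{user}: {found}")
    print("roles that conflict on their own:", sorted(conflicting_roles()))
```

Running it lists the manager with all five conflicting pairs, the treasurer with one, and omits the clerk; the role-level check catches TREASURY as a role that no user can hold without a violation, which is the kind of design issue the "maintainable model" point on slide 20 is about.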
28. Upgrading: Security plan checklist
• Information Gathering
• Audit Security
• Added Value
• Evaluate Tools
• Take Advice
• Risk Management
• Plan
• Integrate Security
30. The Dangers and Costs: The Alinean ROI Report
Typical Threats | Avg. Risk of Breaches per Year (per 1,000 users) | Avg. IT Staff Hours per Breach | Avg. Business & Collateral Damage per Breach
Virus / Worms / Trojans | 2 | 4 hours per infected asset | $24,000
Denial of Service | 2 serious incidents | 32 hours per system | $122,000
Data Destruction / Damage | 1 | 120 hours | $350,000
Physical Theft / Disclosure | 25% employees leave with assets | 2 hours | $5,000
Information Theft and Disclosure | 1 | 180 hours | $250,000
Policy Violation | 30 | 2 hours | $20,000
Errant User Behaviour | 15 | 2 hours | $20,000
31. Impact Analysis (Cost of Inaction)
PROBLEM / POSSIBLE IMPACT
• Poor SoD Control
  – Fail audit
  – Cost of compensating controls?
  – Cost of remedial action?
  – Cost of fraud?
  – Cost of errors?
  – Incremental cost of Audit trying to get necessary data?
• Failed audit
  – Impact on business of failed audit? i.e. share price, lost orders
  – Cost of compensating controls?
  – Cost of remedial action?
  – Cost of fraud?
  – Potential each quarter from shareholder litigation?
  – Potential regulatory fines?
• Security / SOX deadline
  – Impact of missing deadline. Impact on other projects if SOX late
  – Cost of overtime / additional internal resources to achieve deadline?
  – Cost of external resources to help achieve deadline
• Unauthorised Access / Ineffective Security
  – Cost of security incidents? (CSI 2009 survey states average per incident cost exceeds $230k)
  – Incremental audit costs tracking posting / reconciliation errors (Ciber states that best way to reduce reconciliation errors is to implement better security)
32. Return On Security Investment (ROSI)
• Return On Investment (ROI)
  – Money earned or saved v Money Invested
  – Quantitative
• Return On Security Investment (ROSI)
  – Includes risk reduction
  – Includes Qualitative
  – Insurance
• Auditors place value in accounts for risk
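Slides 30 to 32 give per-threat breach rates and costs and then ask for a return on security investment. The Python below is an added example, not the Alinean report's or Q Software's arithmetic: it takes the figures from the slide-30 table as constants and adds, as constructed assumptions, a linear scaling of breach rate with user count, an IT staff hourly rate, mitigation percentages for an access-control and SoD programme, and a control cost. The ROSI formula it applies (annualised loss expectancy times mitigation, less control cost, over control cost) is the commonly quoted one; the deck itself does not spell a formula out.

```python
"""Cost of inaction and return on security investment (ROSI).

Added example, not the Alinean report's or Q Software's arithmetic. The
per-threat rates, hours and damage figures are the ones on the slide-30
table; the linear scaling with user count, the IT staff hourly rate, the
mitigation percentages and the control cost are constructed assumptions,
and the ROSI formula is the commonly quoted
    ROSI = (ALE * mitigation - control_cost) / control_cost
which the deck itself does not spell out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    breaches_per_year: float       # avg. risk of breaches per year, per 1,000 users
    staff_hours_per_breach: float  # avg. IT staff hours per breach
    damage_per_breach: float       # avg. business & collateral damage per breach, USD


# Rows of the slide-30 table. "Physical Theft / Disclosure" is quoted there as
# "25% employees leave with assets" rather than a breach count, so it is
# omitted instead of being guessed at.
ALINEAN = (
    Threat("Virus / Worms / Trojans", 2, 4, 24_000),
    Threat("Denial of Service", 2, 32, 122_000),
    Threat("Data Destruction / Damage", 1, 120, 350_000),
    Threat("Information Theft and Disclosure", 1, 180, 250_000),
    Threat("Policy Violation", 30, 2, 20_000),
    Threat("Errant User Behaviour", 15, 2, 20_000),
)


def annual_loss(threat, users, hourly_rate):
    """Annualised loss expectancy (ALE) for one threat.

    Breach rate is scaled linearly from the per-1,000-user figure (assumption);
    each breach costs its collateral damage plus IT staff time at hourly_rate.
    """
    expected_breaches = threat.breaches_per_year * users / 1000
    cost_per_breach = threat.damage_per_breach + threat.staff_hours_per_breach * hourly_rate
    return expected_breaches * cost_per_breach


def total_ale(threats, users, hourly_rate):
    """Cost of inaction: ALE summed over all threats."""
    return sum(annual_loss(t, users, hourly_rate) for t in threats)


def risk_reduced(threats, users, hourly_rate, mitigation):
    """ALE removed by a control set; mitigation maps threat name -> fraction
    (0..1) of that threat's loss the control prevents. Unlisted threats: 0."""
    total = 0.0
    for t in threats:
        share = mitigation.get(t.name, 0.0)
        if not 0.0 <= share <= 1.0:
            raise ValueError(f"mitigation for {t.name!r} must be in [0, 1]")
        total += annual_loss(t, users, hourly_rate) * share
    return total


def rosi(risk_reduction, control_cost):
    """Return on security investment as a ratio: 1.0 means the control pays
    back its cost once over."""
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    return (risk_reduction - control_cost) / control_cost


if __name__ == "__main__":
    # Constructed inputs: a 1,000-user site, $100/hour IT staff, and an access
    # control / SoD programme that only affects the user-behaviour threats.
    USERS, RATE, COST = 1000, 100.0, 200_000.0
    SOD_MITIGATION = {
        "Policy Violation": 0.5,
        "Errant User Behaviour": 0.5,
        "Information Theft and Disclosure": 0.3,
    }
    for t in ALINEAN:
        print(f"{t.name:34s} ALE ${annual_loss(t, USERS, RATE):>12,.0f}")
    print(f"cost of inaction (all threats): ${total_ale(ALINEAN, USERS, RATE):,.0f}")
    reduced = risk_reduced(ALINEAN, USERS, RATE, SOD_MITIGATION)
    print(f"risk reduced by SoD programme:  ${reduced:,.0f}")
    print(f"ROSI: {rosi(reduced, COST):.2f}")
```

The split between `total_ale` and `risk_reduced` matters for the slide-33 argument: the cost of inaction counts every threat, but a security programme is only credited with the share of loss it plausibly prevents, so the ROSI case for an upgrade rests on the user-behaviour and access rows of the table rather than on the whole sum. The qualitative items on slide 32 (auditor confidence, insurance) sit outside this arithmetic and have to be argued separately.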
33. Adding Value to the Upgrade
• Establish value in strong Security
• Maybe use RoSI?
• Build in SoD & Compliance Reporting
• Cost of inaction?
• Audit to reduce Risk
34. Summary
• Functional upgrades will impact business processes
– Upgrading requires security restructure
• Technical upgrades may enable security
standardisation
• JDE security has pitfalls for the unwary
• Ineffective security can prove costly
– Fraud is on the increase
– More regulations to comply with
– High non-compliance costs
• Effective security can assist in paying for upgrade
– Reduce opportunity for fraud
– Reduce non-compliance costs
35. Q Product Family
• Quick Fix – Accelerator
• Security Build & Maintain – E1Config
• Audit – E1SoD
• Compliance Reporting – erpAudit
36. Q – Secure & Comply
• ADC in a few days
• 80% saving in Security Management
• Integrated SoD
• Extensive Access Reporting
• Multiple Roles retained & Improved
• Audit Security – tool to convince Management
• Upgrade tools
37. Cameron has it all under control
38. Questions?