Best Practices
Implementing Security and Controls in PeopleSoft
Why Security, Compliance and Segregation of Duties?
This webinar addresses the key features for security and controls in PeopleSoft. Without controls built around these features there is a high probability for error, poor performance or in extreme cases fraudulent transactions. SmartERP will guide you through the steps for best-practice techniques in securing your Application, and the Applications available to assist with this process.
Implementing Security and Controls in PeopleSoft Best Practices - May 2017
1. Implementing Security and Controls
in PeopleSoft – Best Practices
Lewis Hopkins – Applications Consultant
Lewis.Hopkins@smarterp.com
2. Reminders
A recording of today’s session will be sent to all
registrants shortly after the webinar.
Phone lines/mics are MUTED.
There will be a Q & A section at the end of today’s
session. Please use the GoToWebinar “Questions”
feature (not the “Chat” feature) from your control panel
to post a question at any time during the presentation.
3. Agenda
• About Smart ERP
• Managing Super User Access
• Access Definitions
• Data Security
• Productions Do’s and Don’ts
• Solutions
5. Achieve Best-In-Class Performance
Our mission is to provide innovative, configurable, flexible, cost-effective solutions
to common business challenges, enabling our clients to save time,
increase productivity, minimize costs, and maximize their return on investment.
Solutions
Business applications that
offer organizations an
end-to-end solution
providing the right design
and implementation from
start to finish.
Services
A 24/7 seasoned and
experienced staff of
experts to help you
implement your business
solutions efficiently and
effectively at a cost-
effective rate.
Cloud
Cloud applications
provide solutions built on
proven enterprise class
architecture that enable
high configurability and
ease of monitoring.
6. About SmartERP
Oracle Platinum Partner
Best practices and expertise in strategic planning, implementation, upgrade and add-on / customization services
Unique blend of Solutions and Services
‘Clients for Life’ – High level of client satisfaction and loyalty
200+ Clients across various industries
350+ Employees
Global Locations:
Headquarters in Pleasanton, CA
Offices in Atlanta GA, Hyderabad, Chennai and Bangalore (India)
Founded in 2005 by former Oracle Architects, Executives and Consultants
8. Managing Super User Access
Communication – Typically Business Users don’t understand the
Application’s Security design.
Business Users Technical Users
Responsibility and Ownership
“Foxes watching the
Hen House”
9. ‘Super User’ Access
• Don’t rely on PSADMIN or VP1 generic logins without controls
Options for management:
• Break Glass
• Individual User Logins
10. BreakGlass
• Employee requests access to investigate/resolve a Production issue
• In an IDM Solution: Automate the creation and assignment of Roles
• Either through timeout or manual process, change the User credentials so this Employee cannot log back in
11. Individual User Logins
Employee requests access to Production, Sys Admin unlocks their account and grants the Roles required for diagnosis.
At the end of the process, the User’s account is locked again.
12. Break Glass Vs Individual User Logins
Break Glass
Pros:
• Tight Control
• Limit the User Accounts with privileges
• Most IDM solutions have audit tracking and other features to track who accessed Prod – even record sessions.
• More Compliant solution
Cons:
• Can be slow to respond to incidents
• Costly to implement, especially if you don’t have IDM already.
Individual User Logins
Pros:
• Quick – User accounts already exist
• Free to implement
Cons:
• More User accounts to track potentially
• Manual process
• Can’t track User sessions unless auditing is switched on
• No control over User Profiles (unless customized)
13. One more thing…
Always worth Auditing User Profiles, Roles/Permission
Lists in PeopleSoft.
Low transaction, high impact
14. Access Definitions
Too many Roles = too many Risks/too difficult to answer who
has access to what
We’ve seen:
160+ Roles per User
12-24 months before Security is regarded as a
mess
Are Role Assignments going through a change request?
15. Access Definitions
Security too complex – not ‘Business friendly’
Ensure new/copied Security is easy to
read
Re-Use where possible, for example: Sign on process
Delivered Roles have Security issues and please secure ALLPAGES!!
Segregation of Duties
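The audit that slides 9 and 13 to 15 call for can start with a few read-only queries against the PeopleTools security tables. This is an added example, not part of the webinar or of any SmartERP product; it uses the standard PSOPRDEFN, PSROLEUSER and PSROLECLASS tables, and the role-count threshold of 50 is an assumption chosen for illustration.

```sql
-- Added example: read-only audit queries for PeopleTools security tables.
-- Run with a reporting (read-only) database account.

-- 1. Unlocked user profiles that reach the ALLPAGES permission list,
--    and the role that grants it. ACCTLOCK = 0 means the account is not locked.
SELECT u.OPRID, ru.ROLENAME
FROM   PSOPRDEFN   u
JOIN   PSROLEUSER  ru ON ru.ROLEUSER = u.OPRID
JOIN   PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
WHERE  rc.CLASSID = 'ALLPAGES'
AND    u.ACCTLOCK = 0
ORDER  BY u.OPRID, ru.ROLENAME;

-- 2. Unlocked user profiles holding more roles than a review threshold.
--    50 is an assumed threshold; set it from your own role design.
SELECT u.OPRID, COUNT(DISTINCT ru.ROLENAME) AS ROLE_COUNT
FROM   PSOPRDEFN  u
JOIN   PSROLEUSER ru ON ru.ROLEUSER = u.OPRID
WHERE  u.ACCTLOCK = 0
GROUP  BY u.OPRID
HAVING COUNT(DISTINCT ru.ROLENAME) > 50
ORDER  BY ROLE_COUNT DESC;

-- 3. The generic logins named on slide 9: are they locked, and how many
--    roles do they still carry? LEFT JOIN keeps accounts with no roles.
SELECT u.OPRID, u.ACCTLOCK, COUNT(ru.ROLENAME) AS ROLE_COUNT
FROM   PSOPRDEFN  u
LEFT   JOIN PSROLEUSER ru ON ru.ROLEUSER = u.OPRID
WHERE  u.OPRID IN ('VP1', 'PSADMIN')
GROUP  BY u.OPRID, u.ACCTLOCK;
```

Saving the output of each query on a schedule and comparing it with the previous run shows role assignments that did not go through a change request.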
17. Data Security
• Row Security limited in PeopleSoft
• What to do about PCI or PII?
• Field Security, Tokenization, restrict Fields in the Pages,
Database Level Security?
19. Opportunities for Securing Data
For Query:
Create Roles/Permission Lists for accessing this Data
Secure them against the Fields you use & the Queries for accessing this information
• Pros: Accountability – track the Roles that have access
• Cons: Can leave out other data required from a table
For Access:
Use Database level Security to Secure or Obfuscate the Data
• Pros: Total Security at the Data level
• Cons: May need each User to have a DB level User
If one DB User, what about Self Service Users?
20. Production Do’s and Don’ts
• Data Mover and Configuration/Development processes–
secure them!
• Submission of Jobs
• Copy of Production for testing and simulation
– Who wants to refresh every day?
• Don’t rely on Auditing
– The Horse may have bolted already!
21. Production Do’s and Don’ts
• Separate Configuration from Transactions
• Segregation of Duties and Access Analysis
– OMB
– NIST
– SOX
Compliance is forcing Organizations to change their Approach to
ERP Security and Controls
23. Access and SoD Reporting
• Abilities contain the Security required to
perform a task or duty – wrapped into an
easy to read container
• Allow for Roles, Permission Lists,
Components, Pages and User Preferences
• Incorporate Authorities – can the User
update records or not?
Abilities for Reporting
24. Data Security
• Secure specific Fields such as SSN, Credit Cards and more
• Create Contexts: Row Security at the User,
Permission List, Role and Tree Level
• Open up Data Security possibilities
Apply Data Security to any Field on any Page
25. Benefits
• Report on who has access to what in plain
‘English’
• Identify and Remediate Users with too
much access
• Enforce strong Data Security Policies
• Comply with legislation and reduce costs
Reporting and Data Security as it should be..
26. Achieve Best-In-Class Security and Controls
Solutions
• Segregation of Duties/Access
Reporting
• Access Provisioning
• Transaction Monitoring
• Configuration Monitoring
Services
• Security and Configuration ‘Scans’
• Security Design and
Implementation
• Training & Review