Security & Segregation of Duties for PeopleSoft
•
3 recomendaciones•2,431 vistas
Presentation from Alliance 11 conference from the University of Nebraska and Smart ERP Solutions. Covers Row Level Security and Segregation of Duties for PeopleSoft.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (20)
Similar a Security & Segregation of Duties for PeopleSoft
Similar a Security & Segregation of Duties for PeopleSoft (20)
Más de Smart ERP Solutions, Inc.
Más de Smart ERP Solutions, Inc. (20)
Último
Último (20)
Security & Segregation of Duties for PeopleSoft
- 1. Security and Segregation of Duties for PeopleSoft Session #29904 March 29, 2011
- 2. Denise Goin, PeopleSoft Security Specialist University of Nebraska CSN 14+ years working with PeopleSoft Security, Campus Solutions, HR, Financials, Portal. Higher Ed, Public and Private Sector. Former Oracle Security Consultant. Kirk Chan/Ramesh Panchagnula, Smart ERP Solutions, Inc.
- 3. Multi-Institutional Implementation in 2 Production Instances Using SmartSecurity in Development as well as in Production environments Overview of solution providing automated Segregation of Duties directly from within your PeopleSoft
- 4. Row Level Security at the University of Nebraska Denise Goin PeopleSoft Security Specialist, University of Nebraska CSN
- 5. Nebraska Student Information System structure Change in how Security is structured, maintained Business Process changing- enable SACR security to the functional offices Shared data/components/SACR (Especially with Multi-Institution) Why Nebraska choose Smart Security? No row level security on many components in the system, and no read all/update own on anything. Fully configurable as business processes change, or new functionality is needed. As wide open or as restricted as we like. Business Requirement- To be able to SEE everything, but only allow UPDATE to our own students, especially CPP
- 6. Nebraska Student Information System NeSIS NU NSCS UNL UNO UNK UNMC Chadron Wayne Peru
- 7. NeSIS Security Team PeopleSoft Security Specialist University Security State College Analyst Security Analyst UNK UNL UNMC UNO CSC PSC WSC Sec. Sec. Sec. Sec. Sec. Sec. Sec. Cord. Cord. Cord. Cord. Cord. Cord. Cord.
- 8. Row Level Security- The Issues Business Processes Changing SF SACR Security started the trend No Institution Specific row level security on many pages Transactional Configuration Security/SACR Security Using the Security views on the pages that allow it, didn’t allow for viewing other schools data when needed. Transactional Configuration Security/SACR Security Custom/Cloned
- 9. But……..We Want it ALL How to grant access to Students Data from another school without running the risk of mistakes being made when entering data? Many students will attend multiple Universities, even in the same term. Can we protect the data and still allow access to it?
- 15. Define CPP Read All/Update Own
- 16. Define Security Access by Role Name- View All Update Own
- 17. Define Security Access by Role Name – Only See/Update own
- 18. Define Security Access by Role Name – Only See/Update own
- 19. SACR Configuration Pages- Update Own/View All vs Only See/Update My Own
- 20. SACR Configuration Pages- Update Own/View All
- 25. Effective Segregation of Duties Kirk Chan VP, Business Development Ramesh Panchagnula President Smart ERP Solutions, Inc.
- 26. “Effective” Segregation of Duties (SoD) Smart SoD™: Effective SoD for PeopleSoft Demo Summary and Q & A
- 27. A key element in the compliance lifecycle 10+ years, ERP compliance solutions Smart Security for PeopleSoft
- 28. Proactive SoD SoD Reactive Mitigation SoD
- 29. Built-in model enables SoD enforcement Violations checked BEFORE go-live Your decision to enforce rules or allow violations Saves time (= money) Easy set-up and testing for violations Quick and easy reporting Reduces number of compensating controls required Reduces auditing effort / costs Reduces risk Enforcing and reporting SoD violations reduces opportunity for fraud
- 30. Nothing in PeopleSoft Any release Use a Spreadsheet? How do you… Ensure the actual access control mirrors the spreadsheet? Right people access the right data? Manage change control problems? Assess impact of changes? Manage enforcement of SoD?
- 31. Aim: Prevent SoD Violations occurring during security Assignment. Ensure Security Policy is enforced long term.
- 32. A/P “Super” SoD Voucher Clerk Role OK 1. AP Voucher clerk Violations 2. Secondary role 2 Check 3. Secondary role 3 6 Violations Segregate this task: From this task Build Security Change Role assignment Sales Order Entry Purchase Order Or Vendor Master Bank Payments Security Sales Pricing Sales Order Entry without Purchase Order Goods Receipt affecting live security Customer Master Sales Order Entry Sales Order Entry Credit limits Credit Notes Invoicing (A/R) Purchase Order Vendor Master Purchase Order Invoice entry (A/P) Extract from pre-populated, Vendor Master Purchase Order model Vendor Master Credit Notes Invoice entry (A/P) Bank Payments
- 33. Aim: Accurately assess existing security for remediation. Reduce Audit time and cost. Build case for restructuring security.
- 34. Roles (High- Level) Permission List (Process) Components (In-depth Audit) Reporting directly on existing PeopleSoft security
- 35. Creating a journal entry and opening a closed accounting period Maintaining accounts receivable master data and posting receipts Depositing cash and reconciling bank statements Completing goods transfer and adjusting physical inventory counts Approving time cards and distributing paychecks Preparing an order and changing a billing document Changing an order and creating a delivery Creating a journal entry and opening a closed accounting period Creating general ledger accounts and posting journal entries Maintaining bank account information and posting payments
- 36. Role level Create matrix of all active system roles Identify all roles that should not be linked to the same user Such as purchasing and payments Permission List / Business Process level Include Application security & processing options Add to / modify as needed Component / Program level Add in any custom or modified processing If creating your own rules, start with most important controls & gradually add to them
- 37. Current Economic Climate (fewer employees) Many redundancies equates to less people doing more. Major requirement from Audit to allow remediation where a user is considered a risk. SOX requires that during an audit all risks must at least be visible and understood by the business. With this comes risk assessment and documentation. Seasonal Changes Staff holidays or time away from office requires other users be able to perform these additional duties.
- 38. Ability to mitigate users once a validation has occurred. Details of mitigation, including notes get added to a mitigation table. The user gets checked during the next validation but is not added to the violations table. Ability to time out mitigations, i.e. allowing for staff who are on holiday, etc.
- 40. Business Requirements Smart Solutions Row level security on any data that requires limited or authorized access Smart Security Define , manage and enforce segregation of duties for various roles within an organization to adhere to compliance requirements Smart SoD Robust workflow approval capabilities across any business transaction or documents across your Enterprise Smart Workflow Streamlined and easy-to-use data entry pages configured to meet your specific business process requirements, incl. industry reqmts; Easily add Smart Docs including features anywhere such as Save as Draft, Copy from Templates, ERP Gadget Attachments, Configurable Print, Collaborative Comments, Workflow, User Help, Business Process View Configuring and tailoring business processes to meet your organization’s specific processes, including defining step-by-step actions for each Smart Enterprise BPM process and managing your users through your organizations specific business process. One-stop visibility into the full business process lifecycle of a transaction Smart Lifecycle Viewer Addressing additional compliance requirements not in standard PeopleSoft: I-9/W-4 Form, 1042 Foreign National Requirements Smart Compliance Manageable solutions for complex integration needs Smart Integration Packs Other Common, Critical and Complementary business requirements Tell us, we’ll build it!
- 41. Developed expressly for PeopleSoft Q by SmartERP in cooperation with Q Software Software Uniquely integrated within your SmartERP current PeopleSoft Powerful Proactive, Reactive and Mitigation features Built-in Smart SoD™ Analytics/Reporting/Dashboards Use delivered SoD rules or easily create your own
- 43. SoD Model and Rules Reactive: Mass check for user violations Proactive: Validate new user profile against established SoD rules Dashboard/Analytics
- 45. Value Statement Segregation of Duties is an important element of your overall PeopleSoft security and risk management Key Features of Smart SoD can help you maintain legislative compliance (SoX), meet audit requirements and reduce the likelihood and impacts of fraud and errors Expressly designed for your current PeopleSoft Powerful Proactive, Reactive and Mitigation Features Automated Workflow Approvals Reporting/Dashboards facilitate audits and compliance Use pre-packaged built-in SoD rules (from PeopleSoft audits) or easily create your own Add-on Architecture Lowers Total Cost of Ownership Seamless Integration Utilize Best Practices Maintenance and Upgrades
- 46. Denise Goin PeopleSoft Security Specialist University of Nebraska CSN University of Nebraska E-mail: ddgoin@nebraska.edu Kirk Chan VP, Business Development Smart ERP Solutions, Inc. E-mail: kirk.c@smarterp.com Ramesh Panchagnula President Smart ERP Solutions, Inc. E-mail: ramesh.p@smarterp.com
- 47. This presentation and all Alliance 2011 presentations are available for download from the Conference site at www. heug.org www.psugonline.org www.federalusersnetwork.com Presentations from previous meetings are also available