Oracle E-Business Suite Controls: Application Security Best Practices

Table of Contents ... vi

Acknowledgements ... 1
Foreword ... 2
  What Makes This Book Different ... 3
  Who Should Read this Book ... 3
  Organization of this Book ... 4

Chapter 1: Introduction ... 5

Chapter 2: Introduction to ERP Systems ... 11
  Impact of ERP Systems' Technical Architecture ... 11
  EBS Technical Architecture: Audit Trail Implications ... 16
  Application Controls ... 19
  Change Management ... 21
  Privileged User Access and Monitoring ... 22

Chapter 3: Goals of Application Security Design and Impact of RBAC Standards ... 23
  Application Security Design Goals ... 23
  The RBAC Standard and its Impact on Application Security Design ... 25

Chapter 4: Introduction to Oracle Application Security: Function Security ... 31
  Function Security ... 31
  Users ... 31
  Responsibilities ... 38
  Menus ... 42
  Request Groups ... 45
  Form Functions ... 47
  Function Security Conclusions ... 51

Chapter 5: Change Management Best Practices and their impact on Application Security ... 52
  Change Management, Prior to ERP Systems ... 52
  Change Management, Impact of ERP Systems ... 53
  Protecting the BUSINESS process… ... 54
  IT Change Management Best Practices ... 56
  Change Management Conclusions ... 62

Chapter 6: Developing a Proper Audit Trail for your EBS Environment ... 64
  Standard Application Audit Information ... 64
  Sign-on Audit Information ... 65
  Snapshot-based Technologies ... 67
  Advanced Application Audit Trail Methodologies ... 71
  Log-based Technologies ... 71
  Trigger-based Technologies ... 73
  EBS System Administrator Advanced Auditing; Trigger-Based ... 75
  Evaluating Advanced Application Auditing Technologies ... 76
  What to Audit ... 76
  Audit Trail Conclusions ... 77

Chapter 7: Application Users Best Practices ... 78
  User Provisioning Process ... 78
  Establishing a User in Oracle EBS ... 81
  User Password Controls ... 81
  Monitoring of User Activity and Logins ... 83
  User Termination Process ... 84
  Use and Care of Generic User Accounts ... 85
  Application Users Conclusions ... 88

Chapter 8: Application Support Principles and Their Impact on Application Security ... 90
  Assessing Risk Related to Privileged Users ... 91
  Application Support Security Design ... 93
  Application Support Processes ... 95
  Application Support Principles Conclusions ... 96

Chapter 9: Data Security and Its Impact on Application Security ... 98
  Project Approach to Addressing Risks Associated with Access to Sensitive Data ... 99
  Data Security Conclusions ... 105

Chapter 10: Assessing Risk for User Access Controls and Segregation of Duties ... 106
  What a Risk Assessment Process Should Contain ... 106
  When Should a Risk Assessment Be Performed? ... 112
  Who Should Perform a Risk Assessment? ... 113
  Risk Assessment Methodology ... 113
  Risk Assessment Process Results ... 118
  Risk Assessment Conclusions ... 125

Chapter 11: Workflow Security Implications ... 126
  Worklist Access ... 127
  Delegation of Notifications in the Application ... 130
  Vacation Rules ... 133
  Notifications Via Email ... 136
  Workflow Administrator ... 137
  Workflow Security Conclusions ... 138

Chapter 12: User Management Module and Security Design ... 140
  Role Definition ... 143
  Role Hierarchies ... 149
  Data Level Security ... 152
  User Management Versus Function Security ... 153
  Mandatory Use of UMX and Related Monitoring ... 154
  Administrative Features ... 155
  Delegated Administration ... 155
  Provisioning Services ... 157
  Self-Service and Approvals ... 157
  User Management Conclusions ... 159

Chapter 13: Application Security in Non-Production Environments ... 160
  Protection of Sensitive Data ... 160
  Instance-Specific Security Requirements ... 162
  Password Encryption Risks ... 163
  Other Recommendations ... 164
  Non-Production Instances Application Security Conclusions ... 165

Chapter 14: Upgrade Risks ... 166
  Common Application Security Implementation Practices ... 166
  Upgrade Risk ... 173
  Use of Standard Menus and Submenus and Related Risks ... 173
  Upgrade Risks Conclusions ... 182

Chapter 15: Release 12 Impact on Application Security Design ... 184
  Manage Proxies ... 184
  Multi-Org Access Control (MOAC) / Security Profiles ... 189

Chapter 16: Auditors Toolkit ... 192
  Oracle Diagnostics Tool ... 192
  Using Oracle Forms to Access the Application for Audit Purposes ... 200
  Standard Oracle Reports ... 201
  SQL Queries ... 201

Appendix A – Common Controls Related to Application Security ... 204
  Users ... 204
  Security Design ... 204
  Change Management ... 205

Appendix B – Other Resources ... 206
  ERP Seminars Hosted Websites ... 206
  Other Websites ... 207
  Books ... 208
  Companies with EBS Expertise ... 208

Appendix C – Terminology ... 210

Appendix D – Tips and Tricks ... 212