Oracle E-business Suite Controls Application Security Best Practices Toc

  • Uploaded by: Greg Lusinski
  • January 2021


Oracle E-Business Suite Controls: Application Security Best Practices

Table of Contents

Acknowledgements
Foreword
What Makes This Book Different
Who Should Read this Book
Organization of this Book

Chapter 1: Introduction

Chapter 2: Introduction to ERP Systems
  • Impact of ERP Systems’ Technical Architecture
  • EBS Technical Architecture: Audit Trail Implications
  • Application Controls
  • Change Management
  • Privileged User Access and Monitoring

Chapter 3: Goals of Application Security Design and Impact of RBAC Standards
  • Application Security Design Goals
  • The RBAC Standard and its Impact on Application Security Design

Chapter 4: Introduction to Oracle Application Security: Function Security
  • Function Security
  • Users
  • Responsibilities
  • Menus
  • Request Groups
  • Form Functions
  • Function Security Conclusions

Chapter 5: Change Management Best Practices and their impact on Application Security
  • Change Management, Prior to ERP Systems
  • Change Management, Impact of ERP Systems
  • Protecting the BUSINESS process…
  • IT Change Management Best Practices
  • Change Management Conclusions

Chapter 6: Developing a Proper Audit Trail for your EBS Environment
  • Standard Application Audit Information
  • Sign-on Audit Information
  • Snapshot-based Technologies
  • Advanced Application Audit Trail Methodologies
  • Log-based Technologies
  • Trigger-based Technologies
  • EBS System Administrator Advanced Auditing; Trigger-Based
  • Evaluating Advanced Application Auditing Technologies
  • What to Audit
  • Audit Trail Conclusions

Chapter 7: Application Users Best Practices
  • User Provisioning Process
  • Establishing a User in Oracle EBS
  • User Password Controls
  • Monitoring of User Activity and Logins
  • User Termination Process
  • Use and Care of Generic User Accounts
  • Application Users Conclusions

Chapter 8: Application Support Principles and Their Impact on Application Security
  • Assessing Risk Related to Privileged Users
  • Application Support Security Design
  • Application Support Processes
  • Application Support Principles Conclusions

Chapter 9: Data Security and Its Impact on Application Security
  • Project Approach to Addressing Risks Associated with Access to Sensitive Data
  • Data Security Conclusions

Chapter 10: Assessing Risk for User Access Controls and Segregation of Duties
  • What a Risk Assessment Process Should Contain
  • When Should a Risk Assessment Be Performed?
  • Who Should Perform a Risk Assessment?
  • Risk Assessment Methodology
  • Risk Assessment Process Results
  • Risk Assessment Conclusions

Chapter 11: Workflow Security Implications
  • Worklist Access
  • Delegation of Notifications in the Application
  • Vacation Rules
  • Notifications Via Email
  • Workflow Administrator
  • Workflow Security Conclusions

Chapter 12: User Management Module and Security Design
  • Role Definition
  • Role Hierarchies
  • Data Level Security
  • User Management Versus Function Security
  • Mandatory Use of UMX and Related Monitoring
  • Administrative Features
  • Delegated Administration
  • Provisioning Services
  • Self-Service and Approvals
  • User Management Conclusions

Chapter 13: Application Security in Non-Production Environments
  • Protection of Sensitive Data
  • Instance-Specific Security Requirements
  • Password Encryption Risks
  • Other Recommendations
  • Non-Production Instances Application Security Conclusions

Chapter 14: Upgrade Risks
  • Common Application Security Implementation Practices
  • Upgrade Risk
  • Use of Standard Menus and Submenus and Related Risks
  • Upgrade Risks Conclusions

Chapter 15: Release 12 Impact on Application Security Design
  • Manage Proxies
  • Multi-Org Access Control (MOAC)/ Security Profiles

Chapter 16: Auditors Toolkit
  • Oracle Diagnostics Tool
  • Using Oracle Forms to Access the Application for Audit Purposes
  • Standard Oracle Reports
  • SQL Queries

Appendix A – Common Controls Related to Application Security
  • Users
  • Security Design
  • Change Management

Appendix B – Other Resources
  • ERP Seminars Hosted Websites
  • Other Websites
  • Books
  • Companies with EBS Expertise

Appendix C – Terminology

Appendix D – Tips and Tricks
