Tuesday, February 7, 2017

Security Standards for Oracle E-Business Suite: DMZ Configuration Guide

Security Standards for Oracle E-Business Suite: DMZ Configuration Guide

In my last blog (see http://jeffreythare.blogspot.com/2017/01/security-standards-for-oracle-e.html) we discussed Oracle’s Secure Configuration Guide (MOS Note 403537.1).  Another critical document that Oracle publishes is their DMZ configuration document (MOS Note 380490.1).  Every step must be meticulously followed or your data could be exposed – especially for those with externally facing applications such as Employee Self Service, iStore, or iRecruitment. 

If you are running iStore and have NOT tokenized your credit card data, you could be exposing your organization to significant PCI risk since Oracle provides the ability to decrypt credit card data via a concurrent program.  Find out more about decryption risk at: http://erpra.net/files/Decryption_of_Credit_Card_and_Bank_Data_Risks_and_Controls_v3.pdf. 

Other good information related to the DMZ configuration and related risks can be found on our partner firm’s, Integrigy, website at: https://www.integrigy.com/tags/dmzexternal.  Integrigy is also hosting a webinar on 9-Feb on this topic.  Sign up at: https://www.integrigy.com/security-resources/common-mistakes-when-deploying-oracle-e-business-suite-internet-webinar. 

Recommended Services from ERP Risk Advisors

We offer assessment services that can evaluate your organization’s compliance with part or all the recommendations in this MOS Note along with other high risks not considered by Oracle.
Additionally, we can help you identify a partner than tokenize your credit card data to remove most PCI risks from your EBS environment.
Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service in conjunction with our partner, CaoSys.
Contact us at erpra.net/contactus.html  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consulting as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at caosys.com.

About ERP Risk Advisors

ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications.  We provide consulting and training services related to compliance, security, risk management, and controls.  We also assist organizations in implementing GRC-related software from industry-leading companies such as Oracle, CaoSys, Smart ERP Solutions, and MentiSoftware.

About Jeffrey T. Hare, CPA CISA CIA

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors.  His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.    Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience.  Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).   Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United Kingdom.  Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.  You can reach him at jhare@erpra.net or (970) 324-1450.

Jeffrey's first solo book project "Oracle E-Business Suite Controls: Application Security Best Practices" was released in 2009.  His second book project “Auditing Oracle E-Business Suite: Common Issues” was released in 2015.  Jeffrey has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG.  Request these white papers here.  Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.

LinkedIn: linkedin.com/in/jeffreythare
Twitter: twitter.com/jeffreythare
Blog: jeffreythare.blogspot.com