Upcoming ERP Risk Advisors webinars_July 2017

Upcoming ERP Risk Advisors webinars_July 2017

You are invited to attend three upcoming webinars taking place over the next couple of weeks as follows:

Don’t give up on your Oracle Advanced Controls investment – Tuesday, July 11

How to automate controls using CaoSys’ newest features – Wednesday, July 12

Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks with SafePaas – Wednesday, July 26

“Don’t give up on your Oracle Advanced Controls investment” will be held at two times Tuesday, July 11 – 9 a.m. EST and 4 p.m. EST. 

Have you’ve spent into the six figures on your Oracle Advanced Controls implementation and are wondering how to leverage your investment into something of value.  In this webinar we will share how the expertise, content, and risk-based methodology of ERP Risk Advisors can easily extend the usefulness of your investment and add value to your controls environment.  We will first look at current trends in the audit community and discuss how to leverage your Oracle Advanced Controls investment to address these trends.  Register at: https://attendee.gotowebinar.com/register/5792990699975558914

“How to automate controls using CaoSys’ newest features” will be held at two times Wednesday, July 12 – 9 a.m. EST and 4 p.m. EST. 

With Oracle no longer offering premier support on their Advanced Controls suite customers are wondering about their long-term options with their E-Business Suite on-premise solution.  In this webinar we will provide an overview of the CaoSys GRC suite and showcase some of its newer features that can be helpful to automate controls.  Register at: https://attendee.gotowebinar.com/register/4664617991482616322

"Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks” will be held at two times on Wednesday, July 26 – 7 am. EST and Noon EST. 

Most organizations have multiple software applications to help run their business.  Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective.  Hear from industry expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and multi-platform control risks and how organizations can mature their control environment through necessary manual controls, automated controls, and access controls.  Webinar held in conjunction with SafePaas.  Register at: https://register.gotowebinar.com/rt/5153873178082543873

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

As most customers are aware Oracle announced an end to the continued development of its Advanced Controls Suite and the end of Premier Support as of September 2016 (See MOS Note: 2143036.1). Oracle has been developing a replacement known as the Risk Management Cloud which is still in its early versions.   

This change in strategy has left its customers in a difficult position since the applications in Oracle’s GRC Advanced Controls Suite are considered critical to meet their compliance requirements.  

 Many of these same customers have also had less than perfect implementations and incomplete SoD conflict and Sensitive Access rules.  This has led to a lack of reliance on the tools by their external auditors and an inadequate coverage of risk. 

ERP Risk Advisors has historically been focused on the implementation of a competitive product in this space from CaoSys and has built the premier content library and accompanying risk advisory services. 

The transition within the Oracle GRC space has allowed ERP Risk Advisors to hire some high quality resources and so we are pleased to announce a premier support program for customers currently using Oracle's Advanced Controls Suite. 


For those customers that want to continue using Oracle's Advanced Controls Suite, we will offer remote GRC Admin services to allow you to enhance or maintain your reliance on your solution.  To start the engagement, we will perform an assessment and provide you a roadmap.  In most organizations we will be able to perform the assessment in a week. Our core support offering will primarily focus on AACG and CCG, but could also include PCG and TCG.  If you haven't licensed PCG or haven't implemented it, we believe we can implement preventive controls (albeit manual) during your provisioning process to help keep your environment clean.  We will also help you leverage the data from AACG to perform your quarterly re-certification process at the Supervisor and Process Owner levels.

The engagement would start with an initial assessment and will include:

1. Infrastructure health check to include the patch level related to each of your Oracle Advanced Controls licensed products.
2. Evaluation of the completeness of the SoD and Sensitive Access rules
3. Review of your configuration of each of the modules - primarily AACG and CCG
4. Discussions with management as to how much reliance has been placed on the software and related business processes in your external audits
5. Review of key SQL scripts to evaluate your role design from a 10,000 foot level
6. Review of the results of key rules, if implemented already, that all auditors are currently evaluating
7. Review of a limited set of critical configurations such as Journal Sources and Profile Option Values
8. An evaluation of your patch level related to each of your licensed Advanced Controls solutions that are being used

The deliverables for the engagement would include:

1. In some cases, we'll be able to finalize the identification of what should be considered in scope rules.  Usually within a limited engagement we can get to 90+% accuracy, but often it requires a meeting with the external auditors to validate to get to the 100% level.  This is the key deliverable that most GRC consulting firms haven't been able to deliver, but ERP Risk Advisors can deliver with excellence.
2. High level feedback on role design - where we see risk in the usage of seeded Menus, seeded Request Groups, seeded Responsibilities, and seeded Users
3. An evaluation of the current SoD conflicts and Sensitive Access rules as to their completeness and accuracy.  We will identify the significant gaps when compared to what we anticipate would be the expectations of your audit firm.
4. A roadmap for maturing your user provisioning process and the re-certification process
5. A roadmap for updating your rules library to be complete and accurate as well as mapped to your auditors requirements
6. This engagement may also include some specific feedback on Sensitive Access rules and SoD conflicts depending on the quality and completeness of your current rule set.
7. Recommendations on patching your Advanced Controls modules, as needed, and where justified

Once we perform our initial assessment, we would be in a position to offer premium support for your Oracle GRC Advanced Controls suite.  Our support would be tailored to your organization's requirements, but would include the following as our core offering:

1. All service requests (SRs) surrounding the Oracle GRC Advanced Controls Suite.
2. Updating your rules library to include more risks - up and to including our full risk library. Adding additional risks from our library as we identify them.  
3. A comprehensive remediation plan with prioritization based on risk and scoping based on level of effort
4. Identifying SoD conflicts and Sensitive Access Risks introduced since the prior quarter for management's review and disposition
5. Developing reports with the detail for a comprehensive quarterly access review process for Supervisors (at the role level) and Process Owners (at the rule level for the key in-scope rules)
6. Implementation of changes to current roles and development of new roles required (still using Responsibilities, not User Management) as time permits
7. Revisiting and updating the roadmap to present to senior management

In addition to the above, we could also provide the following services as a supplement to our core offerings:

1.      Auditing changes to the objects related to roles (Roles, Responsibilities, Menu, Request Groups) to evaluate completeness and accuracy of the change management process

2.      Identifying whether any of the in scope reports have been changed in the last quarter (period) so that the process owners know they need to re-test the completeness and accuracy of the reports (as is now being required by the public accounting firms and the PCAOB)

3. Auditing changes to other configurations that should be subject to the change management process (scope tbd)
4. Auditing the completeness and accuracy of the approvals related to the User Provisioning process

If you are interested in discussing these services with us, please use our Contact page and we'll get back to you as soon as possible.

Regards,

Jeffrey T. Hare, CPA CISA CISA
CEO

Sam Monarch

Oracle GRC Practice Lead

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1

If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Regards,

Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,

We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services: http://erpra.net/contactus.html.

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY

 

Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update

Function Name: BOM_BOMFDCON / BOM_BOMFDCON_UPDATE

 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL

ERP Risk Advisors now support's Oracle Advanced Controls Suite

ERP Risk Advisors now support's Oracle Advanced Controls Suite

ERP Risk Advisors has hired a new highly-qualified resource that knows Oracle’s Advanced Controls suite very, very well.  We can now bring to our clients the most comprehensive risk-based rules matrix in the market for use with the AACG module.  Our rule set includes nearly 1,900 Functions and nearly 1,500 Concurrent Programs identified with specific risks documented for each one.

Sam Monarch has been hired to head up our Oracle GRC software practice.  Sam has over 12 years’ experience with Oracle’s GRC software and over 20 full cycle implementations.

We can help you prepare for your external audits by helping to scope the Sensitive Access and Segregation of Duties rules that relevant to your organization.  We can also implement GRC software to help you monitor these risks from top software providers like CaoSys and now can offer you similar services if you’ve made the investment in Oracle’s Advanced Controls suite.

Please keep us in mind for your Oracle GRC software needs, now including services for Oracle’s Advanced Controls suite.

Contact us at http://erpra.net/contactus.html if you are interested in hearing more about our services offerings.

Regards,

Jeffrey T. Hare, CPA CISA CIA

CEO, ERP Risk Advisors

Effective Governance over Profile Option Values in Oracle E-Business Suite

Effective Governance over Profile Option Values

“If only I knew back then what I know now…”  A famous phrase with applicability to many of life’s situations…

If you’ve implemented an ERP system and stuck around for a while, eventually you’ll say those words.  The implementation of a new ERP system for the first time is like drinking from a fire hose. 

If you’ve been live for a couple of years and were part of the implementation team, I challenge you to do just that.  Go back and visit your implementations configurations with the knowledge you now have.  No doubt some of the decisions you made during the implementation you’d make differently now.

Specifically, look at how you set your profile options and what profile option values you have set since you went live.  I am guessing that your governance process related to profile option values has been less than perfect.

Start with these questions to understand if you have in place proper governance relating to the approval and maintenance of profile option values:

1.      Which profile options should be set in Production?  Or… which profile options should NOT be set in Production? (yes this implies that some should not be set).

2.      Who is authorized to approve the setting of new profile options or changes to existing settings?

3.      At what level(s) should each profile option be set (Site, Application, Responsibility, User)

Each profile option has unique characteristics and abilities.  Following is a screen shot of the System Profile Values form where profile option values can be configured:

The above example shows a profile option that can only be set at the Site and User levels. 

The next example “Printer” can be set at any level.

The configuration of each Profile Option is set in the Profiles form.  The box “Hierarchy Type Access Level” defines at which level a Profile Option is Visible and Updatable.  The User Access box identifies whether it can be updated via the User Profile Values form.

Following is a screen shot of the User Profile Values form (aka Personal Profile Values):

Risks and Controls related to the Personal Profile Values form will be covered in another blog.'

You can download a template to use as a starting point for your risk assessment here: http://erpra.net/BookResources.html.   Your organization could used the outcome of the risk assessment as a basis for a desktop procedures for those that have the authority to make profile option value changes in Production.

If you want to know more about Profile Options and why you should care, I’d suggest watching the video for the full webinar we did on this topic at: https://www.youtube.com/watch?v=NGa_rGAetLc. 

One other topic of interest may be how to address the profile option "Utilities: Diagnostics" from a SOX audit perspective.  I covered that in an earlier blog that you can review at: http://jeffreythare.blogspot.com/2017/01/why-utilities-diagnostics-should-not-be.html.

Recommended Services from ERP Risk Advisors related to this topic

We are a free health check that includes reviewing how  your organization has set many of the high risk profile options.  See more about this free service at:  http://erpra.net/Services.html . 

If you are an auditor, keep in mind that we also do outsourced IT audit work.   We are thorough, risk-based, and will work with you to develop a scope that fits your budget.

Security Standards for Oracle E-Business Suite: DMZ Configuration Guide

Security Standards for Oracle E-Business Suite: DMZ Configuration Guide

In my last blog (see http://jeffreythare.blogspot.com/2017/01/security-standards-for-oracle-e.html) we discussed Oracle’s Secure Configuration Guide (MOS Note 403537.1).  Another critical document that Oracle publishes is their DMZ configuration document (MOS Note 380490.1).  Every step must be meticulously followed or your data could be exposed – especially for those with externally facing applications such as Employee Self Service, iStore, or iRecruitment. 

If you are running iStore and have NOT tokenized your credit card data, you could be exposing your organization to significant PCI risk since Oracle provides the ability to decrypt credit card data via a concurrent program.  Find out more about decryption risk at: http://erpra.net/files/Decryption_of_Credit_Card_and_Bank_Data_Risks_and_Controls_v3.pdf. 

Other good information related to the DMZ configuration and related risks can be found on our partner firm’s, Integrigy, website at: https://www.integrigy.com/tags/dmzexternal.  Integrigy is also hosting a webinar on 9-Feb on this topic.  Sign up at: https://www.integrigy.com/security-resources/common-mistakes-when-deploying-oracle-e-business-suite-internet-webinar. 

Recommended Services from ERP Risk Advisors

We offer assessment services that can evaluate your organization’s compliance with part or all the recommendations in this MOS Note along with other high risks not considered by Oracle.

Additionally, we can help you identify a partner than tokenize your credit card data to remove most PCI risks from your EBS environment.

Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service in conjunction with our partner, CaoSys.

Contact us at erpra.net/contactus.html  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consulting as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at caosys.com.

About ERP Risk Advisors

ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications.  We provide consulting and training services related to compliance, security, risk management, and controls.  We also assist organizations in implementing GRC-related software from industry-leading companies such as Oracle, CaoSys, Smart ERP Solutions, and MentiSoftware.

About Jeffrey T. Hare, CPA CISA CIA

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors.  His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.    Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience.  Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).   Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United Kingdom.  Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.  You can reach him at jhare@erpra.net or (970) 324-1450.

Jeffrey's first solo book project "Oracle E-Business Suite Controls: Application Security Best Practices" was released in 2009.  His second book project “Auditing Oracle E-Business Suite: Common Issues” was released in 2015.  Jeffrey has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG.  Request these white papers here.  Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.

LinkedIn: linkedin.com/in/jeffreythare

Twitter: twitter.com/jeffreythare

Blog: jeffreythare.blogspot.com

Security standards for Oracle E-Business Suite; the good, the bad, the ugly...

Security Standards for Oracle E-Business Suite; the good, the bad the ugly

Organizations that use Oracle E-Business Suite rely on the quality and completeness of the guidance provided to them by Oracle through My Oracle Support (MOS).  There are several documents that organizations should know like the back of their hand and should have documented their compliance with the recommendations in detail.   One such document is MOS Note 403537.1 – Secure Configuration Guide for Oracle E-Business Suite.  Compliance with this document prior to going live is a necessity.  Because of changes being introduced by users, DBAs, security administrators, developers, and via patches provided by Oracle, compliance needs to be reviewed and re-tested on a regular basis. 

Over the last 10 years we have uncovered several issues with this document.  We have published our findings from time to time and Oracle has acknowledged use of our feedback in their documentation.   Recently we have identified four other issues that we’d like to address that frankly has us questioning the quality and completeness of the document as well as questioning the quality and completeness of the internal processes that should be influencing this document.

I wrote an article documenting the pros and cons of this document that I’d encourage you to download and read.  The MOS Note presents various risks that organizations need to be aware of and Oracle provides some recommendations related to these risks.  You can access this article here. 

Conclusion

I have identified several major issues with this MOS note.  Why isn’t Oracle updating their documentation when they release new forms that allow SQL injection?  Could it be the problem is with their development standards and peer review process?  Are they not identifying these risks as part of their development process?  If so, isn’t that a bigger concern.  Perhaps this is why they have backed off making ‘best practice’ recommendations. 

Why doesn’t Oracle see the ability to decrypt credit card and bank account data as a security risk?

How is it these deficiencies exist in their documentation (failure to identify that JTF_FM_QUERY is a view and that they aren’t monitoring the ALR_ACTIONS table) and have gone unnoticed for over three years from the release of this guidance in September 2011?  The only logical conclusion is they are not implementing and testing their own guidance.

Over the past few years, we have noted deficiencies in the easiest of these recommendations – seeded application users and seeded database users.  We have also identified four new functions which allow SQL injection that have not been updated in their documentation.  At one point, there were five, but two of them have been since added to their documentation.  We have published the three functions above.

My concern is that organizations relying on this guidance have a false sense of ‘security’ if they follow this guidance.  Following this ‘guidance’ is certainly necessary at a minimum, but additional risks exist that Oracle isn’t adding to their documentation.  We’d love to see Oracle increase its effectiveness which can only be done by taking a hard look at their internal standards and setting a regular schedule for testing their guidance and updating this documentation.  Compliance with this document is necessary, but with Oracle, sometimes you need to fill in the blanks…

Recommended Services from ERP Risk Advisors

We offer assessment services that can evaluate your organization’s compliance with part or all of the recommendations in this MOS Note along with other high risks not considered by Oracle.  This engagement can range from one to six weeks.

Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service through our partner, CaoSys.

Contact us at erpra.net/contactus.html  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consulting as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at caosys.com.

About ERP Risk Advisors

ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications.  We provide consulting and training services related to compliance, security, risk management, and controls.  We also assist organizations in implementing GRC-related software from industry-leading companies such as Oracle, CaoSys, Smart ERP Solutions, and MentiSoftware.

About Jeffrey T. Hare, CPA CISA CIA

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors.  His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.    Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience.  Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).   Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United Kingdom.  Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.  You can reach him at jhare@erpra.net or (970) 324-1450

Jeffrey's first solo book project Oracle E-Business Suite Controls: Application Security Best Practices was released in 2009.  He published a second book called Auditing Oracle E-Business Suite: Common Issues in 2015.   He is working on an expansion of his first book which will be called Oracle E-Business Suite Controls: Foundational Principles and is working on an update for his second book.  Both are expected to be released in 2017.

He has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG.  Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.

LinkedIn: linkedin.com/in/jeffreythare

Twitter: twitter.com/jeffreythare

Blog: jeffreythare.blogspot.com

Why Utilities Diagnostics Should NOT Be In Scope for SOX

Why Utilities Diagnostics Should NOT Be In Scope for SOX

The setting of the Utilities: Diagnostics profile option has been a source of scrutiny for our clients over the past few years.  Some auditors have suggested that access in Production allowed by the setting of Utilities: Diagnostics could provide a back-door way to update financially significant data that a user would not be able to maintain through their normal access.  Access this video at: https://youtu.be/5eXzhv7jTpM. 

This testing was done on an R12 environment and the conclusions should not be applied to 11i or prior environments.

Recommended Services from ERP Risk Advisors

We offer an evaluation of Application Controls design effectiveness along with an analysis of the configurations.  This service can be performed typically in one to three weeks.

Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service through our partner, CaoSys.

Contact us at erpra.net/contactus.html  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consutling as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at caosys.com.

Appendix A- Screen Shots of how Utilities: Diagnostics works:
Following are a couple of screen shots related to Utilities: Diagnostics: