Security Standards for Oracle E-Business Suite: DMZ Configuration Guide
In my last blog (see http://jeffreythare.blogspot.com/2017/01/security-standards-for-oracle-e.html) we discussed Oracle’s Secure Configuration Guide (MOS Note 403537.1). Another critical document that Oracle publishes is their DMZ configuration document (MOS Note 380490.1). Every step must be meticulously followed or your data could be exposed – especially for those with externally facing applications such as Employee Self Service, iStore, or iRecruitment.

If you are running iStore and have NOT tokenized your credit card data, you could be exposing your organization to significant PCI risk since Oracle provides the ability to decrypt credit card data via a concurrent program. Find out more about decryption risk at: http://erpra.net/files/Decryption_of_Credit_Card_and_Bank_Data_Risks_and_Controls_v3.pdf.

Other good information related to the DMZ configuration and related risks can be found on our partner firm Integrigy’s website at: https://www.integrigy.com/tags/dmzexternal. Integrigy is also hosting a webinar on 9-Feb on this topic. Sign up at: https://www.integrigy.com/security-resources/common-mistakes-when-deploying-oracle-e-business-suite-internet-webinar.
Recommended Services from ERP Risk Advisors

We offer assessment services that can evaluate your organization’s compliance with part or all of the recommendations in this MOS Note, along with other high risks not considered by Oracle. Additionally, we can help you identify a partner that can tokenize your credit card data to remove most PCI risks from your EBS environment.

Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate. We perform that service in conjunction with our partner, CaoSys.

Contact us at erpra.net/contactus.html for more information about these services or CaoSys GRC solutions if you are interested in learning more. We offer our Role / Responsibility analysis consulting as a service (CS*Proviso) or via installed software (CS*Comply). See more about CaoSys GRC solutions at caosys.com.
About ERP Risk Advisors

ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications. We provide consulting and training services related to compliance, security, risk management, and controls. We also assist organizations in implementing GRC-related software from industry-leading companies such as Oracle, CaoSys, Smart ERP Solutions, and MentiSoftware.
About Jeffrey T. Hare, CPA CISA CIA

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors. His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.

Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience. Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA). Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United Kingdom. Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters. You can reach him at jhare@erpra.net or (970) 324-1450.

Jeffrey's first solo book project "Oracle E-Business Suite Controls: Application Security Best Practices" was released in 2009. His second book project “Auditing Oracle E-Business Suite: Common Issues” was released in 2015. Jeffrey has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG. Request these white papers here. Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.
LinkedIn: linkedin.com/in/jeffreythare
Twitter: twitter.com/jeffreythare
Blog: jeffreythare.blogspot.com