Securing the Cloud ERP Overview - KPMG Institutes

Cloud ERP Security & Controls

© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Page 1

Overview

Page 2

Cloud ERP Risk

Responsibly Balancing Risks and Rewards

Organizations can achieve tangible benefits from emerging technologies such as mobility, social media and cloud computing. When turning IT risk into opportunity, an organization must demonstrate effective IT compliance through:
• Governance and controls
• Data integrity
• Security and privacy
• Supplier management

Compliance needed to embrace disruptive technologies

Page 3

Cloud ERP Security & Controls Challenge

How do you effectively and efficiently balance Cloud ERP user enablement with transaction & data protection?

Key Business Drivers
• Increased Cyber Threats
• Burdensome Regulatory Requirements
• Cloud Centric Operational Complexities
• Need to Empower Employees
• Unrelenting Technology Changes

Page 4

Controls, Security, Risk, Compliance

Traditionally, Oracle Cloud ERP project teams are focused on core ERP functionality, prioritizing implementation activities to align with timeline limitations and budget constraints.

This tactical approach commonly results in risk and control compromises that are not fully appreciated until after go-live.

Once the Cloud ERP solution is live and operational, organizations begin to realize the significance of their oversights and compromises and are forced to initiate post go-live remediation projects to make the necessary corrections. These projects are disruptive, and far more expensive and time consuming than addressing the same requirements during the implementation.

The primary function of our Oracle Risk Consulting practice is to provide experienced resources that proactively assist Cloud ERP implementations, applying the Securing the ERP principles to minimize the threat of costly rework after the Cloud ERP solution is operational.

Page 5

KPMG’s Securing the Cloud ERP Approach

KPMG’s Securing the Cloud ERP approach provides an operational view of Cloud ERP security and controls, and is positioned to help industry leading organizations balance the divergent tasks of leveraging the cloud to empower ERP business users while simultaneously protecting sensitive data and transactions.

Page 6

Cloud Application Controls

Business Process Controls, Automated Controls, Enhancement & Configuration Controls, Conversion & Interface Controls

Key Business Drivers
• Revenue leakage, fraud, preventable errors
• Cloud ERP centric business process complexities and inefficiencies
• High ERP configuration costs
• Cloud enhancement management
• Complex regulatory compliance requirements
• Greater transparency required for sensitive transactions

Key Capabilities for Advanced Controls
• Business Process Controls Framework to organize manual controls, Cloud ERP application controls and automated controls
• Preventative Controls to mitigate process risks
• Detective Controls to monitor sensitive transactions and data changes
• Configuration Controls to track/monitor configuration changes and compare Oracle Cloud ERP instances
• Conversion & Interface Controls (Cloud to Premise, Cloud to Cloud)

Realized Value
• Automated controls for Cloud ERP Applications
• Effective enhancement & configuration management program
• Effective regulatory compliance program
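Added example (not KPMG's or Oracle's tooling): one way to implement the detective configuration control listed above, comparing configuration snapshots exported from two Oracle Cloud ERP instances against an approved baseline and classifying each deviation as a key-control or informational setting. The snapshot layout, the setting names and values, and the pattern list are constructed for the illustration and do not correspond to real Oracle setup task names.

```python
"""Detective configuration control: compare Cloud ERP instance configuration
snapshots against an approved baseline and flag drift.

Illustrative code, not KPMG or Oracle tooling. Setting names, values and the
snapshot layout are constructed for the example; a real implementation would
load them from the application's setup/configuration export.
"""
import fnmatch

# Approved baseline for the production instance (constructed data).
BASELINE = {
    "payables": {
        "invoice_approval_required": True,
        "allow_force_approval": False,
        "duplicate_invoice_check": "reject",
        "payment_terms_default": "NET30",
    },
    "general_ledger": {
        "journal_approval_required": True,
        "allow_unposted_period_close": False,
    },
    "security": {
        "password_min_length": 12,
        "session_timeout_minutes": 30,
        "self_registration_enabled": False,
    },
}

# Snapshots exported from two instances (constructed data).
SNAPSHOTS = {
    "PROD": {
        "payables": {
            "invoice_approval_required": True,
            "allow_force_approval": True,  # drifted from the baseline
            "duplicate_invoice_check": "reject",
            "payment_terms_default": "NET30",
        },
        "general_ledger": {
            "journal_approval_required": True,
            "allow_unposted_period_close": False,
        },
        "security": {
            "password_min_length": 12,
            "session_timeout_minutes": 30,
            "self_registration_enabled": False,
        },
    },
    "TEST": {
        "payables": {
            "invoice_approval_required": False,
            "allow_force_approval": False,
            "duplicate_invoice_check": "warn",
            "payment_terms_default": "NET45",
        },
        "general_ledger": {
            "journal_approval_required": True,
            # allow_unposted_period_close is missing from this export
        },
        "security": {
            "password_min_length": 8,
            "session_timeout_minutes": 30,
            "self_registration_enabled": True,
            "debug_logging": True,  # not present in the baseline at all
        },
    },
}

# Settings that are key controls: drift here needs investigation and a change
# record; anything else is informational. Glob patterns over "area.setting".
KEY_CONTROL_PATTERNS = [
    "*_approval_required",
    "payables.allow_force_approval",
    "payables.duplicate_invoice_check",
    "general_ledger.allow_unposted_period_close",
    "security.*",
]


def flatten(cfg, prefix=""):
    """Flatten nested setup areas into {"area.setting": value}."""
    out = {}
    for key, value in cfg.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def is_key_control(path):
    return any(fnmatch.fnmatchcase(path, pat) for pat in KEY_CONTROL_PATTERNS)


def drift(baseline, snapshot):
    """Return [(path, baseline_value, actual_value, severity), ...] sorted by path.

    A setting absent on one side is reported with None rather than skipped, so a
    control that was removed from an instance is never silently accepted.
    """
    base, snap = flatten(baseline), flatten(snapshot)
    findings = []
    for path in sorted(set(base) | set(snap)):
        if base.get(path) != snap.get(path):
            severity = "KEY" if is_key_control(path) else "INFO"
            findings.append((path, base.get(path), snap.get(path), severity))
    return findings


def compare_all():
    """Drift report for every instance against the baseline."""
    return {env: drift(BASELINE, snap) for env, snap in SNAPSHOTS.items()}


if __name__ == "__main__":
    for env, findings in compare_all().items():
        print(f"== {env}: {len(findings)} deviation(s)")
        for path, expected, actual, severity in findings:
            print(f"  [{severity}] {path}: baseline={expected!r} actual={actual!r}")
```

Running this reports a single KEY deviation on PROD (force approval switched on) and seven on TEST, of which only the default payment terms are informational; the missing period-close setting and the extra debug flag are both surfaced because the comparison walks the union of both key sets rather than only the baseline.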

Page 7

Application Security

Adaptive Authentication, Role Based Access Controls (RBAC), Cloud Application Security Architecture, Sensitive Access & Segregation of Duties

Key Business Drivers
• Employee access to Cloud ERP applications
• Sensitive Cloud ERP transactions and data
• Cloud centric fraud risk
• Complex regulatory compliance requirements associated with cloud applications

Key Capabilities for Application Security
• Adaptive Authentication for Cloud ERP access
• Role Based Access Controls (RBAC) based on specific job functions
• Access Permissions Architecture based on specific requirements such as job role or geographic location
• Function Security restricts user access to individual menus of Cloud ERP functions
• Cloud ERP data security restricts access to the individual data that is shown once a user has selected a menu or menu option
• Operational Segregation of Duties (SOD) framework

Realized Value
• Cloud enabled ERP user access aligned with job functions
• Risk driven user administration costs
• Effective regulatory compliance program for Cloud ERP Applications

Page 8

Cloud Cyber and Data Security

Information Protection, Cyber Security, Business & Technology Resilience, Privileged Access

Key Business Drivers
• Transactional threats
• Information and data protection
• Cloud technology vulnerabilities
• Complex regulatory compliance requirements

Key Capabilities for Data & Infrastructure
• Information protection to protect data ingress and egress transactions
• Cyber Security program to minimize the impact of cyber security attacks by proactively monitoring transactions and leveraging an incident response program
• Business and Technology Resilience to provide business continuity planning & management, disaster recovery, crisis management, high availability capabilities and performance monitoring
• Privileged user management program to manage ERP administration and system-to-system user accounts
• Mobile transaction security

Realized Value
• Effective, risk-based information security program to protect Cloud ERP applications
• Effective regulatory compliance program

Page 9

Cloud Security Operations

Enhancement Management for Security & Controls, Cloud ERP Security & Controls Operations

Key Business Drivers
• Continued functional and technical enhancement requirements for Cloud ERP
• Cloud ERP security operational challenges
• Greater need to manage the security & controls solution impacted by Cloud ERP enhancements

Key Capabilities for Cloud Security Operations
• Cloud ERP functional and technical enhancement and patch management
• Enhancement impact evaluation for security & controls
• Security & controls solution updates to address changes associated with the ERP cloud enhancement/patch program
• User permission updates
• Cloud ERP Security Operations and Controls Governance
• Organizational design & operational processes
• Policies and procedures
• Controls Governance & reporting
• ERP Controls enablement and remediation processes
• Segregation of Duties process

Realized Value
• Efficient Cloud ERP enhancement / patch program for security & controls
• Effective regulatory compliance program

Page 10

User Access Administration

User Access Management, Password Management, User Access Certification, User Analytics

Cloud User Administration & Governance

Key Business Drivers
• Ongoing user administration and control governance
• Complex regulatory compliance requirements
• Greater need to understand cloud ERP user activities and usage trends

Key Capabilities for User Access Administration
• Cloud ERP User Access Administration Functions and Tools
• Registration / Approval
• Self Service
• Delegation
• User Provisioning: Add, Change, Inactivate
• Password Management
• Certification
• User Analytics

Realized Value
• Efficient ERP user administration program
• Reduced user administration cost
• Effective regulatory compliance program

Page 11

Methodology

Page 12

Framework

Our KPMG Securing the Cloud ERP framework uses a risk-based phased approach to create more manageable and measurable engagements. Each phase logically leads to the next phase and leverages work performed in all prior phases, while managing the project closely with the client in each phase.

Securing the ERP: Cloud Application Controls (Advanced Controls), Cyber & Data Security, Cloud User Administration and Governance, Cloud Security Operations

Securing the Cloud ERP Services
• Strategy, business requirements and business case development
• Cloud Security current state assessments
• Oracle ERP Security and Advanced Controls design and implementation
• Automated Controls implementation – Preventative & Detective
• User Access Administration design and operational realization
• Data security design and implementation
• Cloud configuration controls implementation

Page 13

Framework (phase diagram; labels recovered from the slide)

• Plan: Current State Assessment; Securing the Cloud ERP Strategy; Securing the Cloud ERP Project Plan

• Design: Cloud Application Controls; Application Security; Cloud User Administration & Governance; Automated Controls Design; Application Controls Design; Adaptive Authentication; Automated Controls; Cloud ERP Application Security Design; RBAC Design; Cloud ERP Data Security Design; Security & Controls Operations Design; Update User Administration Program; Cloud Controls Configuration; Build & Validate Cloud ERP Roles & Responsibilities; Build Data Security Architecture; Cyber Security Assessment

• Implement: Cloud ERP Application Security; Validate Data & Infrastructure Security; Security & Controls Operations Target Operating Model; Review User Administration Program

• Monitor

Page 14

Tools and Accelerators

Securing the Cloud ERP Framework; Risk & Controls Catalog

Implementation Tools & Accelerators
• Deliverable Templates
• Process Analysis Flowcharts
• Tools: Role Designer, Role Uploader

Page 15

Practice Overview

Page 16

Practice Overview

Our KPMG Oracle Security & Controls practice brings a depth and breadth of security and controls expertise to today’s Cloud ERP security challenges. Our resources know the business advantages of a well-managed Cloud ERP system, and they know how to implement the right security & control solutions in a given context to not just foster a company’s growth and efficiency, but help ensure that its assets and data are protected.

KPMG’s Oracle Cloud ERP Security & Controls Practice Highlights
• 20 years of Oracle ERP security and controls experience
• Global delivery team with 100+ Oracle security & controls resources
• Oracle Security & Controls implementations have included EBS, PeopleSoft, and integrations with Siebel, Hyperion, BRM, PIM, and OIM
• 100+ Oracle ERP security & controls engagements delivered by the team members
• Long standing relationships with the Oracle Advanced Controls product development and product support organizations

Thought Leadership
• Profit Magazine Securing the ERP Interview
• Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBS R12 Upgrades/Implementations
• Record to Report (R2R) White Paper

Page 17

Tools and Accelerators

Oracle ERP Leading Practices Control Catalogs
Control catalogs are KPMG’s proprietary risk and control knowledgebase, based on leading practices, that supports the design, implementation, and assessment of security and controls.

Leading Practices Segregation of Duties and Sensitive Access Rule Sets
A set of rules which incorporates leading business practices to identify security access privileges that introduce SOD and Critical Access conflicts in the key control areas. These rule sets are used to address conflicts that customized security roles and responsibilities could contain after a potential re-design of the SOD and critical access compliant roles to fit the client’s business environment.
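As an added example (not KPMG’s rule set and not Oracle’s seeded roles), the following shows the mechanics behind an SOD and sensitive-access rule set like the one described above and the Operational Segregation of Duties framework on Page 7: users are assigned job roles, job roles inherit duty roles, and each rule names two privileges that one person must not hold together (or one privilege that is sensitive on its own). All role, privilege and rule names are constructed; the point is the evaluation over the role hierarchy and the attribution of each conflict to the role that grants it, which is what a role re-design needs to know.

```python
"""Segregation-of-duties (SoD) and sensitive-access evaluation over a role
hierarchy.

Illustrative code, not KPMG's rule set or tooling. Roles, privileges and
rules are constructed and do not match any real Oracle Cloud ERP seeded role.
"""
from collections import defaultdict

# Privileges granted directly by each role (constructed data).
ROLE_GRANTS = {
    "AP_INVOICE_PROCESSING_DUTY": {"CREATE_AP_INVOICE", "APPROVE_AP_INVOICE"},
    "AP_PAYMENT_DUTY": {"CREATE_PAYMENT"},
    "SUPPLIER_MAINTENANCE_DUTY": {"CREATE_SUPPLIER", "UPDATE_SUPPLIER_BANK_ACCOUNT"},
    "GL_JOURNAL_DUTY": {"CREATE_JOURNAL", "POST_JOURNAL"},
    "AP_SPECIALIST": set(),
    "AP_MANAGER": set(),
    "GL_ACCOUNTANT": set(),
    "IT_SECURITY_MANAGER": {"MANAGE_USER_ACCOUNTS", "ASSIGN_ROLES"},
}
# Role hierarchy: a job role inherits everything its duty roles grant.
ROLE_INHERITS = {
    "AP_SPECIALIST": {"AP_INVOICE_PROCESSING_DUTY"},
    "AP_MANAGER": {"AP_SPECIALIST", "AP_PAYMENT_DUTY"},
    "GL_ACCOUNTANT": {"GL_JOURNAL_DUTY"},
}
USER_ROLES = {
    "alice": {"AP_SPECIALIST", "SUPPLIER_MAINTENANCE_DUTY"},
    "bob": {"AP_MANAGER"},
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"IT_SECURITY_MANAGER", "AP_SPECIALIST"},
}

# SoD rules: (id, description, privilege A, privilege B).
SOD_RULES = [
    ("SOD-01", "Create supplier and create AP invoice", "CREATE_SUPPLIER", "CREATE_AP_INVOICE"),
    ("SOD-02", "Create AP invoice and create payment", "CREATE_AP_INVOICE", "CREATE_PAYMENT"),
    ("SOD-03", "Create journal and post journal", "CREATE_JOURNAL", "POST_JOURNAL"),
    ("SOD-04", "Administer security and process AP", "ASSIGN_ROLES", "CREATE_AP_INVOICE"),
]
# Sensitive-access rules: a single privilege that warrants review by itself.
SENSITIVE_ACCESS = {
    "SA-01": ("UPDATE_SUPPLIER_BANK_ACCOUNT", "Supplier bank account change"),
    "SA-02": ("MANAGE_USER_ACCOUNTS", "User account administration"),
}


def role_closure(role):
    """All roles reachable from `role` through inheritance, `role` included."""
    closure, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in closure:  # also terminates on a cyclic hierarchy
            continue
        closure.add(current)
        stack.extend(ROLE_INHERITS.get(current, ()))
    return closure


def effective_privileges(user):
    """{privilege: {roles that grant it directly}} across the user's role closure.

    Recording the granting role (not the assigned job role) tells the role
    designer which duty role to change when a conflict is inherited.
    """
    privs = defaultdict(set)
    for assigned in USER_ROLES.get(user, ()):
        for role in role_closure(assigned):
            for priv in ROLE_GRANTS.get(role, ()):
                privs[priv].add(role)
    return privs


def evaluate_user(user):
    """SoD and sensitive-access findings for one user, in rule order."""
    privs = effective_privileges(user)
    findings = []
    for rule_id, desc, left, right in SOD_RULES:
        if left in privs and right in privs:
            findings.append({"rule": rule_id, "type": "SOD", "description": desc,
                             "via": {left: sorted(privs[left]), right: sorted(privs[right])}})
    for rule_id, (priv, desc) in SENSITIVE_ACCESS.items():
        if priv in privs:
            findings.append({"rule": rule_id, "type": "SENSITIVE", "description": desc,
                             "via": {priv: sorted(privs[priv])}})
    return findings


def evaluate_all():
    return {user: evaluate_user(user) for user in USER_ROLES}


def intra_role_conflicts():
    """(role, rule_id) pairs where a single role already violates an SoD rule.

    These cannot be fixed by provisioning: every user given the role inherits
    the conflict, so the role itself has to be redesigned.
    """
    conflicts = []
    for role in ROLE_GRANTS:
        privs = set().union(*(ROLE_GRANTS.get(r, set()) for r in role_closure(role)))
        for rule_id, _, left, right in SOD_RULES:
            if left in privs and right in privs:
                conflicts.append((role, rule_id))
    return conflicts


if __name__ == "__main__":
    for user, findings in evaluate_all().items():
        print(user, [f["rule"] for f in findings])
    print("roles needing redesign:", intra_role_conflicts())
```

The two checks answer different questions. evaluate_all is the user-level review that feeds access certification: bob's SOD-02 conflict is traced to AP_INVOICE_PROCESSING_DUTY and AP_PAYMENT_DUTY, both inherited through AP_MANAGER. intra_role_conflicts is the design-time check: AP_MANAGER and GL_ACCOUNTANT are conflicting as built, so no amount of provisioning discipline removes those findings until the roles are split.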

Facts-2-Value (F2V)
Facts-2-Value© is an advanced analytics assessment program for Oracle ERP environments. With Facts-2-Value, KPMG LLP routinely helps clients identify irregularities in operational and financial processes and provides insights for improving process efficiency and effectiveness. F2V serves as a key accelerator within an Oracle implementation project because it provides quick, automated assessments of the effectiveness of configured internal controls and SOD based on leading practice standards and business rules.

Oracle Advanced Controls Solutions Lab
Our collective experience working with thousands of Oracle Advanced Controls solutions over more than 15 years has provided the insight necessary to create an advanced controls solutions lab that helps our clients identify and implement actionable, automated processes to unleash the value of their Oracle Advanced Controls investments.

Page 18

Maturity Model

Page 19

Maturity Model

Securing the Cloud ERP Maturity Model (table reconstructed from the slide)

Level 1: Initial (Ad Hoc)
• Security Approach: Individual user request process
• Controls: Manual controls; No SOD controls

Level 2: Repeatable (Reactive)
• Security Approach: Defined user approval process
• Controls: ERP controls management

Level 3: Defined (Automated)
• Security Approach: RBAC; self service; permission based
• Controls: Automated preventative controls

Level 4: Managed (Automated)
• Security Approach: UMX - User Identity integration; HR position; Adaptive Authentication
• Controls: Detective controls; SOD controls matrix

Level 5: Optimized (Automated)
• Security Approach: Adaptive permissions; Adaptive authentication
• Controls: Control driven Business Process Optimization; Configurable controls; Configuration controls

Page 20

Workshop

Page 21

Securing the Cloud ERP Workshop

Goal
Review KPMG’s Securing the Cloud ERP areas of focus and understand how this program can be used to strategically align Oracle Cloud ERP Security & Controls related spend and operational priorities.

Agenda

9:00 to 11:00am: Review Securing the Cloud ERP Areas of Focus
- Controls Enabled Business Process Optimization and Performance Analytics
- Cloud ERP Controls (Automated, Detective, User, Configuration)
- Adaptive authentication
- Cloud ERP Application Security (Users, Permissions, Role Based Access Controls, SOD)
- Cloud ERP enhancement / patch management program for security & controls
- User Access Administration (User Operations, Business Processes & Analytics)
- Data Security

11:00 to 12 noon: Lunch and Real-Life Example / Use Case Discussion

1:00 to 3:00pm: Strategy & Planning Deep Dive
- Strategic Planning Considerations
- Prioritization & Budgeting
- Current State “White Board” Assessment
- Strategic Roadmap Deep Dive (24 Month)

Output
- Current State “White Board” Assessment
- Prioritized Strategic Roadmap

Page 22

Securing the Cloud ERP Workshop

Workshop stakeholders (roles shown on the slide):
• Director of Internal Audit
• Chief Information Officer
• Finance
• Chief Risk Officer
• Controls Leader
• Chief Information Security Officer
• ERP Project Leader
• Human Resources

Page 23

Laeeq Ahmed [email protected] (818) 227 6032

Brian Jensen [email protected] (817) 946 9552

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.