Audit Reporting of Security Controls in PeopleSoft Financials. Central Ohio Chapter Information Systems Audit and Control Association April 14, 2005. Your Presenters. Brian O’Brien Manager - Data Security
Audit Reporting of Security Controls in PeopleSoft Financials Central Ohio Chapter Information Systems Audit and Control Association April 14, 2005
Your Presenters Brian O’Brien Manager - Data Security 9 years of PeopleSoft experience with Ohio State’s 1,300 user HRMS and 2,400 user Financials environments Pat O’Connor Senior Systems Engineer Ohio State’s leading technical security expert, has 7 years of PeopleSoft experience, ranging from configuration management and control to security administration
Overview • PeopleSoft Controls • User Accounts • System Settings • System Architecture • Security Audit Review
Database Environment • Oracle9i Release 9.2.0.2.0 - 64bit • HP Hardware – HP-UX 11.0 N Class • Over 50 PeopleSoft Databases
PeopleSoft Controls • Users • Roles • Permission Lists • Pages • Signon Times • Preferences
System Controls • Password Controls • Inactivity Timeouts
System Architecture User (browser) → Web Server → App Server → Database Server
Audit Discussion Points • Administrative Access • Password Controls • Audit Trails • Terminated Users • Default PeopleSoft Accounts • Correction Mode Access
Administrative Access Discussion Point: Access to high level administrative pages is restricted to appropriate personnel. Privileged access includes: • Application Designer • Maintain Security • Tree Manager
Password Controls Discussion Point: PeopleSoft password controls are turned on and configured for the following: • Password expiration • Minimum length • Required special characters
Password Caveat Problem: PeopleSoft’s password encryption algorithm is not strong. Solution: PSOPRDEFN_VW External Authentication
Audit Trails Discussion Point: PeopleSoft Audit Trails are in place for sensitive activities. Solution: PeopleSoft Audit • Record level • Field level Oracle Audit
Terminated Users Discussion Point: The security administrator is notified of employees that have changed roles and responsibilities, transferred or been terminated.
Default PeopleSoft Accounts Discussion Point: The default PeopleSoft user profiles and permission lists have been removed or deactivated.
Correction Mode Access Discussion Point: Use of the Correction authorized action in PeopleSoft is restricted.
Correction Mode Cleanup Removed Totals
Contacts Brian O’Brien Manager, Data Security Office of Information Technology The Ohio State University E-mail: obrien.9@osu.edu Patrick O’Connor Sr. Systems Engineer Office of Information Technology The Ohio State University E-mail: oconnor.33@osu.edu