Reducing the Cost of Compliance in JD Edwards World & EnterpriseOne
Be in control. Use Q Software. Security compliance solutions for JD Edwards. www.qsoftware.com
Today, we will show you how you can:
• enhance your security
• reduce your cost of compliance
Agenda
• About Q Software
• The Compliance Life-Cycle
• Reducing the Cost of Compliance: World
• Reducing Cost of Compliance: E1
• Customer Case Study
• Summary
About Q Software
• Committed to JDE security
  • That is ALL we do, and we have done so for 10 years
• Innovative
  • Patent pending
• Continuing to invest in JDE Security
  • Comprehensive product development roadmap
  • SEC-Qure™ family released at OpenWorld 2005
  • New versions announced at Collaborate 2006
  • New versions released for OpenWorld 2006
• 180 customers
  • 80% in USA
  • Past 12 months: 45% from Canada + Europe
• Based near London, UK
Q Software Alliances
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA®) is a recognized worldwide leader in IT governance, control, security and assurance.
Business need for security: Corporate Governance (SOX)
• SOX section 404 requires organisations to state “the effectiveness of the internal control structure”
• SOX section 202 mandates that “frequent testing and validation of internal controls is essential to quarterly confirmations of their effectiveness.”
• New security & data privacy laws
• According to auditors, SOD controls are paramount
• Effective controls make sound business sense, regardless of the regulatory need
Company requirements
• Corporate Governance regulations result in four main tasks that companies have to fulfil in order to comply with the important and most frequently addressed requirements: Corporate Governance, Risk Management, Internal Control, and Audit Committee Reporting Requirements.
• Today: fragments of CG components exist in the company.
• Tomorrow: integration of CG components avoids redundancy and allows efficient compliance with laws and regulations.
The Compliance Life Cycle (figure, labelled “10 years”): Analysis, Security Management, Segregation Of Duties, Compliance Reporting, Auditing.
Access Analysis
The Requirement
• Who can access what? And how?
• What else can they access once there?
• Which critical programs can be accessed by whom? And how?
The Problem
• Almost impossible manually
• Menu security set-up is complex: over 150,000 menu connections
• Back-door access
• Reporting is VERY time-consuming
• “After the event” analysis is too late: if fraud is discovered, the damage is done!
Roles-based Security
• Recommended by Oracle
• Recommended by auditors
The Problems
• World only allows single roles, which limits flexibility
• No simple tools to manage roles
SoD Controls
The Requirement
• Define, manage & report SoD rules
• Report on conflicts
• Address conflicts, or apply compensating procedures
The Problems
• Volume / complexity of controls
• Analysis of “true” access for conflicts
• Enforcing / maintaining security policy
• Compensating controls may be expensive (manpower, money)
Compliance Reporting
The Requirement
• Regular / continual testing
  • Who has access to what?
  • Which critical programs can be accessed by whom?
  • What else can they access once there?
• Reporting for auditors: if tests are not recorded, they “did not happen”
The Problem
• Analysis impossibly complex
• Reporting VERY time-consuming
• On-going commitment
Auditing
The Requirement
• Reports from regular testing
  • Who has access to what?
  • Which critical programs can be accessed by whom?
  • What else can they get at once in a program?
• SOD conflicts / breaches (fraud) MUST be investigated
• Data extractions for off-line analysis
The Problem
• Very time-consuming
• Difficult to prove compliance
• The bar will be raised year-on-year
Exposures: What programs can a user access? Menu security allows user Shane73 access to 5 programs only, but function keys & lower-level access allow access to all of these (figure).
Exposures: How can a user access a program? There are over 1,000 routes into the Voucher Entry program P04105.
Integrated World Security Compliance (figure)
JDE World
• Set up JDE Group Profiles
• Allocate security for each Group
• Modify JDE Security
SEC-Qure™ WorldAnalyser
• Identify all access routes
• In-depth access analysis
SEC-Qure™ WorldConfig
• Create Roles from Group Profiles
• (Re-)assign Users to Roles
• Maintain security: staff / role changes, organisation changes
SEC-Qure™ WorldSOD
• Apply SoD rules / functions inside World
• Check SoD conflicts
Audit
• Prove compliance
• Reporting: security settings, access analysis
JD Edwards World recommends Q Software
"Q Software is a long-term JD Edwards World business partner and they have been providing security solutions for our customers for over 10 years. They thoroughly understand World security and continue to offer comprehensive security solutions which methodically complement ours."
• John Schiff, VP & GM, JD Edwards World
“We recommend Q Software to our customers."
• Denise Grills, Director Strategy & Marketing, JD Edwards World
SEC-Qure™ World: Reducing Compliance Costs
• Reduces analysis & reporting effort
• Reduces security maintenance effort
• Reduces risk
  • Only truly secure approach
  • And maps security to the business processes
• Compliance easy to prove
Product features (figure): Powerful Analysis; Comprehensive Reporting; “Find and Fix”; Compliance easy to prove; Historical (Roles) Audit Trail; Unique Multiple Roles; Roles map to Business Process; Dynamic Security Assignment; Simple & Effective; Integrated into World; Combines with Roles for SOD Enforcement.
Q Software World Customers
“If asked to provide information on who can update data in a program, I can provide this the same day by updating access information and viewing the information in two-five strokes, instead of several days research and running queries, which would have taken me literally thousands of keystrokes. I see the greatest savings is time which then equals money”
“I needed to identify and apply Action Code Security to critical programs – Q Software is the only way.”
“I wholeheartedly recommend Q Software security to other World installations. I would certainly buy again – only this time I’d buy it and use it from Day One!” Coachmen Industries
“the man hours and dollars saved justified the investment”
“I don’t know how people cope without Q Software”
E1 has different issues to World
• Compliance requirements remain the same
• Architectures / functionality are different
• Challenges & issues are different
• Allows a different approach
E1 Security Fundamentals
• All Doors Closed
  • “Only way to ensure a fully auditable system”
• Granting back access fraught with risk
  • Using standard E1
• Need to build a maintainable model
  • Sustainable compliance
EnterpriseOne: Frequent Security Headaches (figure): Associated & Hidden Programs; Multiple Roles; Maintenance; Solution Explorer; Repetition; Row Security; SOD; Auditability; Volume (29,000 objects)
Associated & Hidden Programs
The Problems
• Average of 10 exits per program
• New Hidden Programs introduced
  • Via Service Packs
  • Upgrading to new versions
Example of Hidden Programs (figure)
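The exposures above (“what else can they access once there?”, the 1,000+ routes into P04105, and the hidden programs reached through exits) come down to graph reachability. As an added example, not Q Software's code, the block below models exits as a graph, computes the programs a user can reach beyond the menu grants, and counts distinct routes into a target; the exit graph and all program names other than P04105 are constructed placeholders.

```python
# Added example (not Q Software's code): why menu security alone understates
# access. Program-to-program exits (function keys, lower-level and hidden
# programs) form a graph; a user can reach everything transitively reachable
# from the programs their menu grants, and a critical program may have many
# distinct routes into it.
from collections import deque

# Constructed exit graph: program -> programs reachable through one exit.
# Only P04105 (Voucher Entry) is a real object name from the deck; the rest
# are placeholders.
EXITS = {
    "PMENU1": ["PA", "PB"],
    "PA": ["PC", "P04105"],
    "PB": ["PC", "PD"],
    "PC": ["P04105"],
    "PD": ["PE"],
    "PE": ["P04105", "PA"],
    "P04105": ["PF"],
}


def reachable(menu_programs, exits=EXITS):
    """Transitive closure: every program reachable from the menu grants."""
    seen = set(menu_programs)
    queue = deque(menu_programs)
    while queue:
        for nxt in exits.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hidden_programs(menu_programs, exits=EXITS):
    """Programs the user can reach that no menu entry grants."""
    return reachable(menu_programs, exits) - set(menu_programs)


def count_routes(start, target, exits=EXITS):
    """Number of distinct simple paths (no program revisited) into target."""
    def dfs(node, path):
        if node == target:
            return 1
        return sum(dfs(n, path | {n}) for n in exits.get(node, ()) if n not in path)
    return dfs(start, {start})


if __name__ == "__main__":
    print(sorted(hidden_programs(["PMENU1"])))   # 7 programs beyond the menu
    print(count_routes("PMENU1", "P04105"))      # 6 routes into Voucher Entry
```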
Multiple Roles: The Problem
• Problem with interaction between roles
• Sequence Manager defines “level of security”
• Audit problems: which role caused what access?
• Creates SOD nightmare
• Change a role and you introduce an unknown access model
• Concatenation of security can cause lock-out
“Our security admin manager changed a role and locked himself out!” - A customer who wishes to remain anonymous!
Added Roles are assigned a Sequence Number
• First role added (lower sequence): P01012 Action Code Security: OK/Select = Y, All other Actions = N
• Second role added (higher sequence): P01012 Action Code Security: Delete = N, All other Actions = Y
• Sequence Number assigned when role added
• Greatest number takes precedence in conflict situation
Resulting Level of Access is as intended: Delete = N, All other Actions = Y
Role Sequence Change
• Higher sequence now: P01012 Action Code Security: Delete = N, All other Actions = Y
• Lower sequence now: P01012 Action Code Security: OK/Select = Y, All other Actions = N
• Change required for other hierarchical reasons
• Could result in additional unexpected security model changes
Undesirable Consequence: Add / Copy no longer available
Simplifying Multiple Roles in SEC-Qure™ E1Config (figure): A/P Voucher Clerk + Secondary Role 2 (Component 2) + Secondary Role 3 (Component 3) combine into one A/P “Super” Voucher Clerk Role
If you really do need multiple roles… don’t worry: SEC-Qure™ E1Config alerts you to problems
The Volume & Maintenance Problem
• 29,000 objects
• Several hundred thousand lines of security
  • Potentially millions
• Errors
• Oversights
The Solution Explorer Problem
• Solution Explorer is now mandatory
• No link between Solution Explorer Tasks and Security
• Much effort is duplicated
SEC-Qure™ E1Config: Reducing Compliance Costs (ADC)
• Reduces security set-up by 80%
• Reduces security maintenance by 50%
• Reduces Analysis & Reporting Effort from days to minutes
Product features (figure): Simple Reports; Associated & Hidden programs; Compliance easy to prove; Comprehensive Reporting; Re-usable Components; Links Solution Explorer to security; Multiple Roles Management; Simple & Effective; Checked whenever security changed; Easy enforcement of SOD policy.
What you tell us
“In my previous company it took about 15-18 man months of effort to set up the JDE security manually. Here, using Q Software, it took around 2 man months.”
“Using Q Software, the security tasks for the first implementation phase took four weeks – around 85% reduction on the original estimate of six months without Q Software.”
“It was estimated that the software would achieve as much as a 50% reduction in the workload of maintaining security.”
“Q Software enabled us to undertake the security aspects of EnterpriseOne in-house and saved us the expense of employing an external consultant”
“Previously it took at least four hours to set up new groups, but with Q Software that time has been reduced to about 15 minutes.”
Customer Case Study
Situation
• Engineering & Construction Industry
• Private & Public Sector clients
• Believes in good corporate governance
  • For long-term benefit of the company
  • But SOX was the ultimate driver
• 2,000+ heavy users
• 8,000 occasional users
The Problems
• Managing the 8,000 occasional users
• Many security short-comings
• Effort / Cost required to manage security
Customer Case Study
The Impact of the Problems
• “Unhealthy” audit
  • Potential impact on business, especially government
• High audit costs
  • Many deficiencies to be investigated
• Security management costs were very high
• Exposed to fraud potential
Customer Case Study
The Need
• Make security more manageable
• Make compliance more sustainable
• Reduce the cost & effort involved
• Implement tighter SOD controls
• Become compliant / pass the next audit
Customer Case Study: The Solution
• SEC-Qure™ WorldAnalyser
  • Analysed short-comings / exposures (back-door access etc.)
  • Identified magnitude of the problem
• SEC-Qure™ WorldConfig
  • Enabled multiple roles-based security model
  • Cut 8,000 occasional users down to 150 roles
  • User’s security changes dynamically when a new role is selected
• SEC-Qure™ WorldSOD
  • SOD rules integrated into World
  • 5 different Severity Levels attached to different rules
  • Security Officer warned of potential violations when assigning roles or changing role security
  • Report on any breach in the security set-up
  • 900 rules, agreed with auditor
4½ MONTHS
Customer Case Study
The Benefits
• Significant reduction in security management effort
  • Set up a new user in 10 minutes
  • Add security for new country in 20 minutes!
• Reduction in audit costs
  • Both internal & external auditors “love it”
• Easy to test, prove & report on compliance
  • Easy to identify potential SOD violations
  • Easy to report on roles: set-up, security, assignments
  • Audit trail of assignments / adoption
• Passed the 2006 audit
  • “as different as night and day”
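The WorldSOD mechanism in the case study (severity-ranked rules, the Security Officer warned at role-assignment time) and the SoD Controls requirement earlier in the deck share one core check. As an added example, not Q Software's code, the block below evaluates a proposed role assignment against a rule set and returns the conflicts it would create, most severe first; the functions, roles, rules and severity labels are constructed, since the deck cites 900 rules and 5 levels but lists none.

```python
# Added example (not Q Software's code) of the SoD control described above and
# under "SoD Controls": each rule names two conflicting functions and a
# severity level, and a role assignment is checked against the functions the
# user already reaches, so the security officer is warned before the
# assignment creates a conflict. Functions, roles and rules are constructed;
# the deck cites 900 rules and 5 severity levels but lists none of them.
SEVERITY = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1}

# (function A, function B, severity): one user must not hold both A and B.
SOD_RULES = [
    ("enter_voucher", "approve_voucher", "CRITICAL"),
    ("enter_voucher", "run_payments", "CRITICAL"),
    ("maintain_supplier", "enter_voucher", "HIGH"),
    ("maintain_supplier", "run_payments", "MEDIUM"),
]

# Which business functions each role reaches (the output of access analysis).
ROLE_FUNCTIONS = {
    "AP_VOUCHER_CLERK": {"enter_voucher"},
    "AP_SUPERVISOR": {"approve_voucher", "run_payments"},
    "SUPPLIER_MAINT": {"maintain_supplier"},
    "AP_ENQUIRY": {"enquire_voucher"},
}


def functions_of(role_names, role_functions=ROLE_FUNCTIONS):
    """Union of the functions reached through a set of roles."""
    return set().union(*(role_functions[r] for r in role_names))


def check_assignment(current_roles, new_role, rules=SOD_RULES,
                     role_functions=ROLE_FUNCTIONS):
    """Violations that assigning new_role would create, most severe first.
    Each hit is (severity, function A, function B); pre-existing conflicts
    among current_roles are not repeated here."""
    have = functions_of(current_roles, role_functions)
    gained = role_functions[new_role] - have
    hits = []
    for a, b, sev in rules:
        straddles = (a in have and b in gained) or (b in have and a in gained)
        if straddles or (a in gained and b in gained):
            hits.append((sev, a, b))
    return sorted(hits, key=lambda h: -SEVERITY[h[0]])


def worst(violations):
    """Highest severity label in a violation list, or None when clean."""
    return violations[0][0] if violations else None
```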
“We could not have achieved this without Q Software’s SEC-Qure integrated security compliance solutions.”