Audit Reporting of Security Controls in PeopleSoft Financials

1. Audit Reporting of Security Controls in PeopleSoft Financials Central Ohio Chapter Information Systems Audit and Control Association April 14, 2005

2. Your Presenters Brian O’Brien Manager - Data Security 9 years of PeopleSoft experience with Ohio State’s 1,300 user HRMS and 2,400 user Financials environments Pat O’Connor Senior Systems Engineer Ohio State’s leading technical security expert, has 7 years of PeopleSoft experience, ranging from configuration management and control to security administration

3. Overview • PeopleSoft Controls • User Accounts • System Settings • System Architecture • Security Audit Review

4. Database Environment • Oracle9i Release 9.2.0.2.0 - 64bit • HP Hardware – HP-UX 11.0 N Class • Over 50 PeopleSoft Databases

5. Ohio State and PeopleSoft 5 5

6. PeopleSoft Controls • Users • Roles • Permission Lists • Pages • Signon Times • Preferences 6 6

7. System Controls • Password Controls • Inactivity Timeouts 7 7

8. System Architecture User (browser)  Web Server  App Server  Data Base Server 8 8

9. Audit Discussion Points • Administrative Access • Password Controls • Audit Trails • Terminated Users • Default PeopleSoft Accounts • Correction Mode Access 9 9

10. Administrative Access Discussion Point: Access to high level administrative pages is restricted to appropriate personnel. Privileged access includes: • Application Designer • Maintain Security • Tree Manager

11. Password Controls Discussion Point: PeopleSoft password controls are turned on and configured for the following: • Password expiration • Minimum length • Required special characters

12. Password Controls

13. Password Caveat Problem: PeopleSoft’s password encryption algorithm is not strong. Solution: PSOPRDEFN_VW External Authentication

14. Audit Trails Discussion Point: PeopleSoft Audit Trails are in place for sensitive Activities. Solution: PeopleSoft Audit • Record level • Field level Oracle Audit

15. Audit Trails

16. Audit Trails

17. Terminated Users Discussion Point: The security administrator is notified of employees that have changed roles and responsibilities, transferred or been terminated.

18. Default PeopleSoft Accounts Discussion Point: The default PeopleSoft user profiles and permission lists have been removed or deactivated.

19. Correction Mode Access Discussion Point: Use of correction authorized action in PeopleSoft is restricted.

20. Correction Mode Cleanup Removed Totals

21. QUESTIONS?

22. Contacts Brian O’Brien Manager, Data Security Office of Information Technology The Ohio State University E-mail: obrien.9@osu.edu Patrick O’Connor Sr. Systems Engineer Office of Information Technology The Ohio State University E-mail: oconnor.33@osu.edu