Reducing the Cost of Compliance in JD Edwards World & EnterpriseOne


Presentation Transcript


  1. Reducing the Cost of Compliance in JD Edwards World & EnterpriseOne

  2. Be in control. Use Q Software Security compliance solutions for JD Edwards www.qsoftware.com

  3. Today, we will show you… • How you can • enhance your security • reduce your cost of compliance

  4. Agenda • About Q Software • The Compliance Life-Cycle • Reducing the Cost of Compliance: World • Reducing Cost of Compliance: E1 • Customer Case Study • Summary

  5. About Q Software • Committed to JDE security • That is ALL we do & have done so for 10 years • Innovative • Patent pending • Continuing to invest in JDE Security • Comprehensive product development roadmap • SEC-Qure™ family released at OpenWorld 2005 • New versions announced at Collaborate 2006 • New versions released for OpenWorld 2006 • 180 customers • 80% in USA • Past 12 months: 45% from Canada + Europe • Based near London, UK

  6. Q Software Alliances With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA®) is a recognized worldwide leader in IT governance, control, security and assurance.

  7. Q Software Customers

  8. Agenda • About Q Software • The Compliance Life-Cycle • Reducing the Cost of Compliance: World • Reducing Cost of Compliance: E1 • Customer Case Study • Summary

  9. Business need for security: - Corporate Governance (SOX) • SOX section 404 requires organisations to state… • “the effectiveness of the internal control structure” • SOX section 202 mandates • “frequent testing and validation of internal controls is essential to quarterly confirmations of their effectiveness.” • New security & data privacy laws • According to auditors: • SOD controls are paramount • Effective controls make sound business sense • Regardless of the regulatory need

  10. Company requirements • Corporate Governance regulations result in four main tasks that companies have to fulfil in order to comply with the important and most frequently addressed requirements. • [Diagram: the Corporate Governance components Risk Management, Internal Control, Audit Committee and Reporting Requirements, shown for "today" and "tomorrow"] • Today: Fragments of CG components exist in the company. • Tomorrow: Integration of CG components avoids redundancy and allows efficient compliance with laws and regulations.

  11. The Compliance Life Cycle • Auditing • Analysis • Compliance Reporting • Security Management • Segregation Of Duties • 10 years

  12. Agenda • About Q Software • The Compliance Life-Cycle • Reducing the Cost of Compliance: World • Reducing Cost of Compliance: E1 • Customer Case Study • Summary

  13. Access Analysis • The Requirement • Who can access what? And how? • What else can they access once there? • Which critical programs can be accessed by whom? And how? • The Problem • Almost impossible manually • Menu security set-up is complex • Over 150,000 menu connections • Back-door access • Reporting is VERY time-consuming • “After the event” analysis – too late! • If fraud discovered, damage is done!

  14. Roles-based Security • Recommended by Oracle • Recommended by auditors • The Problems • World only allows single roles • Limits flexibility • No simple tools to manage roles

  15. SoD Controls • The Requirement • Define, Manage & Report SoD Rules • Report on Conflicts • Address or Apply Compensating Procedures • The Problems • Volume / Complexity of Controls • Analysis of “True” Access for Conflicts • Enforcing / Maintaining Security Policy • Compensating controls may be expensive • Manpower • Money

  16. Compliance Reporting • The Requirement • Regular / Continual Testing • Who has access to what? • Which critical programs can be accessed by whom? • What else can they access once there? • Reporting for auditors • If tests not recorded, they “did not happen” • The Problem • Analysis impossibly complex • Reporting VERY time-consuming • On-going commitment

  17. Auditing • The Requirement • Reports – from regular testing • Who has access to what? • Which critical programs can be accessed by whom? • What else can they get at once in a program? • SOD conflicts / breaches - Fraud MUST be investigated • Data extractions for off-line analysis • The Problem • Very time-consuming • Difficult to prove compliance • The bar will be raised year-on-year

  18. Exposures – What programs can a user access? Menu security allows user Shane73 access to 5 programs only. But function keys & lower level allow access to all these

  19. Exposure: Who can access critical programs?

  20. Demo: How can a user access a program?

  21. Exposures: How can a user access a program? There are over 1,000 routes into the Voucher Entry program P04105.

  22. Integrated World Security Compliance Set up JDE Group Profiles Allocate Security For each Group Audit • Prove compliance Reporting • Security settings • Access analysis Apply SoD rules / functions inside World JDE World SEC-Qure™ WorldSOD Maintain Security • Staff / Role changes • Organisation changes Identify all Access Routes SEC-Qure™ WorldAnalyser SEC-Qure™ WorldConfig (Re)-Assign Users to Roles Check SoD Conflicts Create Roles from Group Profiles Modify JDE Security In-depth Access Analysis

  23. recommends “Q Software is a long-term JD Edwards World business partner and they have been providing security solutions for our customers for over 10 years. They thoroughly understand World security and continue to offer comprehensive security solutions which methodically complement ours.” • John Schiff VP & GM, JD Edwards World “We recommend Q Software to our customers.” • Denise Grills Director Strategy & Marketing, JD Edwards World

  24. SEC-Qure™ World: Reducing Compliance Costs • Reduces analysis & reporting effort • Reduces security maintenance effort • Reduces risk • Only truly secure approach • And maps security to the business processes • Compliance easy to prove Powerful Analysis Comprehensive Reporting “Find and Fix” Compliance easy to prove Comprehensive Reporting Historical (Roles) Audit Trail Unique Multiple Roles Roles map to Business Process Dynamic Security Assignment Simple & Effective Integrated into World Combines with Roles for SOD Enforcement

  25. Q Software World Customers “If asked to provide information on who can update data in a program, I can provide this the same day by updating access information and viewing the information in two-five strokes, instead of several days research and running queries, which would have taken me literally thousands of keystrokes. I see the greatest savings is time which then equals money” “I needed to identify and apply Action Code Security to critical programs – Q Software is the only way.” “I wholeheartedly recommend Q Software security to other World installations. I would certainly buy again – only this time I’d buy it and use it from Day One!” Coachmen Industries “the man hours and dollars saved justified the investment” “I don’t know how people cope without Q Software”

  26. Agenda • About Q Software • The Compliance Life-Cycle • Reducing the Cost of Compliance: World • Reducing Cost of Compliance: E1 • Customer Case Study • Summary

  27. E1 has different issues to World • Compliance requirements remain the same • Architectures / functionality are different • Challenges & issues are different • Allows a different approach

  28. E1 Security Fundamentals • All Doors Closed • “Only way to ensure a fully auditable system” • Granting back access fraught with risk • Using standard E1 • Need to build a maintainable model • Sustainable compliance

  29. EnterpriseOne: Frequent Security Headaches • Associated & Hidden Progs • Multiple Roles • Maintenance • Solution Explorer • Repetition • Row Security • SOD • Auditability • Volume • 29,000 objects

  30. Associated & Hidden Programs The Problems • Average of 10 exits per program • New Hidden Programs introduced • Via Service Packs • Upgrading to new versions

  31. Example of Hidden Programs Hidden Programs

  32. Multiple Roles: The Problem • Problem with interaction between roles • Sequence Manager defines “level of security” • Audit problems – which role caused what access? • Creates SOD nightmare • Change a role – introduce unknown access model • Concatenation of security can cause lock-out “our security admin manager changed a role and locked himself out!” - A customer who wishes to remain anonymous!

  33. Added Roles are assigned Sequence Number • P01012 Action Code Security: OK/Select = Y, All other Actions = N • P01012 Action Code Security: Delete = N, All other Actions = Y • Sequence Number assigned when role added • Greatest number takes precedence in conflict situation

  34. Resulting Level of Access is as intended • Delete = N, All other Actions = Y

  35. Role Sequence Change • P01012 Action Code Security: Delete = N, All other Actions = Y • P01012 Action Code Security: OK/Select = Y, All other Actions = N • Change required for other hierarchical reasons • Could result in additional unexpected security model changes

  36. Undesirable Consequence • Add / Copy no longer available

  37. Simplifying Multiple Roles in SEC-Qure™ E1Config • [Diagram labels: A/P Voucher Clerk, Secondary Role 2, Secondary Role 3; A/P Voucher Clerk, Component 2, Component 3; A/P “Super” Voucher Clerk Role]

  38. If you really do need multiple roles… • Don’t worry • SEC-Qure™ E1Config alerts you to problems

  39. The Volume & Maintenance Problem • 29,000 objects • Several hundred thousand lines of security • Potentially millions • Errors • Oversights

  40. The Solution Explorer Problem • Solution Explorer is now mandatory • No link between Solution Explorer Tasks and Security • Much effort is duplicated

  41. Demo: Security from Solution Explorer Tasks

  42. SEC-Qure™ E1Config Reducing Compliance Costs - ADC • Reduces security set-up by 80% • Reduces security maintenance by 50% • Reduces Analysis & Reporting Effort from days to minutes Simple Reports Associated & Hidden programs Compliance easy to prove Comprehensive Reporting Re-usable Components Links Solution Explorer to security Multiple Roles Management Simple & Effective Checked whenever security changed Easy enforcement of SOD policy

  43. What you tell us “In my previous company it took about 15-18 man months of effort to set up the JDE security manually. Here, using Q Software, it took around 2 man months.” “Using Q Software, the security tasks for the first implementation phase took four weeks – around 85% reduction on the original estimate of six months without Q Software.” “It was estimated that the software would achieve as much as a 50% reduction in the workload of maintaining security.” “Q Software enabled us to undertake the security aspects of EnterpriseOne in-house and saved us the expense of employing an external consultant” “Previously it took at least four hours to set up new groups, but with Q Software that time has been reduced to about 15 minutes.”

  44. Agenda • About Q Software • The Compliance Life-Cycle • Reducing the Cost of Compliance: World • Reducing Cost of Compliance: E1 • Customer Case Study • Summary

  45. Customer Case Study • Situation • Engineering & Construction Industry • Private & Public Sector clients • Believes in good corporate governance • For long-term benefit of the company • But SOX was the ultimate driver • 2,000+ heavy users • 8,000 occasional users • The Problems • Managing the 8,000 occasional users • Many security short-comings • Effort / Cost required to manage security

  46. Customer Case Study • The Impact of the Problems • “Unhealthy” audit • Potential impact on business, especially government • High audit costs • Many deficiencies to be investigated • Security management costs were very high • Exposed to fraud potential

  47. Customer Case Study • The Need • Make security more manageable • Make compliance more sustainable • Reduce the cost & effort involved • Implement tighter SOD controls • Become compliant / pass the next audit

  48. Customer Case Study: The Solution • SEC-Qure™ WorldAnalyser • Analysed short-comings / exposures • Back-door access etc • Identified magnitude of the problem • SEC-Qure™ WorldConfig • Enabled multiple roles-based security model • Cut 8,000 occasional users down to 150 roles • User’s security changes dynamically • when new role selected • SEC-Qure™ WorldSOD • SOD rules integrated into World • 5 different Severity Levels attached to different rules • Security Officer warned of potential violations when assigning roles or changing role security • Report on any breach in the security set-up • 900 rules • Agreed with auditor 4½ MONTHS

  49. Customer Case Study • The Benefits • Significant reduction in security management effort • Set up a new user in 10 minutes • Add security for new country – 20 minutes! • Reduction in audit costs • Both internal & external auditors “love it” • Easy to test, prove & report on compliance • Easy to identify potential SOD violations • Easy to report on roles • Set-up • Security • Assignments • Audit trail of assignments / adoption • Passed the 2006 audit • “as different as night and day”

  50. “We could not have achieved this without Q Software’s SEC-Qure integrated security compliance solutions.”
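
The role-sequence behaviour described on slides 33 to 36, as an added example that is not part of the original presentation and is not Q Software or Oracle code: a simplified model in which the role with the greatest sequence number decides the Action Code Security for a program, with a before/after comparison that shows what a re-sequencing changes. The role names and sequence numbers are constructed for illustration.

```python
# Simplified model of the rule stated on the slides: when several roles carry
# Action Code Security for the same program, the role with the greatest
# sequence number decides. Role names and sequence numbers are constructed.

ACTIONS = ("OK/Select", "Add", "Copy", "Delete")  # actions named on the slides

# Per-role settings for program P01012, as given on slides 33 and 35.
RULES = {
    "INQUIRY": {"P01012": {"OK/Select": "Y", "Add": "N", "Copy": "N", "Delete": "N"}},
    "CLERK":   {"P01012": {"OK/Select": "Y", "Add": "Y", "Copy": "Y", "Delete": "N"}},
}


def effective_access(rules, sequence, program):
    """Return (winning_role, settings), or (None, {}) if no assigned role has a rule."""
    candidates = [role for role in sequence if program in rules.get(role, {})]
    if not candidates:
        return None, {}
    winner = max(candidates, key=lambda role: sequence[role])
    return winner, dict(rules[winner][program])


def access_diff(rules, old_seq, new_seq, program):
    """Map each action whose effective setting changes to its (before, after) pair."""
    _, before = effective_access(rules, old_seq, program)
    _, after = effective_access(rules, new_seq, program)
    return {a: (before.get(a), after.get(a))
            for a in ACTIONS if before.get(a) != after.get(a)}


# Slides 33-34: CLERK was added last, so it holds the greatest sequence number.
ORIGINAL = {"INQUIRY": 10, "CLERK": 20}
# Slide 35: the sequence is changed for unrelated hierarchical reasons.
RESEQUENCED = {"INQUIRY": 20, "CLERK": 10}

if __name__ == "__main__":
    print(effective_access(RULES, ORIGINAL, "P01012"))
    print(effective_access(RULES, RESEQUENCED, "P01012"))
    # Review this difference before committing a role-sequence change.
    print(access_diff(RULES, ORIGINAL, RESEQUENCED, "P01012"))
```

Running the comparison for every secured program before a sequence change is applied gives the security administrator and the auditor a record of which role produced which access.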
