Information Technology Risk Management
Case Study 3
RISK MITIGATION STRATEGIES
This document is intended to provide your organization with a set of strategies to mitigate the current risks that exist regarding Oracle EBS database governance. All strategies and rules have been tested and proven to efficiently reduce current and prevent future SOD violations in relation to user access through the enforcement efforts of Application Access Controls Governor (AACG); to effectively track current, past and future system transactions processed in core Oracle Financials modules; and, with Transaction Controls Governor in place, to prevent future occurrences of, and notify management of current, duplicate suppliers, split payments and invoices, duplicate payments and invoices, and any other transaction that may violate rules set by configured controls. These applications are combined in one GRC web-based application (AACG), and all preferred controls have been configured and provided along with the deliverables.
To effectively utilize the AACG application, some key concepts must be understood. First and foremost, Access Points will be explained. In AACG, an Access Point is an object in a business management module that enables a user who has been granted access to it to complete his/her daily duties. Groups of access points may compose a single entitlement. In Oracle EBS, access points include responsibilities, menus, submenus and functions. The next key concept is Access Entitlements. Access Entitlements are used to compile related access points, which produces a series of ways to gain access to functions in EBS.
Access Models in AACG specify access points in business applications that conflict with one another; such conflicts are also known as segregation of duties (SOD) violations. In most cases Access Models will require remediation before they are converted into permanent controls (Access Controls in AACG). An access model may be configured as Access Point vs. Access Point, Access Entitlement vs. Access Entitlement, or Access Point vs. Access Entitlement. Access Controls are similar to Access Models in that they run analysis and return violations the same way. The difference is that Access Control results are permanent and Access Model results are temporary. When run, the results returned are considered incidents. Incidents are conflicts generated during control analysis. Before running any analysis, data synchronization must occur. Data Synchronization updates the data to be used by any particular model. It helps the access model to recognize the changes that may have occurred within the datasource since the last model evaluation. The datasource is the business management/database management application where the data for that particular application is stored (Oracle EBS).
Lastly, in AACG, enforcement deals with the controls that you want to assign to your access control definition. This ensures that any violation will be acted upon based on the enforcement type. AACG has 3 types of enforcement, which are named:
• Approval required: This enforcement requires that any responsibility request that violates an access control is suspended and that notifications are sent to control participants. End dates are removed from approved responsibilities but kept for those that are rejected in EBS.
• Prevent: Requires that any assignment that violates a prevent control is rejected. In Oracle, the newly assigned role is end-dated. No incidents (conflicts) are generated.
• Monitor: The Monitor enforcement type allows assignment of both responsibilities and roles in EBS, but the status in AACG is set to assigned until the participants review and approve the access.
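To make the access model, incident and enforcement concepts above concrete, the following is an added example written for this case study; it is not Oracle's code and the class names, field names and sample users are assumptions constructed here. It builds a small in-memory data source (user to granted access points), synchronizes it, evaluates one entitlement-vs-entitlement model (point-vs-point and point-vs-entitlement use the same evaluation), and then shows how each of the three enforcement types decides the outcome of a new assignment request.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product

# Constructed illustration for this case study: a toy model of AACG-style
# access points, entitlements, access models and enforcement. The class and
# function names are assumptions made here, not Oracle GRC identifiers.


class Enforcement(Enum):
    APPROVAL_REQUIRED = "approval_required"
    PREVENT = "prevent"
    MONITOR = "monitor"


@dataclass(frozen=True)
class AccessPoint:
    """An EBS access point: a responsibility, menu, submenu or function."""
    name: str
    kind: str


@dataclass(frozen=True)
class Entitlement:
    """A named group of related access points."""
    name: str
    points: frozenset


def points_of(operand):
    """Normalise a model operand: a single point behaves like a one-member entitlement."""
    return frozenset({operand}) if isinstance(operand, AccessPoint) else operand.points


@dataclass(frozen=True)
class AccessModel:
    """Two operands (point or entitlement) that one user must not hold together."""
    name: str
    left: object
    right: object
    enforcement: Enforcement = Enforcement.MONITOR
    participants: tuple = ()


@dataclass(frozen=True)
class Incident:
    user: str
    model: str
    left_point: str
    right_point: str


def synchronize(datasource):
    """Data synchronization: snapshot user -> granted access points from the data source."""
    return {user: frozenset(points) for user, points in datasource.items()}


def evaluate(model, snapshot):
    """Run the model against a snapshot; one incident per conflicting pair a user holds."""
    incidents = []
    for user, granted in sorted(snapshot.items()):
        left_hits = sorted(points_of(model.left) & granted, key=lambda p: p.name)
        right_hits = sorted(points_of(model.right) & granted, key=lambda p: p.name)
        for left, right in product(left_hits, right_hits):
            if left != right:
                incidents.append(Incident(user, model.name, left.name, right.name))
    return incidents


def enforce(model, snapshot, user, new_point, enforcement=None):
    """Decide the outcome of assigning new_point to user under the enforcement type."""
    enforcement = enforcement or model.enforcement
    proposed = dict(snapshot)
    proposed[user] = snapshot.get(user, frozenset()) | {new_point}
    conflicts = [i for i in evaluate(model, proposed) if i.user == user]
    if not conflicts:
        return {"status": "assigned", "incidents": [], "notify": ()}
    if enforcement is Enforcement.PREVENT:
        # Assignment is rejected (the role would be end-dated in EBS); no incidents are kept.
        return {"status": "rejected", "incidents": [], "notify": ()}
    if enforcement is Enforcement.APPROVAL_REQUIRED:
        # The request is suspended and control participants are notified.
        return {"status": "suspended", "incidents": conflicts, "notify": model.participants}
    # Monitor: the assignment goes through but stays pending review in AACG.
    return {"status": "assigned_pending_review", "incidents": conflicts, "notify": model.participants}


# Constructed sample data (not taken from any real EBS instance).
AP_INVOICE = AccessPoint("AP Invoice Entry", "function")
AP_PAYMENT = AccessPoint("AP Payment Entry", "function")
SUPPLIER = AccessPoint("Supplier Maintenance", "function")
GL_JOURNAL = AccessPoint("GL Journal Entry", "function")

PAYABLES_ENTRY = Entitlement("Payables Entry", frozenset({AP_INVOICE, SUPPLIER}))
PAYMENTS = Entitlement("Payments", frozenset({AP_PAYMENT}))

# Entitlement vs. entitlement model: whoever can create invoices or suppliers must not also pay them.
SOD_PAYABLES = AccessModel("Payables entry vs payments", PAYABLES_ENTRY, PAYMENTS,
                           Enforcement.APPROVAL_REQUIRED, participants=("ap.manager",))

DATASOURCE = {
    "alice": {AP_INVOICE, AP_PAYMENT, GL_JOURNAL},  # holds both sides: an incident
    "bob": {GL_JOURNAL},
    "carol": {SUPPLIER},
}

if __name__ == "__main__":
    snapshot = synchronize(DATASOURCE)
    for incident in evaluate(SOD_PAYABLES, snapshot):
        print(incident)
    for who in ("bob", "carol"):
        for mode in Enforcement:
            print(who, mode.value, enforce(SOD_PAYABLES, snapshot, who, AP_PAYMENT, mode)["status"])
```

Running the script reports one incident (alice holds AP Invoice Entry and AP Payment Entry), shows that a request granting bob AP Payment Entry is simply assigned, and that the same request for carol, who already maintains suppliers, is rejected under Prevent, suspended with a notification under Approval required, and assigned but left pending review under Monitor. The evaluation step is the part a practitioner would keep; the enforcement outcomes mirror the three types described in the bullets above.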
There is no separate process for reporting. Reports, which are required in the analysis of incidents, are located in the Report Management page of AACG. AACG has a number of standard reports, which can be used to...