Michael Johnson
Information Technology Risk Management
Case Study 3
RISK MITIGATION STRATEGIES
This document provides your organization with a set of strategies to mitigate the current risks in Oracle EBS database governance. All strategies and rules have been tested and shown to reduce current, and prevent future, segregation of duties (SOD) violations in user access through enforcement by Application Access Controls Governor (AACG); to track past, current and future transactions processed in the core Oracle Financials modules; and, through Transaction Controls Governor (TCG), to prevent and to notify management of duplicate suppliers, split payments and invoices, duplicate payments and invoices, and any other transaction that violates the rules set by the configured controls. Both governors are delivered in a single web-based GRC application, and all recommended controls have been configured and are provided with the deliverables.
To use AACG effectively, a few key concepts must be understood. The first is the access point. In AACG, an access point is an object in a business application that, once granted to a user, lets that user carry out part of his or her daily duties. In Oracle EBS, access points include responsibilities, menus, submenus and functions. The second concept is the access entitlement. An entitlement groups related access points, so a single entitlement may be composed of many access points; together they describe the several ways a user can reach a given function in EBS.
Access models in AACG specify access points in business applications that conflict with one another; a user who holds conflicting access points constitutes a segregation of duties (SOD) violation. In most cases the violations an access model finds will require remediation before the model is converted into a permanent access control. An access model
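To make the concepts above concrete, the following Python is an added example written for this document; it is not AACG code and uses no Oracle API, and every menu, function, responsibility, entitlement and user name in it is constructed for illustration. It resolves each responsibility through its menu and submenus to the functions (access points) a user can reach, maps those functions to entitlements, and evaluates access models, simplified here to pairs of entitlements that must not be held by the same user. The user who reaches the conflict only through two separate responsibilities is the case a responsibility-by-responsibility review misses.

```python
"""Toy SOD check in AACG vocabulary. Added example for this document, not
Oracle/AACG code. All names below are constructed for illustration."""

# Menu hierarchy: an entry is either another menu (a key of MENUS) or a
# leaf function. Constructed names, not real EBS seed data.
MENUS = {
    "AP_SUPERUSER_MENU": ["AP_INVOICES", "AP_SUPPLIERS_SUBMENU", "AP_PAYMENTS_SUBMENU"],
    "AP_SUPPLIERS_SUBMENU": ["AP_SUPPLIER_ENTRY"],
    "AP_PAYMENTS_SUBMENU": ["AP_PAYMENTS"],
    "AP_CLERK_MENU": ["AP_INVOICES"],
    "AP_PAYMENT_MENU": ["AP_PAYMENTS_SUBMENU"],
    "PO_BUYER_MENU": ["PO_CREATE_ORDER", "PO_APPROVE_ORDER"],
}

# A responsibility grants exactly one top-level menu.
RESPONSIBILITIES = {
    "PAYABLES_MANAGER": "AP_SUPERUSER_MENU",
    "PAYABLES_CLERK": "AP_CLERK_MENU",
    "PAYMENT_SPECIALIST": "AP_PAYMENT_MENU",
    "PURCHASING_BUYER": "PO_BUYER_MENU",
}

# Entitlements group related access points (functions here). Holding any
# one access point in the group means holding the entitlement.
ENTITLEMENTS = {
    "MAINTAIN_SUPPLIERS": {"AP_SUPPLIER_ENTRY"},
    "ENTER_INVOICES": {"AP_INVOICES"},
    "ISSUE_PAYMENTS": {"AP_PAYMENTS"},
    "CREATE_PO": {"PO_CREATE_ORDER"},
    "APPROVE_PO": {"PO_APPROVE_ORDER"},
}

# Access models, simplified to pairs of entitlements that conflict.
ACCESS_MODELS = [
    ("SUPPLIER_VS_PAYMENT", "MAINTAIN_SUPPLIERS", "ISSUE_PAYMENTS"),
    ("INVOICE_VS_PAYMENT", "ENTER_INVOICES", "ISSUE_PAYMENTS"),
    ("PO_CREATE_VS_APPROVE", "CREATE_PO", "APPROVE_PO"),
]

# Constructed user-to-responsibility assignments.
USER_RESPONSIBILITIES = {
    "jsmith": ["PAYABLES_MANAGER"],
    "agarcia": ["PAYABLES_CLERK", "PAYMENT_SPECIALIST"],
    "bchen": ["PURCHASING_BUYER"],
    "dlee": ["PAYABLES_CLERK"],
}


def functions_reachable(menu_name):
    """Flatten a menu into the set of leaf functions it exposes,
    following submenus to any depth (cycle-safe)."""
    functions, seen, stack = set(), set(), [menu_name]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in MENUS:
            stack.extend(MENUS[name])
        else:
            functions.add(name)
    return functions


def user_functions(user):
    """Map each function the user can reach to the responsibilities
    that grant it, across all of the user's responsibilities."""
    granted = {}
    for resp in USER_RESPONSIBILITIES.get(user, []):
        for fn in functions_reachable(RESPONSIBILITIES[resp]):
            granted.setdefault(fn, set()).add(resp)
    return granted


def user_entitlements(user):
    """Entitlements the user holds, with the access points and
    responsibilities that provide each one (the remediation trail)."""
    granted = user_functions(user)
    held = {}
    for ent, points in ENTITLEMENTS.items():
        hits = points & set(granted)
        if hits:
            held[ent] = {fn: sorted(granted[fn]) for fn in sorted(hits)}
    return held


def find_sod_violations(user):
    """Evaluate every access model against the user's entitlements."""
    held = user_entitlements(user)
    violations = []
    for model, ent_a, ent_b in ACCESS_MODELS:
        if ent_a in held and ent_b in held:
            violations.append({"model": model, ent_a: held[ent_a], ent_b: held[ent_b]})
    return violations


if __name__ == "__main__":
    for user in USER_RESPONSIBILITIES:
        for v in find_sod_violations(user):
            print(user, v)
```

Each reported violation carries the functions and responsibilities that produced it, which is what remediation needs: for the user holding PAYABLES_CLERK and PAYMENT_SPECIALIST, neither responsibility is a conflict on its own, and the fix is to remove one of the two assignments rather than to change a menu. Real AACG access models can express more than a pairwise conflict; the pairwise form is a simplification for this example.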