OracleAppsBlog
A day in the life of an Oracle Applications Consultant

Security

Friday, September 10, 2004

Oracle Applications Auditing and Security Best Practices

This post points you to a site that has some really good presentations and white papers related to auditing and securing Oracle E-Business Suite and provides some related links.

Having been an Auditor/Accountant in a former life, I always try to make certain that when implementing an ERP system I take into account security issues and also ensure that the system can be audited by both internal and external parties. Oracle has many built in auditing and security features, but in my experience, people do not make appropriate use of them because they are not aware they exist or they do not have the time or budget to implement them. Personally, I believe awareness of the capabilities of Oracle E-Business Suite is the starting point towards ensuring system security and auditability. Hence, it’s always nice to come across some information which can give you new ideas as to what approach you should take when implementing such a system.

A really good site that I have come across which has some superb white papers and related information on Oracle Applications auditing and security is Integrigy. According to their site: -

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.

Key Oracle Applications papers and presentations on auditing and security that you can download are as follows: -

The resources section of the site is also quite good since it not only includes white papers but also security alerts, advisories and notes, analysis, and tools and scripts. There is also a quarterly newsletter which keeps you up to date with security issues around Oracle Applications.

Other Resources

  • Best Practices for Securing Oracle E-Business Suite – Metalink Note ID 189367.1
  • Best Practices For Securing Oracle E-Business Suite 11i For Internet Access – Metalink Note ID 229335.1
  • 11i: A Guide to Understanding and Implementing SSL for Oracle Applications – Metalink Note ID 123718.1
  • Oracle Applications 11i System Administrator’s Guide
  • Oracle Security Alerts – http://technet.oracle.com

Thursday, July 08, 2004

The Financial Systems Project (FSP) - an Oracle Implementation and Upgrade

This post contains details of a Financials Systems Implementation and Upgrade that was undertaken at the University of Waterloo and contains links to the associated documentation.

The University of Waterloo undertook an Oracle Applications R10.5 implementation in 1996 and upgraded to R10.7 in 1998. Although the implementation and upgrade were carried out some time ago, I thought that the documentation provided on their site would still be useful to any potential implementors of Oracle Applications. According to their site: -

The May 1996 implementation of the Financial Systems Project (FSP) was motivated by the realization that UW’s Computer-based central accounting systems had many limitations and inefficiencies. Its mission has been: “To conduct a comprehensive review of financial processes leading to the development of an integrated, effective and efficient system for managing the financial affairs of the University”.

The December 1998 upgrade of the Financial System was motivated by the need to achieve year 2000 compliance within the application software.

The Financial System Project consists of the implementation of Oracle Government Financials (General Ledger, Accounts Payable and Purchasing modules) from ORACLE Corporation plus the custom extensions written to accommodate interfaces with other systems used on campus.

The Financial Systems Project site contains the following types of documentation: -

  • Upgrade Project Summary
  • Project Team Structure and Membership
  • Architectural Diagram
  • Information Security Policy and Standards
  • ORACLE Government Financials Security
  • Technical and Functional Documentation

Of particular interest to those involved in Chart of Accounts design will be the Accounting Flexfield Values portion of the site, which outlines the Chart of Accounts segment structure and the associated values that populate it.

The Applications Technology “department” of the University should also be looked at. According to the site: -

“Applications Technology is responsible for the application software supporting the University’s information systems. This responsibility encompasses all aspects of the System Development Life Cycle; including business process and system analysis, design, acquisition, development, implementation, documentation, and ongoing maintenance. In particular, this includes responsibility for designing and evolving the corporate database. As systems move into production, this group cooperates with Client Services and Electronic Workplace to train users and provide them with access to systems, and with Production Support to commission systems and provide second-level support to ongoing production”.

On the Applications Technology site you will find details of ongoing projects at the University in the areas of Co-operative Education & Career Services (CECS), Financial Systems, Human Resources, Strategic Consulting and Student Information Systems.

I’m interested to know whether the University has upgraded to 11i. I’ve fired a mail their way to find this out and will update this post with any further information or documentation I obtain.

Wednesday, June 23, 2004

Threat and Risk Assessment Working Guide

This post contains information on where to find a sample Threat and Risk Assessment document layout.

In a previous post I introduced readers to the Oracle Applications Implementors Journal at ITtoolbox. I talked about the first post on that blog, which related to performing a Threat and Risk Assessment (TRA) for Oracle Applications. I subsequently spoke to the author of this post and asked if there was anywhere on the Internet where I could find a document layout/template that would assist in the preparation of such an assessment. I was provided with a link to a Threat and Risk Assessment Working Guide, from which you can download a fairly comprehensive 132 page document. According to the site: -

"This document entitled Threat and Risk Assessment Working Guide provides guidance to an individual (or a departmental team) carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system. This document will help determine which critical assets are most at risk within that system, and leads to recommendations for safeguards that will reduce any risks to acceptable levels.

By following the guidance given therein, a TRA can be carried out such that it results in a concise report that:

  • defines the IT system under assessment;

  • states the aim of the assessment, along with the desired security level to be attained;

  • identifies potentially vulnerable parts of the system;

  • states the potential impacts of successful threat events on: the IT system; the business functions that the IT system supports; and the applications used to carry out the business functions, in terms of confidentiality, integrity and availability; and

  • provides recommendations that would lower the risks to acceptable levels."

I am sure the TRA working guide will be useful to any organisation that wants to perform some type of security evaluation on their systems. You will also find other useful IT Security documentation at the Government of Canada’s knowledge centre.