approach to building our rules and have mapped the content to function level - Oracle's lowest level of
object-driven security.

The content is process-centric in that it takes into account risks at the process level where Oracle's
security is deficient.  For example, entry of credit memos in AR is a common risk for
organizations.  However, in Oracle there is no single function you can point to that identifies the
users who have the ability to enter a credit memo.  In this case, the process-centric risk is
noted with a risk description that explains the issue further.  The risk description includes this
comment: "In many Oracle instances, access to the transactions form allows for the entry of a
negative transaction (check your transaction types setups for creation sign)."
Because of the process-centric nature of the content, much of it can be leveraged in your
risk assessments related to other systems.
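To make the credit-memo point concrete, here is an added example (not part of the original content and not the content provider's own rules) of how a practitioner would check both halves of that risk in Oracle SQL: first, which AR transaction types allow a negative amount, and second, which users can reach a given form function through their responsibilities' menu trees, after honouring responsibility-level exclusions.  The following are assumptions of this example: the function-name pattern 'AR_ARXTWMAI%' for the AR Transactions form (substitute the function names from your own instance), the creation-sign codes 'P'/'N'/'A', and the standard R12 FND/AR table and column names, all of which should be verified against your release before relying on the results.

```sql
-- Part 1: AR transaction types whose creation sign permits a negative
-- (credit) amount. Assumed codes: 'P' positive only, 'N' negative only,
-- 'A' any sign; confirm these against your instance.
SELECT t.org_id,
       t.name,
       t.type,
       t.creation_sign
  FROM ra_cust_trx_types_all t
 WHERE t.creation_sign IN ('N', 'A')
   AND (t.end_date IS NULL OR t.end_date >= SYSDATE)
 ORDER BY t.org_id, t.name;

-- Part 2: users whose active responsibilities can reach the target
-- function(s) through the responsibility's menu tree, after removing
-- functions and sub-menus excluded on that responsibility.
WITH menu_tree AS (
  -- every (root menu, granted leaf function) pair, with the menu path walked
  SELECT CONNECT_BY_ROOT me.menu_id                  AS root_menu_id,
         me.function_id,
         SYS_CONNECT_BY_PATH(me.menu_id, '/') || '/' AS menu_path
    FROM fnd_menu_entries me
   WHERE me.function_id IS NOT NULL
     AND me.grant_flag = 'Y'
  CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
)
SELECT DISTINCT u.user_name,
       r.responsibility_key,
       f.function_name,
       mt.menu_path
  FROM fnd_user u
  JOIN fnd_user_resp_groups urg
    ON urg.user_id = u.user_id
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
  JOIN fnd_responsibility r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id   = urg.responsibility_application_id
   AND (r.end_date IS NULL OR r.end_date > SYSDATE)
  JOIN menu_tree mt
    ON mt.root_menu_id = r.menu_id
  JOIN fnd_form_functions f
    ON f.function_id = mt.function_id
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
   -- assumption: replace with the function name(s) from your instance
   AND f.function_name LIKE 'AR_ARXTWMAI%'
   -- the function is excluded directly on the responsibility
   AND NOT EXISTS (
         SELECT 1
           FROM fnd_resp_functions rf
          WHERE rf.responsibility_id = r.responsibility_id
            AND rf.application_id   = r.application_id
            AND rf.rule_type        = 'F'
            AND rf.action_id        = f.function_id)
   -- a sub-menu on the path to the function is excluded on the responsibility
   AND NOT EXISTS (
         SELECT 1
           FROM fnd_resp_functions rf
          WHERE rf.responsibility_id = r.responsibility_id
            AND rf.application_id   = r.application_id
            AND rf.rule_type        = 'M'
            AND mt.menu_path LIKE '%/' || rf.action_id || '/%')
 ORDER BY u.user_name, r.responsibility_key, f.function_name;
```

Two caveats a reviewer should keep in mind: the menu walk starts at every menu entry and is therefore heavy on a large instance, so restrict the CONNECT BY to the responsibilities under review when running it for real, and a user appearing in Part 2 only has the credit-memo capability if at least one transaction type from Part 1 is available to the operating units that user's responsibilities are tied to.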

The content is also application-centric.  We recognize there are risks that are unique to Oracle
E-Business Suite that need to be specifically spelled out.  For example, the forms that allow for the
embedding of a SQL statement or OS command are unique to Oracle E-Business Suite.  Each of
these forms is spelled out as a high-risk single function.

Content addresses the following:

  • Over 600 SOD conflicts and single-function risks
  • Risks arising from inquiry access to sensitive data
  • A specific risk description for each conflict / single-function risk
  • Common mitigating controls
  • A template for performing a risk assessment of each conflict / single-function risk
  • Common SOX and fraud risks
  • Consideration of manual processes that happen outside the system
  • Mapping to the function level for each system-related risk
  • Updates twice a year reflecting the latest Oracle patches

The content is geared towards those with a risk advisory, corporate governance, or internal audit

