Planning Security and Business Process Controls into Oracle Cloud

People have different views as to what “Cloud ERP” actually is. To some, it’s a hosted “own version” ERP solution. To many, the future lies in a true Cloud-based, subscription-type ERP solution. Oracle’s own marketing and messaging also make it somewhat blurry as to what “Oracle Cloud” is.

Whatever your view, Oracle ERP Security and Controls needs focus, strategy and action when a move to Oracle Cloud ERP is planned.

 

So what is Security and Control?

 

Security and Control covers a number of different areas which inter-relate and affect each other. The underlying aims are to ensure confidentiality, integrity, auditability and availability. Clearly there is the need to ensure people can’t hack the system or access information they shouldn’t, as well as to ensure business process exceptions and oddities are prevented and that the ERP system is monitored closely and subsequently improved upon. The requirements are met by a combination of good practice auditing/monitoring, process controls, access controls and security.

 

Cloud Considerations…

 

Moving to a Cloud solution raises a number of questions for you to think about. None of these are ‘outsourced’ to Oracle even if you go for Oracle Cloud ERP:

 

Who “owns” security in a Cloud solution?

Who “owns” business process risk management and control?

What are the key business changes enforced by Cloud?

How do these changes impact on Security and Controls?

What are the risks involved in moving to Cloud?

What can you do NOW if you’re thinking about a move to Cloud?

 

Some key changes to be aware of

 

With Hosted Cloud comes hosted operations and patching. And with Oracle Cloud ERP comes additional changes such as application changes, licensing vs subscription challenges and a number of additional features.

 

These changes, in our expert view, impact in varying degrees on Security and Controls and therefore we strive to educate our clients to be prepared.

 

So what can be done to prepare for Cloud?

 

Firstly, realise the risk of rushing an implementation – please don’t! Whilst marketing materials from Oracle and others will talk about Oracle Cloud ERP implementations in a matter of weeks, this is usually high risk for both the project and the business and systems processes it will leave behind. It will rely on default user access roles, generic documentation, minimal use of the available business process controls, very limited engagement with risk, controls and audit functions – and can cause huge pain in the future.

 

The best approach is to design security and controls into the project from the outset. You should split your thinking into two strands – project risk management and process risk management – and consider both of these as part of the usual design, build, test, implement project phases. At Systems Risk Services, we also add “define” to the very start of a project – understanding who is responsible for agreeing the risks identified and suggested controls is key in ensuring they are not overlooked. We then add “optimise” into the final stage – again this is so important, as it’s about making sure that the controls are efficient and do not require excessive effort to operate and monitor. You can read more about how we work here.

 

If you’re already running Oracle E-Business Suite and are considering a move to cloud, we’ve identified 11 key Oracle EBS security and control challenges and we estimate that 8 of these would impact on Cloud ERP too.

 

So if you’re thinking about Oracle Cloud ERP this list is a great place to start.

 

Find out more…

 

We presented on this topic in more detail at the Oracle User Group Apps 16 Conference on the 7th December – if you would like a copy of the presentation slides please email matt.luscombe@systemsriskservices.com.

 

Otherwise, if you would like to discuss the issues raised in this blog, please do get in touch!