Audit and Security Strategies for PeopleSoft Implementation

1
Audit and Security Strategies for PeopleSoft
Implementation

• Session 406
• March 6, 2002 1030 am - 1130 am
• HEUG 2002 Conference - Las Vegas

2
Dennis Irwin Internal Auditor University of
Wisconsin-Parkside
3
Dennis Irwin is the Internal Auditor at the
University of Wisconsin-Parkside. He addressed
security issues in the implementation of
PeopleSoft Financials 7.0 and the upgrade to 7.5
and acts a back-up for the system administrator
in maintaining system security. Dennis has
participated in PeopleSoft training provided by
the Association of College and University
Auditors, and MIS. Dennis is also a member of the
Kettle Moraine chapter of the Information Systems
Audit and Control Association.
4
Presentation Goals

• This presentation will highlight auditing
  PeopleSoft implementations and highlight
  opportunities and methods to mitigate security
  vulnerabilities. The set-up of global, operator,
  nVison, SQR, query, object, and process security
  will be reviewed. General IT security methods
  will also be discussed in developing a
  comprehensive PeopleSoft implementation audit.

5
Objectives

• Review the client/server architecture of the
  PeopleSoft application
• Examine the strengths and weaknesses of the
  PeopleSoft layers
• Study how to implement audit, integrity and
  control of the PeopleSoft application
• Identify potential security concerns during the
  implementation process

6
Audit Control Points

• Physical
• Operating System
• Database Management
• Network

7
Audit Control Points contd

• Workstation
• Backup and Recovery
• Change Control
• Business Process Controls

8
Client/Server Architecture of the PeopleSoft
Application

• Two-Tier
• Three-Tier
• Logical Three-Tier

9

Client/Server Architecture

• System Catalog Tables
• PeopleTools Tables
• Application Data Tables

10
Strengths and Weaknesses of PeopleSoft Layers

• Sign On/Operator Security
• Application Security
• Authorization Function
• Security Administrator

11

PeopleSoft Layers

• Audit and Control Reviews
• Audit Trails
• Controlling Objects

12
How to Implement Audit, Integrity and Controls of
the PeopleSoft Application

• Analysis
• Design
• Setup

13
Potential Security Concerns During the
Implementation Process
14

Security Concerns During Implementation
Initial Setup

• When developmental/prototype systems are
  initially installed, the system or security
  manager must change all default Operator Ids and
  passwords

15

Security Concerns During Implementation
Analysis Phase

• Identify members roles and responsibilities
• List the transactions and/or functions they can
  perform
• Organize members into teams
• Map out authorizations that correspond to
  menus/functions of transactions and functions of
  the business process

16

Security Concerns During Implementation
Analysis Phase

• Compare system supplied authorizations and
  profiles for each team to business process
• Follow naming conventions as recommended by
  PeopleSoft, Consultant, or as developed by
  project manager
• Test and document profiles/rights thoroughly
• Consult with Internal Audit

17
Thank YouQuestions?
Dennis Irwin, Internal Auditor University of
Wisconsin-Parksideirwin_at_uwp.edu
HTTP//higheredsig.cua.edu/ (attendees may
download HEUG2002 presentations from the archives
at this location)