Let’s assume, for the moment, that you care about Access Control in Oracle EBS (that’s a safe bet given that you are reading this article!) and the means to manage it. While you care, that is probably not true for others in your organization. There are many sexy ideas in business - the kind you read about in self-help books and success manuals - and not a single one of them involves controls or security. Trust me, I’ve tried coming home and chatting with my wife about Oracle EBS Access Controls, and we rarely get past the words “Oracle EBS Access Controls”. That said, security and controls are important, and do matter, yet in many companies the largest roadblock to healthy application security management is a misunderstanding of why it matters. Let’s try to fix that.
Identify and communicate your core purpose statement
The first step in managing access in your Oracle EBS installation is to ensure you are focused on a core purpose and that you can communicate that purpose. The term “elevator pitch” gets bandied about often in business, but for good reason: being able to communicate concisely and emphatically is absolutely key!
“If you can’t explain it simply, you don’t understand it well enough” – Albert Einstein
Let’s start first by addressing the easiest argument: public companies. Public companies are subject to SEC filing regulations including Sarbanes-Oxley (SOX). This means that public filers must comply with Section 404a (self-assessment over internal control structure and effectiveness) and 404b (control structure and effectiveness assessment by external auditor) when filing their financial statements. This is a pervasive, driving force for good hygiene in your financial system, and rarely finds significant pushback from above. But what about when it does, and what about everyone else?
The primary driving force behind good behaviors is protection of company assets.
Private companies are allowed to manage themselves as they see fit, assuming that they comply with criminal laws, civil precedent, and tax regulation. As Access Control in Oracle EBS doesn’t clearly tie to any of these drivers, any immediate leverage is now missing. This can make encouraging good habits harder, but not necessarily. Here’s why: the primary driving force behind good behaviors and habits is protection of company assets.
- Many private companies don’t have a formal HR organization or drafted policy, but norms and mores drive good behaviors, and CEOs care about lawsuits.
- Keys and locks are used to keep computers from going missing.
- Banks are used to retain cash.
If securing the physical assets of a company is important, then your ERP security should be a key priority. No single part of your business is more pervasive than your financial system! As financial systems allow for more and more automation to enable companies to be more efficient with fewer people, they also introduce the opportunity for repeatable and hard-to-identify errors as well as an increased risk of fraud.
So why should you (or your boss) care about Access Controls in your Oracle EBS installation? Because your financial system touches more of your money in more places than any other part of your business – shouldn’t you know what’s going on in there?
The next article in this 4-part series will introduce concepts in access control.