Case Study: Oracle Financials Security Audit |
Abstract
The upgrade of Oracle Financials necessitated a multitude of changes across a number of platforms and systems. The complexity and extent of changes meant that specific examination of these changes and their potential to affect other areas was required.
Challenge
Oracle Financials version 10.6 was implemented by this large manufacturing company in 1998 running on Windows NT. Since then they have upgraded to 10.7 and then 11.5.3. Recently, they have decided to upgrade to version 11.5.10. This project had taken longer than originally envisaged. Upgrading any system is a complex change, involving changes to a wide variety of platforms, applications and databases. The Oracle Financial Project Board decided that due to the complexity of the change they would need external consultants.
Approach
- A review of Logical Security was performed.
- We evaluated user privileges and access rights.
- We tested the business policies for monitoring and responding to events.
- Review of procedures to manage, restore and schedule backups
- We considered the project management for the upgrade project to ensure that an appropriate and robust methodology was employed to ensure a successful and controlled implementation. The review was performed by conducting interviews with key personnel with responsibility for the system and an examination of relevant project documentation.
Solution
- Use of default responsibilities within Oracle Financials allowed unauthorised access to be granted to users unintentionally, as these responsibilities were inherently unsecured.
- The configuration settings for the security of the Oracle database were not secure.
- Access to sensitive functions and transactions within Oracle Financials was more widely available than expected.
- The resources allocated to completing the upgrade to Oracle Financials were inadequate.
- The overall project plan was not kept up-to-date and project deadlines were not adhered to.
