During Quest Forum Digital Event: Cloud Week, two members of Oracle’s Product Strategy Team for Risk Management Cloud – Dane Roberts and Aman Desouza – spoke about advanced options to protect HCM Cloud data and manage user security. The pair dove into:

• The latest analytical techniques and best practices for robust user security control
• Strategies for automating compliance tasks for data privacy, segregation of duties, SOX, GDPR, fraud prevention, and other obligations
• New HCM Cloud advanced control techniques to automate compliance and security administration

Digital transformation is happening. More and more organizations are seeing the benefits of moving their enterprise and applications to the cloud. As valuable as these transformations are, they bring challenges along with them. One of these challenges is a shift in paradigms of security. Based on statistics:

• The average cost of a data breach in a company is $3.9 million
• Employee data is the No. 1 target of data breaching
• 60 percent of all data breaches are caused by employees
• In the last year, 82 percent of organizations were impacted by fraud (In actuality, this number could be 100 percent if the remaining organizations simply didn’t realize they were being breached)
• IT-only sponsored programs are predicted to experience 3x more breaches

The Solution

Oracle offers a complete solution to data security with a layered approach. There are three building blocks that create effective risk management:

1. Control user access
2. Monitor user activity
3. Streamline compliance

Your cloud service provider takes responsibility for the entire stack. In this case, Oracle is the service provider and is therefore responsible for the infrastructure, platform, and software. However, the whole of security is a shared duty. The customer must manage user access and monitor user activity. These tools of effective risk management help you, the customer, to follow through with your responsibilities.

The bottom layer is all about controlling user access. Who has access and to what (including both privileges and data)? The second layer regards the monitoring of user activity. What activity are users performing? The final layer is that of streamlining compliance. Together, these three layers support each other and combine to form a comprehensive solution.

Not only is this a complete solution with three layers in one product, but there is also full integration with your HCM platform. This is different from the other Risk Management options on the market. The benefits of this integration across all pillars include:

• Continuous security, transaction, and configuration analysis with audit and compliance workflows
• Common user experience and interface
• Common user security, data model, application administration, updates, and patches
• Common extensibility tools — Page composer and flex fields

Essentially, your data stays within the system. You can consume and access all of the data displayed below within your secure Oracle environment:

With HCM in focus, the bottom two layers look like this:

You can ensure employee access is appropriate for their job with secure role design and a deep separation of duties analysis, as well as certifying user access to sensitive data and privileges. Additionally, you can monitor the audit trail of changes to setups and master data and detect suspicious activity with best practice controls. This gives you a combination of access, configuration, and transaction controls that you can then overlay across your process, empowering you with the agility and vigilance to best secure your data.

Within HCM, you automatically receive standard controls:

• Role-based access
• Role mapping
• Audit sample transactions
• Approval hierarchies
• Expense receipt required
• Page composer

The advanced options available in Risk Management complement the given roles with the following specifics:

• Cluster analysis
• Anomaly detection
• Detect ghost employees
• Split Purchase Orders
• Unusual Manual JEs
• Audit 100% of transactions
• Fuzzy Logic, ‘Similar values’
• Setup changes
• Fine-grained User Access
• Benford analysis
• Audit trail analysis
• Unusual changes to payroll

The top layer is for workflows. It is a separate subscription, but it is an organization-wide workflow. All of the layers of the stack integrate. This top layer helps to digitize internal audit certifications, assessments, issues, remediation, and more. It is a streamlined ERM with risk analysis, evaluations, and treatment plans.

Key Use Cases

Accelerate Security Design During HCM Implementations

Accelerate your security design during HCM implementations so that when you deploy, your roles are secure. The No. 1 reason for audit issues is poor role design.

To explain, the seeded roles or HCM are a starting point. They are not intended to cover the entire organization. Every organization needs to review the seeded roles or third-party starting roles for compliance, and then create custom roles as needed.

Accelerating HCM implementation with automated analysis of separation of duties (SoD) and sensitive access allows you to start analyzing security configurations in hours without impacting your HCM project plan. Avoid last-minute user acceptance testing issues and ensure audit readiness by certifying users’ access to sensitive roles before go-live. Eliminate poorly designed roles, which are the leading cause of audit findings after go-live. Building job roles without inherent risk saves thousands of dollars in follow-up expenses.

Automate Separation of Duties (SoD) Compliance Reporting

Advanced options within Risk Management allow you to generate compliance-driven SoD reports with confidence each quarter. You can reduce audit consulting fees by over $100,000 annually. You will be able to quickly tailor SoD reports with embedded tools for creating reports and dashboards. Eliminate the risk of copying and distributing sensitive HCM security data required by third-party systems or external consultants. View SoD restyles in minutes using a pre-built library of 30+ best practice rules and leverage an easy-to-use visual workbench to tailor rules and create your own. It does take knowledge of the product in order to deploy SoD automation. Therefore, Oracle recommends using an implementation partner to get started before bringing it in-house and reaping major benefits.

Continuously Monitor (and Maintain) User Security

If your security was designed with the tools in Step 1, this step is incredibly easy. The controls deployed at implementation carry on for the life of the organization. If you didn’t take Step 1, you may need to take action to create and maintain security throughout quarterly updates, new functionality, HCM changes, and more.

Proactively monitor security and privacy risk beyond compliance. Manage exceptions and status using a simple incident management workflow. Accelerate remediation of incidents with visualizations and simulations. Eliminate noise with accurate security analysis of data security and functional access (privileges). Finally, you can leverage a pre-built library of 30+ best practice rules and author new controls quickly.

Digitize User Access Certification Workflows

No matter how much monitoring you do, you must make sure the right people have the right access. You can automatically certify users’ access to sensitive data and functions and continuously trigger notifications for new user certifications. This eliminates around 250 hours of manual effort each year and reduces the compliance fatigue faced by key business stakeholders. Focus reviews on sensitive HCM roles and users, provide easy-to-use review worksheets, and automate routing to direct manager or any designated process owner.

Continuously Monitor Configuration Changes

From HCM, you can turn on audit. However, the audit trail is useless unless it is being viewed. Review and flag the audit trail with advanced controls, detecting business risks, and breaches through continuous monitoring of HCM master data and setup changes. Automate risk-based tracking of 100+ setups across compensation, payroll, benefits, recruiting, and talent management. For example, you can receive alerts for frequent or unauthorized changes made to employee master data, payroll settings, compensation changes, employee bank accounts, payroll periods, and more. Leverage a library of best-practice rules, and author new audit rules using a built-in visual workbench.

Continuously Monitor Payments and Other Critical Transactions

Analyze 100 percent of employee data, compensation data, payroll runs, and timecards. You can set this up to run before payments are pushed out, allowing you to stop or hold payment until it can be further reviewed. Eliminate the effort and errors associated with manual data extraction, uncontrolled scripts, and ad hoc analysis.

Key Takeaways

If you are planning to deploy HCM, strongly consider advanced HCM controls. There are significant benefits to deploying this option during implementation. Advanced options add a great degree of ease to handling security through the life of your HCM.

Security regards addressing the weakest link in the chain. By investing in Oracle SaaS (Software as a Service), you have invested in a secure application. If you do not handle user access and activity, then this area will become your weakest link. Consider imputing advanced options in your deployment.

If you have already deployed, take advantage of the variety of use cases offered by advanced options. Monitor user activity and utilize advanced option audit reviews for clean-up and remediation over time.

Make no mistake—security is a priority every day, and an extra priority in today’s business landscape.