Audit Programs

Table of Contents:

The audit program contains 49 tests designed to help (1) evaluate the effectiveness of the key configuration settings that control system security and (2) assess the appropriateness of access to a variety of sensitive forms and screens in Oracle E-Business Suite. It covers:

Processing and administration of concurrent programs
Control framework to determine if access to submit concurrent requests is appropriately controlled:
  • Access to the concurrent manager administration functions in Oracle EBS
  • Access to the concurrent program administration functions in Oracle EBS
  • Access to submit sensitive requests and request sets
  • Monitoring completion and resolution of processing errors

End-user authorization and administration functions in Oracle E-Business Suite
A set of controls and testing guidance to determine if access to perform end-user administration functions is restricted to appropriate authorized user administrators:
  • Access restriction to user and access administration functions
  • Tests to ensure that access to the Oracle EBS system is restricted to valid employees based on explicit approvals from management
  • Access recertification procedures by application owners
  • Effectiveness of the access disablement procedures for employees no longer requiring access
  • Security of the default (seeded) user accounts, including the effectiveness of the mitigating controls implemented by management to lower the risks associated with SYSADMIN and Guest access

Password restriction mechanisms

Controls and testing procedures to assess the effectiveness of the password restriction mechanisms implemented by management to protect the system from unauthorized access attempts:
  • Effectiveness of the password requirements (length, complexity, failed login attempts, password reuse, inactivity time-out, expiration, etc.)
  • End-user access to circumvent password requirements implemented by management
  • Effectiveness of the procedures to mitigate password decryption risk
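The password and seeded-account tests above (and the circumvention point about end-user overrides) can be evidenced directly from the APPS schema. The following queries are an added illustration written for this page, not part of the audit program itself. They assume an Oracle EBS 12.x instance queried as APPS; the profile option names are matched by pattern because exact spellings differ between releases, LEVEL_ID 10001 denotes the Site level, and the seeded accounts listed beyond SYSADMIN and GUEST are taken from Oracle's documented seeded-user list rather than from this page.

```sql
-- Added example (not part of the audit program). Assumes an APPS-schema
-- connection to Oracle EBS 12.x. Profile option names are pattern-matched
-- because spellings vary by release; LEVEL_ID 10001 = Site level.

-- 1. Site-level sign-on password policy and web session timeout.
--    Compare each value with the documented corporate password standard.
SELECT po.user_profile_option_name,
       pov.profile_option_value,
       pov.last_update_date,
       pov.last_updated_by
  FROM fnd_profile_options_vl      po
  JOIN fnd_profile_option_values   pov
    ON pov.profile_option_id = po.profile_option_id
   AND pov.level_id          = 10001
 WHERE po.user_profile_option_name LIKE 'Signon Password%'
    OR po.user_profile_option_name LIKE 'ICX:%Session Timeout%'
 ORDER BY po.user_profile_option_name;

-- 2. Overrides of the same options below Site level (10002 = Application,
--    10003 = Responsibility, 10004 = User). A user-level override of, say,
--    "Signon Password Failure Limit" circumvents the site policy and must be
--    justified or removed.
SELECT po.user_profile_option_name,
       pov.level_id,
       pov.level_value,
       pov.profile_option_value,
       pov.last_update_date
  FROM fnd_profile_options_vl      po
  JOIN fnd_profile_option_values   pov
    ON pov.profile_option_id = po.profile_option_id
 WHERE po.user_profile_option_name LIKE 'Signon Password%'
   AND pov.level_id <> 10001
 ORDER BY po.user_profile_option_name, pov.level_id, pov.level_value;

-- 3. Seeded accounts. An account with no END_DATE, a PASSWORD_DATE that
--    predates go-live, or a recent LAST_LOGON_DATE for GUEST warrants a
--    finding. Names other than SYSADMIN and GUEST come from Oracle's seeded
--    account list (assumption: extend it to match your release).
SELECT u.user_name,
       u.start_date,
       u.end_date,
       u.last_logon_date,
       u.password_date,
       u.password_lifespan_days,
       u.password_accesses_left
  FROM fnd_user u
 WHERE u.user_name IN ('SYSADMIN', 'GUEST', 'ASGADM', 'WIZARD',
                       'OP_SYSADMIN', 'IBE_ADMIN', 'MOBILEADM', 'AUTOINSTALL')
 ORDER BY u.user_name;
```

Run the three queries together and retain the output as audit evidence; query 2 is the one that most often turns up surprises, because a user-level profile value set years ago silently wins over whatever the site-level policy now says.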

Privileged system administration access

Controls and test steps to determine if privileged system administration access is appropriately restricted:
  • Access to modify system security setup
  • Security of the forms that accept SQL statements or allow adding or editing executable code
  • Access to view/modify data directly at the database level, circumventing application level controls
  • Security of the proxy feature
  • Access to configure and administer the system using the Oracle Applications Manager (OAM) tool
  • Security of the alert management functionality
  • Restriction of access to change the behavior of the screens using Forms and OAF personalization features
  • Access restriction to the login requests that originate from trusted machines (server security, server trust levels features)
  • Security of the process flow functionality in the Oracle forms-based applications navigator
  • Access restriction to sensitive/private/confidential data

Disclosure of sensitive system information
Controls and testing procedures to assess the effectiveness of the information security techniques to prevent the disclosure of sensitive information about the system:
  • Oracle Application Server (OAS) Banner
  • Excessive filesystem access
  • Oracle Default Error Pages 
  • Information disclosure through unnecessary/unused modules
  • Default Oracle Application Framework (OAF) pages and default functions for OAF pages
  • Access restriction to allowed JavaServer Pages (JSP)

Information security techniques to detect, record, report and respond to security events
Effectiveness of the procedures to detect, log, report and address security events:
  • User sign-ons, responsibility selection, and form access logs
  • Application level audit trail
  • Reporting security related events using Oracle Alert functionality

Information security techniques to identify and address vulnerabilities
Effectiveness of the procedures to identify and address vulnerabilities in a timely manner:
  • Effectiveness of the patching procedures established by management
  • Test steps to determine if SQL and HTML injection vulnerabilities have been appropriately mitigated by management

Change management and control
Audit guidelines to determine if changes to the setup (application object library) data, code changes, patches and fixes are appropriately managed to minimize the likelihood of disruption, unauthorized alterations, and errors:
  • Separation of environments
  • Effectiveness of the change control process established by management 

Everything has been conveniently pre-documented with fill-in fields for company-specific information, so you can proceed with your assessment immediately.

An excerpt from the audit program is available for review.
 
Price: $65.00 (Instant Download)

