Solution Beacon Security Best Practice #17 - Validate Your Security By Performing Security Assessments

Security Assessments differ from Security Audits, as these assessments are designed to help the organization improve overall security by not only identifying vulnerabilities, but also bringing together the assessor and the assessed to work as a team to provide organization-compatible recommendations for mitigating the vulnerabilities. This is in contrast to an audit findings report, where a vulnerability may be identified (sometimes accurately and sometimes not) without any recommended action. There are several ways that Security Assessments can be performed, but successful security-oriented organizations use all of the following in order to ensure that their systems and data are protected:
* Intra-Team Assessments. Within a team, periodic reviews are performed (as a team, not as an individual) on various areas of the system. An example would be a production support team performing a periodic review of DBA Administrator access levels and controls. Note that the participants in this type of assessment are members of the organization that generally best know the system (and the vulnerabilities), so encouraging this type of review and proper execution can provide tremendous returns.
* Intra-Organization Assessments. Having another team within your organization perform an internal review can be beneficial because it usually stimulates a lot of “why?” questions. “Why” questions are a beneficial tool for identifying and resolving vulnerabilities when they are asked (and answered) in a safe and open environment without fear of retribution. When handled and facilitated properly, these questions often highlight breakdowns in procedures and security issues.
A suggestion to make any of the above Assessments more interesting is to make the process a “fun” competition. Break up into teams and make it a contest to see who can point out the most vulnerabilities. You will be surprised as to how many can be found!
* Third Party Assessment. A third party assessment can be especially beneficial because it brings in knowledgeable security (and preferably E-Business Suite) experts to review your system security and work together as a team to improve security – not just produce a report stating perceived vulnerabilities. As you already know, the E-Business Suite is a complex series of products, tools and utilities delivered as a single system that takes years of practice and experience to master. The reality is that most auditors do not have this extensive domain knowledge and experience with the E-Business Suite (e.g. “What do you mean every database user is APPS?”), and therefore audits are often not a true indication of the security of your system.
Unlike an external audit, where an outside party lists what they perceive to be shortcomings, a third party assessment can bring missing E-Business Suite knowledge and an independent perspective to the team, working with the organization to suggest real-world security improvements that may not otherwise be detected by audits or internal reviews.