PeopleSoft Security And Audit Risks
PeopleSoft applications hold large amounts of enterprise data. Guidelines for secure systems call for a combination of PeopleSoft security audit processes, best practices, and technology updates to minimize risk.
Implementing these five PeopleSoft security audit checks can help you identify unauthorized user access and reduce the chance of data exposure.
1. Inactive Employees With Active User Accounts
One of the biggest compliance and security risks that plague organizations is deprovisioning access for terminated employees and users.
Organizations that do not have an identity provider (IdP) solution have to manually provision and deprovision user accounts for terminated employees. This process often goes unchecked, resulting in a large number of user accounts that remain active after the employee is no longer with the organization.
Public and Higher-Ed organizations run a greater risk as their PeopleSoft systems are often available to users outside of their own private network.
Fortunately, locking user accounts in PeopleSoft is a simple process. However, for large user groups, the process is time-consuming. Using a SQL script or an access management system such as Sentinel is crucial for a sustainable deprovisioning solution.
Step 1 – Select all EMPLIDs in HR that have an I (inactive) status with an Effective Date < Current Date and do not have another active job record.
Step 2 – Update the ACCTLOCK field to 1 on the PSOPRDEFN table for user accounts that match the EMPLIDs from the first query.
2. Deprovision PeopleSoft User Access
Always remove security roles from a terminated user’s account. If the user is later rehired, this prevents them from automatically regaining their previous access.
Removing roles can be a tedious process, but using an automated solution allows you to easily keep up with deprovisioning user access.
After completing Steps 1 & 2 from above, you can delete the assigned roles in the PSROLEUSER table for the locked User IDs.
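The three steps above as one SQL run, added here as an example and not the article's own script. It assumes (the article does not say) that the HR job table is PS_JOB with columns EMPLID, EMPL_RCD, EFFDT, EFFSEQ and EMPL_STATUS, that PSOPRDEFN carries OPRID, EMPLID and ACCTLOCK, and that PSROLEUSER carries ROLEUSER and ROLENAME; PS_SEC_LOCK_WORKLIST is a hypothetical table the script creates so that every run leaves a record of what it locked. It deliberately locks only employees whose every current job row is inactive, which satisfies the article's rule (an inactive record and no other active record) while leaving staff on leave alone.

```sql
-- Added example (not the article's own script): a deprovisioning run that
-- implements Steps 1 and 2 above and then removes roles from the locked
-- accounts, keeping a worklist of what it changed.
-- Assumptions not stated in the article: the HR job table is PS_JOB with
-- columns EMPLID, EMPL_RCD, EFFDT, EFFSEQ, EMPL_STATUS; PSOPRDEFN has OPRID,
-- EMPLID, ACCTLOCK; PSROLEUSER has ROLEUSER, ROLENAME. PS_SEC_LOCK_WORKLIST
-- is a hypothetical table created here. CURRENT_DATE is Oracle syntax; on
-- SQL Server use CAST(GETDATE() AS DATE).

-- Worklist: one row per account this run locks; PROCESSED flips to 'Y'
-- once the lock and role removal have been verified.
CREATE TABLE PS_SEC_LOCK_WORKLIST (
    RUN_DT     DATE        NOT NULL,
    EMPLID     VARCHAR(11) NOT NULL,
    OPRID      VARCHAR(30) NOT NULL,
    PROCESSED  CHAR(1)     DEFAULT 'N' NOT NULL
);

-- Step 1: employees whose every current job row is inactive ('I').
-- The current row per EMPL_RCD is the one with the latest EFFDT before today
-- and, within that date, the highest EFFSEQ. Requiring all current rows to
-- be 'I' meets the article's rule (inactive, and no other active record) and
-- also leaves alone employees who hold a leave or suspended record.
INSERT INTO PS_SEC_LOCK_WORKLIST (RUN_DT, EMPLID, OPRID, PROCESSED)
SELECT CURRENT_DATE, O.EMPLID, O.OPRID, 'N'
FROM PSOPRDEFN O
WHERE O.ACCTLOCK = 0                       -- not already locked
  AND O.EMPLID IN (
        SELECT CUR.EMPLID
        FROM (
            SELECT J.EMPLID, J.EMPL_RCD, J.EMPL_STATUS
            FROM PS_JOB J
            WHERE J.EFFDT = (SELECT MAX(J2.EFFDT) FROM PS_JOB J2
                             WHERE J2.EMPLID = J.EMPLID
                               AND J2.EMPL_RCD = J.EMPL_RCD
                               AND J2.EFFDT < CURRENT_DATE)
              AND J.EFFSEQ = (SELECT MAX(J3.EFFSEQ) FROM PS_JOB J3
                              WHERE J3.EMPLID = J.EMPLID
                                AND J3.EMPL_RCD = J.EMPL_RCD
                                AND J3.EFFDT = J.EFFDT)
        ) CUR
        GROUP BY CUR.EMPLID
        HAVING COUNT(*) = SUM(CASE WHEN CUR.EMPL_STATUS = 'I' THEN 1 ELSE 0 END)
  );

-- Step 2: lock the accounts on the worklist.
UPDATE PSOPRDEFN
SET ACCTLOCK = 1
WHERE OPRID IN (SELECT OPRID FROM PS_SEC_LOCK_WORKLIST WHERE PROCESSED = 'N');

-- Role removal: strip every role so a rehire does not silently regain access.
DELETE FROM PSROLEUSER
WHERE ROLEUSER IN (SELECT OPRID FROM PS_SEC_LOCK_WORKLIST WHERE PROCESSED = 'N');

-- Check: this must return no rows before the worklist is marked processed.
SELECT W.OPRID
FROM PS_SEC_LOCK_WORKLIST W
JOIN PSOPRDEFN O ON O.OPRID = W.OPRID
WHERE W.PROCESSED = 'N'
  AND (O.ACCTLOCK <> 1
       OR EXISTS (SELECT 1 FROM PSROLEUSER R WHERE R.ROLEUSER = O.OPRID));

UPDATE PS_SEC_LOCK_WORKLIST SET PROCESSED = 'Y' WHERE PROCESSED = 'N';
```

Run the whole script inside one transaction and rehearse it against a copy of the database first; the check query is the gate, and a non-empty result means the transaction should be rolled back rather than the worklist marked processed. Service and administrator accounts with no EMPLID on PSOPRDEFN are untouched because they never match the Step 1 subquery, which is the behaviour you want for a job-status-driven rule.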
3. Privileged Access
Privileged or restricted access refers to pages or functions dedicated only to authorized users within a department or functional area. While these pages may not necessarily contain sensitive data, improper use could result in system-wide implications.
Security Administration and PeopleTools Setup pages are common to all PeopleSoft applications. However, there are specific pages within PeopleSoft HR, Finance, and Campus Solutions that may require restricting access to trained and authorized users only.
4. Sensitive Data - PII/PCI Data
PII/PCI data includes personal and financial information that should remain private, such as Social Security Numbers, credit card information, and banking information.
In PeopleSoft, PII/PCI data appears on several pages and the same type of information can even show under different names. This can make the process of PeopleSoft Security Audit Reviews very difficult.
In Sentinel, the various field and page names are mapped to a common name to simplify PeopleSoft Security Audits and Reviews.
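The mapping idea described above, applied to the privileged-page and PII/PCI reviews of sections 3 and 4, as an added example that is not the article's or Sentinel's own code. It assumes the standard PeopleSoft security tables PSROLEUSER (ROLEUSER, ROLENAME), PSROLECLASS (ROLENAME, CLASSID), PSAUTHITEM (CLASSID, MENUNAME, PNLITEMNAME, DISPLAYONLY) and PSOPRDEFN (OPRID, OPRDEFNDESC, ACCTLOCK), none of which the article names; PS_SEC_SENSITIVE_PAGE is a hypothetical mapping table, and the menu and page names inserted into it are placeholders.

```sql
-- Added example (not the article's own query): a review of who can reach
-- pages that expose PII/PCI fields, using a common-name mapping like the one
-- the article attributes to Sentinel.
-- Assumed (not on the page): PSROLEUSER (ROLEUSER, ROLENAME), PSROLECLASS
-- (ROLENAME, CLASSID), PSAUTHITEM (CLASSID, MENUNAME, PNLITEMNAME,
-- DISPLAYONLY) and PSOPRDEFN (OPRID, OPRDEFNDESC, ACCTLOCK).
-- PS_SEC_SENSITIVE_PAGE is a hypothetical mapping table; the menu and page
-- names in it are placeholders.

CREATE TABLE PS_SEC_SENSITIVE_PAGE (
    MENUNAME     VARCHAR(30) NOT NULL,
    PNLITEMNAME  VARCHAR(30) NOT NULL,
    COMMON_NAME  VARCHAR(30) NOT NULL,   -- e.g. SSN, BANK_ACCT, CARD_NBR
    CATEGORY     VARCHAR(3)  NOT NULL    -- 'PII' or 'PCI'
);

-- Placeholder mappings: two different pages that both show the same data type
-- collapse onto one common name.
INSERT INTO PS_SEC_SENSITIVE_PAGE VALUES ('MENU_PLACEHOLDER_1', 'PAGE_PLACEHOLDER_1', 'SSN', 'PII');
INSERT INTO PS_SEC_SENSITIVE_PAGE VALUES ('MENU_PLACEHOLDER_2', 'PAGE_PLACEHOLDER_2', 'SSN', 'PII');
INSERT INTO PS_SEC_SENSITIVE_PAGE VALUES ('MENU_PLACEHOLDER_3', 'PAGE_PLACEHOLDER_3', 'BANK_ACCT', 'PCI');

-- One row per (user, data type): every route through role -> permission
-- list -> page is folded into the common name, so the reviewer reads
-- "who can see SSNs" rather than a list of page names. ACCESS_LEVEL reports
-- UPDATE if any route grants more than display-only access.
SELECT O.OPRID,
       O.OPRDEFNDESC,
       S.CATEGORY,
       S.COMMON_NAME,
       MAX(CASE WHEN A.DISPLAYONLY = 0 THEN 'UPDATE' ELSE 'DISPLAY' END) AS ACCESS_LEVEL,
       COUNT(DISTINCT RU.ROLENAME) AS GRANTING_ROLES
FROM PS_SEC_SENSITIVE_PAGE S
JOIN PSAUTHITEM  A  ON A.MENUNAME = S.MENUNAME
                   AND A.PNLITEMNAME = S.PNLITEMNAME
JOIN PSROLECLASS RC ON RC.CLASSID = A.CLASSID
JOIN PSROLEUSER  RU ON RU.ROLENAME = RC.ROLENAME
JOIN PSOPRDEFN   O  ON O.OPRID = RU.ROLEUSER
WHERE O.ACCTLOCK = 0                      -- locked accounts cannot sign on
GROUP BY O.OPRID, O.OPRDEFNDESC, S.CATEGORY, S.COMMON_NAME
ORDER BY S.CATEGORY, S.COMMON_NAME, O.OPRID;
```

The same join, with Security Administration and PeopleTools Setup pages mapped under a category such as 'PRIV', produces the privileged-access review from section 3; the mapping table is the only thing that changes between the two audits. GRANTING_ROLES is worth keeping in the output, because a user reached through several roles needs every one of them revisited before the access actually goes away.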
5. Segregation of Duties - S.O.D
Segregation of Duties (S.O.D) or Sarbanes-Oxley (S.O.X) controls refer to rules under which holding a specific function or access should prohibit the same user from also holding its corresponding conflicting function.
Many organizations cannot enforce these controls due to resource constraints and therefore need compensating controls. The process traditionally involves a periodic review of the users with access and the transactions.
Controls differ based on the nature of the application and the types of data accessed. For this reason, PeopleSoft HR, Finance, and Campus Solutions have different S.O.D controls that apply to each system.
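The periodic review used as a compensating control, written out as an added example that is not the article's own: it lists active users who hold both halves of a conflicting pair of roles. It assumes PSROLEUSER (ROLEUSER, ROLENAME) and PSOPRDEFN (OPRID, OPRDEFNDESC, ACCTLOCK); PS_SEC_SOD_RULE is a hypothetical rule table, and because the article names no conflicting role pairs, the role names inserted into it are placeholders to be replaced with the pairs that apply to your HR, Finance or Campus Solutions system.

```sql
-- Added example (not the article's own): the periodic review that serves as
-- a compensating control when S.O.D cannot be enforced at grant time. It
-- lists active users who hold both halves of a conflicting pair of roles.
-- Assumed (not on the page): PSROLEUSER (ROLEUSER, ROLENAME) and PSOPRDEFN
-- (OPRID, OPRDEFNDESC, ACCTLOCK). PS_SEC_SOD_RULE is a hypothetical rule
-- table; the role names inserted into it are placeholders, since the
-- article does not name any conflicting role pairs.

CREATE TABLE PS_SEC_SOD_RULE (
    RULE_ID  VARCHAR(10)  NOT NULL,
    ROLE_A   VARCHAR(30)  NOT NULL,
    ROLE_B   VARCHAR(30)  NOT NULL,
    DESCR    VARCHAR(100)
);

-- Placeholder rules: each row names two roles one person must not hold together.
INSERT INTO PS_SEC_SOD_RULE VALUES ('SOD-001', 'ROLE_A_PLACEHOLDER', 'ROLE_B_PLACEHOLDER', 'Create a record vs approve the same record');
INSERT INTO PS_SEC_SOD_RULE VALUES ('SOD-002', 'ROLE_C_PLACEHOLDER', 'ROLE_D_PLACEHOLDER', 'Maintain setup vs process transactions');

-- Conflict report: PSROLEUSER is joined once per side of the rule, and the
-- two sides must belong to the same user.
SELECT R.RULE_ID,
       R.DESCR,
       O.OPRID,
       O.OPRDEFNDESC,
       R.ROLE_A,
       R.ROLE_B
FROM PS_SEC_SOD_RULE R
JOIN PSROLEUSER RA ON RA.ROLENAME = R.ROLE_A
JOIN PSROLEUSER RB ON RB.ROLENAME = R.ROLE_B
                  AND RB.ROLEUSER = RA.ROLEUSER
JOIN PSOPRDEFN  O  ON O.OPRID = RA.ROLEUSER
WHERE O.ACCTLOCK = 0                     -- locked accounts cannot act; skip them
ORDER BY R.RULE_ID, O.OPRID;

-- Summary: violating users per rule, so the count can be tracked from one
-- review to the next.
SELECT R.RULE_ID,
       COUNT(DISTINCT RA.ROLEUSER) AS VIOLATING_USERS
FROM PS_SEC_SOD_RULE R
JOIN PSROLEUSER RA ON RA.ROLENAME = R.ROLE_A
JOIN PSROLEUSER RB ON RB.ROLENAME = R.ROLE_B
                  AND RB.ROLEUSER = RA.ROLEUSER
JOIN PSOPRDEFN  O  ON O.OPRID = RA.ROLEUSER
                  AND O.ACCTLOCK = 0
GROUP BY R.RULE_ID
ORDER BY R.RULE_ID;
```

Each conflict row is a finding to dispose of in the review: either one of the two roles is removed, or the exception is documented together with the transaction-level review that compensates for it. Keeping the rule table per application, as the article notes the controls differ between HR, Finance and Campus Solutions, avoids false positives from role names that only look alike across systems.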