Supplier Portal Recommendations

In today's rapidly evolving digital landscape, safeguarding sensitive information and ensuring data integrity are paramount to the success and reputation of any organization. We recommend an approach that uses existing PeopleSoft functionality to strengthen the security of your PeopleSoft Supplier Portal.

PeopleSoft Public and Secure Supplier Portals are the gateways for collaboration, communication, and business transactions with your suppliers. With cyber threats becoming increasingly sophisticated, your organization must be proactive in hardening this infrastructure against potential vulnerabilities. The PeopleSoft system already includes tools and functionality designed to enhance security and protect both your assets and those of your suppliers.

The following recommended actions will strengthen the resilience of your portals. They are practical and cost-effective, and they build on capabilities already present in the PeopleSoft system. By using these tools deliberately you will not only protect your organization's proprietary information but also foster a culture of trust and reliability with your supplier community.

Here are some recommendations in the following key areas:

  • User Access Controls: Implement robust user access controls so that only authorized individuals can access sensitive information and perform critical functions within the portals. A strict role-based security model streamlines access management and reduces the risk of unauthorized access; grant each supplier role only the pages and actions it needs.

    One specific action we suggest is to remove the Request a New User ID option under the Registration tile on the Public Portal. Anonymous visitors should not be able to request credentials; this capability should be reserved for approved, credentialed users after they have logged in to the Secure Supplier Portal.

  • Two-Factor Authentication (2FA)/Multi-Factor Authentication (MFA): Implementing 2FA/MFA for the Secure Supplier Portal helps ensure that only genuinely authorized users gain access. After a user presents their User ID and password, they should be asked for a second factor before the session is granted. Two/multi-factor authentication adds a layer of security that mitigates password-based attacks (phishing, credential stuffing, password reuse) and unauthorized login attempts.

    For additional information on this authentication, see: Oracle Identity Cloud Services.

    2FA/MFA should also be used as step-up authentication for sensitive operations, for example viewing or updating payment-related data, and whenever an access attempt is unusual or otherwise suspicious.

  • Require Approvals of Self-Service Registration and Supplier Profile Changes: When an individual wishing to do business with your organization self-registers through the Public Supplier Portal, you capture the information they provide but do not yet create a permanent Supplier record. A team of stakeholders from the relevant departments should review the registration and validate that the applicant is a legitimate provider of the goods and/or services they claim. This may involve manual research and checks against external sources for financial standing, social responsibility and more.

    One of the screening capabilities we offer is the ability to download data from the US Department of the Treasury Office of Foreign Assets Control (OFAC). This denied-parties list identifies individuals and organizations involved in unlawful activities with whom no organization should do business. After you download the list, a simple page lets you enter the pertinent registration information; PeopleSoft returns the scoring results of that screening so you can decide whether to request more information from OFAC or reject the supplier's application. A score indicates how closely the entered data matches a listed party, so treat a high score as a candidate match that requires human review rather than a confirmed hit. This review must take place before the potential supplier is approved and before the Supplier tables are updated with the new supplier information. For more information, see Understanding the Financial Sanctions Service.

    We also recommend that organizations notify a Supplier Administrator whenever a self-service portal user requests changes to key Supplier fields, especially payment-related ones such as bank account, routing and remit-to details. Such changes should be verified with a trusted, previously known individual at the Supplier organization, using contact details already on file rather than those supplied with the change request, before they take effect.

    Do not act on phone calls or other informal requests from individuals claiming to be from the Supplier organization who ask for sensitive information to be changed. If you must accommodate such a request, ask a challenge question whose answer resides in the current Supplier Profile data, for example: Who is the main contact at your organization and what is their email address? Bear in mind that such details may also be known to an attacker, so a callback to the phone number already on file is a stronger check.

  • Install and Identify the Virus Scanning Software Implemented on Your Servers: Stopping viruses and malware from entering your system is a must. Because suppliers can add attachments during registration and in other areas of the Secure Portal, those attachments must be scanned for viruses and malware. Once virus scanning is configured, whenever a user opens an attachment window to link a file to a PeopleSoft application page the file is scanned, and if a virus or malware object is detected the user is not allowed to continue the operation. After enabling it, confirm the integration works by uploading a file containing the EICAR test string and verifying that the upload is rejected.

    For more information, see Enabling Virus Scanning for Web Servers topic in PeopleTools: Security Administration.

  • Understand and Implement Data Masking with the Data Privacy Framework: The PeopleSoft Data Privacy Framework provides pages for identifying and maintaining personally identifiable and sensitive information. Personally Identifiable Information (PII) is any information that directly or indirectly helps to determine the identity of an individual; a person's name is a common example. Examples of sensitive information include your suppliers' bank account numbers, bank routing codes and remit-to addresses. PeopleSoft captures many data elements that can be considered PII, sensitive, or both.

    Ensure you have enabled data masking on fields where sensitive data is captured and stored, so that users who do not need the full value see only a masked form. To read more about how to update the sensitive data fields in the Supplier record, see Understanding Data Privacy.

  • Regular Security Audits: Conduct regular security audits and assessments with your suppliers to identify potential vulnerabilities and address them before they can be exploited. One audit you may want to run on a regular basis is to have each supplier review its list of authorized User IDs and either remove them from the Contact list or advise you of employees who have left the organization or moved to another department and should no longer have Supplier Portal access.

    In addition, your organization may ask authorized Supplier Portal users to change their passwords on a regular schedule. Note that current guidance (NIST SP 800-63B) no longer recommends forced periodic rotation on its own; prioritize MFA and immediate resets when compromise is suspected, and treat scheduled rotation as a supplement rather than a substitute.

  • Monitoring and Incident Response: Finally, continuous monitoring and a well-defined incident response plan are essential. Rapid identification and containment of security incidents minimize damage and enable swift recovery. Encourage your suppliers to report promptly anything on the Portal that seems foreign or strange to them, and consider providing a form where they can easily report activity, data or content that does not match their expectations.

  • Disclosure Controls: Remind personnel that identifiers such as a supplier's EIN and TIN should be treated as privileged information, as private and confidential as their own SSN or bank account number. No matter how public that information may seem, divulging it requires authorized approval.

  • Other Actions: Remember that you do not have to wait for the application team to deliver additional protection.

    1. Implement Zero Trust protection as offered by your trusted vendor/partners.

    2. Make sure public service personnel, for example front desk, understand that sometimes being helpful is being too helpful.

    3. Email servers have multiple layers of protection that need to be enabled, including defining a bounce-back address to identify invalid addresses and reduce the number of emails going astray, and sender authentication (SPF, DKIM and DMARC) so that mail claiming to come from your domain or a supplier's domain can be checked.

    4. Implement outbound protection as well as inbound (for example, outbound mail filtering), so that a compromised account cannot be used to send fraudulent messages.

    5. Ensure privileged users understand they can be a target for Business Email Compromise.

    6. Be aware of wrong number voice and text scams.

    7. Identify and encourage Security Champions.

    8. Changes to any personal information require validation.

    9. Consider, or extend, system monitoring to identify and alert on out-of-hours activity.

    10. Remember to securely shred (think HIPAA) any documents that contain sensitive information rather than simply discarding or recycling them.

    11. Occasionally run very visible security audits.
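
The denied-parties screening described under Require Approvals returns a score rather than a yes/no answer. The following added example, which is not part of this document and not PeopleSoft's Financial Sanctions Service code, shows the kind of name matching behind such a score: it normalizes names (case, punctuation, legal-form suffixes), blends an order-insensitive token overlap with a character-level ratio, and returns every listed party at or above a threshold for a reviewer to look at. The denied-party entries, the 0.7 threshold and the 50/50 weighting are constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed, fictional denied-party entries used only to exercise the matcher.
# They are NOT taken from any real OFAC list.
DENIED_PARTIES = [
    {"id": "DP-0001", "name": "Northwind Maritime Holdings Ltd",
     "aliases": ["Northwind Maritime"]},
    {"id": "DP-0002", "name": "Acme Petrochemical Trading LLC", "aliases": []},
    {"id": "DP-0003", "name": "Ivan Petrov", "aliases": ["Ivan Petroff"]},
]

# Legal-form words that carry no identifying weight and only dilute token overlap.
CORPORATE_SUFFIXES = {"ltd", "limited", "llc", "inc", "incorporated", "corp",
                      "corporation", "co", "company", "gmbh", "sa", "plc"}


def normalize(name):
    """Case-fold, drop punctuation and corporate suffixes, return a token list."""
    tokens = re.findall(r"[a-z0-9]+", name.casefold())
    return [t for t in tokens if t not in CORPORATE_SUFFIXES]


def similarity(a, b):
    """Score in [0, 1]: half token-set overlap (order-insensitive, so
    'Petrov, Ivan' still matches 'Ivan Petrov'), half character-level ratio
    (so spelling variants such as 'Petroff' still score)."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    jaccard = len(set(ta) & set(tb)) / len(set(ta) | set(tb))
    chars = SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    return round(0.5 * jaccard + 0.5 * chars, 3)


def screen(applicant_name, threshold=0.7, denied=DENIED_PARTIES):
    """Return candidate matches at or above the threshold, best score first.
    The threshold is an assumed starting point; tune it on your own data and
    route every hit to a human reviewer rather than auto-rejecting."""
    hits = []
    for entry in denied:
        names = [entry["name"], *entry["aliases"]]
        best = max(similarity(applicant_name, n) for n in names)
        if best >= threshold:
            hits.append({"id": entry["id"], "listed_name": entry["name"], "score": best})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for applicant in ["Northwind Maritime Holdings Limited", "Petrov, Ivan",
                      "Acme Petrochem Trading", "Contoso Office Supplies Inc"]:
        print(applicant, "->", screen(applicant))
```

Run against the constructed list, "Acme Petrochem Trading" scores just above the threshold against DP-0002 and "Contoso Office Supplies Inc" produces no hits; the borderline case is exactly why a hit should open a review task, not close the registration.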

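The Supplier Administrator notification for payment-related changes and the out-of-hours monitoring in the Other Actions list both come down to rules run over your audit records. The following added example, not taken from this document or from PeopleSoft, triages a constructed JSON-lines export of supplier profile events: a change to a payment-related field is HIGH, any activity outside the business window is MEDIUM, and a payment-field change outside hours is CRITICAL. The field names, the 07:00 to 19:00 Monday to Friday window, the assumption that timestamps are in the organization's local time, and the sample events are all constructed for illustration.

```python
import json
from datetime import datetime, time

# Fields whose change must notify the Supplier Administrator. Constructed names;
# map them to the actual fields in your Supplier record.
PAYMENT_FIELDS = {"BANK_ACCT_NUM", "BANK_ROUTING", "REMIT_ADDRESS", "PAYMENT_METHOD"}

# Assumed business window in the organization's local time, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}

# Constructed sample audit events, one JSON object per line. This is not real
# PeopleSoft audit output; it stands in for an export of your audit records.
SAMPLE_EVENTS = """
{"ts": "2024-03-12T10:15:00", "user": "jdoe@northwind.example", "supplier_id": "SUP-1001", "action": "UPDATE", "field": "PHONE"}
{"ts": "2024-03-12T23:40:00", "user": "jdoe@northwind.example", "supplier_id": "SUP-1001", "action": "UPDATE", "field": "BANK_ACCT_NUM"}
{"ts": "2024-03-14T11:05:00", "user": "asmith@acme.example", "supplier_id": "SUP-2002", "action": "UPDATE", "field": "REMIT_ADDRESS"}
{"ts": "2024-03-17T03:10:00", "user": "asmith@acme.example", "supplier_id": "SUP-2002", "action": "LOGIN", "field": null}
"""


def is_out_of_hours(ts):
    """True on weekends or outside the business window."""
    return ts.weekday() not in BUSINESS_DAYS or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def evaluate(event):
    """Return an alert dict for one event, or None if nothing is notable.
    CRITICAL = payment field changed out of hours, HIGH = payment field
    changed, MEDIUM = any other out-of-hours activity."""
    ts = datetime.fromisoformat(event["ts"])
    payment = event["action"] == "UPDATE" and event.get("field") in PAYMENT_FIELDS
    after_hours = is_out_of_hours(ts)
    if not (payment or after_hours):
        return None
    reasons = []
    if payment:
        reasons.append(f"payment-related field {event['field']} changed; "
                       "notify Supplier Administrator and verify out of band")
    if after_hours:
        reasons.append(f"{event['action']} at {ts.strftime('%a %H:%M')} is outside business hours")
    severity = "CRITICAL" if payment and after_hours else "HIGH" if payment else "MEDIUM"
    return {"severity": severity, "ts": event["ts"], "user": event["user"],
            "supplier_id": event["supplier_id"], "reasons": reasons}


def triage(jsonl):
    """Run every event through evaluate() and return the alerts in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["severity"], a["ts"], a["user"], a["supplier_id"], "; ".join(a["reasons"]))
```

On the sample, the phone-number change during the day produces nothing, the late-night bank account change is CRITICAL, the daytime remit-to change is HIGH, and the Sunday login is MEDIUM. The alert text deliberately tells the operator to verify out of band, because the change itself carries the attacker's contact details if the account is compromised.
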
By leveraging the existing robustness of our PeopleSoft system and implementing the recommended actions, you can enhance the security of your Public and Secure Supplier Portals. Your commitment to embracing these measures will undoubtedly foster trust, strengthen partnerships, and reinforce your position as a leading and responsible organization in today's interconnected world.