Governance, Risk, and Compliance: Not Just for SOX Anymore
Bo Weingaertner, Retail GRC Product Specialist, Oracle
Dave Nonnemacher, Retail GRC Product Specialist, Oracle
The Big Picture
Objectives: Strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization
Business Model: Strategy, people, process, technology and infrastructure in place to drive toward objectives
Voluntary Boundary: Boundary defined by management, including public commitments, organizational values, contractual obligations, and other voluntary policies
Repository: GRC processes for highly regulated and risk-sensitive industries
A World of Paper and Manual Hand-Offs: Current state of risk and compliance management
(Diagram: A Fragmented Approach, with question marks between Auditors, Business Process Owners, Executives and Testers)
Content Management is the Cornerstone: Single system of record for compliance information
(Diagram: Central Repository with Secure Enterprise Search, Date-Effective content, Chain of Custody, All Content Types, Single Source of Information)
• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel
Manage Policies and Procedures: Align policies to best-practice frameworks
(Diagram: Master Libraries of Policies & Controls; Embedded Frameworks (COSO, COBIT, ITIL))
• Frameworks align corporate policies and associated controls to standards
• Link shared policies and controls in master libraries for easy maintenance
Manage IT GRC Processes and Content: Reduce Cost and Control Risk with Oracle GRC Manager
• End-to-End IT Governance Process Management
• Centralized IT Governance Content Management
(Process cycle diagram with five phases: Document (Risk-Control Matrix, COSO/COBIT Frameworks, Policies and Procedures, Evidence & Records Retention); Assess (Perform Self-Assessment, Test Manual Controls, Scope Audits, Monitor Automated Controls); Analyze (Receive Alerts, Review Reports, Investigate Exceptions); Respond (Remediate, Retest, Optimize); Certify (Sign-off and Publish))
COMPANY OVERVIEW
• Leading coal production and marketing company in North America
• Headquartered in Tulsa, Oklahoma
• ARPL manages Alliance Coal of Lexington, Kentucky
• $931 million revenue in 2006
• 2,300 employees
CUSTOMER PERSPECTIVE
“Some of the products we seriously looked at in 2004 no longer existed in 2005. We were looking for a company committed for the long-term, committed to the product and enhancing the feature set.” - Guy Mayberry, Manager of Financial Applications
CHALLENGES/OPPORTUNITIES
• Streamline burdensome, ad hoc financial compliance management processes
• Automate processes based on the COSO standard for internal controls
• Reduce compliance costs by pushing accountability down to business process owners
• Manage and archive unstructured data, with the ability to track version history
• Leverage the solution for Sarbanes-Oxley and all internal audit needs
RESULTS
• Reduced reliance on manual spreadsheets, with a compliance process turnaround time reduction of 28%
• Licence and implementation costs were recovered within the first year
• Sustainable, web-based certification and attestation
• Granular Segregation of Duties tracking and reporting
• Identification and management of all in-scope structured and unstructured data
• Leveraged to a range of operational and environmental compliance management and reporting requirements
GRCM SOLUTIONS
• Oracle GRC Manager
Segregation of Duties for Applications: Detect access violations
(Diagram: Pre-delivered content (Library of SOD Constraints) → Employee → Check for Violations → Violation Detection → Corrective Measures → Violation Cleared / Authorized Access; process evidence records Due Diligence and Cleared Access)
• User access deviations detected across instances
• Continuous monitoring through reporting
Role-Based Access to Applications: Prevent access violations
(Diagram: Assignment of Roles to Employee → Set Up of User Profile checked against SOD Policy → Violation Prevention (Denied Grant of Role); Certification of Who Has Access to What)
• Integrated framework for user provisioning
• Set up of user profiles with library of constraints
• Segregation of duties prevention and certification across heterogeneous systems
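The detective and preventive checks described on these two slides, as an added example that is not part of the original deck or of Oracle GRC Manager; the constraint library, role definitions and user assignments are constructed samples:

```python
"""Segregation-of-duties checks in both modes shown on the slides above:
detective (scan existing access across application instances) and
preventive (deny a role grant that would create a conflict). Constructed example."""

# Constructed SOD constraint library: entitlement pairs one person must not hold.
SOD_CONSTRAINTS = {
    ("create_vendor", "approve_payment"): "Fictitious vendor payment",
    ("post_journal", "approve_journal"): "Unreviewed journal posting",
    ("maintain_user", "assign_role"): "Self-granted access",
}

# Constructed role definitions per application instance (role -> entitlements).
ROLE_ENTITLEMENTS = {
    "ERP-PROD": {"AP_CLERK": {"create_vendor"}, "AP_MANAGER": {"approve_payment"},
                 "GL_USER": {"post_journal"}, "GL_APPROVER": {"approve_journal"}},
    "ERP-EMEA": {"AP_APPROVER": {"approve_payment"}},
}

# Constructed user assignments: user -> {instance: [roles]}.
ASSIGNMENTS = {
    "alice": {"ERP-PROD": ["AP_CLERK"], "ERP-EMEA": ["AP_APPROVER"]},  # conflict spans two instances
    "bob": {"ERP-PROD": ["AP_CLERK"]},
    "carol": {"ERP-PROD": ["GL_USER", "GL_APPROVER"]},
}

def entitlements_for(user_roles):
    """Flatten a user's roles across every instance into one entitlement set."""
    held = set()
    for instance, roles in user_roles.items():
        for role in roles:
            held |= ROLE_ENTITLEMENTS.get(instance, {}).get(role, set())
    return held

def violations(held):
    """Constraints whose entitlement pair is fully contained in the held set."""
    return sorted((pair, risk) for pair, risk in SOD_CONSTRAINTS.items() if set(pair) <= held)

def detect(assignments):
    """Detective control: report every user with at least one SOD violation."""
    found = {}
    for user, roles in assignments.items():
        hits = violations(entitlements_for(roles))
        if hits:
            found[user] = hits
    return found

def can_grant(user_roles, instance, role):
    """Preventive control: (allowed, new_conflicts) for a proposed role grant."""
    before = violations(entitlements_for(user_roles))
    after = violations(entitlements_for(user_roles) | ROLE_ENTITLEMENTS[instance].get(role, set()))
    new = [v for v in after if v not in before]
    return (not new, new)
```

Flattening entitlements across instances is what makes alice's conflict visible, since neither system alone holds both halves of the pair.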
Enforce Proper Configurations: Apply Key IT Controls with Oracle Configuration Management
(Diagram: Gather, Model, Enforce, Reconcile, Audit, each governed by a Recipient Policy)
• Centrally collect and manage all system configuration information
• Apply database and schema definitions to create baselines
• Evaluate configurations and maintain set-up standards according to policies
• Deploy certified configurations, patches, and images across systems
What Customers Are Saying
“Oracle provides us with a robust content and records management environment that addresses our compliance needs, integrates into our existing business processes, and is easy for our people to use.”
-- Loren Dugan, IT Director, POWER Engineers
“By using the application controls monitoring capabilities within Oracle, ViaSat can effectively and efficiently look across the organization at critical setups to ensure that the automated controls we rely on aren’t being compromised by various access or change parameters. From a monitoring aspect, it’s a huge efficiency going forward.”
-- Ron Wangerin, CFO, ViaSat
“Oracle Governance, Risk, and Compliance Manager enables us to distribute Sarbanes-Oxley activities to employees across Unum, helping us become more efficient, which in turn allows us to recognize a compliance return on investment.”
-- Danny Waxenberg, Unum, AVP for Internal Controls
Oracle Governance, Risk, and Compliance: Integrated Business Insight Ensures Accountability
• Improve governance with timely compliance, risk, and performance management info
• Provide evidence of IT and business process control with auditor-ready reporting
• Optimize business performance through risk-aware strategic planning
(Architecture diagram: Processes (Risk & Compliance Mgmt, Controls Management, Policy Mgmt, Industry Specific); Insight (Risk & Control Intelligence, Operational Intelligence); Infrastructure Services (Data Security, Identity Mgmt, Content Mgmt, Change Mgmt, Data Audit, Performance Management, Repository); Applications (Oracle, SAP, Custom, Legacy, Other))
Enterprise Visibility to GRC: Secured and targeted delivery of role-based dashboards
(Screenshot: Oracle GRC Manager notification: “This is to notify you of AML and SOX alerts. The Executive Dashboard is awaiting your review. Please use the following link to access your reports: Go To ‘Executive Dashboard’”)
Summarized view of key information highlighting potential trouble areas
Getting to the Root of the Issue: Drill down from dashboard to detailed transaction
Anticipate Auditor Requirements with Evidence of Enforcement
IT Audit
• Prevent unauthorized system configuration changes with diagnostics
• Identify top audit alerts by application, system, and audit event
• Provide evidence of best-practice periodic attestation
Financial Audit
• Deliver auditor-ready reports for process certification and remediation analysis
• Identify trends in control performance with snapshot comparisons
• Review complete audit trail for any changes to control elements
Oracle Governance, Risk, and Compliance: Best-in-Class Infrastructure Automates Enforcement
• Ensure information reliability with content security, records retention, and identity management
• Protect information assets across the entire technology stack
• Enforce best-practice segregation of duties, configuration and change management procedures
(Architecture diagram: Processes (Risk & Compliance Mgmt, Controls Management, Policy Mgmt, Industry Specific); Insight (Risk & Control Intelligence, Operational Intelligence); Infrastructure Services (Data Security, Identity Mgmt, Content Mgmt, Change Mgmt, Data Audit, Performance Management, Repository); Applications (Oracle, SAP, Custom, Legacy, Other))
Oracle Information Protection & Privacy: Applications
Control User Access and Authorization; Enforce Segregation of Duties
(Diagram: external users (Partners, Customers, SOA Apps) and internal users (Employees, IT Staff, SOA Apps) reach Systems & Repositories (Applications: ERP, CRM, HR, SCM, Mainframe; NOS/Directories; OS (Unix)) through Access Management, Identity Administration, Directory Services and Identity Provisioning, with Auditing and Reporting and Monitoring and Management across the stack)
• Restrict access to applications based on business policy
• Certify who had access to what via automated attestation
• Automate compliance auditing with out-of-the-box reports
What Our Customers are Achieving
-- Reduced risk analysis reporting time by 75%
-- Achieved a 20% improvement in data quality and greater visibility and forecast accuracy
-- Oracle Access Manager and Identity Federation saves $30 a month per employee on password administration, for a total savings of US $1.2 million per month
-- Gained visibility, control, and ability to enforce compliance while saving US $700,000 per year on reduced password resets with Oracle Access Manager
Secure Privileged User Access: Oracle Database Vault
(Diagram: Critical data (National ID/SSN, Salary, Customer Records) is protected by Realms (HR Realm for the HR DBA, FIN Realm for the FIN DBA); Super User Access Controls use factors such as Time of Day (3pm Monday) and DBA IP Address)
• Realms and command rules enable customers to easily restrict access to application data from the DBA and other powerful users
• Multi-factor authorization significantly increases security
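How a realm and a multi-factor command rule combine to decide an access request, as an added example that is not Oracle Database Vault code; the realm names, factor values and policy below are constructed assumptions:

```python
"""Realm and command-rule evaluation modelled on the slide above: a realm fences
application data off from DBA-level users, and a command rule adds time-of-day and
IP-address factors. Constructed example; realm names and policy values are assumed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Realm:
    name: str
    protected: set   # objects inside the realm
    authorized: set  # accounts allowed through the realm; everyone else is blocked

@dataclass
class CommandRule:
    allowed_hours: range  # time-of-day factor
    allowed_days: set     # weekday factor, Monday = 0
    allowed_net: str      # client IP factor (CIDR)

REALMS = [Realm("HR Realm", {"HR.EMPLOYEES", "HR.SALARIES"}, {"HR_APP"}),
          Realm("FIN Realm", {"FIN.CUSTOMERS", "FIN.LEDGER"}, {"FIN_APP"})]
RULES = {"ALTER TABLE": CommandRule(range(9, 18), {0, 1, 2, 3, 4}, "10.20.0.0/16")}
MONDAY_3PM = datetime(2007, 4, 16, 15, 0)  # the "3pm Monday" factor shown on the slide
SUNDAY_3PM = datetime(2007, 4, 15, 15, 0)

def realm_allows(user, obj):
    """Objects inside a realm are reachable only by its authorized accounts, even
    for a DBA; objects outside any realm fall through to normal grants."""
    for realm in REALMS:
        if obj in realm.protected:
            return user in realm.authorized, realm.name
    return True, None

def rule_allows(command, when, client_ip):
    """Command rule: every factor must match; commands without a rule pass."""
    rule = RULES.get(command)
    if rule is None:
        return True
    return (when.hour in rule.allowed_hours and when.weekday() in rule.allowed_days
            and ip_address(client_ip) in ip_network(rule.allowed_net))

def authorize(user, command, obj, when, client_ip):
    """Multi-factor authorization: realm check and command rule must both pass."""
    ok, realm = realm_allows(user, obj)
    if not ok:
        return False, f"blocked by {realm}"
    if not rule_allows(command, when, client_ip):
        return False, f"{command} denied: outside allowed time or network"
    return True, "allowed"
```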
Enforce Data Privacy: Oracle Advanced Security Option
• Oracle Transparent Data Encryption
  • Easily encrypt sensitive data by columns
  • Requires no changes to applications
• Network Encryption
  • Protect sensitive data as it travels across the network
  • Leverage industry-leading encryption algorithms
• Data Integrity
  • Safeguard data from unauthorized modification
Protect Cardholder Data: Oracle Transparent Data Encryption, Oracle Secure Backup, Oracle Virtual Private Database, Oracle Advanced Security Option, Oracle Application Server, Oracle Retail Applications
Maintain a Vulnerability Management Program: Enterprise Manager, Change Management Pack, Oracle