GRC Compliance Intro NorCal OAUG1

Apr 06, 2018

Rahul Kamath

Transcript
  • 8/3/2019 GRC Compliance Intro NorCal OAUG1

    Slide 1/28

    Evolving from Financial Compliance to Next-Generation GRC

    Gary Prince, Principal Solution Specialist - GRC

  • Slide 2/28: Agenda

    Business Challenges

    Oracle's Leadership in Governance, Risk and Compliance

    Solution Overview

    Solution Demo

  • Slide 3/28: Financial Compliance is Only the First Step

    Pressure mounts to fortify the financial compliance foundation

    1. Regulations Go Beyond Financial Reporting: an increasing number of regulations pose a challenge to sustainable GRC

    2. Vulnerability to Information Breaches: growing recognition that information breaches stem from inside the organization

    3. Real-Time Public Exposure of Misdeeds: instantaneous media communication increases the risk of reputational damage

    Mandates shown on the slide: IT Governance, Patriot Act, E-Discovery, HIPAA, AML, ERM, Records Retention, PCI, Basel II, NERC/FERC, OFAC, CFR

  • Slide 4/28: GRC is the New Normal

    Requirements Increase in Number and Complexity

    Figure: a matrix of compliance requirements along four dimensions (Mandates, Regions, Technology, People)

    Compliance areas: IT Governance, Supply Chain Traceability, Service Level Compliance, Financial Reporting Compliance, Compliance & Ethics Programs, Audit Management, Data Privacy, Records Retention, Legal Discovery, Anti-Money Laundering

    Technology: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications

    People: Legal, Finance, HR, Sales, Suppliers, Customers, R&D, Mfg

    Mandates: SOX, JSOX, HIPAA, Basel II, EU Directives, GLBA, PCI, Patriot Act, SB1386

    Source: Open Compliance and Ethics Group

  • Slide 5/28: New Risks to Your Business: Credit Card / Identity Theft

    TJ Maxx: 8 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $25 million spent to date. Source: 2006 Annual Report, March 2007

    Chipotle: Fast food chain stored full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M. Source: Computerworld, December 2005

    Dollar Tree: Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months. Source: Eweek, August 2006

    Life is Good: Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers. Source: Boston.com, Sept. 2006

  • Slide 6/28: Security Breaches are Increasingly Expensive

    Costs are increasing: breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. In 2006, 31 companies experienced a data breach; the total cost for each loss ranged from $1 million to over $22 million. Source: The Ponemon Institute, October 2006

    Penalties are severe: companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html

  • Slide 7/28: Proactive Security Is Cheaper

    The cost of a breach can reach at least $90 per customer for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data. Source: Gartner Study, 16 September 2005, "Data Protection is less costly than breaches"

  • Slide 8/28: Complementary Compliance Efforts

    Sarbanes-Oxley: requires that public companies have effective internal controls on financial information with independent auditor attestation. Prudent private companies comply as well. It comes down to this:

    Access control: Who has access to what information?

    Auditability: Can you monitor and track access to information?

    Gramm-Leach-Bliley Act: requires that financial institutions safeguard Personally Identifiable Information (PII). Prudent retailers consider GLBA compliance a best practice; personal service depends on secure access to PII.

    Data Privacy: Do your best customers trust you?

  • Slide 9/28: Practical Lessons from Sarbanes-Oxley

    Most organizations progress through a maturity curve

    Figure: number of controls and cost plotted against time, in three stages:

    Year 1 & 2 - DEFINE: manual, redundant efforts

    Year 3 - RATIONALIZE: remediation & standardization

    Year 4+ - AUTOMATE, MONITOR & VERIFY: embedded GRC & operational excellence

    New AS5 Guidance:

    Top-down risk-based approach

    Tailor audit to specific company profile

    External auditors can use work of others as evidence

  • Slide 10/28: Agenda

    Business Challenges

    Oracle's Leadership in Governance, Risk and Compliance

    Solution Overview

    Customer Success

  • Slide 11/28: Oracle's Compliance Solution

    Figure: three layers on a cross-enterprise infrastructure: Policy and Process Management, Enterprise Control Management, Analytics & Performance Management

    End-to-End Policy & Process Management Governs Risk and Compliance Activities

    Enterprise Control Management Detects and Prevents Control Failures

    Integrated Analytics Deliver Actionable Insight

  • Slide 12/28: Oracle Compliance Solution

    Figure and bullets identical to slide 11 (Policy and Process Management, Enterprise Control Management, Analytics & Performance Management on a cross-enterprise infrastructure)

  • Slide 13/28: A World of Paper and Manual Hand-Offs

    Current state of risk and compliance management

    Figure: Business Process Owners, Executives, Auditors and Testers passing documents between one another, captioned "A Fragmented Approach?"

  • Slide 14/28: Content Management is the Cornerstone

    Single system of record for compliance information

    Figure: a central repository providing a single source of information and search, labelled Date Effective, Chain of Custody, All Content Types, Secure Enterprise Search

    Link policies and procedures to laws, regulations, and standards as evidence of compliance

    Apply and track permission-based access to policy and procedure documents

    Leverage advanced search function with familiar look and feel

  • Slide 15/28: Manage Policies and Procedures

    Align policies to best-practice frameworks

    Figure: Embedded Frameworks (COSO, COBIT, ITIL) and Master Libraries of Policies & Controls

    Frameworks align corporate policies and associated controls to standards

    Link shared policies and controls in master libraries for easy maintenance

  • Slide 16/28: Manage Financial Compliance Process

    Automate and streamline the compliance process

    Figure: a workflow of Assess/Audit, Analyze, Document, Respond and Certify steps, with an inbox notifying owners of tasks and a workflow hand-off between each step

    Chart: 65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. What are the resulting effects? Increased general operating expenses (71%), Increased cost of reconciling information (69%), Reduced margins (32%), Higher cost from suppliers (15%), Higher cost of capital (10%). Source: 2007 OCEG Benchmark Series

  • Slide 17/28: Oracle Financial Compliance Solution

    Figure and bullets identical to slide 11 (Policy & Process Management, Enterprise Control Management, Analytics & Performance Management on a cross-enterprise infrastructure)

  • Slide 18/28: Segregation of Duties for Applications

    Detect access violations

    Figure: an employee's access is checked against a library of SOD constraints (pre-delivered content); a detected violation leads to corrective measures, the violation is cleared and access is authorized, with evidence of due diligence retained as process evidence

    User access deviations detected across instances

    Continuous monitoring through reporting

  • Slide 19/28: Role-Based Access to Applications

    Prevent access violations

    Figure: assignment of roles to an employee is checked against the SOD policy when the user profile is set up; the grant of a conflicting role is denied (violation prevention), and certification confirms who has access to what

    Integrated framework for user provisioning

    Set up of user profiles with library of constraints

    Segregation of duties prevention and certification across heterogeneous systems
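The detective check on slide 18 and the preventive check on slide 19 share one library of SoD constraints. The Python below is an added example, not Oracle's code: it scans constructed role assignments across two application instances for conflicts, refuses a role grant that would create one, and re-runs detection after a corrective revoke so the cleared state can be kept as evidence. Constraint ids, role names and instance names are all constructed.

```python
# Added example, not Oracle's code: a minimal segregation-of-duties (SoD)
# engine with the three pieces slides 18 and 19 describe: a library of SoD
# constraints, detective scanning of existing access across instances, and a
# preventive check that denies a role grant which would create a conflict.
# Constraint ids, role names and instance names are constructed.
from collections import defaultdict
from copy import deepcopy

# Library of SoD constraints: pairs of roles one person must not hold together.
SOD_CONSTRAINTS = {
    "SOD-001": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    "SOD-002": ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"),
    "SOD-003": ("PO_CREATE", "GOODS_RECEIPT"),
}

# Constructed role assignments: instance -> user -> roles held there.
ASSIGNMENTS = {
    "EBS-PROD": {"alice": {"AP_INVOICE_ENTRY"}, "bob": {"PO_CREATE"}},
    "EBS-EMEA": {"alice": {"AP_PAYMENT_RELEASE"}, "bob": {"GOODS_RECEIPT", "PO_CREATE"}},
}

def effective_roles(assignments):
    """Union each user's roles across instances: user -> role -> instances granting it."""
    roles = defaultdict(dict)
    for instance, users in assignments.items():
        for user, held in users.items():
            for role in held:
                roles[user].setdefault(role, set()).add(instance)
    return roles

def detect_violations(assignments, constraints=SOD_CONSTRAINTS):
    """Detective control: (user, constraint_id, instances involved) for every conflict."""
    found = []
    for user, held in effective_roles(assignments).items():
        for cid, (r1, r2) in constraints.items():
            if r1 in held and r2 in held:
                found.append((user, cid, tuple(sorted(held[r1] | held[r2]))))
    return sorted(found)

def check_grant(user, new_role, assignments, constraints=SOD_CONSTRAINTS):
    """Preventive control: (allowed, violated constraint ids) for a proposed role grant."""
    held = set(effective_roles(assignments).get(user, {}))
    hits = [cid for cid, pair in constraints.items()
            if new_role in pair and (set(pair) - {new_role}) <= held]
    return (not hits, hits)

def remediate(assignments, instance, user, role):
    """Corrective measure: revoke a role (on a copy) and return the remaining violations."""
    cleaned = deepcopy(assignments)
    cleaned[instance][user].discard(role)
    return detect_violations(cleaned)
```

Note that alice's conflict only appears when roles are unioned across instances, which is the "across instances" point of slide 18.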

  • Slide 20/28: Control Privileged User Access

    Take away the keys of the kingdom

    Figure: a super DBA tries to access financial tables during a quiet period and is denied; DBA access is scoped by an HR Realm and a FIN Realm

    Protect from insider threats by ensuring powerful users have access to only what they need to do their job

    Restrict access to sensitive data and ascertain that users are who they state themselves to be

  • Slide 21/28: Control Privileged User Access (continued)

    Take away the keys of the kingdom

    Figure: critical data (National ID/SSN, e.g. 782-03-0275; Salary $; Customer Records) guarded by super-user access controls: Realms (HR Realm and FIN Realm, each with its own HR DBA or FIN DBA), Time of Day (3pm Monday) and DBA IP Address

    Protect from insider threats by ensuring powerful users have access to only what they need to do their job

    Restrict access to sensitive data and ascertain that users are who they state themselves to be
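Slides 20 and 21 describe realms that fence critical tables off from super users, with time-of-day and source-address factors applied even to the realm's own DBA. The following Python is an added example, not Oracle's code: a policy evaluator that reproduces the slide's scenario (a super DBA denied on financial tables during a quiet period) and the factor checks. Realm contents, user names, the quiet-period dates and the admin subnet are constructed.

```python
# Added example, not Oracle's code: a policy evaluator modelling the controls
# on slides 20-21: realms that fence off critical data from super users, plus
# time-of-day and source-address factors that apply even to a realm's own DBA.
# Realm, user, date and address values are constructed for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Realms: protected objects and which privileged users are authorized in them.
REALMS = {
    "FIN": {"objects": {"FIN.GL_BALANCES", "FIN.AP_INVOICES"}, "owners": {"fin_dba"}},
    "HR":  {"objects": {"HR.EMPLOYEES", "HR.SALARIES"},       "owners": {"hr_dba"}},
}
# Factors that must hold even for an authorized realm owner.
FACTORS = {
    "allowed_hours": (8, 18),                      # 08:00-18:00 local time, weekdays only
    "admin_network": ip_network("10.20.30.0/24"),  # constructed DBA workstation subnet
}
# Quiet periods (e.g. financial close) during which a realm is frozen for everyone.
QUIET_PERIODS = {"FIN": [(datetime(2024, 3, 29), datetime(2024, 4, 3))]}

def realm_of(obj):
    """Name of the realm protecting obj, or None if it is an ordinary object."""
    return next((name for name, r in REALMS.items() if obj in r["objects"]), None)

def in_quiet_period(realm, when):
    return any(start <= when < end for start, end in QUIET_PERIODS.get(realm, []))

def authorize(user, has_dba_privilege, src_ip, when_iso, obj):
    """Return (allowed, reason). Objects outside every realm keep the normal privilege check."""
    when = datetime.fromisoformat(when_iso)
    realm = realm_of(obj)
    if realm is None:
        return (has_dba_privilege, "outside any realm: regular privilege check")
    # Realm membership overrides system-wide DBA privilege: a super DBA is not enough.
    if user not in REALMS[realm]["owners"]:
        return (False, f"{user} is not an authorized owner of realm {realm}")
    if in_quiet_period(realm, when):
        return (False, f"realm {realm} is in a quiet period")
    start, end = FACTORS["allowed_hours"]
    if when.weekday() > 4 or not (start <= when.hour < end):
        return (False, "outside allowed hours")
    if ip_address(src_ip) not in FACTORS["admin_network"]:
        return (False, f"source {src_ip} is not on the admin network")
    return (True, f"{user} authorized in realm {realm}")
```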

  • Slide 22/28: Verify System Configurations

    Automate and monitor application controls

    Figure: the Procure-to-Pay process (Requisition, Purchase Goods/Services, Receive Goods/Services, Invoice, Issue Payments, shown on SAP) across Procurement, Inventory and Accounts Payable, with monitoring points for changes to expensing rules, changes to price tolerance percentage, changes to document numbering, discounting rules, and ensuring the internal requisition source

    Monitors over 500 key configuration settings across instances

    Before and after snapshot of changes to settings with ability to revert back

    Automatic alerts notify managers as exceptions occur
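The three bullets above describe one control: snapshot monitored settings, diff before and after, alert on exceptions, and revert. The Python below is an added example, not Oracle's code, that implements that loop for a handful of constructed Procure-to-Pay settings (the price tolerance percentage, discounting, document numbering and expensing rules named on the slide); setting names, policy limits and values are constructed.

```python
# Added example, not Oracle's code: before/after snapshot comparison for the
# configuration-monitoring control on slide 22: monitored settings with a
# policy each must satisfy, a baseline snapshot, change detection that raises
# an alert per changed key (flagged as an exception when the new value breaks
# policy), and a revert to the baseline. Setting names and values are constructed.
from copy import deepcopy

# Monitored key configurations and the policy each must satisfy.
MONITORED = {
    "PO.PRICE_TOLERANCE_PCT": {"max": 10},                  # numeric ceiling
    "AP.DISCOUNT_RULE":       {"allowed": {"EARLY_PAY", "NONE"}},
    "GL.DOC_NUMBERING":       {"allowed": {"SEQUENTIAL"}},
    "AP.EXPENSE_RULE":        {"allowed": {"GL_DATE", "INVOICE_DATE"}},
}

# Constructed settings of one instance: the approved baseline and a later state
# in which a buyer raised the tolerance and someone changed the expensing rule.
BASELINE_SETTINGS = {"PO.PRICE_TOLERANCE_PCT": 5, "AP.DISCOUNT_RULE": "EARLY_PAY",
                     "GL.DOC_NUMBERING": "SEQUENTIAL", "AP.EXPENSE_RULE": "GL_DATE",
                     "PO.DEFAULT_BUYER": "jdoe"}           # not monitored
CHANGED_SETTINGS = dict(BASELINE_SETTINGS, **{"PO.PRICE_TOLERANCE_PCT": 25,
                                               "AP.EXPENSE_RULE": "INVOICE_DATE"})

def take_snapshot(instance, settings, when):
    """Record only the monitored settings of an instance, with where and when."""
    return {"instance": instance, "taken": when,
            "settings": {k: settings[k] for k in MONITORED if k in settings}}

def policy_violation(key, value):
    """Reason the value breaks the key's policy, or None if it is acceptable."""
    rule = MONITORED[key]
    if "max" in rule and value > rule["max"]:
        return f"{key}={value} exceeds maximum {rule['max']}"
    if "allowed" in rule and value not in rule["allowed"]:
        return f"{key}={value} not in allowed set"
    return None

def compare(before, after):
    """Before/after diff: one alert per changed monitored key; 'exception' is set if policy is broken."""
    alerts = []
    for key in MONITORED:
        old, new = before["settings"].get(key), after["settings"].get(key)
        if old != new:
            alerts.append({"instance": after["instance"], "key": key, "before": old,
                           "after": new, "exception": policy_violation(key, new),
                           "when": after["taken"]})
    return alerts

def revert(current_settings, baseline):
    """Restore monitored keys to the baseline snapshot; unmonitored keys are left as they are."""
    restored = deepcopy(current_settings)
    restored.update(baseline["settings"])
    return restored
```

A change inside policy (the expensing rule switching between two allowed values) is still reported, so the audit trail is complete, but only the out-of-tolerance change carries an exception for the manager.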

  • Slide 23/28: Anticipate Auditor Requirements with Evidence of Enforcement

    Prevent unauthorized system configuration changes with diagnostics

    Deliver auditor-ready reports for process certification and remediation analysis

    Identify top audit alerts by application, system, and audit event

    Provide evidence of best-practice periodic attestation

    Identify trends in control performance with snapshot comparisons

    Review complete audit trail for any changes to control elements

    Serves both IT Audit and Financial Audit

  • Slide 24/28: Oracle Financial Compliance Solution

    Figure and bullets identical to slide 11 (Policy and Process Management, Enterprise Control Management, Analytics & Performance Management on a cross-enterprise infrastructure)

  • Slide 25/28: Oracle Financial Compliance Solution Summary

    Figure: three pillars: policy and process management govern risk and compliance activities; enterprise control management detects and prevents control failure; integrated financial compliance analytics deliver actionable insight

    Control user access & enforce segregation of duties with business-driven rules

    Reduce risk of fraud with continuous monitoring of automated controls

    Enforce effective preventive and detective controls across all systems

    Leverage a single source of GRC information across departments, units and locations

    Improve risk responsiveness with timely control and performance analytics

    Tailor GRC intelligence to the needs of your specific organization and function

    Reduce cost and complexity by managing multiple global financial mandates with one system

    Rely on tamper-proof chain of evidence for all financial compliance processes

    Align policies and processes with best-practice risk and control frameworks

  • Slide 26/28: Why Choose Oracle GRC?

    Only Oracle:

    Governs Risk and Compliance Activities with Policy & Process Mgmt: reduce cost and complexity by managing global financial mandates with one system; rely on tamper-proof chain of evidence for all compliance processes; align policies and processes with best-practice risk and control frameworks

    Detects and Prevents Control Failures with Enterprise Control Mgmt: control user access & enforce segregation of duties with business-driven rules; reduce risk of fraud with continuous monitoring of automated controls; enforce effective preventive and detective controls across all systems

    Delivers GRC Insight for Better Business Performance: leverage a single source of GRC information across departments and locations; improve risk responsiveness with timely control and performance analytics; tailor GRC intelligence to the needs of your specific organization and function

  • Slide 27/28: Oracle Governance, Risk, and Compliance

    Simplify GRC and Reduce Costs

    Safeguard Brand and Reputation

    Run Your Business Better and Prove It
