IT Governance for Compliance - Tom Philpott (04-05-06)
TRANSCRIPT
ETS / 18.04.23 / 2 Software AG
Driving Compliance Action
Sarbanes-Oxley Act of 2002 – Response to financial scandals
• Requires public companies to certify the effectiveness of internal controls
• Section 404 requires documentation and testing of key processes and controls
Compliance has often required:
• Time-consuming, manual processes
• Hiring additional people
• Inadequate software
• Outsourcing to consultants
Compliance Costs Growing
Financial compliance spending alone will grow by more than 19% annually through 2008.
–Gartner Research, August 2005
According to a survey of 217 public companies with average revenues of $5 billion, the average cost of complying with ONLY section 404 of Sarbanes-Oxley will be $4.36 million in 2005.
–Financial Executives International Survey – March, 2005
According to a member survey, nearly half of CEOs of large companies said SOX and other new compliance requirements would cost in excess of $10 million annually.
–Business Roundtable Survey, March, 2005
50% of the companies that generate more than $5B in annual revenue spent in excess of 50,000 hours on SOX compliance in 2004.
–Ernst & Young Research
How Technology Can Help
Technology enablement of key compliance processes:
• Optimize and integrate key business application-level controls
• Automate manual controls related to structured and unstructured data
• Improve integration of information security with business needs
• Improve IT asset management and patch management processes
• Improve IT governance (e.g., change management processes)
Why IT Cannot Escape the Burden of Compliance Requirements
Regulatory compliance impacts most industries:
• HIPAA – Patient Privacy
• BASEL II – Intl Banking: Capital Measurement and Standards
• Sarbanes-Oxley – Financial Reporting & Internal Controls
• Gramm-Leach-Bliley – Privacy of Nonpublic Personal Information (Financial)
• … and other regulations
Auditing Requires Understanding Transaction/Information Flows
Since these flows go through applications & support systems, the need to provide a control framework for IT has become mandatory.
Frameworks Provide the Bridge Between IT Governance and Compliance
IT Governance is the set of policies, processes, and procedures that direct & control what IT does.
Essential Objectives of Internal Control Systems:
• Economy and efficiency of operations
• Safeguarding of assets
• Achievement of performance goals
• Reliability of financial and management reports
• Compliance with laws and regulations
Internal Controls serve to minimize errors and discourage fraud.
Leading Frameworks include:
• COBIT – Control Objectives for Information and Related Technologies – IT Governance Institute and the Information Systems Audit and Control Association (ISACA) – www.isaca.org/cobit
• ITIL – IT Infrastructure Library – Office of Government Commerce (OGC) and itSMF – www.itil.co.uk
• ISO 17799 – Security Standards – International Organization for Standardization – www.iso.org
IT Governance: COBIT IT Processes and Domains
PLANNING & ORGANIZATION
• PO1 define a strategic IT plan
• PO2 define the information architecture
• PO3 determine the technological direction
• PO4 define the IT org. and relationships
• PO5 manage the IT investment
• PO6 communicate mgmt. aims and direction
• PO7 manage human resources
• PO8 ensure compliance with external rqmts.
• PO9 assess risks
• PO10 manage projects
• PO11 manage quality
ACQUISITION & IMPLEMENTATION
• AI1 identify automated solutions
• AI2 acquire and maintain application software
• AI3 acquire and maintain technology infrastructure
• AI4 develop and maintain procedures
• AI5 install and accredit systems
• AI6 manage changes
DELIVERY & SUPPORT
• DS1 define and manage service levels
• DS2 manage third-party services
• DS3 manage performance and capacity
• DS4 ensure continuous services
• DS5 ensure systems security
• DS6 identify and allocate costs
• DS7 educate and train users
• DS8 assist and advise customers
• DS9 manage the configuration
• DS10 manage problems and incidents
• DS11 manage data
• DS12 manage facilities
• DS13 manage operations
MONITORING
• M1 monitor the processes
• M2 assess internal control adequacy
• M3 obtain independent assurance
• M4 provide for independent audit
INFORMATION criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT RESOURCES: People, Application systems, Technology, Facilities, Data
COBIT IT Control Objectives & PCAOB Auditing Standards for Sarbanes-Oxley
COBIT Control Objectives:
1 Acquire and develop application software
2 Acquire technology infrastructure
3 Develop and maintain policies and procedures
4 Install and test application software and technology infrastructure
5 Manage changes
6 Define and manage service levels
7 Manage third-party services
8 Ensure systems security
9 Manage the configuration
10 Manage problems and incidents
11 Manage data
12 Manage operations
PCAOB IT Controls (the objectives above are mapped against these categories): Program Development, Program Changes, Computer Operations, Access to Programs & Data
Source: “IT Control Objectives for Sarbanes-Oxley” – COBIT Guidance by IT Governance Institute
Identifying IT Controls for Sarbanes-Oxley
• Understand financial reporting process
• Identify significant systems
• Determine location criticality
• Perform risk assessment
Source: “IT Control Objectives for Sarbanes-Oxley” – COBIT Guidance by IT Governance Institute
Control Challenges of a Complex IT Environment
[Diagram: the layers of a complex environment, each a separate control challenge]
• Multiple Access Points to Systems: Portals, Web Apps, SOA/Web Services; Request/Response, Asynch Messaging, Batch
• Multiple Design Environments: Natural Studio; Design, Wizards, Tools
• Multiple Databases: Adabas, IMS, VSAM; SQL, DB2, Oracle, XML
• Multiple Environments: Mainframe, Unix, Linux
• Multiple Applications: Financial Apps, Process Apps, Logistic Apps, etc.
• Business User Data Access: Crystal Reports, MS Office
• Administration: Security, Monitoring, Auditing & Logging
What if you could…
Confidently demonstrate to your executive management/compliance officers that you have IT Controls in place to:
• Secure access to your programs and data
• Manage the application change management process
• Monitor the access and changes made to your programs & data
• Ensure information and operational processes are available when you need it, as soon as you need it, especially in case of audit
And provide succinct reports that show:
• WHO accessed WHAT data, WHEN and HOW
• WHO made WHAT changes to your applications and WHEN
Control Objectives supported by Software AG Solutions
IT Controls: Access, Change Mgt, Monitoring, Security
• Manage Changes – Test, validate & authorize changes prior to move to production
• Monitor & Report – View of performance, access, errors, security
• Ensure Systems Security – Secure to prevent unauthorized use, disclosure, modification, loss
• Access to Programs & Data – Ensure Continuous Services and information availability
Create Confidence with Applicable IT Controls for Adabas and Natural Systems
IT Controls: Access, Change Mgt, Monitoring, Security
• Change Management – Predict Application Control (PAC)
• Monitoring & Reporting – Adabas REVIEW; Natural Productivity Pack
• Security – Natural SAF Security; Natural Security; Adabas Security; Adabas SAF Security
• Access to Programs & Data – High Availability: Parallel Services, Cluster Services (IBM Parallel Sysplex Support); Disaster Recovery: Event Replicator for Adabas; Archiving: Adabas Vista
Create Confidence with IT Governance
Enforce Change Management Procedures with Predict Application Control
Control the System Development Lifecycle (SDLC)
• One Change Management System to control Programs, Database Maintenance, and Metadata
• Controlled migration of Natural, COBOL, JCL, and Assembler Objects
Other Key Features:
• Unique test plan
• Segregation of duties
• Synchronization of changes
• Easy to use GUI
• Mixed environment controls
• Expedited path for emergencies
• Migration
• Security
• Archiving
• Auditing
• Reporting
Compliance with COBIT: Manage Changes
COBIT Control Guidance vs. IT Governance Pack Features
• Guidance: Requests for changes are standardized, documented and subject to formal change management procedures.
  Features: Only authorized/approved changes are moved into production; control migration of changes through SDLC; requests & process are documented.
• Guidance: Emergency change requests are documented and subject to formal change mgt procedures.
  Features: Expedited path for non-scheduled maintenance; emergency change requests are executed immediately; full audit trail; subject to formal change mgt procedures post implementation.
• Guidance: Controls in place to restrict migration to production; duties segregated between staff responsible for moving programs into production and development staff; setup and implementation of system software do not jeopardize security of data and programs.
  Features: Test changes in development before they are applied to production; backout procedures exist.
Ensures Integrity of Financial Reporting Systems
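The controls in the table above (documented request, independent approval, segregation of duties between developer and mover, test before production, backout plan, and a post-implementation review for the emergency path) can be expressed as a policy gate. This is an added example, not code from Predict Application Control or any Software AG product; the ChangeRequest fields and the rule wording are assumptions made for illustration.

```python
"""Added example (not Predict Application Control or any Software AG code): a
policy-as-code gate that checks a change request against the COBIT 'Manage
Changes' guidance listed above before an object moves to production.
The ChangeRequest fields and rule wording are invented for illustration."""
from dataclasses import dataclass, field

@dataclass
class ChangeRequest:
    change_id: str          # standardized, documented request
    developer: str          # who wrote the change
    mover: str              # who migrates it into production
    approver: str = ""      # independent approval for scheduled changes
    tested_in_dev: bool = False
    backout_plan: bool = False
    emergency: bool = False          # expedited path for non-scheduled maintenance
    post_review_done: bool = False   # formal change-management review after the fact
    audit_trail: list = field(default_factory=list)

EMERGENCY_FOLLOW_UP = "emergency change awaiting post-implementation review"

def migration_violations(cr):
    """Return every control the request fails; an empty list means fully compliant."""
    v = []
    if not cr.change_id:
        v.append("request is not documented (no change id)")
    if cr.mover == cr.developer:
        v.append("segregation of duties: developer cannot migrate own change")
    if not cr.tested_in_dev:
        v.append("change not tested in development before production")
    if not cr.backout_plan:
        v.append("no backout procedure")
    if cr.emergency:
        if not cr.post_review_done:
            v.append(EMERGENCY_FOLLOW_UP)
    elif not cr.approver or cr.approver == cr.developer:
        v.append("no independent approval for a scheduled change")
    return v

def can_migrate(cr):
    """Scheduled changes must be clean. Emergency changes may move immediately, but
    the pending post-implementation review stays on the audit trail as an open item."""
    violations = migration_violations(cr)
    blocking = [x for x in violations if x != EMERGENCY_FOLLOW_UP]
    allowed = not blocking
    cr.audit_trail.append((cr.change_id, "migrated" if allowed else "blocked", tuple(violations)))
    return allowed
```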
Report Changes & Track Dependencies with Natural Productivity Pack Maintenance Tools
• Metrics
• Coding Standards
• Structure Analyzer
• Search Tools
• Re-documentation & Code Beautifying
• Variable Usage
• Automatic code changes
• Diagramming
Monitor Access to Programs and Data with Adabas Review
• Report WHO accessed WHAT data, WHEN and HOW
  • Custom reporting for Executive Management
  • Multiple databases captured in a single report
  • Select and choose the most relevant information for proper reporting
  • Excellent source for compliance dashboards like Stellent Sarbanes-Oxley Solution
• Monitors both Read/Write Access to Adabas from ANY Source: on-line, batch; Natural, COBOL, Java, .NET, SQL, XQuery, etc.
• Provides a Single View of all Adabas Instances: “Regular” Adabas, Cluster Services & Parallel Services
• Detailed Monitoring with Minimal Performance Overhead: Leverages Command Logs (CLOGs) over Protection Logs (PLOGs)
  • CLOGs show ALL read/write access
  • PLOGs show only write access
  • Efficient asynchronous handling of CLOGs
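The CLOG-versus-PLOG point above decides what an access report can show: a log that only records writes can never answer WHO read WHAT. The following is an added example, not Adabas Review code; the record layout is constructed for illustration (a real command log has its own binary format), and it builds a WHO/WHAT/WHEN/HOW report from command-log style records and lists the read-only accessors a write-only view would miss.

```python
"""Added example (not Adabas Review or any Software AG code): build a
WHO/WHAT/WHEN/HOW report from command-log style records and show which accesses
a write-only (PLOG-style) view would never contain. Assumption: the tuple layout
below is constructed for illustration; the command codes follow Adabas
direct-call conventions (L1/L3 read, S1 search, A1 update, N1 store, E1 delete)."""

# Constructed records: (timestamp, user id, calling source, command code, file number)
CLOG_RECORDS = [
    ("2005-03-01T09:00:01", "DEV01", "Natural online", "L1", 12),
    ("2005-03-01T09:00:07", "DEV01", "Natural online", "A1", 12),
    ("2005-03-01T09:05:13", "BATCH7", "COBOL batch", "L3", 12),
    ("2005-03-01T09:06:00", "ANALYST", "SQL gateway", "S1", 12),
    ("2005-03-01T09:06:02", "ANALYST", "SQL gateway", "L1", 12),
    ("2005-03-01T11:00:00", "JAVAAPP", "Java", "E1", 30),
]

READ_COMMANDS = {"L1", "L2", "L3", "L4", "L5", "L6", "S1", "S2", "S4"}
WRITE_COMMANDS = {"A1", "N1", "N2", "E1"}

def classify(command):
    """read / write / other; unknown codes are counted, not silently dropped."""
    return "read" if command in READ_COMMANDS else "write" if command in WRITE_COMMANDS else "other"

def access_report(records, include_reads=True):
    """Aggregate per (user, file): counts by access type, sources used, first/last time.
    include_reads=False models a report built from protection logs, which see writes only."""
    report = {}
    for ts, user, source, command, file_no in records:
        kind = classify(command)
        if kind == "read" and not include_reads:
            continue  # a PLOG never records this access
        entry = report.setdefault((user, file_no), {"read": 0, "write": 0, "other": 0,
                                                    "sources": set(), "first": ts, "last": ts})
        entry[kind] += 1
        entry["sources"].add(source)
        entry["first"], entry["last"] = min(entry["first"], ts), max(entry["last"], ts)
    return report

def read_only_accessors(records):
    """(user, file) pairs that only read data: visible via CLOG, invisible via PLOG."""
    full = access_report(records)
    writes_only = access_report(records, include_reads=False)
    return sorted(key for key in full if key not in writes_only)

def format_report(report):
    """One WHO / WHAT / WHEN / HOW line per (user, file) pair."""
    return [f"{user:8} file {file_no:3} reads={e['read']} writes={e['write']} "
            f"{e['first']}..{e['last']} via {', '.join(sorted(e['sources']))}"
            for (user, file_no), e in sorted(report.items())]
```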
Compliance with COBIT Control Domain: Monitoring
Monitoring with Accountability – Monitor all database activity
IT Governance Pack Features:
• Centralized Information Gathering
• Scalable to Performance Needs
• Maintain Audit History Reports
• Integrates to dashboards like Stellent Sarbanes-Oxley Solution
• Real-time and historical tracking
Secure Access to Your Programs and Data
Secure Systems to Prevent Unauthorized Use
• Protect from fraudulent access under a stolen identity
  • Authenticate against common user databases like RACF, ACF2 or TopSecret via the SAF (Security Access Facility) API
  • Block password phishing with secure communication channels, like the Supervisor Call (SVC)
• Protect from unauthorized access to data store
  • "Access-/update-level" protection on a file-by-file basis
  • "Value-level" protection for specific values or for value ranges
  • “Dataset encryption” with pass phrase protection
• Single Sign On in a heterogeneous environment
  • SAML-based (Security Assertion Markup Language) Web service
  • SAF-based authentication
  • Field-level protection of database records
Compliance with COBIT: Ensure Systems Security
COBIT Control Guidance vs. IT Governance Pack Features
• Guidance: Authenticate all users to the system to support validity of transactions.
  Features: Authenticate against common user databases like RACF, ACF2 or TopSecret via the SAF (Security Access Facility) API.
• Guidance: Maintain effectiveness of authentication and access mechanisms; authentication controls (passwords, IDs, two-factor) are subject to confidentiality requirements.
  Features: Authentication at multiple levels.
• Guidance: Administration monitors and logs security activity; violations are reported.
  Features: Reporting capabilities.
• Guidance: Controls to segregate duties over requesting and granting access.
  Features: Checks and balances; separation of duties.
Provides Assurance Systems Are Secured to Prevent Unauthorized Use, Disclosure, Modification, Damage or Loss of Data
Ensure Readily Available Processes & Historical Information
Compliance with PCAOB: Access to Programs and Data – Ensure information and operational processes are available when you need it, as soon as you need it
• Protection from DB and OS Failure (High Availability) – Access when you need it - 24x7x52
  • Adabas Parallel Services
  • Adabas Cluster Services (IBM Parallel Sysplex Support)
• Protection from Facility/Site Failure (Disaster Recovery) – Prepare for dispersed geographical backups
  • Event Replicator for Adabas
• Archive Data Instantly Available when Needed – Separating relevant/current data from historical
  • Adabas Vista
Benefits of Leveraging Software AG Solutions for IT Governance
Reduces risk of non-compliance:
• Secure access to your programs and data
• Manage the application change management process
• Monitor the access and changes made to your programs & data
• Ensure information and operational processes are available when you need it, as soon as you need it, especially in case of audit
• Keeps documentation in sync with procedures
Reduces costs:
• Automates controls & reporting
• Reduces time and expense
Prepares you for the future:
• Good IT Governance practices prepare your IT department for complying with SOX, HIPAA and other regulations
Now You are Ready to Link into Company-wide Compliance Initiatives
Stellent Sarbanes-Oxley Solution
Sarbanes-Oxley Section 404: Internal Control over Financial Reporting
“Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment.”
– IT Governance Institute, IT Control Objectives for Sarbanes-Oxley
High Availability with Adabas Cluster Services
Key Features:
• Increased throughput
• Better response times for all users (batch and online)
• No need to buy a new machine to improve performance
• Maximum scalability
• No changes to applications
• Administration very similar to ‘regular’ Adabas
• 24 x 7 availability - no single-point-of-failure
• z/OS ONLY
• Maximum 20 KM
[Diagram: two OS/390 images, each with its own Work dataset, Update path, CLOG and PLOG, performing Read/Write against shared Data and Asso; a Coupling Facility links the images, and the per-image PLOGs are merged asynchronously on a timer]
Adabas Cluster Services: Distribute and balance users across multiple processors and operating system images
Disaster Recovery with Event Replicator for Adabas
Event Replicator Disaster Recovery Solution: Hot standby system(s) in a remote facility with ongoing changes transferred in real-time
Ensuring business continuity in event of failure: Software, Hardware, Power, Natural disaster
Advantage:
• Avoid time-consuming database recovery procedures
• Upon failure, a hot standby immediately becomes the primary production DB and continues replication to the other hot standby systems
[Diagram: Production Adabas at Location 1 replicating to Hot Standby systems at Location 2 and Location 3]
Information Archiving and High Availability with Adabas Vista
Adabas Vista
• Access relevant information with exceptional performance
• Avoid degradation of service and expense of maintaining unnecessary data
• High availability in a partitioned environment
  • logical ‘ordering’ of data reduces file sizes to improve performance
  • improves performance against files by using multiple CPUs
  • limits the usage of data by ‘hiding’ partitions
• Quickly & easily manage large volumes of data
  • Better backup & restore time windows
  • Better load balancing on your environment
  • No change to applications
  • Online and batch
  • The physical files can be on separate Adabas nuclei
Regulatory Compliance – A Perfect Storm
[Diagram: a cloud of regulations surrounding the industries Manufacturing, Insurance, Life Sciences, Energy and Engineering: Sarbanes-Oxley, Patriot Act, HIPAA, GLBA, Basel II, SEC, NASD, FTC, FERC, NRC, EPA, OSHA, RMP, TSCA, Storm Water, Drinking Water, Home Land Security, Local Rules, State Requirements, General Liability, FAA, 21 CFR Part 11, WEEE, RoHS, ELV, HDDA 45]
The Challenge: Manage the wide range of associated risk while maintaining business efficiency, agility, and creating shareholder value
Other Software AG Solutions: Integrated Compliance Platform
[Diagram: an Assess / Document / Manage / Report cycle feeding a Single View of Compliance across SOX, GLB and Basel II; components shown: Content Management, Enterprise Process Manager, Enterprise Service Integrator, Enterprise Information Integrator, Content Server and Stellent Section 404, drawing on Mainframe, ERP and AS/400 sources]