Oracle GRC Overview
Dane Roberts, GRC Principal Strategy Manager; Robert Armstrong, Applications Unlimited Security Strategy; Ananthalakshmi Anbuselvan, Security Lead

Uploaded by sriram-kalidoss, posted 04-Nov-2015

TRANSCRIPT

  • Oracle GRC Overview

    Dane Roberts, GRC Principal Strategy Manager

    Robert Armstrong, Applications Unlimited Security Strategy

    Ananthalakshmi Anbuselvan, Security Lead

  • 2

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

  • 3 (Oracle Confidential)

    Agenda

    Why you care

    Application Security Framework: Data; Users; Administrators

    Governance Risk and Compliance

    Q&A

  • 4

    The Cost of Compliance Continues to Rise

    "Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas."

    -- AMR Research, The Governance, Risk Management, and Compliance Spending Report, 2008-2009

    (chart: $29 Billion, $32 Billion)

  • 5

    Improving Compliance Performance (chart segments: 5%, 20%, 24%, 44%, 7%; legend: Over 5 years, 3 to 5 years, 1 to 3 years, Less than 1 year, Will begin within 1 year)

    64% of surveyed organizations have devoted resources to improving compliance for at least three years. Source: Aberdeen Group

  • 6

    Good Security Policy

    Begins with a Secure Deployment: Hardened Systems; Control System Administration

    Incorporates Principles of Secure Operation: Authentication; Authorization; Audit

    Balances theoretical perfection with reality: Cost versus risk/benefit; Human Nature; Automate-ability

  • 7

    Security Inside Out

    1. Identity & Access Management

    2. Comprehensive Data Protection

    3. Audit and Controls Enforcement

    4. Application Security

  • 8

    Comprehensive Identity & Access Management (1)

    Store & Virtualize Identities

    Provision Identities & Roles

    Manage Access to Systems

    Manage Entitlements

    Federate Identities

  • 9

    Comprehensive Data Protection (2)

    When Data Is In Motion

    When Data Is At Rest

    When Data Is Cloned

    When Data Is Administered

    When Applications Are Targeted

  • 10

    Comprehensive Controls Enforcement (3)

    Consolidate Compliance Activities

    Proactively Manage Risk

    Automate Internal Controls

  • 11

    Oracle Security Inside Out (diagram; layers: Databases, Applications, Content, Infrastructure, Information)

    Database Security: Encryption and Masking; Privileged User Controls; Multi-Factor Authorization; Activity Monitoring and Audit; Secure Configuration

    Identity Management: User Provisioning; Role Management; Entitlements Management; Risk-Based Access Control; Virtual Directories

    Governance Audit and Control: Automated Internal Controls; Segregation of Duties; Proactive Risk Management; Centralized Policy Administration

  • 12

    Database Auditing and Applications: Work with your Auditors

    Monitor privileged application user accounts for non-compliant activity

    Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)

    Verify that no one is trying to bypass the application controls/security, e.g. PO line items changed so that the PO does not require more approvals

    Verify shared accounts are not abused by non-privileged users

    Application bypass: use of application accounts to view application data

  • 13

    Oracle Audit Vault

    Applications are validated by default; database auditing sits underneath the application

    Application user auditing: the application can set the database Client Identifier to tie the application user to the application's shared account

    Database auditing can be used to monitor: audit base application tables and views; privileged user operations in the database (logins, user/table create)

  • 14

    Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

    (diagram: CRM Data, ERP Data and HR Data in source Databases feed Audit Data; Policies drive Built-in Reports, Alerts and Custom Reports delivered to the Auditor)

    Automated Oracle and non-Oracle database activity monitoring

    Detect and alert on suspicious activities

    Out-of-the-box compliance reports

    Custom forensic reports

  • 15

    Database Vault

    DB Vault: Separation of Duties for DBA roles

    Concerns: Customizations to realms; Patching with DB Vault on; Generic accounts (APPS / SYSTEM) have access to sensitive data

  • 16

    Customizing DB Vault

    Default realm we ship with contains all Apps objects

    We now support realms that are subsets of this

    Need to ensure that all the procedures and patches in Support Notes are followed

    Any subsets will be treated as certified

    Any additions will be treated as customizations

    Detailed example of extending EBS realms in Support Notes

  • 17

    Oracle Database Vault: Privileged User Access Control and Multifactor Authorization

    (diagram: Application with Procurement, HR and Finance data; a DBA issuing "select * from finance.customers")

    Keep privileged database users from abusing their powers

    Address Separation of Duties requirements

    Enforce security policies and block unauthorized database activities

    Prevent application by-pass to protect application data

  • 18

    Oracle Security Inside Out (diagram; layers: Databases, Applications, Content, Infrastructure, Information)

    Database Security

    Identity Management

    Governance Audit and Control: Automated Internal Controls; Segregation of Duties; Proactive Risk Management; Centralized Policy Administration

  • 19

    Access Control Lifecycle (diagram: Define Access Controls -> Detection (Conflict Analysis) -> Remediation (Clean-up) -> Prevention (Provisioning))

    Define SOD conflict and restricted access business rules. Ex. Maintain Employees vs. Process Payroll.

    Execute access analysis engine that understands applications' detailed access architecture. Ex. PeopleSoft page level, operator preferences, authorized actions.

    Real-time enforcement of SOD controls during user provisioning. Ex. Prevent, monitor, or allow with approval.

    Faster, easier remediation and analysis via pre-packaged reports, work queue management, and what-if simulation. Ex. Conflict impact of removing a page from a menu.

  • 20

    Known Security, Sustainable Compliance (diagram: Oracle Security Solutions; Enforce Controls, Streamline Processes, Monitor Controls, Automate Reporting)

    Enforce Controls: Segregation of duties; Access control

    Streamline Processes: Attestation / Recertification

    Automate Reporting: Out-of-the-box compliance reports; Customized reports

    Monitor Controls: Who accessed what? Who changed what?

  • 21

    Oracle Solutions for GRC

    Pre-integrated with Oracle applications and technology, supports heterogeneous environments

    Purpose-built business solutions for key industries and GRC initiatives

    Best-in-class GRC core solutions to support all mandates and regulations

    (diagram of the solution stack)

    GRC Reporting & Analytics: Reporting; KRI & Alerts; Dashboards

    GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt

    GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration (also covering Custom or Legacy Applications)

    GRC Infrastructure Controls: Systems Mgmt; Digital Rights; Data Security; Identity Mgmt; Records & Content Mgmt

  • 22

    Consolidate Compliance Activities: Oracle Enterprise GRC Manager

    Why? Mandates: PCI; SOX 404; HIPAA; FFIEC; CA SB 1386; EU Privacy Directive; FDA

    What? Business Process Framework: ISO | COSO | COBIT | ITIL. Risk: Impact, Likelihood. System. Process.

    How? Identify Requirements -> Establish Objectives -> Assess Risk -> Evaluate Controls -> Remediate Issues -> Report & Respond -> Review & Improve

  • 85% of internal controls at an average firm are manual.

    - Financial Executives Research Foundation

  • Leverage Reusable Automated Controls

    Mandates: SOX; Sec 17A-4; Gramm-Leach-Bliley; HIPAA; 21 CFR Part 11; Basel II; OMB A-123; CA SB 1386

    Systems: ERP Applications; Business Intelligence; Policy Management; Data Warehousing; Records Management; Access & Data Security

    Reusability of Automated Controls and Audit Reports

  • 25

    Oracle GRC Controls: Automate Internal Controls

    Access Controls -- Preventive: What users can do. Detective: What users have done.

    Configuration Controls -- Preventive: How is the process set up. Detective: What's changed in the process.

    Transaction Controls -- Preventive: How users execute processes. Detective: What are the execution patterns.

    Enforce Policies in Context

    Monitor Control Effectiveness

  • 26

    Paul From Accounting

    Trusted long-time employee

    Created phony invoices to pay himself: 3.7 million (US$6M) over three years

    Company's financial automation never noticed; Paul was caught only because a tipster turned him in

    Source: timesonline.co.uk

  • 27

    How'd He Do It?

    Only a few details published so far: Managed the purchasing ledger; Stole 100k-300k at a time; The money is long gone

    One way he could have done it (diagram): Purchase Order #1, To: Supplier A; Invoice, Re: Purch. Order #1, From: Supplier B; Supplier B Remit-To Override

    Could this have been detected?

  • 28-32

    GRC Would Have Flagged Paul's Transactions (same title on each of slides 28 to 32)

  • 33-34

    GRC Would Have Flagged Creation of Questionable Suppliers (same title on slides 33 and 34)

  • 35-36

    GRC Would Have Flagged Paul's Setup Changes (same title on slides 35 and 36)

  • 37-38

    GRC Would Have Flagged Paul's Overly-broad Access (same title on slides 37 and 38)

  • 39

    GRC Would Have Warned Us that

    Warning: Paul is creating invoices from parties who don't match the POs' suppliers. LHAMILTON is defeating, then re-enabling, the control so Paul can evade it.

    Action: Prevent defeat of the control by requiring third-party approval of any changes.

  • 40-41

    GRC Could Require Approval of Setup Change (same title on slides 40 and 41)

  • 42

    GRC Would Have Warned Us that

    Warning: Paul is creating both Suppliers and Invoices. Paul, along with other users, has unintentional permission to create both Suppliers and Invoices.

    Action: Review responsibility assignments, and if necessary, redefine responsibilities.
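    The four warnings on slides 39 and 42 are instances of the three control families on slide 25: an access control (who can, and who did, create both suppliers and invoices), a transaction control (invoice supplier versus PO supplier) and a configuration control (a matching check disabled and later re-enabled). The script below is an added illustration written for this transcript, not Oracle's product code or anything from the deck; every user, responsibility, purchase order, invoice and setup-log record in it is constructed for the example, and the control name PO_MATCH_CHECK is a placeholder. It shows the minimum each control needs to compute, run over that sample data.

```python
"""Added illustration (not from the Oracle deck): the access, configuration and
transaction control families of slide 25 applied to a small constructed dataset
modelled on the Paul scenario of slides 27-42. All names, identifiers and records
below are made up for the example."""
from collections import defaultdict
from dataclasses import dataclass

# --- Access control, preventive: what users *can* do (slide 42) ------------
# Constructed responsibility assignments: user -> functions granted.
ASSIGNMENTS = {
    "PAUL": {"CREATE_SUPPLIER", "CREATE_INVOICE", "VIEW_LEDGER"},
    "LHAMILTON": {"MANAGE_AP_SETUP", "VIEW_LEDGER"},
    "MCHEN": {"CREATE_INVOICE"},
    "RSINGH": {"CREATE_SUPPLIER", "CREATE_INVOICE"},
}
# Constructed SOD rule set: pairs of functions one user must not hold together.
SOD_RULES = [("CREATE_SUPPLIER", "CREATE_INVOICE")]

def sod_violations(assignments, rules):
    """Users holding both sides of any SOD rule, whether or not they used them."""
    hits = {}
    for user, funcs in assignments.items():
        conflicts = [r for r in rules if r[0] in funcs and r[1] in funcs]
        if conflicts:
            hits[user] = conflicts
    return hits

# --- Access control, detective: what users *have done* ---------------------
@dataclass(frozen=True)
class Event:
    user: str
    action: str
    ref: str

EVENTS = [  # constructed application audit records
    Event("PAUL", "CREATE_SUPPLIER", "SUP-B"),
    Event("PAUL", "CREATE_INVOICE", "INV-1001"),
    Event("RSINGH", "CREATE_INVOICE", "INV-1002"),
    Event("MCHEN", "CREATE_INVOICE", "INV-1003"),
]

def sod_exercised(events, rules):
    """Users who actually performed both sides of a rule (RSINGH could, but did not)."""
    done = defaultdict(set)
    for e in events:
        done[e.user].add(e.action)
    return sorted(u for u, acts in done.items()
                  if any(a in acts and b in acts for a, b in rules))

# --- Transaction control: invoice supplier vs. PO supplier (slide 39) ------
PURCHASE_ORDERS = {"PO-1": "SUP-A", "PO-2": "SUP-C"}    # constructed: po -> supplier
INVOICES = [  # constructed: (invoice id, po reference, invoicing supplier, created by)
    ("INV-1001", "PO-1", "SUP-B", "PAUL"),    # invoiced by a party not on the PO
    ("INV-1002", "PO-2", "SUP-C", "RSINGH"),  # consistent with its PO
    ("INV-1003", "PO-9", "SUP-D", "MCHEN"),   # references a PO that does not exist
]

def invoice_po_mismatches(invoices, pos):
    """Invoices whose supplier differs from the referenced PO's supplier, plus
    invoices citing an unknown PO (a matching control must not skip those)."""
    flagged = []
    for inv_id, po_ref, supplier, user in invoices:
        expected = pos.get(po_ref)
        if expected is None:
            flagged.append((inv_id, user, "unknown PO " + po_ref))
        elif expected != supplier:
            flagged.append((inv_id, user, f"supplier {supplier} != PO supplier {expected}"))
    return flagged

# --- Configuration control: control disabled, then re-enabled (slide 39) ---
SETUP_LOG = [  # constructed setup-change audit trail, in time order
    ("LHAMILTON", "PO_MATCH_CHECK", "DISABLED"),   # PO_MATCH_CHECK is a placeholder name
    ("PAUL", "CREATE_INVOICE", "INV-1001"),
    ("LHAMILTON", "PO_MATCH_CHECK", "ENABLED"),
    ("AUDITOR", "REPORT_RUN", "OK"),
]

def control_toggles(log, control):
    """(user, entries logged while the control was off) for every window in which
    `control` was disabled and later re-enabled by the same user."""
    windows, open_at = [], None
    for i, (user, obj, value) in enumerate(log):
        if obj == control and value == "DISABLED":
            open_at = (user, i)
        elif obj == control and value == "ENABLED" and open_at and open_at[0] == user:
            windows.append((user, i - open_at[1] - 1))
            open_at = None
    return windows

if __name__ == "__main__":
    print("SOD (can):   ", sod_violations(ASSIGNMENTS, SOD_RULES))
    print("SOD (did):   ", sod_exercised(EVENTS, SOD_RULES))
    print("PO mismatch: ", invoice_po_mismatches(INVOICES, PURCHASE_ORDERS))
    print("Toggled ctrl:", control_toggles(SETUP_LOG, "PO_MATCH_CHECK"))
```

    The preventive and detective halves deliberately return different things: `sod_violations` is what a provisioning-time check or a responsibility review would act on (it catches RSINGH, who has never used the conflicting pair), while `sod_exercised` is what an audit report would surface. The configuration check reports how many entries were logged inside the disabled window, which is the set an auditor would re-run the transaction control over.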

  • 43

    The Oracle Difference: Enterprise GRC Platform Leader*

    1. One Platform Satisfies Multiple Regulations

    2. GRC Controls Integration Enforces Policy Controls

    3. Role-Based Dashboards Provide Real Time Insight

    (diagram: regulations Financial Reporting, Green Compliance and Data Privacy mapped to risks R1, R2, R3 and controls C1c, C2c, C3c, C5c, C6c, C7c, C9c, C10c, C11c)

    *Source: Gartner Magic Quadrant for Enterprise GRC Platforms, 2009

  • 44

    Progress in GRC Maturity with Oracle (chart: Maturity vs. Time; stages Informal, Reactive, Proactive, Optimized)

    Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next: GRC Infrastructure Controls; GRC Application Controls; GRC Manager; GRC Intelligence

    Informal: Ad hoc approach; Compliant but at a high cost to business; Manual control; No best practices

    Reactive: Tactical approach; Risks are documented; Manual risk assessment and reporting; After-the-fact reporting

    Proactive: Unified, standardized & strategic approach; Policies are enforced; Automated process; Prevent policy violation

    Optimized: GRC objectives embedded throughout the organization; Analyze and trend; Automated risk mitigation / Predictive risk assessments

  • 45

  • 46