2010sprconforaclegrcoverview
-
Oracle GRC Overview
Dane Roberts, GRC Principal Strategy Manager
Robert Armstrong, Applications Unlimited Security Strategy
Ananthalakshmi Anbuselvan, Security Lead
-
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
-
Oracle Confidential
Agenda
Why you care
Application Security Framework
  Data
  Users
  Administrators
Governance Risk and Compliance
Q&A
-
The Cost of Compliance Continues to Rise
Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.
The Governance, Risk Management, and Compliance Spending Report, 2008-2009,
-- AMR Research
Chart: GRC spending, $29 Billion (2007) to $32 Billion (2008)
-
Chart: Improving Compliance Performance, share of organizations by how long they have devoted resources to it (Over 5 years; 3 to 5 years; 1 to 3 years; Less than 1 year; Will begin within 1 year)
64% of surveyed organizations have devoted resources to improving compliance for at least three years. Source: Aberdeen Group
-
Good Security Policy
Begins with a Secure Deployment: Hardened Systems; Control System Administration
Incorporates Principles of Secure Operation: Authentication; Authorization; Audit
Balances theoretical perfection with reality: Cost versus risk/benefit; Human Nature; Automate-ability
-
Security Inside Out
Identity & Access Management
Audit and Controls Enforcement
Application Security
Comprehensive Data Protection
-
Comprehensive Identity & Access Management
Store & Virtualize Identities
Provision Identities & Roles
Manage Access to Systems
Manage Entitlements
Federate Identities
-
Comprehensive Data Protection
When Data Is In Motion
When Data Is At Rest
When Data Is Cloned
When Data Is Administered
When Applications Are Targeted
-
Comprehensive Controls Enforcement
Consolidate Compliance Activities
Proactively Manage Risk
Automate Internal Controls
-
Oracle Security Inside Out
Diagram: layers Infrastructure, Databases, Applications, Content, Information
Database Security: Encryption and Masking; Privileged User Controls; Multi-Factor Authorization; Activity Monitoring and Audit; Secure Configuration
Identity Management: User Provisioning; Role Management; Entitlements Management; Risk-Based Access Control; Virtual Directories
Governance Audit and Control: Automated Internal Controls; Segregation of Duties; Proactive Risk Management; Centralized Policy Administration
-
Database Auditing and Applications: Work with your Auditors
Monitor privileged application user accounts for non-compliant activity
Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
Verify that no one is trying to bypass the application controls/security, e.g. PO line items are changed so the PO does not require further approvals
Verify shared accounts are not being abused by non-privileged users
Application bypass: use of application accounts to view application data
-
Oracle Audit Vault
Applications are validated by default; database auditing sits underneath the application
Application user auditing: the application can set the database Client Identifier to tie the application user to the application shared account
Database auditing can be used to monitor: audited base application tables and views; privileged user operations in the database (logins, user/table create)
-
Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting
Diagram: CRM, ERP and HR data from databases flow into Audit Data; Policies drive Alerts, Built-in Reports and Custom Reports for the Auditor
Automated Oracle and non-Oracle database activity monitoring
Detect and alert on suspicious activities
Out-of-the-box compliance reports
Custom forensic reports
-
Database Vault
DB Vault: Separation of Duties for DBA roles
Concerns: Customizations to realms; Patching with DB Vault on; Generic accounts (APPS / SYSTEM) have access to sensitive data
-
Customizing DB Vault
Default realm we ship with contains all Apps objects
We now support realms that are subsets of this
Need to ensure that all the procedures and patches in Support Notes are followed
Any subsets will be treated as certified
Any additions will be treated as customizations
Detailed example of extending EBS realms in Support Notes
-
Oracle Database Vault: Privileged User Access Control and Multifactor Authorization
Diagram: a DBA issuing "select * from finance.customers" against the application's Procurement, HR and Finance data
Keep privileged database users from abusing their powers
Address Separation of Duties requirements
Enforce security policies and block unauthorized database activities
Prevent application bypass to protect application data
-
Oracle Security Inside Out (diagram repeated, highlighting Governance Audit and Control: Automated Internal Controls; Segregation of Duties; Proactive Risk Management; Centralized Policy Administration)
-
Conflict Analysis
Define SOD conflict and restricted access business rules. Ex. Maintain Employees vs. Process Payroll
Execute access analysis engine that understands applications' detailed access architecture. Ex. PeopleSoft page level, operator preferences, authorized actions.
Real-time enforcement of SOD controls during user provisioning. Ex. Prevent, monitor, or allow with approval.
Faster, easier remediation and analysis via pre-packaged reports, work queue management, and what-if simulation. Ex. Conflict impact of removing a page from a menu
Diagram: Access Control Lifecycle (Detection / Prevention): Define Access Controls, Conflict Analysis, Remediation (Clean-up), Prevention, Provisioning
-
Known Security, Sustainable Compliance: Oracle Security Solutions
Enforce Controls: Segregation of duties; Access control
Streamline Processes: Attestation / Recertification
Automate Reporting: Out-of-the-box compliance reports; Customized reports
Monitor Controls: Who accessed what? Who changed what?
-
Oracle Solutions for GRC
Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Purpose-built business solutions for key industries and GRC initiatives
Best-in-class GRC core solutions to support all mandates and regulations
Diagram:
GRC Reporting & Analytics: Reporting; KRI & Alerts; Dashboards
GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt
GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration
Custom or Legacy Applications
GRC Infrastructure Controls: Systems Mgmt; Digital Rights; Data Security; Identity Mgmt; Records & Content Mgmt
-
Consolidate Compliance Activities: Oracle Enterprise GRC Manager
Why? Mandates: PCI; SOX 404; HIPAA; FFIEC; CA SB 1386; EU Privacy Directive; FDA
What? Business Process Framework: ISO | COSO | COBIT | ITIL; Risk: Impact, Likelihood; System; Process
How? Identify Requirements; Establish Objectives; Assess Risk; Evaluate Controls; Remediate Issues; Report & Respond; Review & Improve
-
85% of internal controls at an average firm are manual.
- Financial Executives Research Foundation
-
Leverage Reusable Automated Controls
Mandates: SOX; Sec 17A-4; Gramm-Leach-Bliley; HIPAA; 21CFR Part II; Basel II; OMB A-123; CA SB 1386
Systems: ERP Applications; Business Intelligence; Policy Management; Data Warehousing; Records Management; Access & Data Security
Reusability of Automated Controls and Audit Reports
-
Automate Internal Controls: Oracle GRC Controls
Access Controls, Configuration Controls, Transaction Controls
Preventive Controls: What users can do; How is the process set up; How users execute processes
Detective Controls: What users have done; What's changed in the process; What are the execution patterns
Enforce Policies in Context
Monitor Control Effectiveness
-
Paul From Accounting
Trusted long-time employee
Created phony invoices to pay himself
£3.7 million (US$6M) over three years
Company's financial automation never noticed
Paul was caught only because a tipster turned him in
timesonline.co.uk
-
How'd He Do It?
Only a few details published so far:
Managed the purchasing ledger
Stole 100k-300k at a time
The money is long gone
One way he could have done it (diagram): Purchase Order #1, To: Supplier A; Invoice, Re: Purch. Order #1, From: Supplier B; Supplier B Remit-To Override
Could this have been detected?
-
GRC Would Have Flagged Paul's Transactions
-
GRC Would Have Flagged Creation of Questionable Suppliers
-
GRC Would Have Flagged Paul's Setup Changes
-
GRC Would Have Flagged Paul's Overly-broad Access
-
GRC Would Have Warned Us that
Warning: Paul is creating invoices from parties who don't match the POs' suppliers
Warning: LHAMILTON is defeating, then re-enabling, the control so Paul can evade it
Action: Prevent defeat of the control by requiring third-party approval of any changes
-
GRC Could Require Approval of Setup Change
-
GRC Would Have Warned Us that
Warning: Paul is creating both Suppliers and Invoices
Warning: Paul, along with other users, has unintentional permission to create both Suppliers and Invoices
Action: Review responsibility assignments, and if necessary, redefine responsibilities
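The three warnings in the Paul scenario (an invoice whose supplier does not match its PO, a control switched off and back on around the transaction, and a user holding both Create Supplier and Create Invoice) written as detective checks over constructed purchase-to-pay records. This is an added example, not Oracle GRC Controls code; the record layouts, the setting name match_po_supplier, and the user and supplier names are assumptions.

```python
"""Detective controls for the purchase-to-pay fraud pattern (constructed data)."""
from datetime import datetime

# Constructed sample records, not taken from any real system.
PURCHASE_ORDERS = {"PO-1": "Supplier A"}
INVOICES = [
    {"id": "INV-7", "po": "PO-1", "supplier": "Supplier B", "user": "PAUL",
     "ts": datetime(2009, 3, 2, 10, 5)},
    {"id": "INV-8", "po": "PO-1", "supplier": "Supplier A", "user": "JANE",
     "ts": datetime(2009, 3, 3, 9, 0)},
]
# Audit trail of changes to the assumed "invoice supplier must match PO" setup flag.
SETUP_CHANGES = [
    {"user": "LHAMILTON", "setting": "match_po_supplier", "value": False,
     "ts": datetime(2009, 3, 2, 10, 0)},
    {"user": "LHAMILTON", "setting": "match_po_supplier", "value": True,
     "ts": datetime(2009, 3, 2, 10, 10)},
]
PRIVILEGES = {"PAUL": {"Create Supplier", "Create Invoice"},
              "JANE": {"Create Invoice"}, "LHAMILTON": {"Manage Setup"}}
SOD_CONFLICTS = [("Create Supplier", "Create Invoice")]


def mismatched_invoices(invoices, pos):
    """Transaction control: invoice supplier differs from the PO's supplier."""
    return [i["id"] for i in invoices if pos.get(i["po"]) != i["supplier"]]


def control_toggled_around(invoices, changes, setting):
    """Configuration control: setting disabled, re-enabled, and an invoice
    created in between. Returns (admin who disabled it, invoice id) pairs."""
    hits, off_since = [], None
    for c in sorted(changes, key=lambda ch: ch["ts"]):
        if c["setting"] != setting:
            continue
        if not c["value"]:
            off_since = c                      # control switched off
        elif off_since:                        # switched back on: inspect the gap
            hits += [(off_since["user"], i["id"]) for i in invoices
                     if off_since["ts"] <= i["ts"] <= c["ts"]]
            off_since = None
    return hits


def sod_violations(privs, conflicts):
    """Access control: users holding both halves of a conflicting pair."""
    return sorted((u, a, b) for u, p in privs.items()
                  for a, b in conflicts if a in p and b in p)
```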
-
The Oracle Difference: Enterprise GRC Platform Leader*
Role-Based Dashboards Provide Real-Time Insight
One Platform Satisfies Multiple Regulations
GRC Controls Integration Enforces Policy Controls
*Source: Gartner Magic Quadrant for Enterprise GRC Platforms, 2009
Diagram: one set of controls (C1 to C11) mapped to several regulations (R1 Financial Reporting, R2 Green Compliance, R3 Data Privacy)
-
Progress in GRC Maturity with Oracle (Maturity over Time)
Stages: Informal, Reactive, Proactive, Optimized
Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next.
Products: GRC Application Controls; GRC Manager; GRC Intelligence; GRC Infrastructure Controls
Informal: Ad hoc approach; Compliant but at a high cost to business; Manual control; No best practices
Reactive: Tactical approach; Risks are documented; Manual risk assessment and reporting; After-the-fact reporting
Proactive: Unified, standardized & strategic approach; Policies are enforced; Automated process; Prevent policy violation
Optimized: GRC objectives embedded throughout the organization; Analyze and trend; Automated risk mitigation / Predictive risk assessments
-