Governance, Risk, and Compliance: Not Just for SOX Anymore
Bo Weingaertner, Retail GRC Product Specialist, Oracle
Dave Nonnemacher, Retail GRC Product Specialist, Oracle

The Big Picture
Objectives: Strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization.
Business Model: Strategy, people, process, technology and infrastructure in place to drive toward objectives.
Obstacles: Obstacles impede progress toward achieving objectives.
Voluntary Boundary: Boundary defined by management, including public commitments, organizational values, contractual obligations, and other voluntary policies.
Mandated Boundary: Boundary established by external forces, including laws, government regulation and other mandates.
© OCEG

GRC is the “New Normal”: Requirements increase in number and complexity
GRC Programs: Financial Reporting Compliance, Compliance & Ethics Programs, Data Privacy & Security, Records Retention, Legal Discovery, IT Governance, Supplier Management, Supply Chain Traceability
People: Legal, Finance, HR, Sales, Suppliers, Customers, Buyers, Marketing, Regions
Technology: Apps Server, Data Warehouse, Database, Mobile Devices, Enterprise Applications, Master Data Mgmt
Mandates: SOX, CSOX, PCI, SB 1386, EU Directives, HIPAA, COOL, Patriot Act, Sourcing Mandates, …

Information Risk Continues Unabated: Information security becomes part of overarching GRC strategy

Good GRC is Good Business
Share-price performance of companies complying with SOX rules: 28% (no control weaknesses); 26% (control weakness in 2004, but none in 2005); 6% (reported control weaknesses in 2004-05). Source: Lord & Benoit, 2006.
Price of control deficiency for a $1 billion company: $10 million in higher cost of equity capital. Source: University of Wisconsin, 2006.
Savings on legal liability avoidance from GRC investment: $1 of spending on compliance yields $5 of savings on lower legal liability. Source: General Counsel Roundtable, 2006.
Opportunity cost of siloed GRC (cost of GRCM vs. number of GRC projects): ad hoc approach vs. platform approach, with the difference labelled as resources for innovation.

Oracle Governance, Risk, and Compliance: Comprehensive Applications Control Costs and Risks
Only Oracle Delivers a Comprehensive Applications Platform for Governance, Risk, and Compliance Management
Processes: Risk & Compliance Mgmt, Controls Management, Policy Mgmt, Industry Specific
Insight: Risk & Control Intelligence, Operational Intelligence
Infrastructure Services: Data Security, Identity Mgmt, Content Mgmt, Change Mgmt, Data Audit, Performance Management, Repository
Applications: Oracle, SAP, Custom, Legacy, Other

Oracle Governance, Risk, and Compliance: Comprehensive Applications Control Costs and Risks (Processes)
• Standardize on best-practice frameworks to meet evolving GRC demands
• Automate key GRC processes for risk assessment, control design, policy creation, hotline intake, control monitoring and case management
• Streamline specialized GRC processes for highly-regulated and risk-sensitive industries

A World of Paper and Manual Hand Offs: Current state of risk and compliance management
A Fragmented Approach: Auditors, Business Process Owners, Executives and Testers, each connected to the others only by open questions.

Content Management is the Cornerstone: Single system of record for compliance information
Central Repository: Secure Enterprise Search, Date Effective, Chain of Custody, All Content Types, Single Source of Information
• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel

Manage Policies and Procedures: Align policies to best-practice frameworks
Master Libraries of Policies & Controls; Embedded Frameworks (COSO, COBIT, ITIL)
• Frameworks align corporate policies and associated controls to standards
• Link shared policies and controls in master libraries for easy maintenance

Manage IT GRC Processes and Content: Reduce Cost and Control Risk with Oracle GRC Manager
• End-to-End IT Governance Process Management
• Centralized IT Governance Content Management
Process cycle:
Document: Risk-Control Matrix; COSO/COBIT Frameworks; Policies and Procedures; Evidence & Records Retention
Assess: Perform Self Assessment; Scope Audits
Test: Test Manual Controls; Monitor Automated Controls
Analyze: Receive Alerts; Review Reports; Investigate Exceptions
Respond: Remediate; Retest; Optimize
Certify: Sign-off and Publish

Alliance Resource Partners Customer Success Profile
COMPANY OVERVIEW
• Leading coal production and marketing company in North America
• Headquartered in Tulsa, Oklahoma
• ARPL manages Alliance Coal of Lexington, Kentucky
• $931 million revenue in 2006
• 2,300 employees
CUSTOMER PERSPECTIVE
“Some of the products we seriously looked at in 2004 no longer existed in 2005. We were looking for a company committed for the long-term, committed to the product and enhancing the feature set.” - Guy Mayberry, Manager of Financial Applications
CHALLENGES/OPPORTUNITIES
• Streamline burdensome, ad hoc financial compliance management processes
• Automate processes based on the COSO standard for internal controls
• Reduce compliance costs by pushing accountability down to business process owners
• Manage and archive unstructured data, with the ability to track version history
• Leverage the solution for Sarbanes-Oxley and all internal audit needs
RESULTS
• Reduced reliance on manual spreadsheets with a compliance process turnaround time reduction of 28%
• Licence and implementation costs were recovered within the first year
• Sustainable, web-based certification and attestation
• Granular Segregation of Duties tracking and reporting
• Identification and management of all in-scope structured and unstructured data
• Leveraged to a range of operational and environmental compliance management and reporting requirements
GRCM SOLUTIONS
• Oracle GRC Manager

Segregation of Duties for Applications: Detect access violations
PRE-DELIVERED CONTENT: Library of SOD Constraints
PROCESS: Employee access is checked for violations against the constraint library. A detected violation (!!) triggers corrective measures until the violation is cleared; access that passes the check is authorized.
EVIDENCE: Evidence of due diligence for cleared access
• User access deviations detected across instances
• Continuous monitoring through reporting

Role-Based Access to Applications: Prevent access violations
PROCESS: Employee → Assignment of Roles → SOD Policy → Set Up of User Profile. A role grant that would violate the policy is denied (Violation Prevention !!); certification records who has access to what.
• Integrated framework for user provisioning
• Set up of user profiles with library of constraints
• Segregation of duties prevention and certification across heterogeneous systems

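The detect-then-prevent pattern on the two SoD slides above, as an added example that is not part of the original deck or of Oracle's products: a detective check over existing user access (aggregated across application instances) and a preventive check applied before a role is granted. The constraint ids, role-to-function map and user assignments are constructed placeholders.

```python
from collections import defaultdict

# Constructed SoD constraint library: pairs of business functions that one
# person must never hold together (placeholder ids, not Oracle's content).
SOD_CONSTRAINTS = {
    "SOD-01": ("Create Vendor", "Approve Payment"),
    "SOD-02": ("Enter Journal", "Post Journal"),
}

# Constructed role-to-function map spanning several application instances.
ROLE_FUNCTIONS = {
    ("ERP-PROD", "AP_CLERK"): {"Create Vendor", "Enter Invoice"},
    ("ERP-PROD", "AP_MANAGER"): {"Approve Payment"},
    ("GL-PROD", "GL_ENTRY"): {"Enter Journal"},
    ("GL-EMEA", "GL_POST"): {"Post Journal"},
}

# Constructed current user access: (user, instance, role) triples.
ASSIGNMENTS = [
    ("alice", "ERP-PROD", "AP_CLERK"),
    ("alice", "ERP-PROD", "AP_MANAGER"),  # conflict within one instance
    ("bob", "GL-PROD", "GL_ENTRY"),
    ("bob", "GL-EMEA", "GL_POST"),        # conflict visible only across instances
    ("carol", "ERP-PROD", "AP_CLERK"),
]


def functions_by_user(assignments):
    """Aggregate the business functions each user holds across all instances."""
    held = defaultdict(set)
    for user, instance, role in assignments:
        held[user] |= ROLE_FUNCTIONS.get((instance, role), set())
    return held


def conflicts_for(functions):
    """Return the ids of every constraint violated by one set of functions."""
    return sorted(cid for cid, (a, b) in SOD_CONSTRAINTS.items()
                  if a in functions and b in functions)


def detect_violations(assignments):
    """Detective control: users whose combined access already violates SoD."""
    held = functions_by_user(assignments)
    return {user: conflicts_for(funcs) for user, funcs in held.items()
            if conflicts_for(funcs)}


def check_grant(assignments, user, instance, role):
    """Preventive control: simulate the grant and deny it if it would introduce
    a new violation. Returns (allowed, newly_violated_constraint_ids)."""
    before = conflicts_for(functions_by_user(assignments)[user])
    proposed = assignments + [(user, instance, role)]
    after = conflicts_for(functions_by_user(proposed)[user])
    new = sorted(set(after) - set(before))
    return (not new, new)
```

A detected violation is cleared by revoking one of the conflicting roles and re-running detect_violations, which is the evidence-of-due-diligence step on the slide.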
Enforce Proper Configurations: Apply Key IT Controls with Oracle Configuration Management
Cycle: Gather → Model → Enforce → Reconcile → Audit (each governed by a recipient policy)
• Centrally collect and manage all system configuration information
• Apply database and schema definitions to create baselines
• Evaluate configurations and maintain set-up standards according to policies
• Deploy certified configurations, patches, and images across systems

What Customers Are Saying
“Oracle provides us with a robust content and records management environment that addresses our compliance needs, integrates into our existing business processes, and is easy for our people to use.”
-- Loren Dugan, IT Director, POWER Engineers
“By using the application controls monitoring capabilities within Oracle, ViaSat can effectively and efficiently look across the organization at critical setups to ensure that the automated controls we rely on aren’t being compromised by various access or change parameters. From a monitoring aspect, it’s a huge efficiency going forward.”
-- Ron Wangerin, CFO, ViaSat
“Oracle Governance, Risk, and Compliance Manager enables us to distribute Sarbanes-Oxley activities to employees across Unum, helping us become more efficient which in turn allows us to recognize a compliance return on investment.”
-- Danny Waxenberg, Unum, AVP for Internal Controls

Oracle Governance, Risk, and Compliance: Integrated Business Insight Ensures Accountability (Insight)
• Improve governance with timely compliance, risk, and performance management info
• Provide evidence of IT and business process control with auditor-ready reporting
• Optimize business performance through risk-aware strategic planning

Enterprise Visibility to GRC: Secured and targeted delivery of role-based dashboards
Oracle GRC Manager notification: “This is to notify you of AML and SOX alerts. The Executive Dashboard is awaiting your review. Please use the following link to access your reports: Go To ‘Executive Dashboard’”
Summarized view of key information highlighting potential trouble areas

Getting to the Root of the Issue: Drill down from dashboard to detailed transaction

Anticipate Auditor Requirements with Evidence of Enforcement
IT Audit
• Prevent unauthorized system configuration changes with diagnostics
• Identify top audit alerts by application, system, and audit event
• Review complete audit trail for any changes to control elements
Financial Audit
• Deliver auditor-ready reports for process certification and remediation analysis
• Identify trends in control performance
• Provide evidence of best-practice periodic attestation with snapshot comparisons

Oracle Governance, Risk, and Compliance: Best-in-Class Infrastructure Automates Enforcement (Infrastructure Services)
• Ensure information reliability with content security, records retention, and identity management
• Protect information assets across the entire technology stack
• Enforce best-practice segregation of duties, configuration and change management procedures

Oracle Information Protection & Privacy
Applications: E-Business Suite, PeopleSoft, Siebel, SAP, Custom, Legacy
Identity Management: Web Services Manager, Identity Federation, E-SSO Suite, Identity Manager, Directory Services, Access Manager
Data Security: Audit Vault, Database Vault, Advanced Security Option, Label Security, Information Rights Management

Control User Access and Authorization: Enforce Segregation of Duties
External users: Partners, SOA Apps, Customers. Internal users: Employees, IT Staff, SOA Apps.
Services: Access Management; Identity Administration; Auditing, Monitoring and Reporting; Directory Services and Management; Identity Provisioning
Systems & Repositories: Applications (ERP, CRM, HR, SCM, Mainframe), NOS/Directories, OS (Unix)
• Restrict access to applications based on business policy
• Certify who had access to what via automated attestation
• Automate compliance auditing with out of the box reports

What Our Customers are Achieving
-- Reduced risk analysis reporting time by 75%
-- Achieved a 20% improvement in data quality and greater visibility and forecast accuracy
-- Oracle Access Manager and Identity Federation saves $30 a month per employee on password administration, for a total savings of US $1.2 million per month
-- Gained visibility, control, and ability to enforce compliance while saving US $700,000 per year on reduced password resets with Oracle Access Manager

Secure Privileged User Access: Oracle Database Vault
CRITICAL DATA: National ID/SSN (sample: 782-03-0275), Salary, Customer Records
SUPER USER ACCESS CONTROLS: Time of Day (e.g. 3pm Monday), IP Address, Realms (HR Realm for the HR DBA, FIN Realm for the FIN DBA)
Realms and command rules enable customers to easily restrict access to application data from the DBA and other powerful users. Multi-factor authorization significantly increases security.

Enforce Data Privacy: Oracle Advanced Security Option
• Oracle Transparent Data Encryption: easily encrypt sensitive data by columns; requires no changes to applications
• Network Encryption: protect sensitive data as it travels across the network; leverage industry leading encryption algorithms
• Data Integrity: safeguard data from unauthorized modification
• Strong authentication: ‘Two Factor’ authorization; password PLUS key/dongle/smart card (4 standards)

Access Control for Distributed Content: Oracle Information Rights Manager
• Patented “distributed” rights management between centralized server and desktop
• Centralized revocation of rights and up-to-date audit trail
• Transparent mobile access to “sealed” information
• Classification-based rights management
• Enterprise-scalable

System Audit Consolidation & Reporting: Oracle Audit Vault
• Lock down audit data in an audit warehouse
• Leverage protected schema to prevent tampering of audit data
• Centralize audit policy management
• Monitor, report, and alert on all audit activity
• Detect suspicious activity and auto-escalate increased auditing

Maintain Control Over Changes: Implement Policy-Based Changes with Oracle Change Management
• Evaluate, plan for and implement changes for new applications
• Compare baselines with current database settings, databases with databases, and schema with schema
• Synchronize databases and propagate consistent changes across application systems
• Make policy-based changes with embedded Information Technology Infrastructure Library (ITIL) standards

Oracle Technologies for PCI
Build and Maintain a Secure Network: Oracle Audit Vault, Oracle Database Vault, Enterprise Manager, Oracle Advanced Security Option, Oracle Database Configuration Assistant
Protect Cardholder Data: Oracle Transparent Data Encryption, Oracle Secure Backup, Oracle Virtual Private Database, Oracle Advanced Security Option, Oracle Application Server, Oracle Retail Applications
Maintain a Vulnerability Management Program: Enterprise Manager, Change Management Pack, Oracle Application Control Manager
Implement Strong Access Control Measures: Oracle Access Manager, Oracle Identity Manager, Oracle Identity Federation, Oracle Database Vault, Oracle Label Security, Oracle Virtual Directory, Enterprise User Security, Enterprise Manager, Oracle Advanced Security Option, Proxy Authentication, Client Identifiers
Regularly Monitor and Test Networks: Oracle Internal Controls Manager, Oracle Identity Manager, Oracle Access Manager, Oracle Audit Vault, Oracle database fine-grained auditing
Maintain an Information Security Policy: Oracle Enterprise Manager, enforcement through comprehensive Oracle security solutions

Oracle Governance, Risk, and Compliance
• Simplify GRC and Reduce Costs
• Safeguard Brand and Reputation
• Run Your Business Better and Prove It