Governance, Risk, and Compliance: Not Just for SOX Anymore. Bo Weingaertner, Retail GRC Product Specialist, Oracle; Dave Nonnemacher, Retail GRC Product Specialist, Oracle

Upload: hoangtu

Post on 28-Mar-2018


TRANSCRIPT

Page 1: Governance, Risk, and ComplianceGovernance, Risk, and ...secure.lenos.com/lenos/emp/OracleCrossTalkpmpd2007/Governance R… · Governance, Risk, and ComplianceGovernance, Risk, and

Governance, Risk, and Compliance
Not Just for SOX Anymore

Bo Weingaertner, Retail GRC Product Specialist, Oracle
Dave Nonnemacher, Retail GRC Product Specialist, Oracle

Page 2:

The Big Picture

Objectives: strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization.

Business Model: strategy, people, process, technology and infrastructure in place to drive toward objectives.

© OCEG

Page 3:

The Big Picture (continued)

Obstacles: obstacles impede progress toward achieving objectives.

© OCEG

Page 4:

The Big Picture (continued)

Voluntary Boundary: boundary defined by management, including public commitments, organizational values, contractual obligations, and other voluntary policies.

Mandated Boundary: boundary established by external forces, including laws, government regulation and other mandates.

© OCEG

Page 5:

GRC is the “New Normal”
Requirements increase in number and complexity

Mandates: SOX, CSOX, PCI, SB 1386, EU Directives, HIPAA, COOL, Patriot Act, Sourcing Mandates, …
People: Legal, Finance, HR, Sales, Suppliers, Customers, Buyers, Marketing, Regions
Technology: Apps Server, Data Warehouse, Database, Mobile Devices, Enterprise Applications, Master Data Mgmt

Page 6:

GRC is the “New Normal” (continued)
Requirements increase in number and complexity

GRC Programs: Financial Reporting Compliance; Compliance & Ethics Programs

Page 7:

GRC is the “New Normal” (continued)

GRC Programs adds: Data Privacy; Records Retention; Legal Discovery; IT Governance & Security

Page 8:

GRC is the “New Normal” (continued)

GRC Programs adds: Supplier Management; Supply Chain Traceability

Page 9:

Information Risk Continues Unabated
Information security becomes part of overarching GRC strategy

Page 10:

Good GRC is Good Business

Share-price performance of companies complying with SOX rules (Source: Lord & Benoit, 2006):
• No control weaknesses: 28%
• Control weakness in 2004, but none in 2005: 26%
• Reported control weaknesses in 2004-05: 6%

Price of a control deficiency for a $1 billion company (Source: University of Wisconsin, 2006): $10 million in higher cost of equity capital.

Savings on legal liability avoidance from GRC investment (Source: General Counsel Roundtable, 2006): $1 of spending on compliance yields $5 of savings on lower legal liability.

Opportunity cost of siloed GRC: the cost of GRCM plotted against the number of GRC projects rises steeply under an ad hoc approach and flattens under a platform approach; the gap between the two curves is labelled resources for innovation.

Page 11:

Oracle Governance, Risk, and Compliance
Comprehensive Applications Control Costs and Risks

Only Oracle delivers a comprehensive applications platform for Governance, Risk, and Compliance Management:

Processes: Risk & Compliance Mgmt, Controls Management, Policy Mgmt, Industry Specific
Insight: Risk & Control Intelligence, Operational Intelligence
Infrastructure Services: Data Security, Identity Mgmt, Content Mgmt, Change Mgmt, Data Audit, Performance Management, Repository
Applications: Oracle, SAP, Custom, Legacy, Other

Page 12:

Oracle Governance, Risk, and Compliance
Comprehensive Applications Control Costs and Risks

(Same platform diagram as page 11: Processes, Insight, Infrastructure Services, Applications.)

• Standardize on best-practice frameworks to meet evolving GRC demands
• Automate key GRC processes for risk assessment, control design, policy creation, hotline intake, control monitoring and case management
• Streamline specialized GRC processes for highly-regulated and risk-sensitive industries

Page 13:

A World of Paper and Manual Hand Offs
Current state of risk and compliance management

A Fragmented Approach: Auditors, Business Process Owners, Executives and Testers, with a question mark at every hand-off between them.

Page 14:

Content Management is the Cornerstone
Single system of record for compliance information

Central Repository: Single Source of Information; All Content Types; Chain of Custody; Date Effective; Secure Enterprise Search

• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel

Page 15:

Manage Policies and Procedures
Align policies to best-practice frameworks

Master Libraries of Policies & Controls; Embedded Frameworks (COSO, COBIT, ITIL)

• Frameworks align corporate policies and associated controls to standards
• Link shared policies and controls in master libraries for easy maintenance

Page 16:

Manage IT GRC Processes and Content
Reduce Cost and Control Risk with Oracle GRC Manager

Process cycle:
• Document: Risk-Control Matrix; COSO/COBIT Frameworks; Policies and Procedures; Evidence & Records Retention
• Assess: Perform Self Assessment; Test Manual Controls; Scope Audits; Monitor Automated Controls
• Analyze: Receive Alerts; Review Reports; Investigate Exceptions
• Respond: Remediate; Retest; Optimize
• Certify: Sign-off and Publish

• End-to-End IT Governance Process Management
• Centralized IT Governance Content Management

Page 17:

Alliance Resource Partners Customer Success Profile

COMPANY OVERVIEW
• Leading coal production and marketing company in North America
• Headquartered in Tulsa, Oklahoma
• ARPL manages Alliance Coal of Lexington, Kentucky
• $931 million revenue in 2006
• 2,300 employees

CUSTOMER PERSPECTIVE
“Some of the products we seriously looked at in 2004 no longer existed in 2005. We were looking for a company committed for the long-term, committed to the product and enhancing the feature set.” - Guy Mayberry, Manager of Financial Applications

CHALLENGES/OPPORTUNITIES
• Streamline burdensome, ad hoc financial compliance management processes
• Automate processes based on the COSO standard for internal controls
• Reduce compliance costs by pushing accountability down to business process owners
• Manage and archive unstructured data, with the ability to track version history
• Leverage the solution for Sarbanes-Oxley and all internal audit needs

RESULTS
• Reduced reliance on manual spreadsheets, with a compliance process turnaround time reduction of 28%
• Licence and implementation costs were recovered within the first year
• Sustainable, web-based certification and attestation
• Granular Segregation of Duties tracking and reporting
• Identification and management of all in-scope structured and unstructured data
• Leveraged for a range of operational and environmental compliance management and reporting requirements

GRCM SOLUTIONS
Oracle GRC Manager

Page 18:

Segregation of Duties for Applications
Detect access violations

Flow: Pre-delivered content (Library of SOD Constraints) -> Employee -> Check for Violations -> Violation Detection (!!) -> Due Diligence -> Corrective Measures -> Violation Cleared / Authorized Access -> Process Evidence (Evidence of Due Diligence; Cleared Access)

• User access deviations detected across instances
• Continuous monitoring through reporting

Page 19:

Role-Based Access to Applications
Prevent access violations

Flow: SOD Policy -> Set Up of User Profile -> Employee Assignment of Roles -> Violation Prevention (!!) -> Denied Grant of Role; Certification of Who Has Access to What

• Integrated framework for user provisioning
• Set up of user profiles with library of constraints
• Segregation of duties prevention and certification across heterogeneous systems
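The detective scan on the previous slide and the preventive grant-time check on this one are the same computation run at two points in time. The following is an added example in Python, not Oracle's code or the GRC Manager's constraint format: the constraint library, the role-to-privilege map, the users and the register of cleared violations are all constructed sample data. A conflict is reported whether the two privileges arrive through two roles or are bundled inside a single "toxic" role, and a violation that has been reviewed and accepted with a mitigating control is carried as CLEARED with its evidence rather than silently dropped.

```python
"""Segregation-of-duties (SoD) checks: a detective scan of users' existing
access and a preventive check at role-grant time. Added example, not Oracle's
code; constraint library, roles, users and the cleared register are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Constraint = Tuple[str, str]

# Constraint library: two privileges one person must never hold together.
SOD_CONSTRAINTS: List[Constraint] = [
    ("CREATE_VENDOR", "APPROVE_PAYMENT"),   # set up a supplier and pay it
    ("ENTER_JOURNAL", "POST_JOURNAL"),      # author and post the same entry
    ("CREATE_USER", "ASSIGN_ROLE"),         # grant yourself new access
]

# Roles resolve to privileges; users hold roles (constructed sample data).
ROLE_PRIVS: Dict[str, Set[str]] = {
    "AP_CLERK":      {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER":    {"APPROVE_PAYMENT"},
    "GL_ACCOUNTANT": {"ENTER_JOURNAL"},
    "GL_CONTROLLER": {"POST_JOURNAL"},
    "IT_ADMIN":      {"CREATE_USER", "ASSIGN_ROLE"},   # toxic on its own
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},   # conflict across two roles
    "bob":   {"GL_ACCOUNTANT"},            # clean
    "carol": {"IT_ADMIN"},                 # conflict inside a single role
}
# Violations reviewed and accepted with a mitigating control (the slide's
# "evidence of due diligence"); keyed by (user, constraint). Constructed.
CLEARED: Dict[Tuple[str, Constraint], str] = {
    ("carol", ("CREATE_USER", "ASSIGN_ROLE")): "weekly manager review of role grants",
}


@dataclass(frozen=True)
class Violation:
    user: str
    constraint: Constraint
    via_roles: Tuple[str, str]   # one role supplying each side of the conflict
    status: str                  # "OPEN" or "CLEARED"
    evidence: str = ""


def detect_violations(user_roles: Dict[str, Set[str]],
                      cleared: Dict[Tuple[str, Constraint], str] = CLEARED) -> List[Violation]:
    """Detective control: scan every user's effective privileges."""
    found: List[Violation] = []
    for user, roles in sorted(user_roles.items()):
        for a, b in SOD_CONSTRAINTS:
            roles_a = sorted(r for r in roles if a in ROLE_PRIVS.get(r, set()))
            roles_b = sorted(r for r in roles if b in ROLE_PRIVS.get(r, set()))
            if roles_a and roles_b:
                evidence = cleared.get((user, (a, b)), "")
                found.append(Violation(user, (a, b), (roles_a[0], roles_b[0]),
                                       "CLEARED" if evidence else "OPEN", evidence))
    return found


def can_grant(user_roles: Dict[str, Set[str]], user: str,
              new_role: str) -> Tuple[bool, List[Constraint]]:
    """Preventive control: simulate the grant; deny it if any OPEN conflict would result."""
    proposed = {user: set(user_roles.get(user, set())) | {new_role}}
    conflicts = [v.constraint for v in detect_violations(proposed) if v.status == "OPEN"]
    return (not conflicts, conflicts)


if __name__ == "__main__":
    for v in detect_violations(USER_ROLES):
        print(v)
    print(can_grant(USER_ROLES, "bob", "GL_CONTROLLER"))   # denied: would author and post journals
    print(can_grant(USER_ROLES, "bob", "AP_MANAGER"))      # allowed
```

The preventive check reuses the detective function on a one-user hypothetical, which keeps the two controls from drifting apart when the constraint library changes; in a provisioning workflow the denied grant and its conflict list are what the approver sees.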

Page 20:

Enforce Proper Configurations
Apply Key IT Controls with Oracle Configuration Management

Cycle: Gather, Model, Reconcile, Enforce, Audit

• Centrally collect and manage all system configuration information
• Apply database and schema definitions to create baselines
• Evaluate configurations and maintain set-up standards according to policies
• Deploy certified configurations, patches, and images across systems

Page 21:

What Customers Are Saying

“Oracle provides us with a robust content and records management environment that addresses our compliance needs, integrates into our existing business processes, and is easy for our people to use.”
-- Loren Dugan, IT Director, POWER Engineers

“By using the application controls monitoring capabilities within Oracle, ViaSat can effectively and efficiently look across the organization at critical setups to ensure that the automated controls we rely on aren’t being compromised by various access or change parameters. From a monitoring aspect, it’s a huge efficiency going forward.”
-- Ron Wangerin, CFO, ViaSat

“Oracle Governance, Risk, and Compliance Manager enables us to distribute Sarbanes-Oxley activities to employees across Unum, helping us become more efficient which in turn allows us to recognize a compliance return on investment.”
-- Danny Waxenberg, Unum, AVP for Internal Controls

Page 22:

Oracle Governance, Risk, and Compliance
Integrated Business Insight Ensures Accountability

(Same platform diagram as page 11: Processes, Insight, Infrastructure Services, Applications.)

• Improve governance with timely compliance, risk, and performance management info
• Provide evidence of IT and business process control with auditor-ready reporting
• Optimize business performance through risk-aware strategic planning

Page 23:

Enterprise Visibility to GRC
Secured and targeted delivery of role-based dashboards

Oracle GRC Manager alert e-mail: “This is to notify you of AML and SOX alerts. The Executive Dashboard is awaiting your review. Please use the following link to access your reports: Go To “Executive Dashboard””

Summarized view of key information highlighting potential trouble areas

Page 24:

Getting to the Root of the Issue
Drill down from dashboard to detailed transaction

Page 25:

Anticipate Auditor Requirements with Evidence of Enforcement

IT Audit
• Prevent unauthorized system configuration changes with diagnostics
• Identify top audit alerts by application, system, and audit event
• Provide evidence of best-practice periodic attestation

Financial Audit
• Deliver auditor-ready reports for process certification and remediation analysis
• Identify trends in control performance with snapshot comparisons
• Review complete audit trail for any changes to control elements

Page 26:

Oracle Governance, Risk, and Compliance
Best-in-Class Infrastructure Automates Enforcement

(Same platform diagram as page 11: Processes, Insight, Infrastructure Services, Applications.)

• Ensure information reliability with content security, records retention, and identity management
• Protect information assets across the entire technology stack
• Enforce best-practice segregation of duties, configuration and change management procedures

Page 27:

Oracle Information Protection & Privacy

Applications: E-Business Suite, PeopleSoft, Siebel, SAP, Custom, Legacy
Identity Management: Web Services Manager, Identity Federation, E-SSO Suite, Identity Manager, Directory Services, Access Manager
Data Security: Audit Vault, Database Vault, Advanced Security Option, Label Security, Information Rights Management

Page 28:

Control User Access and Authorization
Enforce Segregation of Duties

Access channels: External (Partners, SOA Apps, Customers); Internal (Employees, IT Staff, SOA Apps)
Identity services: Access Management; Identity Administration and Provisioning; Auditing, Monitoring and Reporting; Directory Services
Systems & Repositories: NOS/Directories; OS (Unix); Applications (ERP, CRM, HR, SCM, Mainframe)

• Restrict access to applications based on business policy
• Certify who had access to what via automated attestation
• Automate compliance auditing with out-of-the-box reports

Page 29:

What Our Customers are Achieving

-- Reduced risk analysis reporting time by 75%
-- Achieved a 20% improvement in data quality and greater visibility and forecast accuracy
-- Oracle Access Manager and Identity Federation saves $30 a month per employee on password administration, for a total savings of US $1.2 million per month
-- Gained visibility, control, and ability to enforce compliance while saving US $700,000 per year on reduced password resets with Oracle Access Manager

Page 30:

Secure Privileged User Access
Oracle Database Vault

Critical data: HR Realm (National ID/SSN 782-03-0275, Salary); FIN Realm (Customer Records)
Super user access controls: the HR DBA and the FIN DBA are each confined to their own realm; access factors include Time of Day (e.g. 3pm Monday) and DBA IP Address

• Realms and command rules enable customers to easily restrict access to application data from the DBA and other powerful users
• Multi-factor authorization significantly increases security
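The point of the slide is that a system privilege such as SELECT ANY TABLE, which normally reaches every schema, stops at a realm boundary unless the caller is a realm authorization and the realm's rule set of factors passes. The following is an added example in Python that models that decision; it is not Oracle's code or the Database Vault API, and the realms, users, privileges, the 10.0.5.0/24 admin subnet, the change-ticket register and the "3pm Monday" timestamp are all constructed. It also shows a command rule, which gates a command (here DROP in the HR schema) for everyone regardless of privilege.

```python
"""Realm- and factor-based authorization in the style of the Database Vault
slide: a DBA's system privileges do not reach realm-protected data unless the
DBA is authorized for the realm AND the realm's rule set (time of day, client
IP) passes; command rules gate DDL separately. Added example, not Oracle's code
or API; realms, users, privileges, subnets and tickets are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    command: str            # SELECT, UPDATE, DROP ...
    obj: str                # "SCHEMA.TABLE"
    client_ip: str
    when: datetime
    change_ticket: str = ""


Rule = Callable[[Request], bool]


@dataclass
class Realm:
    name: str
    schemas: Set[str]       # every object in these schemas is protected
    authorized: Set[str]    # realm owners/participants
    rules: List[Rule] = field(default_factory=list)   # all must pass


# Factors (constructed): weekday business hours, an admin jump-host subnet,
# and an approved change ticket for destructive commands.
def business_hours(req: Request) -> bool:
    return req.when.weekday() < 5 and 8 <= req.when.hour < 18


def from_subnet(cidr: str) -> Rule:
    net = ip_network(cidr)
    return lambda req: ip_address(req.client_ip) in net


APPROVED_TICKETS = {"CHG-1042"}


def has_approved_ticket(req: Request) -> bool:
    return req.change_ticket in APPROVED_TICKETS


ADMIN_RULES: List[Rule] = [business_hours, from_subnet("10.0.5.0/24")]
REALMS = [
    Realm("HR Realm", {"HR"}, {"HR_DBA"}, ADMIN_RULES),
    Realm("FIN Realm", {"FIN"}, {"FIN_DBA"}, ADMIN_RULES),
]
# Command rules: (command, schema, rule set), applied to everyone.
COMMAND_RULES: List[Tuple[str, str, List[Rule]]] = [("DROP", "HR", [has_approved_ticket])]

# System privileges reach every schema; object grants are per object.
SYSTEM_PRIVS: Dict[str, Set[str]] = {
    "HR_DBA":  {"SELECT ANY TABLE", "DROP ANY TABLE"},
    "SYS_DBA": {"SELECT ANY TABLE", "DROP ANY TABLE"},
}
OBJECT_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "HR_APP": {"HR.EMPLOYEES": {"SELECT", "UPDATE"}},
}


def authorize(req: Request) -> Tuple[bool, str]:
    schema = req.obj.split(".", 1)[0]
    object_grant = req.command in OBJECT_GRANTS.get(req.user, {}).get(req.obj, set())
    system_priv = f"{req.command} ANY TABLE" in SYSTEM_PRIVS.get(req.user, set())
    if not (object_grant or system_priv):
        return False, "no privilege"
    # Realm check: a direct object grant is honoured; a system privilege is
    # blocked unless the user is realm-authorized and every factor passes.
    for realm in REALMS:
        if schema in realm.schemas and not object_grant:
            if req.user not in realm.authorized:
                return False, f"{realm.name}: system privilege blocked"
            if not all(rule(req) for rule in realm.rules):
                return False, f"{realm.name}: rule set failed"
    # Command rules apply regardless of who holds the privilege.
    for command, cmd_schema, rules in COMMAND_RULES:
        if req.command == command and schema == cmd_schema and not all(r(req) for r in rules):
            return False, f"command rule failed: {command} on {cmd_schema}"
    return True, "allowed"


MONDAY_3PM = datetime(2007, 10, 1, 15, 0)    # the slide's "3pm Monday"
MONDAY_11PM = datetime(2007, 10, 1, 23, 0)

if __name__ == "__main__":
    print(authorize(Request("HR_DBA", "SELECT", "HR.EMPLOYEES", "10.0.5.7", MONDAY_3PM)))
    print(authorize(Request("SYS_DBA", "SELECT", "HR.EMPLOYEES", "10.0.5.7", MONDAY_3PM)))
    print(authorize(Request("HR_DBA", "DROP", "HR.EMPLOYEES", "10.0.5.7", MONDAY_3PM)))
```

Two things worth noticing: SYS_DBA holds the same system privileges as HR_DBA but is not an HR Realm authorization, so it is refused even from the admin subnet in business hours; and the application account with a direct object grant is unaffected by the realm's factors, which is what lets the realm protect data from administrators without breaking the application.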

Page 31:

Enforce Data Privacy
Oracle Advanced Security Option

• Oracle Transparent Data Encryption: easily encrypt sensitive data by column; requires no changes to applications
• Network Encryption: protect sensitive data as it travels across the network; leverage industry-leading encryption algorithms
• Data Integrity: safeguard data from unauthorized modification
• Strong authentication: two-factor authentication, password PLUS key/dongle/smart card (4 standards)

Page 32:

Access Control for Distributed Content
Oracle Information Rights Management

• Patented “distributed” rights management between centralized server and desktop
• Centralized revocation of rights and up-to-date audit trail
• Transparent mobile access to “sealed” information
• Classification-based rights management
• Enterprise-scalable

Page 33:

System Audit Consolidation & Reporting
Oracle Audit Vault

• Lock down audit data in an audit warehouse
• Leverage protected schema to prevent tampering with audit data
• Centralize audit policy management
• Monitor, report, and alert on all audit activity
• Detect suspicious activity and auto-escalate increased auditing
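Two of these bullets describe mechanisms rather than features: audit data that an administrator of the audited system cannot silently edit, and detection that raises the audit level when something suspicious shows up. The following is an added example in Python, not Oracle's code or Audit Vault's storage format: it chains each record to its predecessor with an HMAC keyed by a secret the audited system does not hold, so an edit, deletion or reordering is caught on verification, and it escalates a source's audit level after a run of failed actions by one user. The key, the event stream and the threshold are constructed.

```python
"""Tamper-evident audit warehouse with alerting and auto-escalation, in the
spirit of the Audit Vault slide. Added example, not Oracle's code: each record
carries an HMAC over its content and the previous record's MAC, so editing,
deleting or reordering a record breaks verification; a run of failed actions
by one user raises that source's audit level. Key and events are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

AUDIT_KEY = b"constructed-demo-key"   # held by the vault, never by the audited system
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    source: str     # audited system, e.g. "FINDB"
    user: str
    action: str
    status: str     # "OK" or "FAIL"
    prev_mac: str
    mac: str


def _mac(seq: int, source: str, user: str, action: str, status: str, prev_mac: str) -> str:
    body = json.dumps([seq, source, user, action, status, prev_mac], separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


class AuditVault:
    def __init__(self, fail_threshold: int = 3):
        self.records: List[AuditRecord] = []
        self.audit_level: Dict[str, str] = {}    # source -> "standard" | "elevated"
        self.alerts: List[str] = []
        self.fail_threshold = fail_threshold

    def append(self, source: str, user: str, action: str, status: str) -> AuditRecord:
        prev = self.records[-1].mac if self.records else GENESIS
        seq = len(self.records)
        rec = AuditRecord(seq, source, user, action, status, prev,
                          _mac(seq, source, user, action, status, prev))
        self.records.append(rec)
        self._detect(rec)
        return rec

    def _detect(self, rec: AuditRecord) -> None:
        """Suspicious activity: N consecutive failures by one user on one source."""
        own = [r for r in self.records if r.source == rec.source and r.user == rec.user]
        recent = own[-self.fail_threshold:]
        if (len(recent) == self.fail_threshold and all(r.status == "FAIL" for r in recent)
                and self.audit_level.get(rec.source, "standard") != "elevated"):
            self.audit_level[rec.source] = "elevated"
            self.alerts.append(f"{rec.source}: {self.fail_threshold} consecutive failures "
                               f"by {rec.user}; auditing escalated")

    def verify(self) -> Optional[int]:
        """Return the seq of the first record that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            expected = _mac(r.seq, r.source, r.user, r.action, r.status, r.prev_mac)
            if r.seq != i or r.prev_mac != prev or not hmac.compare_digest(r.mac, expected):
                return i
            prev = r.mac
        return None


def build_demo() -> AuditVault:
    """Constructed event stream: scott probes FIN.PAYMENTS and fails three times."""
    v = AuditVault()
    for ev in [("FINDB", "app_user", "SELECT FIN.GL_BALANCES", "OK"),
               ("FINDB", "scott", "SELECT FIN.PAYMENTS", "FAIL"),
               ("HRDB", "hr_app", "UPDATE HR.EMPLOYEES", "OK"),
               ("FINDB", "scott", "SELECT FIN.PAYMENTS", "FAIL"),
               ("FINDB", "scott", "ALTER USER scott", "FAIL"),
               ("FINDB", "scott", "SELECT FIN.PAYMENTS", "OK")]:
        v.append(*ev)
    return v


def tamper(v: AuditVault, seq: int, **changes) -> None:
    """Simulate an attacker editing a stored record in place (demonstration only)."""
    v.records[seq] = replace(v.records[seq], **changes)


if __name__ == "__main__":
    v = build_demo()
    print(v.alerts, v.audit_level, v.verify())   # escalated on FINDB, chain intact
    tamper(v, 3, status="OK")                    # hide one of scott's failures
    print(v.verify())                            # 3: the edited record no longer verifies
```

Keeping the MAC key on the vault side is what gives the "protected schema" its teeth: a DBA of the audited database can rewrite the rows it forwards, but cannot produce a valid MAC for the altered record, and the verifier names the first sequence number at which the chain stops agreeing.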

Page 34:

Maintain Control Over Changes
Implement Policy-Based Changes with Oracle Change Management

• Evaluate, plan for and implement changes for new applications
• Compare baselines with current database settings, databases with databases, and schema with schema
• Synchronize databases and propagate consistent changes across application systems
• Make policy-based changes with embedded Information Technology Infrastructure Library (ITIL) standards
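The comparison this slide describes, and the gather/baseline/evaluate/enforce loop of the Configuration Management slide (page 20), come down to one reconciliation step: diff a gathered configuration against a certified baseline, evaluate the current values against set-up standards, and emit the change set that restores the baseline. The following is an added example in Python and is not Oracle's code or Enterprise Manager's comparison format; the parameter names resemble Oracle initialisation parameters, but every value, policy predicate and schema definition is constructed. The same function is run over a parameter map and over a column-definition map to show the "schema with schema" case.

```python
"""Baseline comparison and policy evaluation for system configuration: gather
settings, compare with a certified baseline, flag drift and policy breaches,
and produce the change set that restores the baseline. Added example, not
Oracle's code; parameter names resemble Oracle init parameters but every
value, policy and schema definition is constructed."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    key: str
    baseline: Any
    current: Any
    kind: str        # "drift" | "missing" | "unexpected" | "policy"
    note: str


# Set-up standards (constructed): predicates on the current value of a setting.
POLICY: Dict[str, Callable[[Any], bool]] = {
    "audit_trail": lambda v: v in ("DB", "DB,EXTENDED", "XML,EXTENDED"),
    "remote_os_authent": lambda v: v == "FALSE",
    "o7_dictionary_accessibility": lambda v: v == "FALSE",
    "sec_max_failed_login_attempts": lambda v: isinstance(v, int) and v <= 10,
}


def compare(baseline: Dict[str, Any], current: Dict[str, Any],
            policy: Dict[str, Callable[[Any], bool]] = POLICY) -> List[Finding]:
    """Reconcile a gathered configuration against its baseline and the policy."""
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            findings.append(Finding(key, baseline[key], None, "missing", "in baseline, absent on system"))
        elif key not in baseline:
            findings.append(Finding(key, None, current[key], "unexpected", "set on system, not in baseline"))
        elif baseline[key] != current[key]:
            findings.append(Finding(key, baseline[key], current[key], "drift", "differs from baseline"))
    for key, ok in sorted(policy.items()):
        if key in current and not ok(current[key]):
            findings.append(Finding(key, baseline.get(key), current[key], "policy", "violates set-up standard"))
    return findings


def remediation(findings: List[Finding], baseline: Dict[str, Any]) -> Dict[str, Any]:
    """Settings to push so the system matches the baseline again (drift and missing)."""
    return {f.key: baseline[f.key] for f in findings if f.kind in ("drift", "missing")}


# Constructed sample: database parameters ...
PARAM_BASELINE = {
    "audit_trail": "DB,EXTENDED",
    "remote_os_authent": "FALSE",
    "o7_dictionary_accessibility": "FALSE",
    "sec_max_failed_login_attempts": 10,
    "sql92_security": "TRUE",
}
PARAM_CURRENT = {
    "audit_trail": "NONE",                 # drift, and a policy breach
    "remote_os_authent": "FALSE",
    "o7_dictionary_accessibility": "FALSE",
    "sec_max_failed_login_attempts": 10,
    "utl_file_dir": "/tmp",                # not in baseline
}                                          # sql92_security is missing

# ... and the same comparison over schema definitions (column -> declared type).
SCHEMA_BASELINE = {"FIN.PAYMENTS.AMOUNT": "NUMBER(12,2) NOT NULL",
                   "FIN.PAYMENTS.CARD_PAN": "VARCHAR2(19) ENCRYPT"}
SCHEMA_CURRENT = {"FIN.PAYMENTS.AMOUNT": "NUMBER(12,2) NOT NULL",
                  "FIN.PAYMENTS.CARD_PAN": "VARCHAR2(19)"}   # encryption dropped

if __name__ == "__main__":
    findings = compare(PARAM_BASELINE, PARAM_CURRENT)
    for f in findings:
        print(f)
    print(remediation(findings, PARAM_BASELINE))
    print(compare(SCHEMA_BASELINE, SCHEMA_CURRENT, policy={}))
```

Drift and policy are reported separately on purpose: a setting can drift to a value that is still compliant (which needs a change record but no urgency), and a baseline can itself encode a non-compliant value, which only the policy pass catches.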

Page 35:

Oracle Technologies for PCI

PCI requirement: Oracle technologies
• Build and Maintain a Secure Network: Oracle Audit Vault, Oracle Database Vault, Enterprise Manager, Oracle Advanced Security Option, Oracle Database Configuration Assistant
• Protect Cardholder Data: Oracle Transparent Data Encryption, Oracle Secure Backup, Oracle Virtual Private Database, Oracle Advanced Security Option, Oracle Application Server, Oracle Retail Applications
• Maintain a Vulnerability Management Program: Enterprise Manager, Change Management Pack, Oracle Application Control Manager
• Implement Strong Access Control Measures: Oracle Access Manager, Oracle Identity Manager, Oracle Identity Federation, Oracle Database Vault, Oracle Label Security, Oracle Virtual Directory, Enterprise User Security, Enterprise Manager, Oracle Advanced Security Option, Proxy Authentication, Client Identifiers
• Regularly Monitor and Test Networks: Oracle Internal Controls Manager, Oracle Identity Manager, Oracle Access Manager, Oracle Audit Vault, Oracle database fine-grained auditing
• Maintain an Information Security Policy: Oracle Enterprise Manager; enforcement through comprehensive Oracle security solutions

Page 36:

Oracle Governance, Risk, and Compliance

Simplify GRC and Reduce Costs

Safeguard Brand and Reputation

Run Your Business Better and Prove It

Page 37:

Page 38: