450 likes | 601 Views
Governance, Risk, and Compliance Controls In-depth. Presenter Name Presenter Title. Safe Harbor Statement.
E N D
Governance, Risk, and Compliance Controls In-depth Presenter Name Presenter Title
Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda • Business Challenges • Oracle’s Leadership in GRC • Solution Overview • Customer Success • Recommended Next Steps
2008 ITRiskMgmt. GRC Prioritization & Evolution 2007 SOX Security & PrivacyRules Operational& GeneralRisk Mgmt. Document& RecordRetention FDA “GreenCompliance” SEC Source: AMR Research - Market Demand for GRC 2007–2008
OAUG Community Agrees Survey question: Which of the following areas do you consider a top priority for improving controls to meet GRC objectives? Segregation of duties Securing sensitive information/data privacy Data change management Application configuration management Managing super-user access Transaction monitoring Managing departmental/functional access Managing temporary access Don’t know/unsure Other Source: IT’s Role in Governance, Risk, and Compliance, February 2007
EmbeddedControls should be applied in a way that is seamless and non-obtrusive to users ContextualControls should differentiate between legitimate business transactions versus fraudulent activities PreventiveControls should automatically prevent out-of-policy actions from occurring Controls by the Business for the Business “Some 68 percent of staff admit to bypassing their employer’s information security controls in order to do their jobs.” Financial Times, May 2008
Integrated Controls Solution 360º Visibility • Single source of GRC Information • Pre-built dashboards • Respond to KRI and issues GRC Reporting & Analytics KRI & Alerts Dashboards Reporting GRC Process Management Centralized GRC Oversight • Common Repository for GRC • Audit and Assessment of Controls • Integrated remediation management Management Assessment Event & Loss Mgmt Issue & Remediation Audit GRC Application Controls Embedded Controls • Detective, Preventive, Contextual • Automated controls testing • Pre-built controls library Transaction Monitoring SOD & Access Application Configuration GRC Infrastructure Controls System Security • Integrated identity and GRC controls management • Protect sensitive data • Records management Data Security Change Mgmt Identity Mgmt Digital Rights Records Mgmt Custom or Legacy Applications
Monitor Control Effectiveness DetectiveControls What’s changed in the process What are the execution patterns What users have done How is the process setup How users execute processes What users can do PreventiveControls Enforce Policies in Context Application Controls ManagementDetect and prevent control failure ACCESS Controls CONFIGURATION Controls TRANSACTION Controls
Access Controls Provide fine grained access control and segregation of duties Know who has access to do what and ensure that someone isn’t given inappropriate privileges Prevention Detection Define Access Controls Access Analysis Remediation (Clean-up) Preventive Provisioning Compensating Policies Remediation and analysis via pre-packaged reports & what-if simulation Execute access analysis engine that understands application’s detailed access architecture Handle exceptions with compensating process & transaction analysis policies Real-time enforcement of SOD controls during user provisioning Define SOD conflict & business rules and policies
Segregation of Duties for Applications EVIDENCE POLICY PROCESS Violation Cleared Authorized Access Policy Validation User Access Rights Evidence of Due Diligence ! Library of Access Policies Violation Detected Corrective Measures • Integrated best practice policy library provides reference and controls for proper enforcement of standards • Automated controls are embedded into to the processes • Audit trail for each transaction is recorded as evidence of compliance
Best Practice Policy Library Best practice policy libraries deliver content from years of hands-on customer implementations. The library provides significant policies out-of-box to expedite implementation. • Standard Policies for EBS and PeopleSoft are available out-of-the box • Policies for other enterprise application e.g. SAP, JDE are custom built • Adaptive structure and organization • Organized by business process, objective and class • Easily imported / exported via Excel / XML • Multiple policy types • COSO Risk and Controls Framework • Automated policies / controls by key process flow • Metadata • Cross platform policies • Evolved from real-life implementations • Over 60% directly from Customer implementations
Cross-Platform Support forintegrated applications SAP, JDEdwards orCustom ApplicationUser EBS User PeopleSoft User Application Access Controls Governor Custom or Legacy Applications Manage user access between multiple application platforms Multi-Platform and Cross-Platform Support Multi-Platform Support forstand-alone applications Manage user access within multiple application platforms concurrently SAP, JDE orCustom ApplicationUser EBS User PeopleSoft User Application Access Controls Governor Custom or Legacy Applications
Oracle E-Business Suite Oracle E-Business Suite Account Provisioning Oracle Identity Manager IDENTITY MANAGEMENT GRC Entitlements Added out-of- bounds ! Enforce SoD Policy Oracle Access Controls Governor Violation Detection and Alert Deprovision Entitlements in Violation Event Analysis Assign Remediation Task Integrated Access Controls ExampleSoD Detection and Remediation Out-of-bounds Entitlements Removed
Account Provisioning Oracle Identity Manager Role Assignment Oracle Role Manager ID Recon Oracle Identity Manager IDENTITY MANAGEMENT GRC Enforce SoD Policy Oracle Access Controls Governor Identity Event HRMS Integrated Access Controls ExampleCompliant Access Provisioning ! Set Up User Profile Determine User Role Validate withSOD Policies ViolationsFound New Hire or Transfer ProvisionApplication Access No Violations • Remediate: • Seek Approval • Apply Mitigating Control • Deny Access
Comprehensive Access Controls Integrated Access Controls SOD Detection; Remediation; Compliant Provisioning Application Access Controls Identity Management Controls Monitoring & Enforcement Best Practice Controls & Policies Privilege Level SoD Contextual Authorization Role-based Account Provisioning Attestation Authentication, Authorization, SSO Federation & WS security Data Security DBA Access Management; Information Rights Management; Data Classification; Encryption at rest & in transit; Secured backup Business Applications Apps, Systems & Data Repositories
IT OPERATION BUSINESS OPERATION • Challenge:Unsatisfied with current state of application data access and security • Solution: Automate SOD/Access lifecycle - detection, analysis, remediation, deployment of preventive control and compensating control to accommodate dynamic business requirements • Challenge:High percentage of IT budget devoted to compliance, and away from innovation • Solution:Preventive controls and audit reports frees up IT resources • Challenge:Audit data and reports difficult to generate – require significant IT and LOB support • Solution:Audit reports are available for every control, by various dimensions, with no dependence on IT support • Challenge:Need to decrease reliance on manual controls • Solution:Automate entire SOD/Access lifecycle - detection, analysis, remediation, deployment of preventive control and compensating control to accommodate dynamic business requirements Access ControlsReview
COMPANY OVERVIEW • Technology leader in communications, electronics, life sciences and chemical analysis • Revenue > $5 Billion • 20,000 employees CUSTOMERPERSPECTIVE “It would have taken more than 6 months of application customization and easily cost a couple of million dollars to create the 200 controls we implemented in only 8 weeks.” Ravi Mahajani, ERP Solution Expert, Agilent • CHALLENGES / OPPORTUNITIES • Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units • World’s largest single Oracle EBS instance • 20,000 Active users • 50,000 Oracle responsibilities • RESULTS • Implemented 200 controls in 8 weeks • Eliminated SOD conflicts to meet SOX compliance requirements on time • Avoided 6-month customization effort, millions of dollars • SOLUTIONS • Oracle GRC Controls • Oracle GRC Manager
Monitor Control Effectiveness DetectiveControls What’s changed in the process What are the execution patterns What users have done How is the process setup How users execute processes What users can do PreventiveControls Enforce Policies in Context Application Controls ManagementDetect and prevent control failure ACCESS Controls CONFIGURATION Controls TRANSACTION Controls
Application Configuration Controls Detect and prevent configuration control failure Ensure that critical setups conform to best practices and follow robust change management procedures Prevention Detection Define Configuration Controls Document or Compare Configurations Monitor Configuration Changes Enforce Change Control Manage Data Integrity Define best practice policies & operating rules Validate that setups and data updates conform to valid values Require conditional approval cycles (e.g., exceed threshold) Record changes to sensitive setup data. Compare before and after values for changes Monitor for setup inconsistencies across multiple instances
Procurement Inventory Accounts Payable Enforce Best-Practice Application Setups Monitoring of changes to price tolerance percentage Monitoring of changes to document numbering Ensure internal requisition source Monitoring of changes to expensing rules Monitoring of discounting rules PurchaseGoods /Services Receive Goods /Services Requisi-tion IssuePayments Invoice PROCURE-TO-PAY EXAMPLE SAP • Monitor key configurations settings across instances • Before and after snapshot of changes to settings • Automatic approval process notify managers as exceptions occur
Employee Update Name John Doe Address 123 Main St Center City, NY 12345 SSN XXX-XX-XXXXX Salary $ 53,000.00 Supervisor Mary Smith OK Cancel Data Privacy and Data Integrity Mask sensitive data, restrict access to actions Embedded preventive controls restrict access to sensitive data and critical actions proactively using native EBS interface and workflow technology Employees can only view the salary field (can’t update) Conceal SSN number if User is NOT from HR dept Disable Invoice Approval for Invoices created by same user
Comprehensive Configuration Controls Integrated Configuration Controls Management Best practices set-up; Change Management; Continuous Monitoring Configuration Controls Enterprise Manager Key setups monitored for changes Change tracking records the “who, what, where, and when” Approval workflows and notifications Detect and record changes to sensitive setup data Best practice control library Lifecycle management Service level management Configuration management Data masking for database System configuration management Dashboards Business Applications Apps, Systems & Data Repositories
IT OPERATION BUSINESS OPERATION • Challenge:Unable to enforce best-practices for configuration and change management • Solution:Field level value changes are managed based on best practice protocol and documented for audit purposes • Challenge:Data privacy and protection of sensitive data requires extensive application customization • Solution:Policy based access to any field data within the application can be easily restricted without any application downtime • Challenge: Critical application setups are changed without proper authorization • Solution:Embedded testing of application controls and proper validation through approval workflow ensures policy adherence and proactive issue identification • Challenge: Ineffective controls for system integrity and security • Solution:Application configuration controls are available on field value changes, action buttons and sensitive data based on company policy and risk appetite Configuration ControlsReview
Federal Aviation Administration • COMPANY OVERVIEW • Revenues > $250B • 52,160 employees • 1 of 4 Federal Centers of Excellence (COE) CUSTOMERPERSPECTIVE “After searching for two years for a solution that would allow us to hide social security numbers from unauthorized users, LogicalApps showed us that they could selectively hide critical fields within minutes.” Michelle Overstreet, Program Manager, FAA • CHALLENGES / OPPORTUNITIES • Mask sensitive data to comply with Privacy Act • Lack of tools to identify & remediate control violations and establish effective monitoring process • Difficulty satisfying management and audit requirements • RESULTS • Eliminated programming time for application customization • Reduced detection and remediation time for control violations • Developed a sustainable model to manage regulatory compliance • SOLUTIONS • GRC Control Suite – Access & Configuration Controls
Monitor Control Effectiveness DetectiveControls What’s changed in the process What are the execution patterns What users have done How is the process setup How users execute processes What users can do PreventiveControls Enforce Policies in Context Application Controls ManagementDetect and prevent control failure ACCESS Controls CONFIGURATION Controls TRANSACTION Controls
Transaction Controls Detect and prevent erroneous and fraudulent transactions Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency Prevention Detection Define Transaction Controls Perform Transaction Analysis Review and AddressSuspects PreventiveTransactionControl Identify transactions violating policy (e.g. un-approved vendor) Initiate review / approval cycle based on automated policies Detect patterns representing aggregate risk (e.g. micro-payments) Approvals based on transaction data thresholds
Transaction Controls Continuous monitoring to identify suspects DECISION-MAKING POLICY MONITORING ControlMonitor ! BusinessProcess Control Violation Detected Case Manager to Investigate & Approve Data Library of Transaction Monitors • Integrated library of transaction monitors provides characterization and procedures for handling suspects • Continuous monitoring identifies suspects • Seamless approval workflow facilitate decision-making
Comprehensive Transaction Monitors Detect patterns of heightened risk in business activity • Test against Material Thresholds • Journal Entry > $ threshold • Employee Checks (individual & sum) > $ threshold • Search for Anomalies • PO terms differ from vendor • Sales orders > acceptable $ range • Sampling of Transactions • 4th quarter invoices • Days sales outstanding balances • Detect Fraudulent Behavior • PO changes after approval • Duplicate suppliers with same address • Embed Contextual / Automated Compensating Controls • Alert on customer transactions over $ threshold • Prevent journals from being entered and posted by same individual
IT OPERATION BUSINESS OPERATION • Challenge:IT is asked repeatedly to create new reports/queries for the business to perform transaction analysis • Solution:Easy to use interface lets business administrators manage threshold values and generate parameterized reports as required • Challenge:IT is asked to design compensating or programmatic controls • Solution:Transaction control library provides readily available audit reports of suspicious activities in the system and distributes them to key personnel for necessary action • Challenge:Continuously monitor controls to prevent error and fraud from happening • Solution:Automated transaction controls will validate application and systems control effectiveness, identify suspect transactions, and route to process owners for visibility before material issues arise • Challenge:Presence of unauthorized user access makes the system vulnerable and warrants additional testing and scrutiny by external auditors • Solution:Automatic transaction validation and testing can compensate for areas where duties cannot be segregated or forensic analysis is warranted Transaction ControlsReview
Approved Preventive TransactionControl Updates > ThresholdRequire Manager Approval Exception Remediation General Mgr (P&L) Controller > $25K Access Control: SOD Yes Exception Reporting Preventive ConfigurationControl DetectiveTransaction Monitor No Unable to modify sensitive account settings Excessive Debt GeneralLedger ! Reportable Event Risk Example: Bad Debt Management Financial Supervisor POST Bad-Debt Approval ENTRY POST POST ENTRY ENTER Bad-Debt Account Financial Clerk ! ! !
GRC Reporting & Analytics KRI & Alerts Dashboards Reporting GRC Process Management Management Assessment Event & Loss Mgmt Issue & Remediation Audit GRC Application Controls Transaction Monitoring SOD & Access Application Configuration GRC Infrastructure Controls Data Security Systems Mgmt Identity Mgmt Digital Rights Records & Content Mgmt Custom or Legacy Applications Oracle Solutions for GRC Purpose-built business solutions for key industries and GRC initiatives Best-in-class GRC core solutions to support all mandates and regulations Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Evaluating Your Organizational GRC state Level of Automation Time & Cost of Audit Frequency of Audit • What percentage of internal controls are manual? • How many applications needs SOD enforcement? • Estimate the total number of application users for those applications • How much time do business groups spend reviewing, analyzing and provisioning application access? • How much time do IT spent supporting application access review, remediation & certification? • How much time do internal audit spend on application access control testing & remediation? • How often are audits performed, monthly / quarterly? • What percentage of internal audit test results are External auditors relying upon for their assessments? • Estimated time to be spent by external audit application access control testing this year? Manual Automated Low High Weekly Annually
Progress in GRC Maturity with Oracle Optimized Proactive Reactive • GRC objectives embedded throughout the organization • Analyze and trend • Automated risk mitigation / Predictive risk assessments Informal • Unified, standardized & strategic approach • Policies are enforced • Automated process • Prevent policy violation • Tactical approach • Risks are documented • Manual risk assessment and reporting • After the fact reporting • Adhoc approach • Compliant but at a high cost to business • Manual control • No best practices Maturity GRC Intelligence GRC Manager GRC Application Controls GRC Infrastructure Controls Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next Time
Q & A
<Insert Picture Here> Appendix (select from the following slides to briefly introduce GRC intelligence and GRC Manager.)
Oracle GRC Reporting & Analytics 360º Visibility • Single source of GRC Information • Pre-built dashboards • Respond to KRI and issues GRC Reporting & Analytics KRI & Alerts Dashboards Reporting GRC Process Management Centralized GRC Oversight • Common Repository for GRC • Audit and Assessment of Controls • Integrated remediation management Management Assessment Event & Loss Mgmt Issue & Remediation Audit GRC Application Controls Embedded Controls • Detective, Preventive, Contextual • Automated controls testing • Pre-built controls library Transaction Monitoring SOD & Access Application Configuration GRC Infrastructure Controls Data Security Change Mgmt Identity Mgmt Digital Rights Records Mgmt System Security • Integrated identity and GRC controls management • Protect sensitive data • Records management Custom or Legacy Applications
Enterprise Visibility to GRC InformationSecured and targeted delivery of role-based dashboards
Getting to the Root of the IssueDrill down from dashboard to detailed transaction
Oracle GRC Process Management 360º Visibility • Single source of GRC Information • Pre-built dashboards • Respond to KRI and issues GRC Reporting & Analytics KRI & Alerts Dashboards Reporting Centralized GRC Oversight • Common Repository for GRC • Audit and Assessment of Controls • Integrated remediation management GRC Process Management Management Assessment Event & Loss Mgmt Issue & Remediation Audit GRC Application Controls Embedded Controls • Detective, Preventive, Contextual • Automated controls testing • Pre-built controls library Transaction Monitoring SOD & Access Application Configuration GRC Infrastructure Controls Data Security Change Mgmt Identity Mgmt Digital Rights Records Mgmt System Security • Integrated identity and GRC controls management • Protect sensitive data • Records management Custom or Legacy Applications
Manage Risk and Compliance ProcessUnify risk and compliance documentation and orchestrate processes Sign-off and Publish Certify • GRC System of Record • End-to-End GRC Process Management • Integrated Control Management • Closed-loop Issue Remediation Remediate Retest Optimize Respond InvestigateExceptions Receive Alerts Review Reports Analyze PerformSelf Assessment TestManualControls MonitorAutomated Controls Scope Audits Assess • Risk-Control Matrix • COSO/COBIT Frameworks • Policies and Procedures • Evidence & Records Retention Document