Slide 1: Governance, Risk, and Compliance Controls In-Depth
Post on 22-Dec-2015
Slide 2: Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Slide 3: Agenda
• Business Challenges
• Oracle’s Leadership in GRC
• Solution Overview
• Customer Success
• Recommended Next Steps
Slide 4: GRC Prioritization & Evolution
Source: AMR Research - Market Demand for GRC 2007–2008
Chart categories (2007 vs. 2008 priority): SOX; Security & Privacy Rules; Operational & General Risk Mgmt.; Document & Record Retention; FDA; “Green Compliance”; SEC; IT Risk Mgmt.
Slide 5: Majority of Controls are in Your IT Systems
Matrix of regulations against the IT systems that hold their controls:
• Regulations (rows): SOX; SEC Rule 17a-4; Gramm-Leach-Bliley; HIPAA; 21 CFR Part 11; Basel II; OMB A-123; CA SB 1386
• IT systems (columns): ERP Applications; Business Intelligence; Policy Management; Data Warehousing; Records Management; Access & Data Security
Reusability of automated controls and audit reports across these regulations.
Slide 6: OAUG Community Agrees
Survey question: Which of the following areas do you consider a top priority for improving controls to meet GRC objectives?
• Segregation of duties
• Securing sensitive information / data privacy
• Data change management
• Application configuration management
• Managing super-user access
• Transaction monitoring
• Managing departmental / functional access
• Managing temporary access
• Don’t know / unsure
• Other
Source: IT’s Role in Governance, Risk, and Compliance, February 2007
Slide 7: Controls by the Business for the Business
• Contextual: controls should differentiate between legitimate business transactions and fraudulent activities
• Embedded: controls should be applied in a way that is seamless and non-obtrusive to users
• Preventive: controls should automatically prevent out-of-policy actions from occurring
“Some 68 percent of staff admit to bypassing their employer’s information security controls in order to do their jobs.”
Financial Times, May 2008
Slide 8: Integrated Controls Solution
Four pillars:
• System Security: integrated identity and GRC controls management; protect sensitive data; records management
• Embedded Controls: detective, preventive, contextual; automated controls testing; pre-built controls library
• Centralized GRC Oversight: common repository for GRC; audit and assessment of controls; integrated remediation management
• 360º Visibility: single source of GRC information; pre-built dashboards; respond to KRIs and issues
Solution map (diagram layers):
• GRC Reporting & Analytics: Reporting, KRI & Alerts, Dashboards
• GRC Process Management: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
• GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration; also Custom or Legacy Applications
• GRC Infrastructure Controls: Change Mgmt, Digital Rights, Data Security, Identity Mgmt, Records Mgmt
Slide 9: Application Controls Management: Detect and prevent control failure
Three control domains, each with a detective side (monitor control effectiveness) and a preventive side (enforce policies in context):
• Access Controls: detective asks what users have done; preventive asks what users can do
• Configuration Controls: detective asks what has changed in the process; preventive asks how the process is set up
• Transaction Controls: detective asks what the execution patterns are; preventive asks how users execute processes
Slide 10: Access Controls: Provide fine-grained access control and segregation of duties
Know who has access to do what and ensure that someone isn’t given inappropriate privileges.
Lifecycle (from detection to prevention):
1. Define Access Controls: define SOD conflicts, business rules and policies
2. Access Analysis: execute an access analysis engine that understands the application’s detailed access architecture
3. Remediation (Clean-up): remediation and analysis via pre-packaged reports and what-if simulation
4. Preventive Provisioning: real-time enforcement of SOD controls during user provisioning
5. Compensating Policies: handle exceptions with compensating process and transaction analysis policies
Slide 11: Segregation of Duties for Applications
Flow (Policy, Process, Evidence):
• Policy: library of access policies; policy validation
• Process: user access rights; violation detected (!!); corrective measures; violation cleared; authorized access
• Evidence: evidence of due diligence
The integrated best-practice policy library provides reference and controls for proper enforcement of standards. Automated controls are embedded into the processes, and an audit trail for each transaction is recorded as evidence of compliance.
Slide 12: Best Practice Policy Library
Best practice policy libraries deliver content from years of hands-on customer implementations. The library provides significant policies out-of-the-box to expedite implementation.
• Standard policies for EBS and PeopleSoft are available out-of-the-box
• Policies for other enterprise applications (e.g. SAP, JDE) are custom built
• Adaptive structure and organization: organized by business process, objective and class
• Easily imported / exported via Excel / XML
• Multiple policy types: COSO Risk and Controls Framework; automated policies / controls by key process flow; metadata; cross-platform policies
• Evolved from real-life implementations: over 60% directly from customer implementations
Slide 13: Multi-Platform and Cross-Platform Support
• Multi-platform support for stand-alone applications: manage user access within multiple application platforms concurrently. Each platform (EBS users, PeopleSoft users, SAP, JD Edwards or custom / legacy application users) is analyzed by Application Access Controls Governor.
• Cross-platform support for integrated applications: manage user access between multiple application platforms. A single Application Access Controls Governor analysis spans EBS, PeopleSoft, SAP, JD Edwards and custom / legacy applications.
Slide 14: Integrated Access Controls Example: SoD Detection and Remediation
Identity Management side: Oracle Identity Manager performs account provisioning into Oracle E-Business Suite.
GRC side: Oracle Application Access Controls Governor enforces SoD policy.
Flow:
1. Entitlements are added out-of-bounds in Oracle E-Business Suite (!!)
2. Event analysis: violation detection and alert
3. Assign remediation task
4. Deprovision the entitlements in violation; out-of-bounds entitlements removed
Slide 15: Integrated Access Controls Example: Compliant Access Provisioning
Identity Management: an identity event (new hire or transfer) in HRMS is reconciled by Oracle Identity Manager; the user profile is set up; the user role is determined (role assignment, Oracle Role Manager); application access is provisioned (account provisioning, Oracle Identity Manager).
GRC: before access is provisioned, the requested access is validated against SOD policies (enforce SoD policy, Oracle Access Controls Governor).
• No violations: provisioning proceeds
• Violations found (!!): remediate by seeking approval, applying a mitigating control, or denying access
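The access-analysis lifecycle of slide 10 and the compliant-provisioning flow of slide 15, as an added worked example written for this page (it is not Oracle's or LogicalApps' code): a small Python SOD engine that resolves responsibilities to the functions they grant, finds violations at function level, runs a what-if on a proposed grant, and returns the provisioning decision. The responsibility names, business functions, policy library, mitigating control and user population are all constructed for the example.

```python
"""Added example (not Oracle's or LogicalApps' code): a minimal segregation-of-
duties engine for the detect / what-if / compliant-provisioning lifecycle.
Responsibilities, functions, policies, mitigations and users are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed access model. A responsibility grants a set of business functions;
# a real analysis engine resolves this from the application's menus, forms and
# permission sets rather than from a hard-coded table.
RESPONSIBILITIES: Dict[str, Set[str]] = {
    "AP_CLERK":         {"ENTER_INVOICE", "ENTER_SUPPLIER"},
    "AP_MANAGER":       {"APPROVE_INVOICE", "ISSUE_PAYMENT"},
    "GL_CLERK":         {"ENTER_JOURNAL"},
    "GL_SUPERVISOR":    {"POST_JOURNAL"},
    "PURCHASING_BUYER": {"CREATE_PO", "APPROVE_PO"},
    "RECEIVING":        {"RECEIVE_GOODS"},
}


@dataclass(frozen=True)
class SodPolicy:
    name: str
    conflict: FrozenSet[str]  # two functions one person must not hold together
    risk: str


# Constructed policy library (the deck's "library of access policies").
POLICIES: List[SodPolicy] = [
    SodPolicy("P2P-01", frozenset({"ENTER_SUPPLIER", "ENTER_INVOICE"}), "fictitious supplier paid via fake invoice"),
    SodPolicy("P2P-02", frozenset({"ENTER_INVOICE", "ISSUE_PAYMENT"}), "self-approved payment"),
    SodPolicy("P2P-03", frozenset({"CREATE_PO", "RECEIVE_GOODS"}), "order and receive own purchase"),
    SodPolicy("GL-01", frozenset({"ENTER_JOURNAL", "POST_JOURNAL"}), "enter and post own journal"),
]

# Constructed compensating controls: a violation of these policies may be accepted
# when the named detective control is in place and documented.
MITIGATED: Dict[str, str] = {"GL-01": "controller reviews every posted journal monthly"}


def effective_functions(responsibilities: Set[str]) -> Set[str]:
    """Flatten responsibilities to the functions the user can actually execute."""
    return set().union(*(RESPONSIBILITIES[r] for r in responsibilities))


def find_violations(responsibilities: Set[str]) -> List[str]:
    """Detective analysis at function level, so a conflict hidden inside one
    responsibility is caught, not only a conflict between two named roles."""
    held = effective_functions(responsibilities)
    return [p.name for p in POLICIES if p.conflict <= held]


def simulate_grant(current: Set[str], new_responsibility: str) -> List[str]:
    """What-if: violations that granting new_responsibility would introduce.
    Pre-existing violations are the clean-up step's job and are not repeated."""
    before = set(find_violations(current))
    return [v for v in find_violations(current | {new_responsibility}) if v not in before]


def provision(current: Set[str], new_responsibility: str) -> dict:
    """Preventive provisioning decision: grant, grant with a documented
    mitigating control, or hold the request for approval / denial."""
    introduced = simulate_grant(current, new_responsibility)
    if not introduced:
        return {"decision": "GRANTED", "violations": []}
    unmitigated = [v for v in introduced if v not in MITIGATED]
    if not unmitigated:
        return {"decision": "GRANTED_WITH_MITIGATION", "violations": introduced,
                "mitigations": {v: MITIGATED[v] for v in introduced}}
    return {"decision": "HOLD_FOR_APPROVAL", "violations": introduced, "unmitigated": unmitigated}


def access_analysis(users: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Run the detective analysis over a user population; violators only."""
    report: Dict[str, List[str]] = {}
    for user, responsibilities in users.items():
        violations = find_violations(responsibilities)
        if violations:
            report[user] = violations
    return report


# Constructed user population for the detective run.
USERS: Dict[str, Set[str]] = {
    "jdoe":   {"GL_CLERK", "GL_SUPERVISOR"},  # enters and posts journals
    "msmith": {"AP_CLERK"},                   # conflict inside a single responsibility
    "rlee":   {"PURCHASING_BUYER"},           # clean
}

if __name__ == "__main__":
    for user, violations in access_analysis(USERS).items():
        print(f"{user}: {violations}")
    print("rlee + RECEIVING:", provision(USERS["rlee"], "RECEIVING"))
    print("msmith + AP_MANAGER:", provision(USERS["msmith"], "AP_MANAGER"))
    print("GL_CLERK + GL_SUPERVISOR:", provision({"GL_CLERK"}, "GL_SUPERVISOR"))
```

Two details matter in practice. msmith's conflict sits inside a single responsibility, so a check that only compares role names would miss it; the engine has to work at the level of what each responsibility actually lets the user do. And the what-if reports only the violations a new grant would introduce, so the provisioning gate does not block every request for a user with a pre-existing conflict; that conflict belongs to the detective clean-up step.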
Slide 16: Comprehensive Access Controls
• Application Access Controls: controls monitoring & enforcement; best practice controls & policies; privilege-level SoD; contextual authorization
• Identity Management: role-based account provisioning; attestation; authentication, authorization, SSO; federation & WS security
• Integrated Access Controls: SOD detection; remediation; compliant provisioning
• Data Security: DBA access management; Information Rights Management; data classification; encryption at rest & in transit; secured backup
• Protected layer: apps, systems & data repositories; business applications
Slide 17: Access Controls Review
IT Operation
• Challenge: High percentage of IT budget devoted to compliance, and away from innovation
  Solution: Preventive controls and audit reports free up IT resources
• Challenge: Audit data and reports are difficult to generate and require significant IT and LOB support
  Solution: Audit reports are available for every control, by various dimensions, with no dependence on IT support
Business Operation
• Challenge: Unsatisfied with current state of application data access and security
  Solution: Automate the SOD/access lifecycle: detection, analysis, remediation, deployment of preventive controls and compensating controls to accommodate dynamic business requirements
• Challenge: Need to decrease reliance on manual controls
  Solution: The same automated SOD/access lifecycle, end to end
Slide 18: Customer Success: Agilent
Company overview
• Technology leader in communications, electronics, life sciences and chemical analysis
• Revenue > $5 Billion
• 20,000 employees
Challenges / opportunities
• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units
• World’s largest single Oracle EBS instance
• 20,000 active users
• 50,000 Oracle responsibilities
Solutions
• Oracle GRC Controls
• Oracle GRC Manager
Results
• Implemented 200 controls in 8 weeks
• Eliminated SOD conflicts to meet SOX compliance requirements on time
• Avoided 6-month customization effort, millions of dollars
Customer perspective: “It would have taken more than 6 months of application customization and easily cost a couple of million dollars to create the 200 controls we implemented in only 8 weeks.”
Ravi Mahajani, ERP Solution Expert, Agilent
Slide 20: Application Configuration Controls: Detect and prevent configuration control failure
Ensure that critical setups conform to best practices and follow robust change management procedures.
Lifecycle (from detection to prevention):
1. Define Configuration Controls: define best-practice policies and operating rules
2. Monitor Configuration Changes: record changes to sensitive setup data; compare before and after values for each change
3. Document or Compare Configurations: monitor for setup inconsistencies across multiple instances
4. Enforce Change Control: require conditional approval cycles (e.g., when a change exceeds a threshold)
5. Manage Data Integrity: validate that setups and data updates conform to valid values
Slide 21: Enforce Best-Practice Application Setups (Procure-to-Pay Example)
Process: Requisition; Purchase Goods / Services; Receive Goods / Services; Invoice; Issue Payments. Modules shown: Procurement, Inventory, Accounts Payable, with SAP as one of the monitored systems.
Monitored setups:
• Ensure internal requisition source
• Monitoring of changes to price tolerance percentage
• Monitoring of changes to document numbering
• Monitoring of changes to expensing rules
• Monitoring of discounting rules
Capabilities: monitor key configuration settings across instances; before-and-after snapshot of changes to settings; automatic approval process notifies managers as exceptions occur.
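The snapshot, diff and conditional-approval loop described on slides 20 and 21, as an added example written for this page (not Oracle's code): setup values are captured before and after a change, every changed key is recorded with who changed it and when, a change is held for approval when it exceeds the threshold for its setting or touches an always-approve setting, and instances are compared for drift. The setting keys such as po.price_tolerance_pct, the thresholds, the instance names and the values are constructed for the example.

```python
"""Added example (not Oracle's code): configuration change monitoring with a
before/after snapshot diff, threshold- or always-approve routing, and a
cross-instance drift check. Setting keys, thresholds, instances and values are
constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, object]  # setup key -> value, captured from one instance


@dataclass(frozen=True)
class ConfigControl:
    key: str
    description: str
    max_delta: Optional[float] = None  # numeric change larger than this needs approval
    always_approve: bool = False       # any change at all needs approval


# Constructed control library for the procure-to-pay setups named on the slide.
CONTROLS: Dict[str, ConfigControl] = {
    "po.price_tolerance_pct": ConfigControl("po.price_tolerance_pct", "PO price tolerance percentage", max_delta=2.0),
    "po.internal_req_source": ConfigControl("po.internal_req_source", "internal requisition source", always_approve=True),
    "inv.doc_numbering":      ConfigControl("inv.doc_numbering", "inventory document numbering", always_approve=True),
    "ap.expense_rule":        ConfigControl("ap.expense_rule", "AP expensing rule", always_approve=True),
    "ap.discount_rule":       ConfigControl("ap.discount_rule", "AP discounting rule", always_approve=True),
}


@dataclass
class Change:
    key: str
    before: object
    after: object
    changed_by: str
    at: str
    needs_approval: bool
    reason: str


def evaluate(ctrl: Optional[ConfigControl], old: object, new: object) -> Tuple[bool, str]:
    """Decide whether one changed value must be held for approval."""
    if ctrl is None:
        return False, "uncontrolled setting; recorded for the audit trail only"
    if ctrl.always_approve:
        return True, f"{ctrl.description}: any change requires approval"
    if ctrl.max_delta is not None:
        try:
            delta = abs(float(new) - float(old))
        except (TypeError, ValueError):
            return True, f"{ctrl.description}: non-numeric change requires approval"
        if delta > ctrl.max_delta:
            return True, f"{ctrl.description}: change of {delta:g} exceeds threshold {ctrl.max_delta:g}"
        return False, f"{ctrl.description}: change of {delta:g} within threshold"
    return False, f"{ctrl.description}: recorded only"


def diff_snapshots(before: Snapshot, after: Snapshot, changed_by: str, at: str) -> List[Change]:
    """Record the who / what / when of every changed key with its before and after value."""
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        needs, reason = evaluate(CONTROLS.get(key), old, new)
        changes.append(Change(key, old, new, changed_by, at, needs, reason))
    return changes


def pending_approvals(changes: List[Change]) -> List[str]:
    """Keys whose change must be approved (or reverted) before it stands."""
    return [c.key for c in changes if c.needs_approval]


def compare_instances(snapshots: Dict[str, Snapshot]) -> Dict[str, Dict[str, object]]:
    """Controlled keys whose value differs between instances (setup drift)."""
    drift: Dict[str, Dict[str, object]] = {}
    for key in CONTROLS:
        values = {name: snap.get(key) for name, snap in snapshots.items()}
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


# Constructed snapshots of one instance before and after a setup session.
BEFORE: Snapshot = {"po.price_tolerance_pct": 5, "ap.discount_rule": "NET30_2PCT",
                    "inv.doc_numbering": "AUTO", "gl.fiscal_year_name": "FY08"}
AFTER: Snapshot = {"po.price_tolerance_pct": 10, "ap.discount_rule": "NET30_5PCT",
                   "inv.doc_numbering": "AUTO", "gl.fiscal_year_name": "FY09"}
INSTANCES: Dict[str, Snapshot] = {"PROD": AFTER, "TEST": {**AFTER, "po.price_tolerance_pct": 5}}

if __name__ == "__main__":
    for c in diff_snapshots(BEFORE, AFTER, "setupadmin", "2008-05-12T09:15:00Z"):
        print(f"{c.key}: {c.before!r} -> {c.after!r} by {c.changed_by} at {c.at}; "
              f"approval={c.needs_approval} ({c.reason})")
    print("drift:", compare_instances(INSTANCES))
```

The uncontrolled key (gl.fiscal_year_name) is still written to the change record: the audit trail covers every change, while approval routing is reserved for the keys in the control library. Non-numeric values for a numeric-threshold setting are treated as needing approval rather than silently passing, since a type change on a tolerance setting is itself suspicious.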
Slide 22: Data Privacy and Data Integrity: Mask sensitive data, restrict access to actions
Example screen (Employee Update form): Name: John Doe; Address: 123 Main St, Center City, NY 12345; Salary: $53,000.00; SSN: XXX-XX-XXXX; Supervisor: Mary Smith; OK / Cancel.
Example embedded controls:
• Conceal the SSN if the user is not from the HR department
• Employees can only view the salary field (they cannot update it)
• Disable invoice approval for invoices created by the same user
Embedded preventive controls restrict access to sensitive data and critical actions proactively, using native EBS interface and workflow technology.
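The field- and action-level controls on slide 22 (conceal the SSN for non-HR users, salary view-only, no approval of one's own invoice), as an added example written for this page in Python rather than the native EBS form and workflow mechanism the slide refers to. The policy table, the department and role names, and the employee and invoice records are constructed; the point the example adds is that the same policy is evaluated again on the write path, because greying out a field in the UI is not by itself a control.

```python
"""Added example (not Oracle's code): field-level masking and action-level
restriction driven by one policy table, enforced on both read and write.
Departments, roles, field names and the sample records are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    department: str
    roles: FrozenSet[str] = frozenset()


def mask_digits(value: object) -> str:
    """Replace every digit but keep the layout, e.g. 123-45-6789 -> XXX-XX-XXXX."""
    return re.sub(r"\d", "X", str(value))


@dataclass(frozen=True)
class FieldPolicy:
    can_view: Callable[[User], bool]    # may see the real value (otherwise masked)
    can_update: Callable[[User], bool]  # may change the value
    mask: Callable[[object], str] = mask_digits


def is_hr(user: User) -> bool:
    return user.department == "HR"


def anyone(user: User) -> bool:
    return True


# Constructed policy for the Employee Update form on the slide.
EMPLOYEE_FORM_POLICY: Dict[str, FieldPolicy] = {
    "name":       FieldPolicy(can_view=anyone, can_update=is_hr),
    "address":    FieldPolicy(can_view=anyone, can_update=is_hr),
    "salary":     FieldPolicy(can_view=anyone, can_update=is_hr),  # employees view, never update
    "ssn":        FieldPolicy(can_view=is_hr, can_update=is_hr),   # concealed outside HR
    "supervisor": FieldPolicy(can_view=anyone, can_update=is_hr),
}


def render_form(record: dict, user: User, policy: Dict[str, FieldPolicy] = EMPLOYEE_FORM_POLICY) -> Dict[str, dict]:
    """Build the form as this user may see it. Fields without a policy are
    dropped (default deny) rather than shown."""
    view: Dict[str, dict] = {}
    for field_name, value in record.items():
        p = policy.get(field_name)
        if p is None:
            continue
        view[field_name] = {"value": value if p.can_view(user) else p.mask(value),
                            "editable": p.can_update(user)}
    return view


def apply_update(record: dict, user: User, changes: dict,
                 policy: Dict[str, FieldPolicy] = EMPLOYEE_FORM_POLICY) -> Tuple[dict, List[str]]:
    """Server-side enforcement of the same policy on the write path; returns the
    updated record and the list of rejected fields."""
    updated, rejected = dict(record), []
    for field_name, new_value in changes.items():
        p = policy.get(field_name)
        if p is not None and p.can_update(user):
            updated[field_name] = new_value
        else:
            rejected.append(field_name)
    return updated, rejected


def can_approve_invoice(user: User, invoice: dict) -> Tuple[bool, str]:
    """Action-level control from the slide: approval is disabled for the user
    who created the invoice, even when they hold the approver role."""
    if "AP_APPROVER" not in user.roles:
        return False, "user lacks approver role"
    if invoice["created_by"] == user.name:
        return False, "creator may not approve own invoice"
    return True, "ok"


# Constructed sample data (fictional person, fictional SSN, fictional invoice).
EMPLOYEE = {"name": "John Doe", "address": "123 Main St, Center City, NY 12345",
            "salary": 53000.00, "ssn": "123-45-6789", "supervisor": "Mary Smith"}
HR_USER = User("msmith", "HR")
ENGINEER = User("jdoe", "Engineering")
AP_CLERK = User("rlee", "Finance", frozenset({"AP_APPROVER"}))
INVOICE = {"id": "INV-2201", "amount": 4200.00, "created_by": "rlee"}

if __name__ == "__main__":
    print("engineer sees:", render_form(EMPLOYEE, ENGINEER))
    print("engineer update:", apply_update(EMPLOYEE, ENGINEER, {"salary": 99000.0}))
    print("rlee approves own invoice:", can_approve_invoice(AP_CLERK, INVOICE))
```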
Slide 23: Comprehensive Configuration Controls
• Configuration Controls: key setups monitored for changes; change tracking records the “who, what, where, and when”; approval workflows and notifications; detect and record changes to sensitive setup data; best practice control library
• Enterprise Manager: lifecycle management; service level management; configuration management; data masking for database; system configuration management; dashboards
• Integrated Configuration Controls Management: best-practice setup; change management; continuous monitoring
• Controlled layer: apps, systems & data repositories; business applications
Slide 24: Configuration Controls Review
IT Operation
• Challenge: Unable to enforce best practices for configuration and change management
  Solution: Field-level value changes are managed according to a best-practice protocol and documented for audit purposes
• Challenge: Data privacy and protection of sensitive data require extensive application customization
  Solution: Policy-based access to any field within the application can be restricted without application downtime
Business Operation
• Challenge: Critical application setups are changed without proper authorization
  Solution: Embedded testing of application controls and validation through approval workflow ensure policy adherence and proactive issue identification
• Challenge: Ineffective controls for system integrity and security
  Solution: Application configuration controls are available on field value changes, action buttons and sensitive data, based on company policy and risk appetite
Slide 25: Customer Success: Federal Aviation Administration
Company overview
• Revenues > $250B
• 52,160 employees
• 1 of 4 Federal Centers of Excellence (COE)
Challenges / opportunities
• Mask sensitive data to comply with the Privacy Act
• Lack of tools to identify & remediate control violations and establish an effective monitoring process
• Difficulty satisfying management and audit requirements
Solutions
• GRC Control Suite: Access & Configuration Controls
Results
• Eliminated programming time for application customization
• Reduced detection and remediation time for control violations
• Developed a sustainable model to manage regulatory compliance
Customer perspective: “After searching for two years for a solution that would allow us to hide social security numbers from unauthorized users, LogicalApps showed us that they could selectively hide critical fields within minutes.”
Michelle Overstreet, Program Manager, FAA
Slide 27: Transaction Controls: Detect and prevent erroneous and fraudulent transactions
Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency.
Lifecycle (from detection to prevention):
1. Define Transaction Controls: identify transactions violating policy (e.g. an un-approved vendor)
2. Perform Transaction Analysis: detect patterns representing aggregate risk (e.g. micro-payments)
3. Review and Address Suspects: initiate a review / approval cycle based on automated policies
4. Preventive Transaction Control: approvals based on transaction data thresholds
Slide 28: Transaction Controls: Continuous monitoring to identify suspects
Flow (Policy, Monitoring, Decision-Making):
• Policy: library of transaction monitors
• Monitoring: a control monitor runs over business process data; control violation detected (!!)
• Decision-making: a case manager investigates and approves
The integrated library of transaction monitors provides characterization and procedures for handling suspects. Continuous monitoring identifies suspects; a seamless approval workflow facilitates decision-making.
Slide 29: Comprehensive Transaction Monitors: Detect patterns of heightened risk in business activity
• Test against material thresholds: journal entry > $ threshold; employee checks (individual & sum) > $ threshold
• Search for anomalies: PO terms differ from vendor; sales orders > acceptable $ range
• Sampling of transactions: 4th-quarter invoices; days sales outstanding balances
• Detect fraudulent behavior: PO changes after approval; duplicate suppliers with the same address
• Embed contextual / automated compensating controls: alert on customer transactions over $ threshold; prevent journals from being entered and posted by the same individual
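The monitors named on slides 27 and 29, as an added example written for this page (not Oracle's or LogicalApps' code) and run over constructed supplier, journal, employee-check and purchase-order records: duplicate suppliers at one normalized address, journals entered and posted by the same user (the compensating control for an unsegregated GL), journals and employee checks over a threshold including per-payee sums, and purchase-order changes after approval. The record layouts, identifiers, thresholds and the same-format ISO-8601 timestamps are assumptions for the example.

```python
"""Added example (not Oracle's or LogicalApps' code): transaction monitors run
over constructed ERP records. Record layouts, identifiers, thresholds and the
same-format ISO-8601 timestamps (so string comparison orders them) are assumed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Suspect = Tuple[str, str, str]  # (monitor name, record reference, detail)

_ABBREV = {"street": "st", "suite": "ste", "road": "rd", "avenue": "ave"}


def normalize_address(addr: str) -> str:
    """Canonical form so 'Main St.' and 'main street' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def duplicate_suppliers(suppliers: List[dict]) -> List[Suspect]:
    """Fraud pattern: two supplier records sharing one address."""
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for s in suppliers:
        by_addr[normalize_address(s["address"])].append(s["id"])
    return [("duplicate_supplier_address", ",".join(ids), addr)
            for addr, ids in by_addr.items() if len(ids) > 1]


def self_posted_journals(journals: List[dict]) -> List[Suspect]:
    """Compensating SOD monitor: journal entered and posted by the same user."""
    return [("journal_entered_and_posted_by_same_user", j["id"], j["entered_by"])
            for j in journals if j["entered_by"] == j["posted_by"]]


def large_journals(journals: List[dict], threshold: float) -> List[Suspect]:
    """Material threshold: journal entry above the limit."""
    return [("journal_over_threshold", j["id"], f"{j['amount']:.2f}")
            for j in journals if j["amount"] > threshold]


def employee_checks_over_threshold(checks: List[dict], threshold: float) -> List[Suspect]:
    """Individual checks over the limit, plus payees whose checks sum over it
    (catches amounts split to stay just under the individual limit)."""
    out = [("employee_check_over_threshold", c["id"], f"{c['amount']:.2f}")
           for c in checks if c["amount"] > threshold]
    totals: Dict[str, float] = defaultdict(float)
    for c in checks:
        totals[c["payee"]] += c["amount"]
    out += [("employee_checks_sum_over_threshold", payee, f"{total:.2f}")
            for payee, total in totals.items() if total > threshold]
    return out


def po_changed_after_approval(events: List[dict]) -> List[Suspect]:
    """Fraud pattern: purchase order edited after it was approved."""
    approved_at = {e["po"]: e["at"] for e in events if e["event"] == "approved"}
    return [("po_changed_after_approval", e["po"], e["field"])
            for e in events
            if e["event"] == "changed" and e["po"] in approved_at and e["at"] > approved_at[e["po"]]]


def run_monitors(suppliers, journals, checks, po_events,
                 journal_limit: float = 100_000.0, check_limit: float = 10_000.0) -> List[Suspect]:
    """One continuous-monitoring pass; every suspect is routed to a case manager."""
    return (duplicate_suppliers(suppliers) + self_posted_journals(journals)
            + large_journals(journals, journal_limit)
            + employee_checks_over_threshold(checks, check_limit)
            + po_changed_after_approval(po_events))


# Constructed sample records (fictional).
SUPPLIERS = [
    {"id": "S100", "name": "Acme Supply Co.", "address": "123 Main St., Suite 4, Center City, NY 12345"},
    {"id": "S207", "name": "ACME SUPPLY COMPANY", "address": "123 main street suite 4 center city ny 12345"},
    {"id": "S310", "name": "Northwind Traders", "address": "9 Harbor Rd, Portsmouth, NH 03801"},
]
JOURNALS = [
    {"id": "J-5001", "amount": 12_000.0, "entered_by": "jdoe", "posted_by": "jdoe"},
    {"id": "J-5002", "amount": 800.0, "entered_by": "asmith", "posted_by": "jdoe"},
    {"id": "J-5003", "amount": 150_000.0, "entered_by": "asmith", "posted_by": "bkim"},
]
CHECKS = [
    {"id": "C-1", "payee": "E-42", "amount": 4_800.0},
    {"id": "C-2", "payee": "E-42", "amount": 4_900.0},
    {"id": "C-3", "payee": "E-42", "amount": 4_700.0},
    {"id": "C-4", "payee": "E-77", "amount": 15_200.0},
    {"id": "C-5", "payee": "E-09", "amount": 300.0},
]
PO_EVENTS = [
    {"po": "PO-88", "event": "approved", "at": "2008-03-01T10:00:00"},
    {"po": "PO-88", "event": "changed", "field": "unit_price", "at": "2008-03-02T08:30:00"},
    {"po": "PO-91", "event": "changed", "field": "quantity", "at": "2008-03-01T09:00:00"},
    {"po": "PO-91", "event": "approved", "at": "2008-03-01T11:00:00"},
]

if __name__ == "__main__":
    for monitor, ref, detail in run_monitors(SUPPLIERS, JOURNALS, CHECKS, PO_EVENTS):
        print(f"{monitor:42} {ref:12} {detail}")
```

Payee E-42 never receives a single check over the $10,000 limit, so an individual-threshold test alone would miss the three checks that together total $14,400; the aggregate test is what the slide means by "individual & sum". PO-91 is edited before its approval and is correctly not flagged, while PO-88 is edited the day after approval and is.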
Slide 30: Transaction Controls Review
IT Operation
• Challenge: IT is asked repeatedly to create new reports / queries for the business to perform transaction analysis
  Solution: An easy-to-use interface lets business administrators manage threshold values and generate parameterized reports as required
• Challenge: IT is asked to design compensating or programmatic controls
  Solution: The transaction control library provides ready audit reports of suspicious activity in the system and distributes them to key personnel for action
Business Operation
• Challenge: Continuously monitor controls to prevent error and fraud from happening
  Solution: Automated transaction controls validate application and system control effectiveness, identify suspect transactions, and route them to process owners for visibility before material issues arise
• Challenge: Presence of unauthorized user access makes the system vulnerable and warrants additional testing and scrutiny by external auditors
  Solution: Automatic transaction validation and testing can compensate for areas where duties cannot be segregated or forensic analysis is warranted
Slide 31: Example: Bad Debt Management
Actors: Financial Clerk, Financial Supervisor, General Manager (P&L), Controller. Target: the General Ledger.
1. Entry. The Financial Clerk enters a bad-debt account entry.
   Access Control (SOD): entering and posting are segregated; the same clerk attempting both ENTRY and POST is flagged as a reportable event risk (!!).
   Preventive Configuration Control: the clerk is unable to modify sensitive account settings.
2. Approval. Preventive Transaction Control: updates above a threshold require manager approval. Is the bad-debt amount > $25K? Yes: approval by the General Manager (P&L). No: approval by the Financial Supervisor. Once approved, the entry is posted.
3. Monitoring. Detective Transaction Monitor “Excessive Debt” reviews posted entries; exceptions flow to exception reporting and exception remediation, owned by the Controller (!!).
Slide 32: Oracle Solutions for GRC
• Pre-integrated with Oracle applications and technology; supports heterogeneous environments
• Purpose-built business solutions for key industries and GRC initiatives
• Best-in-class GRC core solutions to support all mandates and regulations
Solution map (diagram layers):
• GRC Reporting & Analytics: Reporting, KRI & Alerts, Dashboards
• GRC Process Management: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
• GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration; also Custom or Legacy Applications
• GRC Infrastructure Controls: Systems Mgmt, Digital Rights, Data Security, Identity Mgmt, Records & Content Mgmt
Slide 33: Evaluating Your Organizational GRC State
Level of Automation (scale: Manual to Automated)
• What percentage of internal controls are manual?
• How many applications need SOD enforcement?
• Estimate the total number of application users for those applications
Time & Cost of Audit (scale: Low to High)
• How much time do business groups spend reviewing, analyzing and provisioning application access?
• How much time does IT spend supporting application access review, remediation & certification?
• How much time does internal audit spend on application access control testing & remediation?
Frequency of Audit (scale: Weekly to Annually)
• How often are audits performed: monthly, quarterly?
• What percentage of internal audit test results are external auditors relying upon for their assessments?
• Estimated time to be spent by external audit on application access control testing this year?
Slide 34: Progress in GRC Maturity with Oracle
Maturity over time: Informal, Reactive, Proactive, Optimized. Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next.
• Informal: ad hoc approach; compliant but at a high cost to the business; manual control; no best practices
• Reactive: tactical approach; risks are documented; manual risk assessment and reporting; after-the-fact reporting
• Proactive: unified, standardized & strategic approach; policies are enforced; automated process; prevent policy violation
• Optimized: GRC objectives embedded throughout the organization; analyze and trend; automated risk mitigation / predictive risk assessments
Product layers across the stages: GRC Application Controls, GRC Infrastructure Controls, GRC Manager, GRC Intelligence.
Slide 37: Appendix
(select from the following slides to briefly introduce GRC Intelligence and GRC Manager.)
Slide 38: Oracle GRC Reporting & Analytics
Repeats the Integrated Controls Solution map and four pillars from slide 8; this slide introduces the GRC Reporting & Analytics layer (Reporting, KRI & Alerts, Dashboards).
Slide 41: Oracle GRC Process Management
Repeats the Integrated Controls Solution map and four pillars from slide 8; this slide introduces the GRC Process Management layer (Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt).
Slide 42: Manage Risk and Compliance Process: Unify risk and compliance documentation and orchestrate processes
• GRC system of record
• End-to-end GRC process management
• Integrated control management
• Closed-loop issue remediation
Process cycle:
1. Document: risk-control matrix; COSO/COBIT frameworks; policies and procedures; evidence & records retention
2. Assess: perform self-assessment; test manual controls; scope audits; monitor automated controls
3. Analyze: receive alerts; review reports; investigate exceptions
4. Respond: remediate; retest; optimize
5. Certify: sign off and publish