Governance, Risk, and Compliance Controls In-depth Presenter Name Presenter Title

Posted on 22-Dec-2015

TRANSCRIPT

Governance, Risk, and Compliance Controls In-depth

Presenter Name

Presenter Title

2

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Safe Harbor Statement

3

• Business Challenges

• Oracle’s Leadership in GRC

• Solution Overview

• Customer Success

• Recommended Next Steps

Agenda

4

GRC Prioritization & Evolution

Source: AMR Research - Market Demand for GRC 2007–2008

Chart categories (market demand by area, 2007 versus 2008): SOX; Security & Privacy Rules; Operational & General Risk Mgmt.; Document & Record Retention; FDA “Green Compliance”; SEC; IT Risk Mgmt.

5

Majority of Controls are in Your IT Systems

Regulations (rows): SOX; Sec 17A-4; Gramm-Leach-Bliley; HIPAA; 21 CFR Part 11; Basel II; OMB A-123; CA SB 1386

IT systems holding the controls (columns): ERP Applications; Business Intelligence; Policy Management; Data Warehousing; Records Management; Access & Data Security

Reusability of Automated Controls and Audit Reports

[Matrix: each IT system is marked against the regulations whose controls it supports]

6

OAUG Community Agrees

Segregation of duties

Securing sensitive information/data privacy

Data change management

Application configuration management

Managing super-user access

Transaction monitoring

Managing departmental/functional access

Managing temporary access

Don’t know/unsure

Other

Source: IT’s Role in Governance, Risk, and Compliance, February 2007

Survey question: Which of the following areas do you consider a top priority for improving controls to meet GRC objectives?

7

Controls by the Business for the Business

Contextual: controls should differentiate between legitimate business transactions and fraudulent activities

Embedded: controls should be applied in a way that is seamless and non-obtrusive to users

Preventive: controls should automatically prevent out-of-policy actions from occurring

“Some 68 percent of staff admit to bypassing their employer’s information security controls in order to do their jobs.”

Financial Times, May 2008

8

System Security
• Integrated identity and GRC controls management
• Protect sensitive data
• Records management

Embedded Controls
• Detective, Preventive, Contextual
• Automated controls testing
• Pre-built controls library

Centralized GRC Oversight
• Common repository for GRC
• Audit and assessment of controls
• Integrated remediation management

360º Visibility
• Single source of GRC information
• Pre-built dashboards
• Respond to KRIs and issues

Integrated Controls Solution

Architecture diagram:

GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration

GRC Reporting & Analytics: Reporting; KRI & Alerts; Dashboards

GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt

GRC Infrastructure Controls: Change Mgmt; Digital Rights; Data Security; Identity Mgmt; Records Mgmt

Custom or Legacy Applications are covered alongside the Oracle applications

9

Application Controls Management: Detect and prevent control failure

Detective Controls (Monitor Control Effectiveness) versus Preventive Controls (Enforce Policies in Context), by control type:

Access Controls: detective asks what users have done; preventive asks what users can do

Configuration Controls: detective asks what has changed in the process; preventive asks how the process is set up

Transaction Controls: detective asks what the execution patterns are; preventive asks how users execute processes

10

Access Controls: Provide fine-grained access control and segregation of duties

Know who has access to do what and ensure that someone isn’t given inappropriate privileges

Access controls lifecycle (detection and prevention):

• Define Access Controls: define SOD conflicts, business rules and policies

• Access Analysis: execute an access analysis engine that understands the application’s detailed access architecture

• Remediation (Clean-up): remediation and analysis via pre-packaged reports and what-if simulation

• Preventive Provisioning: real-time enforcement of SOD controls during user provisioning

• Compensating Policies: handle exceptions with compensating process and transaction analysis policies

11

Segregation of Duties for Applications

POLICY: Library of Access Policies. The integrated best practice policy library provides reference and controls for proper enforcement of standards.

PROCESS: User Access Rights → Policy Validation → Violation Detected (!!) → Corrective Measures → Violation Cleared → Authorized Access. Automated controls are embedded into the processes.

EVIDENCE: Evidence of Due Diligence. An audit trail for each transaction is recorded as evidence of compliance.

12

• Standard policies for EBS and PeopleSoft are available out-of-the-box

• Policies for other enterprise applications, e.g. SAP and JDE, are custom built

• Adaptive structure and organization
  • Organized by business process, objective and class
  • Easily imported / exported via Excel / XML

• Multiple policy types
  • COSO Risk and Controls Framework

• Automated policies / controls by key process flow

• Metadata

• Cross-platform policies

• Evolved from real-life implementations
  • Over 60% directly from customer implementations

Best practice policy libraries deliver content from years of hands-on customer implementations. The library provides significant policies out-of-box to expedite implementation.

Best Practice Policy Library

13

Multi-Platform Support for stand-alone applications: manage user access within multiple application platforms concurrently (EBS user, PeopleSoft user, SAP / JD Edwards / custom application user, each under its own Application Access Controls Governor; custom or legacy applications included)

Cross-Platform Support for integrated applications: manage user access between multiple application platforms (one user across EBS, PeopleSoft, SAP, JDE or a custom application, governed by a single Application Access Controls Governor)

Multi-Platform and Cross-Platform Support

14

Integrated Access Controls Example: SoD Detection and Remediation

IDENTITY MANAGEMENT: Oracle Identity Manager performs account provisioning into Oracle E-Business Suite.

Oracle E-Business Suite: entitlements added out-of-bounds (!!).

GRC: Oracle Access Controls Governor enforces the SoD policy → violation detection and alert → event analysis → assign remediation task → deprovision entitlements in violation.

Result: out-of-bounds entitlements removed.

15

Integrated Access Controls Example: Compliant Access Provisioning

Identity event: new hire or transfer in HRMS → ID recon (Oracle Identity Manager) → set up user profile → determine user role (role assignment, Oracle Role Manager) → validate with SOD policies (Oracle Access Controls Governor enforces the SoD policy)

• Violations found (!!): remediate by seeking approval, applying a mitigating control, or denying access

• No violations: provision application access (account provisioning, Oracle Identity Manager)
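The SOD lifecycle from slide 10 (define rules, analyse access at the function level, remediate with what-if simulation, enforce at provisioning, compensate) and the provisioning decision from slide 15, as an added Python example; this is not Oracle's code and uses no Oracle API. The responsibilities, functions, rule names, monitor name and decision labels are constructed for the example.

```python
"""Added example, not Oracle's code: a minimal segregation-of-duties (SoD)
engine. Users hold responsibilities, responsibilities grant functions, and
rules conflict at the function level, so the analysis resolves access down
to functions instead of stopping at role names. All data is constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed access architecture: responsibility -> functions it grants.
RESP_FUNCTIONS = {
    "AP_CLERK": {"ENTER_INVOICE", "VIEW_SUPPLIER"},
    "AP_SUPERVISOR": {"APPROVE_INVOICE", "VIEW_SUPPLIER"},
    "SUPPLIER_ADMIN": {"MAINTAIN_SUPPLIER", "VIEW_SUPPLIER"},
    "PAYMENTS": {"ISSUE_PAYMENT"},
}

@dataclass(frozen=True)
class SodRule:
    name: str
    left: str                           # first conflicting function
    right: str                          # second conflicting function
    compensating: Optional[str] = None  # monitor that may mitigate the conflict

# Constructed policy library: two classic procure-to-pay conflicts.
RULES = [
    SodRule("create-and-approve-invoice", "ENTER_INVOICE", "APPROVE_INVOICE"),
    SodRule("maintain-supplier-and-pay", "MAINTAIN_SUPPLIER", "ISSUE_PAYMENT",
            compensating="DUPLICATE_SUPPLIER_MONITOR"),
]

def user_functions(responsibilities: Set[str]) -> Set[str]:
    """Resolve a user's responsibilities to the functions they can execute."""
    funcs: Set[str] = set()
    for resp in responsibilities:
        funcs |= RESP_FUNCTIONS.get(resp, set())
    return funcs

def analyse(responsibilities: Set[str],
            mitigations: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Detective pass: each rule whose two functions the user holds, tagged
    'mitigated' if a compensating monitor is in place for this user, else 'open'."""
    funcs = user_functions(responsibilities)
    findings = []
    for rule in RULES:
        if rule.left in funcs and rule.right in funcs:
            status = "mitigated" if rule.compensating in mitigations else "open"
            findings.append((rule.name, status))
    return findings

def open_conflicts(responsibilities: Set[str],
                   mitigations: FrozenSet[str] = frozenset()) -> Set[str]:
    return {name for name, status in analyse(responsibilities, mitigations)
            if status == "open"}

def provision(current: Set[str], requested: str,
              mitigations: FrozenSet[str] = frozenset()) -> Tuple[str, List[str]]:
    """Preventive pass: simulate the grant before it happens. A grant that opens
    a new, unmitigated conflict is routed to remediation (seek approval, apply
    a mitigating control, or deny); otherwise it is granted."""
    new_open = (open_conflicts(current | {requested}, mitigations)
                - open_conflicts(current, mitigations))
    if new_open:
        return "remediate", sorted(new_open)
    return "grant", []

def what_if_remove(responsibilities: Set[str],
                   mitigations: FrozenSet[str] = frozenset()) -> List[str]:
    """Remediation what-if: single responsibilities whose removal clears every open conflict."""
    return sorted(resp for resp in responsibilities
                  if not open_conflicts(responsibilities - {resp}, mitigations))
```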

16

Comprehensive Access Controls

Identity Management: Role-based Account Provisioning; Attestation; Authentication, Authorization, SSO; Federation & WS security

Application Access Controls: Controls Monitoring & Enforcement; Best Practice Controls & Policies; Privilege Level SoD; Contextual Authorization

Apps, Systems & Data Repositories / Business Applications

Integrated Access Controls: SOD Detection; Remediation; Compliant Provisioning

Data Security: DBA Access Management; Information Rights Management; Data Classification; Encryption at rest & in transit; Secured backup

17

Access Controls Review

IT OPERATION

• Challenge: Unsatisfied with current state of application data access and security

• Solution: Automate the SOD/access lifecycle: detection, analysis, remediation, deployment of preventive controls and compensating controls to accommodate dynamic business requirements

• Challenge: High percentage of IT budget devoted to compliance, and away from innovation

• Solution: Preventive controls and audit reports free up IT resources

BUSINESS OPERATION

• Challenge: Audit data and reports difficult to generate; they require significant IT and LOB support

• Solution: Audit reports are available for every control, by various dimensions, with no dependence on IT support

• Challenge: Need to decrease reliance on manual controls

• Solution: Automate the entire SOD/access lifecycle: detection, analysis, remediation, deployment of preventive controls and compensating controls to accommodate dynamic business requirements

18

CHALLENGES / OPPORTUNITIES

• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units

• World’s largest single Oracle EBS instance

• 20,000 Active users

• 50,000 Oracle responsibilities

SOLUTIONS

• Oracle GRC Controls

• Oracle GRC Manager

CUSTOMER PERSPECTIVE

“It would have taken more than 6 months of application customization and easily cost a couple of million dollars to create the 200 controls we implemented in only 8 weeks.”

Ravi Mahajani, ERP Solution Expert, Agilent

RESULTS

• Implemented 200 controls in 8 weeks

• Eliminated SOD conflicts to meet SOX compliance requirements on time

• Avoided 6-month customization effort, millions of dollars

COMPANY OVERVIEW

• Technology leader in communications, electronics, life sciences and chemical analysis

• Revenue > $5 Billion

• 20,000 employees

19

Application Controls Management: Detect and prevent control failure

(Section divider: the detective / preventive diagram from slide 9, here introducing Configuration Controls)

20

Application Configuration Controls: Detect and prevent configuration control failure

Ensure that critical setups conform to best practices and follow robust change management procedures

Configuration controls lifecycle (detection and prevention):

• Define Configuration Controls: define best practice policies and operating rules

• Monitor Configuration Changes: record changes to sensitive setup data; compare before and after values for each change

• Document or Compare Configurations: monitor for setup inconsistencies across multiple instances

• Enforce Change Control: require conditional approval cycles (e.g., when a change exceeds a threshold)

• Manage Data Integrity: validate that setups and data updates conform to valid values
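The configuration-control steps above (record before/after values with who and when, compare across instances, conditional approval when a change exceeds a threshold, validate against valid values), as an added Python example run over constructed setup snapshots; this is not Oracle's code, and the setup keys, policy structure and instance names are this example's own.

```python
"""Added example, not Oracle's code: configuration-control checks over
constructed application setup snapshots. Records before/after values of
sensitive setups with who and when, validates new values, flags changes that
need an approval cycle, and compares setups across instances. Keys and rules
are this example's own."""
from typing import Any, Dict, List

# Constructed policy: which setups are sensitive and how each is validated.
# 'approval_if_delta_gt' forces a conditional approval cycle when a numeric
# change exceeds that delta (the slide's "exceed threshold" case).
POLICY: Dict[str, Dict[str, Any]] = {
    "AP.invoice_price_tolerance_pct": {"allowed_range": (0, 10), "approval_if_delta_gt": 2},
    "PO.document_numbering": {"allowed_values": {"AUTOMATIC"}},
    "AP.discount_rule": {"allowed_values": {"SYSTEM", "NONE"}},
    "GL.period_status": {"allowed_values": {"OPEN", "CLOSED", "FUTURE"}},
}

# Constructed snapshots: TEST instance before a change, PROD instance after it.
BEFORE = {"AP.invoice_price_tolerance_pct": 5, "PO.document_numbering": "AUTOMATIC",
          "AP.discount_rule": "SYSTEM", "GL.period_status": "OPEN",
          "AP.remit_email": "ap@example.test"}
AFTER = {**BEFORE, "AP.invoice_price_tolerance_pct": 9,
         "AP.discount_rule": "MANUAL", "AP.remit_email": "ap2@example.test"}

def validate(key: str, value: Any) -> bool:
    """Data integrity: does the value conform to the policy's valid values?"""
    rule = POLICY.get(key)
    if rule is None:
        return True                        # not a sensitive setup
    if "allowed_values" in rule:
        return value in rule["allowed_values"]
    low, high = rule["allowed_range"]
    return isinstance(value, (int, float)) and low <= value <= high

def needs_approval(key: str, old: Any, new: Any) -> bool:
    """Change control: conditional approval when a numeric change exceeds its delta."""
    limit = POLICY[key].get("approval_if_delta_gt")
    if limit is None:
        return False
    if not (isinstance(old, (int, float)) and isinstance(new, (int, float))):
        return True                        # non-numeric edit of a thresholded key: escalate
    return abs(new - old) > limit

def diff_snapshots(before: Dict[str, Any], after: Dict[str, Any],
                   who: str, when: str) -> List[Dict[str, Any]]:
    """Change tracking: one event per changed sensitive key with before/after
    values, who/when, validity, and whether an approval cycle is required.
    Keys outside the policy are not sensitive and are ignored."""
    events = []
    for key in sorted(set(before) | set(after)):
        if key in POLICY and before.get(key) != after.get(key):
            old, new = before.get(key), after.get(key)
            events.append({"key": key, "before": old, "after": new, "who": who,
                           "when": when, "valid": validate(key, new),
                           "approval_required": needs_approval(key, old, new)})
    return events

def cross_instance_inconsistencies(instances: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Document/compare: sensitive setups whose value differs between instances."""
    out = {}
    for key in POLICY:
        values = {name: snap.get(key) for name, snap in instances.items()}
        if len(set(values.values())) > 1:
            out[key] = values
    return out
```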

21

Enforce Best-Practice Application Setups: Procure-to-Pay Example

Process (Procurement, Inventory, Accounts Payable; SAP): Requisition → Purchase Goods / Services → Receive Goods / Services → Invoice → Issue Payments

Configuration controls along the process:

• Ensure internal requisition source

• Monitoring of changes to expensing rules

• Monitoring of changes to price tolerance percentage

• Monitoring of changes to document numbering

• Monitoring of discounting rules

Monitor key configuration settings across instances. Take a before-and-after snapshot of changes to settings. An automatic approval process notifies managers as exceptions occur.

22

Data Privacy and Data Integrity: Mask sensitive data, restrict access to actions

Employee Update form (mock-up): Name John Doe; Address 123 Main St, Center City, NY 12345; Salary $53,000.00; SSN XXX-XX-XXXX; Supervisor Mary Smith; OK / Cancel

• Conceal SSN if the user is NOT from the HR department

• Employees can only view the salary field (can’t update)

• Disable invoice approval for invoices created by the same user

Embedded preventive controls restrict access to sensitive data and critical actions proactively using native EBS interface and workflow technology

23

Comprehensive Configuration Controls

Enterprise Manager: Lifecycle management; Service level management; Configuration management; Data masking for database; System configuration management; Dashboards

Configuration Controls: Key setups monitored for changes; Change tracking records the “who, what, where, and when”; Approval workflows and notifications; Detect and record changes to sensitive setup data; Best practice control library

Apps, Systems & Data Repositories / Business Applications

Integrated Configuration Controls Management: Best practices set-up; Change Management; Continuous Monitoring

24

Configuration Controls Review

IT OPERATION

• Challenge: Unable to enforce best practices for configuration and change management

• Solution: Field-level value changes are managed based on best practice protocol and documented for audit purposes

• Challenge: Data privacy and protection of sensitive data requires extensive application customization

• Solution: Policy-based access to any field data within the application can be easily restricted without any application downtime

BUSINESS OPERATION

• Challenge: Critical application setups are changed without proper authorization

• Solution: Embedded testing of application controls and proper validation through approval workflow ensures policy adherence and proactive issue identification

• Challenge: Ineffective controls for system integrity and security

• Solution: Application configuration controls are available on field value changes, action buttons and sensitive data based on company policy and risk appetite

25

CHALLENGES / OPPORTUNITIES

• Mask sensitive data to comply with Privacy Act

• Lack of tools to identify & remediate control violations and establish effective monitoring process

• Difficulty satisfying management and audit requirements

SOLUTIONS

• GRC Control Suite – Access & Configuration Controls

CUSTOMER PERSPECTIVE

“After searching for two years for a solution that would allow us to hide social security numbers from unauthorized users, LogicalApps showed us that they could selectively hide critical fields within minutes.”

Michelle Overstreet, Program Manager, FAA

RESULTS

• Eliminated programming time for application customization

• Reduced detection and remediation time for control violations

• Developed a sustainable model to manage regulatory compliance

COMPANY OVERVIEW

• Revenues > $250B

• 52,160 employees

• 1 of 4 Federal Centers of Excellence (COE)

Federal Aviation Administration

26

Application Controls Management: Detect and prevent control failure

(Section divider: the detective / preventive diagram from slide 9, here introducing Transaction Controls)

27

Transaction Controls: Detect and prevent erroneous and fraudulent transactions

Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency

Transaction controls lifecycle (detection and prevention): Define Transaction Controls → Perform Transaction Analysis → Review and Address Suspects → Preventive Transaction Control

• Identify transactions violating policy (e.g. un-approved vendor)

• Detect patterns representing aggregate risk (e.g. micro-payments)

• Initiate review / approval cycle based on automated policies

• Approvals based on transaction data thresholds

28

Transaction Controls: Continuous monitoring to identify suspects

POLICY: Library of Transaction Monitors. The integrated library of transaction monitors provides characterization and procedures for handling suspects.

MONITORING: Business process data → Control Monitor → Control Violation Detected (!!). Continuous monitoring identifies suspects.

DECISION-MAKING: Case Manager to investigate and approve. A seamless approval workflow facilitates decision-making.

29

Comprehensive Transaction Monitors: Detect patterns of heightened risk in business activity

• Test against Material Thresholds
  • Journal entry > $ threshold
  • Employee checks (individual & sum) > $ threshold

• Search for Anomalies
  • PO terms differ from vendor
  • Sales orders > acceptable $ range

• Sampling of Transactions
  • 4th quarter invoices
  • Days sales outstanding balances

• Detect Fraudulent Behavior
  • PO changes after approval
  • Duplicate suppliers with same address

• Embed Contextual / Automated Compensating Controls
  • Alert on customer transactions over $ threshold
  • Prevent journals from being entered and posted by the same individual
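Several of the monitors listed above (journal entry over threshold, employee checks tested individually and in sum, duplicate suppliers at one address, PO changes after approval, the same person entering and posting a journal), as an added Python example run over constructed ERP extracts; this is not Oracle's code, and the record fields, thresholds and monitor names are this example's own.

```python
"""Added example, not Oracle's code: a small library of transaction monitors
for the material-threshold, fraud-pattern and compensating-control categories,
run over constructed ERP extracts. Field names and thresholds are invented."""
from collections import defaultdict

JOURNALS = [  # constructed journal entries
    {"id": "J1", "amount": 12000.0, "entered_by": "clerk1", "posted_by": "super1"},
    {"id": "J2", "amount": 75000.0, "entered_by": "clerk2", "posted_by": "clerk2"},
    {"id": "J3", "amount": 800.0, "entered_by": "clerk1", "posted_by": "super1"},
]
CHECKS = [  # constructed employee expense checks
    {"id": "C1", "employee": "e100", "amount": 4500.0},
    {"id": "C2", "employee": "e100", "amount": 4800.0},
    {"id": "C3", "employee": "e200", "amount": 900.0},
]
SUPPLIERS = [  # constructed supplier master
    {"id": "S1", "name": "Acme Supply", "address": "1 Industrial Way, Springfield"},
    {"id": "S2", "name": "ACME Supply Co", "address": "1  industrial way,  springfield"},
    {"id": "S3", "name": "Beta Parts", "address": "9 Harbor Rd, Portville"},
]
PO_HISTORY = [  # constructed purchase-order audit trail: (po, version, status, total)
    ("PO7", 1, "APPROVED", 10000.0), ("PO7", 2, "APPROVED", 14000.0),
    ("PO8", 1, "APPROVED", 2000.0),
    ("PO9", 1, "DRAFT", 500.0), ("PO9", 2, "APPROVED", 650.0),
]

def journal_over_threshold(journals, threshold=50000.0):
    """Material threshold: journal entry > $ threshold."""
    return [j["id"] for j in journals if j["amount"] > threshold]

def same_person_entered_and_posted(journals):
    """Compensating control where entry and posting could not be segregated."""
    return [j["id"] for j in journals if j["entered_by"] == j["posted_by"]]

def employee_checks_over_threshold(checks, single=5000.0, aggregate=9000.0):
    """Individual and per-employee sum tests; the sum catches payments split
    into amounts that each stay under the single-check threshold."""
    totals = defaultdict(float)
    suspects = set()
    for c in checks:
        totals[c["employee"]] += c["amount"]
        if c["amount"] > single:
            suspects.add(c["id"])
    for emp, total in totals.items():
        if total > aggregate:
            suspects.update(c["id"] for c in checks if c["employee"] == emp)
    return sorted(suspects)

def duplicate_supplier_addresses(suppliers):
    """Duplicate suppliers with the same address; case and spacing are normalised
    so a re-keyed vendor record still collides with the original."""
    by_addr = defaultdict(list)
    for s in suppliers:
        by_addr[" ".join(s["address"].lower().split())].append(s["id"])
    return [ids for ids in by_addr.values() if len(ids) > 1]

def po_changed_after_approval(history):
    """PO changes after approval: a later version alters the total of a PO whose
    previous version was already approved (draft-to-approved edits are fine)."""
    last = {}
    suspects = set()
    for po, _version, status, total in sorted(history, key=lambda r: (r[0], r[1])):
        prev = last.get(po)
        if prev and prev[0] == "APPROVED" and total != prev[1]:
            suspects.add(po)
        last[po] = (status, total)
    return sorted(suspects)
```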

30

Transaction Controls Review

IT OPERATION

• Challenge: IT is asked repeatedly to create new reports/queries for the business to perform transaction analysis

• Solution: An easy-to-use interface lets business administrators manage threshold values and generate parameterized reports as required

• Challenge: IT is asked to design compensating or programmatic controls

• Solution: The transaction control library provides readily available audit reports of suspicious activities in the system and distributes them to key personnel for necessary action

BUSINESS OPERATION

• Challenge: Continuously monitor controls to prevent error and fraud from happening

• Solution: Automated transaction controls will validate application and systems control effectiveness, identify suspect transactions, and route them to process owners for visibility before material issues arise

• Challenge: Presence of unauthorized user access makes the system vulnerable and warrants additional testing and scrutiny by external auditors

• Solution: Automatic transaction validation and testing can compensate for areas where duties cannot be segregated or forensic analysis is warranted

31

Example: Bad Debt Management

Financial Clerk: ENTER bad-debt account entry. Preventive Configuration Control: unable to modify sensitive account settings.

Financial Supervisor: POST the entry to the General Ledger. Access Control (SOD): entry and posting are performed by different people.

Preventive Transaction Control: updates > threshold require manager approval. Bad-debt approval > $25K? Yes → General Mgr (P&L) approves (Approved) → POST. No → POST.

Detective Transaction Monitor: excessive debt → reportable event risk (!!) → exception reporting → exception remediation by the Controller.

32

Oracle Solutions for GRC

Pre-integrated with Oracle applications and technology, supports heterogeneous environments

Purpose-built business solutions for key industries and GRC initiatives

Best-in-class GRC core solutions to support all mandates and regulations

Architecture diagram:

GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration

GRC Reporting & Analytics: Reporting; KRI & Alerts; Dashboards

GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt

GRC Infrastructure Controls: Systems Mgmt; Digital Rights; Data Security; Identity Mgmt; Records & Content Mgmt

Custom or Legacy Applications are covered alongside the Oracle applications

33

Evaluating Your Organizational GRC State

Level of Automation (scale: Manual to Automated)

• What percentage of internal controls are manual?

• How many applications need SOD enforcement?

• Estimate the total number of application users for those applications

Time & Cost of Audit (scale: Low to High)

• How much time do business groups spend reviewing, analyzing and provisioning application access?

• How much time does IT spend supporting application access review, remediation & certification?

• How much time does internal audit spend on application access control testing & remediation?

Frequency of Audit (scale: Weekly to Annually)

• How often are audits performed, monthly / quarterly?

• What percentage of internal audit test results are external auditors relying upon for their assessments?

• Estimated time to be spent by external audit on application access control testing this year?

34

Progress in GRC Maturity with Oracle

Maturity over time: Informal → Reactive → Proactive → Optimized

Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next stage (GRC Application Controls, GRC Manager, GRC Intelligence, GRC Infrastructure Controls)

Informal

• Ad hoc approach

• Compliant but at a high cost to business

• Manual control

• No best practices

Reactive

• Tactical approach

• Risks are documented

• Manual risk assessment and reporting

• After-the-fact reporting

Proactive

• Unified, standardized & strategic approach

• Policies are enforced

• Automated process

• Prevent policy violation

Optimized

• GRC objectives embedded throughout the organization

• Analyze and trend

• Automated risk mitigation / Predictive risk assessments

35

Q&A

36

37


Appendix

(select from the following slides to briefly introduce GRC intelligence and GRC Manager.)

38

Oracle GRC Reporting & Analytics


39

Enterprise Visibility to GRC Information: Secured and targeted delivery of role-based dashboards

40

Getting to the Root of the Issue: Drill down from dashboard to detailed transaction

41

Oracle GRC Process Management


42

• GRC System of Record

• End-to-End GRC Process Management

• Integrated Control Management

• Closed-loop Issue Remediation

Manage Risk and Compliance Process: Unify risk and compliance documentation and orchestrate processes

Document: Risk-Control Matrix; COSO/COBIT Frameworks; Policies and Procedures; Evidence & Records Retention

Assess: Perform Self Assessment; Test Manual Controls; Scope Audits; Monitor Automated Controls

Analyze: Receive Alerts; Review Reports; Investigate Exceptions

Respond: Remediate; Retest; Optimize

Certify: Sign-off and Publish