Why GRC is important to you and your customers/prospects What do we mean by GRC? How does it relate to Oracle? Brian Gregory, ACA, EMEA GRC

Transcription

1 Why GRC is important to you and your customers/prospects What do we mean by GRC? How does it relate to Oracle? Brian Gregory, ACA, EMEA GRC

2 Safe Harbor Statements The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.

3 Safe Harbor Statement Caution The following presentation will challenge your current views. The presenter has no responsibility for any distress you may suffer from having your views changed and/or your sales horizons expanded. In the event of a panic attack take deep breaths and if necessary hold the hand of the person next to you!

4 3 X 2 Compelling Reasons

5

6 One Product alone could be worth 82m in UK One sale this year was just short of $1 Million

7 Competition

8 3 rd Reason Confidence and Trust

9

10

11 But what is Governance, Risk and Compliance?

12 Governance What does GRC Mean? Set and evaluate performance against objectives Authorize business strategy & model to achieve objectives Risk Identify, assess, and address potential obstacles to achieving objectives Identify / address violation of mandated and voluntary boundaries Compliance Encourage / require compliance with established policies and boundaries Detect non-compliance and respond accordingly

13 Governance Or put another way Managing the business efficiently and effectively Ensuring No Surprises Risk Identifying and seeking to mitigating risks that could lead to surprises For example, compliance fails [SOX, Basel II] but also operational risks Data Security [HMRC] Ethics [Primark] Compliance The obvious one legal and regulatory failures

14 It is about trying to prevent Surprises from happening

15 GRC Terminology Processes Risks Best Practices Financial Governance (COSO) Operational Risk Management (ISO, 6Sigma) IT Governance (COBIT, ITIL) Risk Assurance Partners Specialists Audit Firms Controls Automated Controls Detective & Preventative Reports/Documentation Attestation ( I confirm that... )

16 Governance Risk Compliance Compliance

17 What is the Oracle GRC Strategy?

18 Oracle GRC Has Come A Long Way July 2006 May 2008 SAP definitely in my mind has the lead on Oracle in developing a very comprehensive strategy for GRC. Michael Rasmussen, Forrester July 5, 2006 SAP needs to put urgency into fleshing out its GRC management capabilities to match its vision Until SAP does so, enterprise GRC platform buyers should look to Oracle and the many bestof-breed EGRC platform vendors. * French Caldwell, Gartner May 22, 2008 Shift Happens! *As Quoted in Article by Courtney Bjorlin, News Editor29 May 2008 SearchSAP.com

19 Acquired Innovation Timeline: Scale, technology and vertical specialization drive growth across all product lines 4 Acquisitions 15 Acquisitions* 12 Acquisitions** 16 Acquisitions Oracle FY2005 Oracle Fiscal Year 2006 Oracle Fiscal Year 2007 Oracle FY 2008 YTD * Excludes acquisitions of Covansys and Hexaware operations. ** Acquisition of Mantas through majority-owned i-flex solutions company.

20 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms Committing adequate investment to an aggressive development road map with plans for many vertical-specific versions of GRC Manager A suite of controls products, such as Oracle Application Access Controls Governor and Oracle Transaction Controls Governor, that is integrated into the GRC Manager platform

21

22 New Products Applications Shift Has Happened GRC Controls [aka LogicalApps] Automated Detection and Enforcement of key, foundational controls Any ERP customer Technology Identity Management and Database Vault now certified for EBS

23 How Oracle GRC Solutions help Challenge: Solution: Multiple Consolidate Requirements, Fragmented Response Regulation Regulation Risk Standard Standard A A BB C C R1 R2 R3 R1 R1 R2 R2 R3 R3 R1 R2 R3 C1a C2a C3a C1b C2b C3b C1c C2c C3c C5a C6a C7a C5b C6b C7b C5c C6c C7c C9a C10a C11a C9b C10b C11b C9c C10c C11c Challenge: Solution: Insufficient Automate Resources, Manual Efforts Challenge: Solution: GRC Embed as an Afterthought Or Holding Up the Business Process Reporting & Diagnostics Policy Remediation GRC Risk Issues GRC Business Business Process Processes Assessment Detective Control Preventive Control Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

24 Oracle Solutions for GRC Access Policy KPIs Documentation & Reporting Identity Mgmt SOD & Access GRC Reporting & Analytics GRC Infrastructure Controls Data Security Risk & Control KPIs GRC Process Management Management Assessments GRC Application Controls Application Configuration Systems Mgmt Certification KPIs Issues & Remediation Transaction Monitoring Records & Content Mgmt Digital Rights Purpose-built business solutions for key industries and GRC initiatives Best-in-class GRC core solutions to support all mandates and regulations Pre-integrated with Oracle applications and technology, supports heterogeneous environments Custom or Legacy Applications

25 Oracle GRC Product Set GRC Reporting and Analytics Fusion GRC Intelligence Dashboards Audit Identity Mgmt SOD & Access GRC Reporting & Analytics Reporting GRC Process Management Management Assessment GRC Application Controls Application Configuration GRC Infrastructure Controls Data Security Systems Mgmt Issue & Remediation Records & Content Mgmt Custom or Legacy Applications KRI & Alerts Event & Loss Mgmt Transaction Monitoring Digital Rights GRC Process Management GRC Manager GRC Application Controls Application Access Controls Governor Configuration Controls Governor Transaction Controls Governor Preventive Controls Governor GRC Infrastructure Controls Identity Manager Access Manager Role Manager Database Vault Audit Vault Advanced Security Secure Backup Enterprise Manager Universal Content Management Universal Records Management Information Rights Management

26 Step 5 Secure the IT Infrastructure. User Indemnity Management across all systems, security of data, availability of systems etc are all important. Of course you also need to be able to show that the IT policies and procedures are adequate and functioning Policies and Procedures Document, Evaluate, Verify and Conclude Step 1 - Understand what your policies and procedures are and whether they are adequate. Where are the weaknesses and are there any mitigating controls Secure IT Infrastructure User Access and Provisioning, Data Security, Availability People Align required skills and competencies with staff Step 4 Plan your business and have Business Intelligence systems that monitor performance and alert to possible deviations. Of course you should understand the processes for creating the budgets and forecasts. Step 2 - Ensure that your staff have the necessary skills and experience to undertake their duties. Of course this is an on-going process Plan, Forecast and Monitor Create, Manage, Update and Report Step 3 Automate the flow of transactions and approvals as much as possible. Of course this requires a link to HR. Simplify the number of processes and ERP. Automate Controls, Approvals and Business flows

27 Oracle GRC Reporting & Analytics Run your Business Better and Prove It IT Governance Financial Compliance Dashboards Policy & Procedures Regulatory Policy Mgmt Environmental Information Privacy GRC Reporting & Analytics Reporting GRC Process Management Issues & Remediation Global Trade Mgmt Product Quality &Safety GRC Application Controls Public Sector Financial Services Life Sciences KRI & Alerts Certification Retail High Tech Pre-built dashboards aggregate information from all sources Combine performance & GRC information Respond to KRI and issues Produce attestations and disclosures Configure to meet your specific needs SOD & Access Application Configuration Transaction Monitoring GRC Infrastructure Controls Identity Mgmt Data Security Change Mgmt Records Mgmt Digital Rights Custom or Legacy Applications

28 Oracle GRC Intelligence Better decisions, more timely access to information, balanced performance Pre-built dashboards aggregate information from all sources Combine performance & GRC information Respond to KRI and issues Role based Configure to meet your specific needs

29 Consolidated view of financial balances and risk rating

30 GRC Intelligence for SOD

31 Oracle GRC Process Management Simplify GRC and Reduce Costs IT Governance Financial Compliance Regulatory Policy Mgmt Environmental Information Privacy Global Trade Mgmt Product Quality &Safety Reporting & Analytics Public Sector Financial Services Life Sciences Retail High Tech Dashboards Reporting KRI & Alerts Audit SOD & Access GRC Process Management Management Assessment GRC Application Controls Application Configuration Issue & Remediation Event & Loss Mgmt Transaction Monitoring GRC system of record End-to-end GRC process management Platform independent Integrated control management Closed-loop issue remediation GRC Infrastructure Controls Identity Mgmt Data Security Change Mgmt Records Mgmt Digital Rights Custom or Legacy Applications

32 GRC Manager

33 Example of a process: basics

34 Example of a process: Risks

35 Example of a process: Controls

36 Is it time to do an assessment again? Manage Compliance Processes Automate Labor Intensive, Manual Processes

37 Oracle GRC Applications Controls Protect Brand and Reputation IT Governance Financial Compliance Regulatory Policy Mgmt Environmental Information Privacy Global Trade Mgmt Product Quality &Safety Reporting & Analytics Public Sector Financial Services Life Sciences Retail High Tech Dashboards Reporting KRI & Alerts GRC Process Management Audit Management Assessment Issue & Remediation Event & Loss Mgmt SOD & Access GRC Application Controls Application Configuration GRC Infrastructure Controls Transaction Monitoring Preventive and detective controls What-if risk simulation Automated controls testing Identity Mgmt Data Security Change Mgmt Records Mgmt Digital Rights Custom or Legacy Applications

38 Oracle GRC Controls Monitor Control Effectiveness What users have done Detective Controls What s changed in the environment What are the execution patterns ACCESS Controls CONFIGURATION Controls TRANSACTION Controls What users can do How the environment is setup Preventive Controls Enforce Policies in Context How users execute processes

39 Oracle GRC Controls Monitor Control Effectiveness What users have done Detective Controls What s changed in the environment What are the execution patterns ACCESS Controls CONFIGURATION Controls TRANSACTION Controls What users can do How the environment is setup Preventive Controls Enforce Policies in Context How users execute processes

40 Segregation of Duties You mean I can t approve my own expenses?

41 Integrity of Accounting Segregation of Duties [SOD] Fraud Accuracy Foundation to ANY accounting system Strong control is essential to ALL accounting operations X-Industry - Private, Public, Public Sector, Not for Profit etc NOT DRIVEN BY ANY SPECIFIC LEGISLATION

42 Oracle Application Access Controls Governor Enforce proper segregation of duties in applications Policy Library Conflict Paths Simplify segregation of duties enforcement with simulation and remediation Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails Accelerate deployment and time to value with pre-delivered controls library Detection Prevention Define Access Controls Access Analysis Remediation (Clean-up) Preventive Provisioning Compensating Policies

43 Conflict Analysis Define Access Controls Conflict Analysis Remediation (Clean-up) Preventive Provisioning Compensating Controls View detailed conflict reports by various dimensions (e.g. by Application)

44 Compensating Controls Define Access Controls Conflict Analysis Remediation (Clean-up) Preventive Provisioning Compensating Controls Implement compensating SOD control by removing the payment tab to enforce policy

45 Compensating Controls Define Access Controls Conflict Analysis Remediation (Clean-up) Preventive Provisioning Compensating Controls Payment tab is removed

46 What should I be looking for? 4 Simple Questions Are you interested in understanding who has access to your systems? Are you interested to know what access they have? Are you interested in finding potential conflicts in access rights? Are you interested in enforcing access controls and preventing inappropriate access?

47 Oracle GRC Controls Monitor Control Effectiveness What users have done Detective Controls What s changed in the environment What are the execution patterns ACCESS Controls CONFIGURATION Controls TRANSACTION Controls What users can do How the environment is setup Preventive Controls Enforce Policies in Context How users execute processes

48 Configuration Management As you can see there have been some changes to the computer systems

49 Integrity of Accounting Integrity of Financial System Changes Monitor Prevent Track Assess Strong control is essential to ALL accounting operations X-Industry - Private, Public, Public Sector, Not for Profit etc NOT DRIVEN BY ANY SPECIFIC LEGISLATION

50 Oracle Configuration Controls Governor Ensure integrity of critical application setups Achieve consistent application setup and operating standards across multiple instances Track complete audit trails for changes to key configurations Tightly control change management to accelerate development and test time Detection Prevention Define Configuration Controls Document or Compare Configurations Monitor Configuration Changes Enforce Change Control Manage Data Integrity

51 Data Privacy and Data Integrity Mask sensitive data, disable buttons, validate data input, etc. Granular user interface Employee Update Name John Doe Conceal SSN number if User Address is NOT from 123 HR Main dept St Center City, NY restrictions Restrict access to data or actions Embedded control enforcement SSN Salary XXX-XX-XXXXX $ 53, Supervisor Mary Smith John Jones Phil Johnson Sue Thompson Sally Struthers Bill Seibel OK Employees can only view the Salary field (can t update) Cancel Disable Invoice action button for Invoices created by same user

52 What should I be looking for? 4 Simple Questions Are you interested in understanding what changes have been made to your configuration? Are changes have been made to key data in your systems? Are you interested in being able to report on differences between configurations both over time and between different instances? Are you interested in enforcing controls over changes?

53 Transaction Management So isn t it strange that this user is raising a number of POs just under their approval level?

54 Integrity of Accounting Detection and Prevention of Unusual transactions Continuous monitoring of Transaction Master data Strong control is essential to ALL accounting operations X-Industry - Private, Public, Public Sector, Not for Profit etc NOT DRIVEN BY ANY SPECIFIC LEGISLATION

55 Oracle Transaction Controls Governor Identify inaccurate or fraudulent transactions Pre-delivered Transaction Controls Suspect Transactions Continuously monitor accuracy of transactions and mitigate exposure to fraud Test against thresholds Search for anomalies Perform transaction sampling Detection Prevention Define Transaction Controls Perform Transaction Analysis Review and Address Suspects Preventive Transaction Controls

56 What should I be looking for? 4 Simple Questions Are you interested in being able to identify unusual transactions in your systems? Are you interested in being able to identify users trying to circumvent authority limits by undertaking multiple transactions? Are you interested in being able to speed your period close process? Are you interested in being able to enforce controls over transactions?

57 Oracle GRC Reporting & Analytics Run your Business Better and Prove It IT Governance Financial Compliance Regulatory Policy Mgmt Environmental Information Privacy Global Trade Mgmt Product Quality &Safety GRC Reporting & Analytics Public Sector Financial Services Life Sciences Retail High Tech Dashboards Reporting KRI & Alerts GRC Process Management Policy & Procedures Issues & Remediation Certification Identity Mgmt SOD & Access GRC Application Controls Application Configuration GRC Infrastructure Controls Data Security Change Mgmt Records Mgmt Transaction Monitoring Digital Rights Secure the IT Infrastructure Extend user access and SOD to cover ALL systems Secure data inside and outside IT environment Protect sensitive data from unauthorized access Manage flow of data between systems Custom or Legacy Applications

58 Oracle Identity & Access Management End Users Administrator Info. Sec, Auditor Strong Authentication Risk Based Authorization Federation Self-Service Identity Admin Account Admin Organization Admin Role Management Delegated Admin Reporting & Analytics Attestation Segregation of Duties Fraud Detection Oracle Identity Management & Security Platform Provisioning Reconciliation Password Mgmt. WS Security LDAP Storage LDAP Synchronization LDAP Virtualization DB User Security Java Platform Security Authentication For Operating Systems Business Apps, HR Directories, DB App Server, OS

59 Compliant Access Provisioning Segregation of Duties in User Provisioning IDENTITY MANAGEMENT GRC CONTROLS! Set Up User Profile Determine User Role Validate with SOD Policies Violations Found New Hire, Change of Role Provision Application Access No Violations Remediate: Seek Approval Apply Mitigating Control Deny Access

60 Oracle Database Security Defense-in-Depth for Security and Compliance Configuration Management Audit Vault Total Recall Database Vault Label Security Advanced Security Secure Backup Data Masking

61 Oracle Database Vault Controls on privileged users Restrict highly privileged users from application data Provide Separation of Duty Security for database and information consolidation Real time access controls Control who, when, where and how data is accessed Make decision based on IP address, time, auth Reports Command Rules Protection Realms Multi-Factor Authorization Separation of Duty

62 Patented distributed rights management between centralized server and desktop Centralized revocation of rights and up-todate audit trail Transparent mobile access to sealed information Classification-based rights management Enterprise-scalable Oracle Information Rights Management

63 Summary GRC is a huge opportunity Oracle is unique in the depth and breadth of our offering For every EBS and P/Soft customer [new and existing] you should include: GRC Controls SOD is the lead Extend GRC C with Technology for complete Every system we sell is in order to automate and improve business processes so why not talk to them about GRC Manager and GRC Intelligence to record the processes? UPK and/or Tutor to enable staff effectiveness? Think beyond your comp plan GRC is Never about 1 product Our strength is the completeness of offering Engage with Partners

64 Resources for Accelerating Growth

65 Resources for Accelerating Growth

66 Partner Communities Partner Communities Live Partner Communities for BI, ECM, IDM, Persuasive, SOA Material available from Partner Communities Technology: white papers, documentations, downloads Sales: sales kits, cheat sheets, references, ROI calculator Marketing: brochures, presentations, industry papers Education: Online Training & Assessments & Certification Activities Regular updates available in OPN Monthly newsletters Monthly webcasts Quarterly Partner Community Forums Online Discussion Forums Next step Sign up for the communities: ology/home.html

67