Governance, Risk, and Compliance: A Practical Guide to Points of Entry

Similar documents
Oracle Database Vault

Oracle Buys Automated Applications Controls Leader LogicalApps

Creating Custom Project Administrator Role to Review Project Performance and Analyze KPI Categories

Frequently Asked Questions Oracle Content Management Integration. An Oracle White Paper June 2007

Oracle Risk Management Cloud

Technical Upgrade Guidance SEA->SIA migration

An Oracle White Paper October The New Oracle Enterprise Manager Database Control 11g Release 2 Now Managing Oracle Clusterware

Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017

JD Edwards EnterpriseOne Licensing

Oracle Database Vault

Centrally Managed SSH

Information Lifecycle Management for Business Data. An Oracle White Paper September 2005

Oracle Database Vault

Transparent Solutions for Security and Compliance with Oracle Database 11g. An Oracle White Paper September 2008

Generate Invoice and Revenue for Labor Transactions Based on Rates Defined for Project and Task

Oracle Flashback Data Archive (FDA) O R A C L E W H I T E P A P E R M A R C H

Benefits of an Exclusive Multimaster Deployment of Oracle Directory Server Enterprise Edition

A Distinctive View across the Continuum of Care with Oracle Healthcare Master Person Index ORACLE WHITE PAPER NOVEMBER 2015

Oracle Database 10g Release 2 Database Vault - Restricting the DBA From Accessing Business Data

An Oracle White Paper September Security and the Oracle Database Cloud Service

April Understanding Federated Single Sign-On (SSO) Process

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Improve Data Integration with Changed Data Capture. An Oracle Data Integrator Technical Brief Updated December 2006

Veritas NetBackup and Oracle Cloud Infrastructure Object Storage ORACLE HOW TO GUIDE FEBRUARY 2018

INTELLIGENCE DRIVEN GRC FOR SECURITY

Migration Best Practices for Oracle Access Manager 10gR3 deployments O R A C L E W H I T E P A P E R M A R C H 2015

Rapid Bottleneck Identification A Better Way to do Load Testing. An Oracle White Paper June 2008

October Oracle Application Express Statement of Direction

August Oracle - GoldenGate Statement of Direction

Oracle Data Provider for.net Microsoft.NET Core and Entity Framework Core O R A C L E S T A T E M E N T O F D I R E C T I O N F E B R U A R Y

1 Hitachi ID Access Certifier. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

An Oracle White Paper June Oracle Audit Vault and Database Firewall

Regulatory Compliance Using Identity Management

Complete document security

Fabrizio Patriarca. Come creare valore dalla GDPR

Oracle Enterprise Performance Management Cloud

Oracle Data Masking and Subsetting

Tutorial on How to Publish an OCI Image Listing

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

An Oracle White Paper November Primavera Unifier Integration Overview: A Web Services Integration Approach

Oracle Fusion General Ledger Hierarchies: Recommendations and Best Practices. An Oracle White Paper April, 2012

Tracking and Reporting

August 6, Oracle APEX Statement of Direction

Oracle WebLogic Portal O R A C L E S T A T EM EN T O F D I R E C T IO N F E B R U A R Y 2016

Overview. Business value

An Oracle White Paper April Oracle Technology for Government Cybersecurity

Oracle Database Vault with Oracle Database 12c ORACLE WHITE PAPER MAY 2015

Oracle Database Security Assessment Tool

Oracle Secure Backup. Getting Started. with Cloud Storage Devices O R A C L E W H I T E P A P E R F E B R U A R Y

Oracle Warehouse Builder 10g Release 2 Integrating Packaged Applications Data

PeopleSoft Fluid Navigation Standards

Leverage the Oracle Data Integration Platform Inside Azure and Amazon Cloud

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

Next-Generation SOA Infrastructure. An Oracle White Paper May 2007

Oracle Application Server 10g Integration Interconnect. An Oracle Technical White Paper January 2005

Agenda. Introduction. Key Concepts. The Role of Internal Auditors. Business Drivers Identity and Access Management Background

TABLE OF CONTENTS DOCUMENT HISTORY 3

Privileged Identity Management

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Repairing the Broken State of Data Protection

Protecting Your Investment in Java SE

Oracle FLEXCUBE Direct Banking Release Dashboard Widgets Transfer Payments User Manual. Part No. E

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

See What's Coming in Oracle Taleo Business Edition Cloud Service

ORACLE DATABASE LIFECYCLE MANAGEMENT PACK

1 Introduction to Identity Management. 2 Access needs evolve. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Differentiate Your Business with Oracle PartnerNetwork. Specialized. Recognized by Oracle. Preferred by Customers.

An Oracle Technical White Paper September Oracle VM Templates for PeopleSoft

Oracle API Platform Cloud Service

Governance and Control of Privileged Identities to Reduce Risk

IBM Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2.

PeopleSoft Applications Portal and WorkCenter Pages

Oracle Linux Management with Oracle Enterprise Manager 13c O R A C L E W H I T E P A P E R J U L Y

Oracle FLEXCUBE Direct Banking Release Dashboard Widgets Customer Services User Manual. Part No. E

An Oracle White Paper March Oracle Database Vault for SAP

Oracle Database 10g Resource Manager. An Oracle White Paper October 2005

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Oracle Database Lite. Automatic Synchronization White Paper. An Oracle White Paper August 2008

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Portal 9.1 PeopleBook: Internal Controls Enforcer

Oracle Application Access Controls Governor. Release Notes Release 8.0.1

INTEGRATION CLOUD SERVICE. Accelerate Your Application Integration Across the Cloud and On Premises

Correction Documents for Poland

An Oracle Technical White Paper May Deploying Oracle Beehive with BlackBerry Enterprise Server for MDS Applications

DevOps for Oracle Forms Using Developer Cloud Service

Oracle Privileged Account Manager

CA Security Management

SECURITY & PRIVACY DOCUMENTATION

CERTIFICATE POLICY CIGNA PKI Certificates

VANGUARD POLICY MANAGERTM

An Oracle White Paper December, 3 rd Oracle Metadata Management v New Features Overview

Demonstrating Compliance in the Financial Services Industry with Veriato

Extreme Performance Platform for Real-Time Streaming Analytics

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

ORACLE SERVICES FOR APPLICATION MIGRATIONS TO ORACLE HARDWARE INFRASTRUCTURES

POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)

Oracle Data Cloud ( ODC ) Inbound Security Policies

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Oracle Best Practices for Managing Fusion Application: Discovery of Fusion Instance in Enterprise Manager Cloud Control 12c

MySQL CLOUD SERVICE. Propel Innovation and Time-to-Market

Transcription:

An Oracle White Paper January 2010 Governance, Risk, and Compliance: A Practical Guide to Points of Entry

Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.

Table of Contents 1. Executive Summary... 4 2. Building a GRC Framework with Identity-Related Controls... 4 3. Criteria for Selecting an Identity-Based Solution for Controls... 8 4. Using Oracle Identity Management to Institute Controls... 9 5. Conclusion... 10 3

1. Executive Summary The implementation of new initiatives in governance, risk, and compliance (GRC) may be an overwhelming prospect for many organizations. With multiple views and aspects of GRC, it can be difficult to know where to begin. IT Governance continues to be a main focus for many security officers and IT administrators in tacking the constantly evolving regulatory requirements coupled with increased business complexity. Organizations today are being asked, not only to understand the regulations, but also to create the appropriate strategies in addressing their Governance, Risk and Compliance (GRC) needs. Adding to this is the reality that GRC initiatives are often broad and spread across different infrastructure silos managed by different business or IT organizations. Among all the regulatory compliance mandates, Sarbanes-Oxley Act (SOX), Gramm- Leach-Bliley Act (GLB) and Health Insurance Portability & Accountability (HIPAA) are the ones we hear the most. Many of the key requirements revolve around elements of Identity Management where user access to systems, applications and data is being controlled. As a result, any IT GRC initiatives and considerations must put Identity and Access Governance on the top of the list. This paper proposes that the solution is to break GRC initiatives into a number of constituent components that can be addressed one at a time, beginning with those that are easiest to plan for and implement. Choosing the first area on which to focus may mean drilling down from the big picture of enterprise GRC to the IT framework that enables it, and then to some manageable aspect of that framework. An example of this is IT framework applications associated with instituting access, security, and other controls to support business policies. Because access and security are inextricably linked with identity, controls that can be automated through identity management are a good place to start. This paper provides: Specific examples of identity-related access and security controls that can be instituted as part of an IT framework for GRC Guidance for selecting an identity-based solution for access and security controls within the IT framework Information about Oracle s portfolio of identity management products that may be useful in the initial effort to address GRC 2. Building a GRC Framework with Identity-Related Controls The following are specific examples of identity-related access and security controls that can be instituted as part of an IT framework for GRC, whether across the enterprise or for a particular business area within the organization. 4

Authentication Verifying that users who request access to enterprise resources are who they say they are and have permission to view or use what they are asking to view or use is fundamental to reducing risk and improving compliance in the enterprise. This requires access controls with a strong authentication component. Identity-based access-control technology that includes a wide range of authentication capabilities can be implemented to provide the appropriate levels of authentication to support enterprise policy. At the minimum, an identity-based solution should include: Strong password management capabilities that dictate policies such as how often passwords are required to be changed Enterprise single sign-on (ESSO) capabilities that enforce password policy while improving the user experience by enabling users to use one password for access to different enterprise resources The option of even stronger controls such as multifactor authentication to strengthen the security of password-based access at the initial network-login level Segregation of Duties Enforcement Segregation of duties (SOD) enforcement prevents users from intentionally or inadvertently breaching security policy as a result of the roles they occupy and the duties they are assigned to perform. A classic example is not allowing someone who issues purchase orders to approve them as well. SOD enforcement directly impacts an organization s ability to comply with explicit requirements of the Sarbanes-Oxley Act and other regulations aimed at ensuring the integrity of enterprise financial operations. Enforcing SOD policy in a GRC control environment requires identity provisioning and auditing capabilities that: Are fine-grained enough to identify imminent violations when users are provisioned, especially after job changes that may affect their duties Automatically prevent violations and report to management on when incidents occur Maintain an ongoing record of activities with the potential impact to SOD, such as job changes and password resets Record and notify management of all attempts to access confidential, restricted, or other sensitive enterprise resources Once the policies are defined, they must be enforced during the day-to-day functions of the identity management system as appropriate controls. Preventive Controls are the most common controls. As the name suggests, preventive controls are intended to prevent undesirable behavior from ever occurring. These controls can be put in place in several areas. An access control policy can limit who can log into a web application based on a relevant set of criteria such as time of day or 5

location of the user accessing the application. Preventive controls can also be put in place where access is granted. A role may be granted to a user or a new entitlement may be mapped to a role, effective modifying the access for all the users belonging to the role. A preventive control such as a Segregation of Duties control can be put in place to evaluate such actions that may result in policy violations and prevent them from occurring. Notifications or approval workflows can be coupled if human intervention is required. While policies, processes and preventive controls can prevent undesirable activities from occurring, no system of controls is perfect. Inevitably situations arise where an inappropriate action has been taken. Detective Controls are used to identify situations where violations have already occurred where a user's actual access is not aligned with the policies defined. This may be the result of a fraudulent attempt. Or it may be a case of access accumulation in legacy systems that have traditionally been lacking preventive controls. When exceptions or violations are detected by the detective controls, corresponding Corrective Controls must be put in place to handle the violations. For example, email alerts can be routed to the appropriate reviewers where remedial action may be taken on the violation. Depending on the severity of the exception the inappropriate access may need be removed or modified programmatically or manually depending on the type of corrective controls implemented. The controls may be integrated with a notification framework or a ticketing system for manual remediation or with a provisioning system for automated remediation. Role-Based Access Control Enterprise rules and policies that dictate who has access to what resources in the enterprise can be applied based on the role of the user. Role-based access control simplifies administration by making it possible to apply policy against roles rather than individual user accounts. As in the preceding SOD-enforcement scenario, an identity-driven solution may be ideal. The key is to find a product that can: Identify conflicting access privileges and automatically prevent users from being granted rights when a conflict is identified Offer combined capabilities to manage roles, grant access, and report comprehensively on access throughout the process of auditing and certifying access privileges and activities Automate access controls to simplify the access certification process for managers Roles can also be used to automate access certification controls, which greatly simplify the access certification process for managers. When based on role management, the tasks of auditing and certifying access to resources enable the enterprise to establish a practical framework for interjecting tight controls. Management can efficiently secure the 6

enterprise and comply with internal security policy or external regulatory requirements. Additionally, role-based access auditing and certification greatly reduce the operational inefficiencies associated with managing user access in an ad hoc manner. Audit and Compliance Automation The importance of automation to implementing controls for GRC initiatives cannot be overstressed. Implementing automation for audit and compliance makes it easy and costeffective to enforce access policies, monitor access, and conduct ongoing audit and compliance reporting. The processes and procedures that are associated with auditing and compliance cannot be sustained manually because they are labor-intensive, costly, and time-consuming not to mention subject to human error. For example, without automation, an organization may spend weeks at the end of a quarter detecting access violations and remedying them manually. And even then, there s no assurance that every violation will be caught and properly addressed. By contrast, an identity-driven, automated solution can instantly and accurately detect violations, such as a user who changed roles in the organization and inappropriately retained access privileges to resources associated with the previous role. Ideally, an identity-based solution for automating audit and compliance processes should bring together diverse capabilities to automate multiple related processes, with: A combination of automated capabilities for provisioning, access management, and reporting to enable the delivery of sustainable comprehensive audit and compliance support Directory capabilities for automatically consolidating identity and access information from throughout the enterprise, providing a first line of authentication services to applications, and offering strong security mechanisms such as encryption of directory data Support for automatic logging and encryption of transactions to provide a complete, tamper-proof forensics trail for the audit team to review as needed Access certification is typically performed by a line of business manager or an application owner to periodically review user access. The support for access certification includes the automation of the process itself (scheduling, email notifications, approval routing, status reporting etc.) as well as the documentation or auditing of these activities. The certification may be performed at different levels depending on the nature of the certification task itself. An application owner may be interested at a high-level certification of user access based on application accounts created to access the application. A business owner may be interested at the user entitlements, which determine the types of business functions exposed to the end users. Similarly, where roles are used for granting access, role memberships will be of interest as they ultimately determine user access. An effective access certification solution must provide the right level of information since the target audience is often business users rather than IT administrators. Business-friendly description of the resources, entitlements and roles must be presented. 7

Analytics With the wealth of information collected, the data can be analyzed to look for trends and behaviour, which may be signs of potential risks. For example, What is the percentage of accounts that has been attested in this quarter? Does any approver have an abnormally large amount of approval requests during a given period of time? Is there any trend with respect to rogue accounts being detected? While it is not entirely possible to prevent risk, the goal of an Identity and Access Governance solution is to mitigate risk. The analysis can be triggered manually but can also be scheduled periodically along with proper notification to alert business owners or application owners where appropriate. A key aspect of Identity and Access Governance is the ability to monitor the health of the systems as well as user behaviour. With all the controls in place, along the audit support in the products, a useful amount of identity information can be collected - information such as user creation, account requests, access requests, approvals, violations, exception remediation, role grants, user login, etc. A comprehensive reporting framework allows the viewing of this information by different types of users. In addition to static reports, dashboards provide additional insight into the information through graphical representation of the data collected. 3. Criteria for Selecting an Identity-Based Solution for Controls Automation is at the top of the list for any organization that is considering using an identity-driven approach to the controls environment in the IT infrastructure for GRC. But beyond automation, having an identity-based solution for controls that provides the flexibility to bring together multiple processes identity provisioning and auditing, access management, and role management is also important. Identity provisioning and identity auditing capabilities that are available in a single streamlined offering are useful for efficiently fulfilling access requests while simultaneously detecting risks associated with access Access management that includes fine-grained authentication vital to establishing a line of defense against violations of policy or regulatory directives Role management capabilities are useful for enterprises with a large, diverse base of users because they can speed the process of managing access to resources 8

Finally, any identity-based solution for building a controls environment for GRC must have a strong reporting component. The solution should report on who has access to what (by both user and information owner); who actually accessed what, including applications, operating systems, and other resources (especially resources associated with confidential or other sensitive information); and who approved or authorized the access. Additionally, reporting capabilities should include a centralized log of all access activities from all resources, so that organizations can quickly and accurately gather the information needed for an audit. 4. Using Oracle Identity Management to Institute Controls Oracle s complete portfolio of identity management offerings provides all the capabilities that an organization needs to begin implementing access and security controls as part of an IT framework for GRC. Oracle Identity Manager Converged identity provisioning and auditing capabilities make Identity Manager an ideal choice for the fine-grained functions that are needed to apply and enforce security policy and compliance requirements in the control environment. Key features include: Integrated provisioning and auditing for preventative and detective compliance Identity controls consistently applied across provisioning and auditing Policy violation tracking and expiration capabilities to handle exceptions Oracle Access Manager 9

Oracle s federated identity products provide the single sign-on, authentication, and authorization capabilities that are essential to access control in the IT framework for rolling out GRC initiatives. Key features include: Centralized control over application security Policy agents to enforce rule- and role-based authorizations Pre-integration with ESSO capabilities Extension of core authentication and authorization services to partners Oracle Identity Analytics By applying enterprise access policies based on user roles rather than individual access privileges, Oracle Identity Analytics dramatically simplifies access control within the IT framework for GRC. Key features include: Role engineering and ongoing role maintenance Ongoing role certification by business unit managers or role owners Enterprise-level monitoring of access for policy conflicts Dashboard view of certification status and policy exceptions Oracle Directory Offerings OID, OVD and Directory Server Enterprise Edition provide a complete directory service for consolidating access information from throughout the enterprise. Key features include: Robust security with data and communication encryption and password protection Multi-level access control instructions (ACIs) to secure data and minimize risk Sustained search performance and near-relational database write performance Highly flexible replication environment to help ensure data availability 5. Conclusion For enterprises that are eager to roll out enterprise GRC initiatives, the greatest challenge may be in not knowing where to begin. Focusing on one aspect of GRC at a time will bring about optimal results, particularly if an organization starts with something that is easy to plan for and implement, such as identity-related infrastructure controls. Oracle's identity management portfolio includes a number of products that can be used to establish controls in the areas of authentication, Segregation of Duties Analysis, Identity Analytics, role-based access management, and automation of audit and compliance processes. To learn more about Oracle's identity management and identity-related controls, visit Oracle.com/identity. 10

Governance, Risk & Compliance January 2010 Author: Neil Gandhi Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright 2009, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. 0109

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback