GRC Compliance Intro NorCal OAUG1
Transcript of GRC Compliance Intro NorCal OAUG1
-
8/3/2019 GRC Compliance Intro NorCal OAUG1
Evolving from Financial Compliance to Next-Generation GRC
Gary Prince, Principal Solution Specialist - GRC
-
Agenda
Business Challenges
Oracle's Leadership in Governance, Risk and Compliance
Solution Overview
Solution Demo
-
Financial Compliance is Only the First Step: pressure mounts to fortify the financial compliance foundation
1. Regulations Go Beyond Financial Reporting: an increasing number of regulations pose a challenge to sustainable GRC
2. Vulnerability to Information Breaches: growing recognition that information breaches stem from inside the organization
3. Real-Time Public Exposure of Misdeeds: instantaneous media communication increases the risk of reputational damage
Mandates shown on the slide: IT Governance, Patriot Act, E-Discovery, HIPAA, AML, ERM, Records Retention, PCI, Basel II, NERC/FERC, OFAC, CFR
-
GRC is the New Normal: Requirements Increase in Number and Complexity
Chart of four growing dimensions:
Mandates: SOX, JSOX, HIPAA, Basel II, EU Directives, GLBA, PCI, Patriot Act, SB1386
Regions
Technology: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications
People: Legal, Finance, HR, Sales, Suppliers, Customers, R&D, Mfg
GRC activity areas: IT Governance, Supply Chain Traceability, Service Level Compliance, Financial Reporting Compliance, Compliance & Ethics Programs, Audit Management, Data Privacy, Records Retention, Legal Discovery, Anti-Money Laundering
Source: Open Compliance and Ethics Group
-
New Risks to Your Business: Credit Card / Identity Theft
TJ Maxx: 8 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $25 million spent to date. Source: 2006 Annual Report, March 2007
Chipotle: The fast food chain stored the full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M. Source: Computerworld, December 2005
Dollar Tree: Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months. Source: eWeek, August 2006
Life is Good: The Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers. Source: Boston.com, Sept. 2006
-
Security Breaches are Increasingly Expensive
Costs are increasing: breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. The 2006 study covered 31 companies that had experienced a data breach; the total cost of each loss ranged from $1 million to over $22 million. Source: The Ponemon Institute, October 2006
Penalties are severe: companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance. Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html
-
Proactive Security Is Cheaper
The cost of a breach can reach at least $90 per customer for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data. Source: Gartner study, 16 September 2005, "Data Protection is Less Costly than Breaches"
-
Complementary Compliance Efforts
Sarbanes-Oxley: requires that public companies have effective internal controls on financial information, with independent auditor attestation. Prudent private companies comply as well. It comes down to this:
Access control: Who has access to what information?
Auditability: Can you monitor and track access to information?
Gramm-Leach-Bliley Act: requires that financial institutions safeguard Personally Identifiable Information (PII). Prudent retailers consider GLBA compliance a best practice; personal service depends on secure access to PII.
Data Privacy: Do your best customers trust you?
-
Practical Lessons from Sarbanes-Oxley: most organizations progress through a maturity curve
Chart (number of controls and cost over time):
Year 1 & 2 - DEFINE: manual, redundant efforts
Year 3 - RATIONALIZE: remediation & standardization
Year 4+ - AUTOMATE, MONITOR & VERIFY: embedded GRC & operational excellence
New AS5 Guidance: top-down risk-based approach; tailor the audit to the specific company profile; external auditors can use the work of others as evidence
-
Agenda
Business Challenges
Oracle's Leadership in Governance, Risk and Compliance
Solution Overview
Customer Success
-
Oracle's Compliance Solution
Three layers on a cross-enterprise infrastructure:
Policy and Process Management: end-to-end policy & process management governs risk and compliance activities
Enterprise Control Management: detects and prevents control failures
Analytics & Performance Management: integrated analytics deliver actionable insight
-
A World of Paper and Manual Hand-Offs: current state of risk and compliance management
Participants shown: Business Process Owners, Executives, Auditors, Testers. A Fragmented Approach?
-
Content Management is the Cornerstone: a single system of record for compliance information
Central repository providing a single source of information and search: date-effective, chain of custody, all content types, secure enterprise search
Link policies and procedures to laws, regulations, and standards as evidence of compliance
Apply and track permission-based access to policy and procedure documents
Leverage advanced search functions with a familiar look and feel
-
Manage Policies and Procedures: align policies to best-practice frameworks
Embedded frameworks (COSO, COBIT, ITIL) align corporate policies and associated controls to standards
Master libraries of policies & controls: link shared policies and controls in master libraries for easy maintenance
-
Manage Financial Compliance Process: automate and streamline the compliance process
Workflow-connected steps shown: Inbox notifying of tasks, Document, Assess/Audit, Respond, Analyze, Certify
65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. What are the resulting effects? (chart)
Increased general operating expenses: 71%
Increased cost of reconciling information: 69%
Reduced margins: 32%
Higher cost from suppliers: 15%
Higher cost of capital: 10%
Source: 2007 OCEG Benchmark Series
-
Oracle Financial Compliance Solution (architecture recap): Policy & Process Management governs risk and compliance activities; Enterprise Control Management detects and prevents control failures; integrated analytics deliver actionable insight
-
Segregation of Duties for Applications: detect access violations
Flow: Employee -> check for violations against the library of SoD constraints (pre-delivered content) -> violation detection -> corrective measures -> violation cleared -> authorized access; each step leaves evidence of due diligence (process evidence)
User access deviations detected across instances
Continuous monitoring through reporting
-
Role-Based Access to Applications: prevent access violations
Flow: Employee -> set-up of user profile -> assignment of roles checked against the SoD policy -> violation prevention (denied grant of role) -> certification of who has access to what
Integrated framework for user provisioning
Set-up of user profiles with a library of constraints
Segregation of duties prevention and certification across heterogeneous systems
-
Control Privileged User Access: take away the keys of the kingdom
Scenario shown: a super DBA tries to access financial tables during the quiet period and is denied; the DBA's access reaches neither the HR realm nor the FIN realm
Protect from insider threats by ensuring powerful users have access only to what they need to do their job
Restrict access to sensitive data and ascertain that users are who they state themselves to be
-
Control Privileged User Access: take away the keys of the kingdom
Critical data: National ID/SSN (example shown: 782-03-0275), salary, customer records
Super user access controls: realms (HR realm, FIN realm), each with its own DBA (HR DBA, FIN DBA), plus contextual factors such as time of day (3pm Monday) and the DBA's IP address
Protect from insider threats by ensuring powerful users have access only to what they need to do their job
Restrict access to sensitive data and ascertain that users are who they state themselves to be
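The realm-and-factor model of the two slides above, as an added example written for this page; it is a small policy engine in the style of that control, not Oracle Database Vault's own code. A realm lists the objects it protects and the only accounts authorised inside it; the realm's rule set must also hold for the session's context (business hours, the client's IP address, and a quiet-period blackout). The point of the slide is preserved: a super DBA holding SELECT ANY TABLE can still read unprotected objects but is refused inside a realm that does not authorise him, regardless of privilege. The schema names, accounts, subnet and quiet-period window are constructed assumptions.

```python
"""Realm-based control of privileged database users with contextual rules.

Added example, not Oracle Database Vault itself: a small policy engine in the
style of the two slides above. A realm groups sensitive tables and names the
accounts allowed inside it; the realm's rule set must also hold for the
session context (time of day, client IP, quiet period). A "super DBA" holding
SELECT ANY TABLE is still refused inside a realm that does not authorise him.
Schema, user, subnet and quiet-period values are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    user: str
    client_ip: str
    at: datetime


# Realms: protected objects and the only accounts authorised to touch them.
REALMS = {
    "HR":  {"objects": {"HR.EMPLOYEES", "HR.SALARIES"},
            "authorized": {"HR_DBA", "HR_APP"}},
    "FIN": {"objects": {"FIN.GL_BALANCES", "FIN.AP_INVOICES"},
            "authorized": {"FIN_DBA", "FIN_APP"}},
}

# Ordinary system privileges; these do NOT open a realm.
SYSTEM_PRIVS = {"SUPER_DBA": {"SELECT ANY TABLE"}, "FIN_DBA": set(), "HR_DBA": set()}

DBA_SUBNET = ip_network("10.20.0.0/24")                           # assumed jump-host subnet
QUIET_PERIODS = [(datetime(2019, 6, 25), datetime(2019, 7, 10))]  # assumed pre-earnings blackout


def rule_business_hours(s):
    return s.at.weekday() < 5 and 8 <= s.at.hour < 18


def rule_from_dba_subnet(s):
    return ip_address(s.client_ip) in DBA_SUBNET


def rule_outside_quiet_period(s):
    return not any(start <= s.at < end for start, end in QUIET_PERIODS)


# Rule sets per realm: every rule must pass (AND semantics).
RULE_SETS = {
    "HR":  [rule_business_hours, rule_from_dba_subnet],
    "FIN": [rule_business_hours, rule_from_dba_subnet, rule_outside_quiet_period],
}

AUDIT = []  # every decision, allowed or denied, is recorded here


def realm_for(obj):
    """Which realm protects SCHEMA.TABLE, or None if it is unprotected."""
    for name, realm in REALMS.items():
        if obj in realm["objects"]:
            return name
    return None


def authorize(session, obj, action="SELECT"):
    """Decide whether session may run action on obj; returns (allowed, reason)."""
    realm = realm_for(obj)
    if realm is None:
        # Unprotected object: the normal privilege model applies.
        owner = obj.split(".")[0]
        ok = session.user == owner or "SELECT ANY TABLE" in SYSTEM_PRIVS.get(session.user, set())
        verdict = (ok, "no realm; ordinary privileges" + ("" if ok else " insufficient"))
    elif session.user not in REALMS[realm]["authorized"]:
        # System privileges are irrelevant here: the realm is closed to this user.
        verdict = (False, f"{session.user} not authorised for realm {realm}")
    else:
        failed = [r.__name__ for r in RULE_SETS[realm] if not r(session)]
        verdict = (not failed, "all realm rules passed" if not failed
                   else "realm rule(s) failed: " + ", ".join(failed))
    AUDIT.append({"user": session.user, "ip": session.client_ip, "at": session.at.isoformat(),
                  "action": action, "object": obj, "realm": realm,
                  "allowed": verdict[0], "reason": verdict[1]})
    return verdict


def decide(user, client_ip, when, obj, action="SELECT"):
    """Convenience wrapper: `when` is an ISO-8601 timestamp such as 2019-07-01T15:00."""
    return authorize(Session(user, client_ip, datetime.fromisoformat(when)), obj, action)


if __name__ == "__main__":
    quiet, normal = "2019-07-01T15:00", "2019-07-15T15:00"  # both Mondays, 3pm
    cases = [
        ("SUPER_DBA", "10.20.0.5", quiet,  "FIN.GL_BALANCES"),
        ("FIN_DBA",   "10.20.0.5", quiet,  "FIN.GL_BALANCES"),
        ("FIN_DBA",   "10.20.0.5", normal, "FIN.GL_BALANCES"),
        ("FIN_DBA",   "192.0.2.9", normal, "FIN.GL_BALANCES"),
        ("HR_DBA",    "10.20.0.5", normal, "FIN.AP_INVOICES"),
        ("SUPER_DBA", "10.20.0.5", quiet,  "APP.LOG_EVENTS"),
    ]
    for user, ip, when, obj in cases:
        allowed, why = decide(user, ip, when, obj)
        print(f"{user:10} {obj:18} {'ALLOW' if allowed else 'DENY':5} {why}")
```

The audit list records denials as well as grants; the denied super-DBA attempt during the quiet period is exactly the event an auditor will ask to see, and the reason string names the failing rule so the record can be triaged without re-running the policy.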
-
Verify System Configurations: automate and monitor application controls
Procure-to-pay flow across Procurement, Inventory and Accounts Payable (an SAP instance is shown alongside): Requisition -> Purchase Goods/Services -> Receive Goods/Services -> Invoice -> Issue Payments
Controls monitored along the flow: ensure internal requisition source; monitoring of changes to price tolerance percentage; monitoring of changes to document numbering; monitoring of changes to expensing rules; monitoring of discounting rules
Monitors over 500 key configuration settings across instances
Before-and-after snapshot of changes to settings, with the ability to revert
Automatic alerts notify managers as exceptions occur
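The snapshot, compare, alert and revert cycle described above, as an added example written for this page rather than code from Oracle's configuration-controls product. A baseline snapshot of key settings is kept per instance; each later snapshot is diffed against it, a change to a monitored setting raises an alert only when that setting's exception rule fires (a tolerance tightened from 5% to 2% is not an exception, one loosened to 15% is), every alert carries the before and after values and who changed them, and the flagged keys can be restored to their baseline values. The setting names, instance name, user and thresholds are constructed.

```python
"""Configuration-control monitoring: snapshot, diff, alert, revert.

Added example, not Oracle's Configuration Controls Governor: it mirrors the
procure-to-pay slide above. Key application settings are captured in a
baseline snapshot, later snapshots are diffed against it, changes to monitored
settings that match an exception rule raise alerts carrying the before/after
values, and a setting can be reverted to its baseline value. Setting names,
instance names, users and thresholds are constructed.
"""
from copy import deepcopy

# Monitored settings and the rule that turns a change into an exception.
# Each rule receives (before, after) and returns True when managers must be told.
MONITORED = {
    "PO.REQUISITION_SOURCE":    lambda old, new: new != "INTERNAL",   # slide: ensure internal source
    "AP.PRICE_TOLERANCE_PCT":   lambda old, new: new > old,           # loosening tolerance only
    "PO.DOC_NUMBERING":         lambda old, new: new != "AUTOMATIC",  # manual numbering allows gaps
    "AP.EXPENSE_APPROVAL_RULE": lambda old, new: True,                # any change
    "AP.DISCOUNT_TAKEN_RULE":   lambda old, new: True,                # any change
}


def snapshot(instance, settings, taken_at, changed_by=None):
    """Freeze the current settings of an instance together with provenance."""
    return {"instance": instance, "taken_at": taken_at,
            "changed_by": changed_by, "settings": deepcopy(settings)}


def diff(before, after):
    """Every key whose value differs between two snapshots (added/removed included)."""
    changes = []
    for key in sorted(set(before["settings"]) | set(after["settings"])):
        old, new = before["settings"].get(key), after["settings"].get(key)
        if old != new:
            changes.append({"instance": after["instance"], "key": key,
                            "before": old, "after": new,
                            "changed_by": after["changed_by"], "at": after["taken_at"]})
    return changes


def alerts(changes):
    """Keep only changes to monitored settings that the setting's rule flags."""
    out = []
    for ch in changes:
        rule = MONITORED.get(ch["key"])
        if rule is None:
            continue  # unmonitored: stays in the diff, raises no alert
        # A monitored setting appearing or disappearing is always an exception.
        if ch["before"] is None or ch["after"] is None or rule(ch["before"], ch["after"]):
            out.append(ch)
    return out


def revert(current, baseline, keys):
    """Return settings with the given keys restored to their baseline values."""
    restored = deepcopy(current)
    for k in keys:
        if k in baseline["settings"]:
            restored[k] = baseline["settings"][k]
        else:
            restored.pop(k, None)  # the key did not exist in the baseline
    return restored


def monitor(baseline, current):
    """One monitoring pass: diff, alert, and prepare the revert for every alert."""
    changes = diff(baseline, current)
    alerted = alerts(changes)
    proposed = revert(current["settings"], baseline, [a["key"] for a in alerted])
    return {"changes": changes, "alerts": alerted, "reverted_settings": proposed}


# Constructed baseline and a later snapshot of one E-Business Suite instance.
BASELINE = snapshot("EBS_PROD", {
    "PO.REQUISITION_SOURCE": "INTERNAL",
    "AP.PRICE_TOLERANCE_PCT": 5,
    "PO.DOC_NUMBERING": "AUTOMATIC",
    "AP.EXPENSE_APPROVAL_RULE": "MANAGER",
    "AP.DISCOUNT_TAKEN_RULE": "ON_TIME",
    "AP.UI_THEME": "BLUE",            # not monitored
}, "2019-07-01T02:00")

CURRENT = snapshot("EBS_PROD", {
    "PO.REQUISITION_SOURCE": "INTERNAL",
    "AP.PRICE_TOLERANCE_PCT": 15,     # loosened: exception
    "PO.DOC_NUMBERING": "MANUAL",     # gaps possible: exception
    "AP.EXPENSE_APPROVAL_RULE": "MANAGER",
    "AP.DISCOUNT_TAKEN_RULE": "ON_TIME",
    "AP.UI_THEME": "GREEN",           # changed but unmonitored
}, "2019-07-02T02:00", changed_by="apadmin")

if __name__ == "__main__":
    result = monitor(BASELINE, CURRENT)
    for a in result["alerts"]:
        print(f"ALERT {a['instance']} {a['key']}: {a['before']!r} -> {a['after']!r} "
              f"by {a['changed_by']} at {a['at']}")
    print("after revert:", result["reverted_settings"])
```

The revert is returned as a proposed settings map rather than applied in place: in a real deployment the write-back goes through the application's own change mechanism so that the revert itself is a logged, attributable change and not a second unaudited edit.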
-
Anticipate Auditor Requirements with Evidence of Enforcement
Prevent unauthorized system configuration changes with diagnostics
Deliver auditor-ready reports for process certification and remediation analysis
Identify top audit alerts by application, system, and audit event
Provide evidence of best-practice periodic attestation
Identify trends in control performance with snapshot comparisons
Review the complete audit trail for any changes to control elements
Shown for both IT Audit and Financial Audit
-
Oracle Financial Compliance Solution (architecture recap): Policy & Process Management governs risk and compliance activities; Enterprise Control Management detects and prevents control failures; integrated analytics deliver actionable insight
-
Oracle Financial Compliance Solution: Summary
Enterprise control management detects and prevents control failure:
Control user access & enforce segregation of duties with business-driven rules
Reduce risk of fraud with continuous monitoring of automated controls
Enforce effective preventive and detective controls across all systems
Integrated financial compliance analytics deliver actionable insight:
Leverage a single source of GRC information across departments, units and locations
Improve risk responsiveness with timely control and performance analytics
Tailor GRC intelligence to the needs of your specific organization and function
Policy and process management govern risk and compliance activities:
Reduce cost and complexity by managing multiple global financial mandates with one system
Rely on a tamper-proof chain of evidence for all financial compliance processes
Align policies and processes with best-practice risk and control frameworks
-
Why Choose Oracle GRC?
Only Oracle:
Governs risk and compliance activities with Policy & Process Management: reduce cost and complexity by managing global financial mandates with one system; rely on a tamper-proof chain of evidence for all compliance processes; align policies and processes with best-practice risk and control frameworks
Detects and prevents control failures with Enterprise Control Management: control user access and enforce segregation of duties with business-driven rules; reduce risk of fraud with continuous monitoring of automated controls; enforce effective preventive and detective controls across all systems
Delivers GRC insight for better business performance: leverage a single source of GRC information across departments and locations; improve risk responsiveness with timely control and performance analytics; tailor GRC intelligence to the needs of your specific organization and function
-
Oracle Governance, Risk, and Compliance
Simplify GRC and Reduce Costs
Safeguard Brand and Reputation
Run Your Business Better and Prove It
-