IT Governance for Compliance - Tom Philpott, Natural Architect

04-05-06 - IT Governance for Compliance - Tom Philpott (2.4mb)


ETS / 18.04.23 / 2 Software AG

Driving Compliance Action

Sarbanes-Oxley Act of 2002:
• Response to financial scandals
• Requires public companies to certify the effectiveness of internal controls
• Section 404 requires documentation and testing of key processes and controls

Compliance has often required time-consuming manual processes, hiring additional people, inadequate software, and outsourcing to consultants.

Compliance Costs Growing

Financial compliance spending alone will grow by more than 19% annually through 2008.

–Gartner Research, August 2005

According to a survey of 217 public companies with average revenues of $5 billion, the average cost of complying with ONLY section 404 of Sarbanes-Oxley will be $4.36 million in 2005.

–Financial Executives International Survey – March, 2005

According to a member survey, nearly half of CEOs of large companies said SOX and other new compliance requirements would cost in excess of $10 million annually.

–Business Roundtable Survey, March, 2005

50% of the companies that generate more than $5B in annual revenue spent in excess of 50,000 hours on SOX compliance in 2004.

–Ernst & Young Research


How Technology Can Help

Technology enablement of key compliance processes:
• Optimize and integrate key business application-level controls
• Automate manual controls related to structured and unstructured data
• Improve integration of information security with business needs
• Improve IT asset management and patch management processes
• Improve IT governance (e.g., change management processes)

Why IT Cannot Escape the Burden of Compliance Requirements

Regulations and what they govern:
• Sarbanes-Oxley: financial reporting and internal controls
• HIPAA: patient privacy
• Basel II: international banking, capital measurement and standards
• Gramm-Leach-Bliley: privacy of nonpublic personal information (financial)

Auditing requires understanding transaction and information flows. Since these flows go through applications and support systems, providing a control framework for IT has become mandatory.

Regulatory compliance impacts most industries.

Frameworks Provide the Bridge Between IT Governance and Compliance

IT Governance is the set of policies, processes, and procedures that direct and control what IT does.

Essential objectives of internal control systems:
• Economy and efficiency of operations
• Safeguarding of assets
• Achievement of performance goals
• Reliability of financial and management reports
• Compliance with laws and regulations

Internal controls serve to minimize errors and discourage fraud.

Leading frameworks include:
• COBIT (Control Objectives for Information and Related Technologies): IT Governance Institute and the Information Systems Audit and Control Association (ISACA), www.isaca.org/cobit
• ITIL (IT Infrastructure Library): Office of Government Commerce (OGC) and itSMF, www.itil.co.uk
• ISO 17799 (security standards): International Organization for Standardization, www.iso.org

IT Governance: COBIT IT Processes and Domains

PLANNING & ORGANIZATION
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

ACQUISITION & IMPLEMENTATION
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain procedures
AI5 Install and accredit systems
AI6 Manage changes

DELIVERY & SUPPORT
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Assist and advise customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

MONITORING
M1 Monitor the processes
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit

INFORMATION criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT RESOURCES: People, Application systems, Technology, Facilities, Data

COBIT IT Control Objectives & PCAOB Auditing Standards for Sarbanes-Oxley

COBIT control objectives:
1 Acquire and develop application software
2 Acquire technology infrastructure
3 Develop and maintain policies and procedures
4 Install and test application software and technology infrastructure
5 Manage changes
6 Define and manage service levels
7 Manage third-party services
8 Ensure systems security
9 Manage the configuration
10 Manage problems and incidents
11 Manage data
12 Manage operations

PCAOB IT controls (the columns of the mapping): Program Development, Program Changes, Computer Operations, Access to Programs & Data

Source: "IT Control Objectives for Sarbanes-Oxley", COBIT guidance by the IT Governance Institute

Identifying IT Controls for Sarbanes-Oxley

1 Understand the financial reporting process
2 Identify significant systems
3 Determine location criticality
4 Perform risk assessment

Source: "IT Control Objectives for Sarbanes-Oxley", COBIT guidance by the IT Governance Institute

Control Challenges of a Complex IT Environment: Multiple Access Points to Systems

Diagram, reconstructed as lists:
• Multiple access points: Portals; Web apps; SOA/Web services; business user data access (Crystal Reports, MS Office); request/response, asynchronous messaging and batch interfaces
• Multiple applications: Financial apps, process apps, logistic apps, etc.
• Multiple databases: Adabas, IMS, VSAM; SQL, DB2, Oracle, XML
• Multiple environments: Mainframe, Unix, Linux
• Multiple design environments: NaturalStudio; design wizards and tools
• Administration: Security, Monitoring, Auditing & Logging

What if you could…

Confidently demonstrate to your executive management and compliance officers that you have IT controls in place to:
• Secure access to your programs and data
• Manage the application change management process
• Monitor the access and changes made to your programs and data
• Ensure information and operational processes are available when you need them, as soon as you need them, especially in case of audit

And provide succinct reports that show:
• WHO accessed WHAT data, WHEN and HOW
• WHO made WHAT changes to your applications and WHEN

Control Objectives Supported by Software AG Solutions

IT controls: Access, Change Mgt, Monitoring, Security
• Manage Changes: test, validate and authorize changes prior to the move to production
• Monitor & Report: view of performance, access, errors, security
• Ensure Systems Security: secure to prevent unauthorized use, disclosure, modification, loss
• Access to Programs & Data: ensure continuous services and information availability

Create Confidence with Applicable IT Controls for Adabas and Natural Systems

• Change Management: Predict Application Control (PAC)
• Monitoring & Reporting: Adabas REVIEW; Natural Productivity Pack
• Security: Natural SAF Security; Natural Security; Adabas Security; Adabas SAF Security
• Access to Programs & Data: High Availability (Parallel Services; Cluster Services with IBM Parallel Sysplex support); Disaster Recovery (Event Replicator for Adabas); Archiving (Adabas Vista)

Create confidence with IT governance: IT controls for Access, Change Mgt, Monitoring, Security.

Enforce Change Management Procedures with Predict Application Control

• Control the System Development Lifecycle (SDLC)
• One change management system to control programs, database maintenance, and metadata
• Controlled migration of Natural, COBOL, JCL, and Assembler objects

Other key features: unique test plan; segregation of duties; synchronization of changes; easy-to-use GUI; mixed-environment controls; expedited path for emergencies; migration security; archiving; auditing; reporting.

Client Plug-ins: Predict Application Control

Compliance with COBIT: Manage Changes

COBIT control guidance, with the IT Governance Pack feature that addresses it:

• Requests for changes are standardized, documented and subject to formal change management procedures; only authorized/approved changes are moved into production
  Pack feature: controlled migration of changes through the SDLC; requests and process are documented

• Emergency change requests are documented and subject to formal change management procedures
  Pack feature: expedited path for non-scheduled maintenance; emergency change requests are executed immediately, with a full audit trail, and are subject to formal change management procedures post implementation

• Controls are in place to restrict migration to production; duties are segregated between staff responsible for moving programs into production and development staff; setup and implementation of system software do not jeopardize the security of data and programs
  Pack feature: changes are tested in development before being applied to production; backout procedures exist

Ensures integrity of financial reporting systems.
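The guidance rows above amount to a small decision procedure on a change request: a normal change needs a test pass and an approval by someone other than the developer before a migrator, who must also not be the developer, moves it; an emergency change may be moved immediately but is fully logged and queued for post-implementation review; nothing moves without a backout procedure. The Python below is an added illustration of that gate, not Software AG, PAC or IT Governance Pack code. The record fields, role names and the pending-review queue are assumptions made for the example.

```python
"""Promotion gate modelling the COBIT "Manage Changes" guidance above.

Added example, not PAC or IT Governance Pack code. Field names, roles and the
pending-review queue are assumptions; the rules are the ones the slide lists:
independent approval, developer/migrator segregation, tested before production,
an expedited emergency path with a full audit trail and post-implementation review.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ChangeRequest:
    change_id: str
    developer: str               # made the change in the development environment
    approver: Optional[str]      # authorized the move to production; None if not approved
    tested: bool                 # passed the test plan in development
    emergency: bool = False      # non-scheduled maintenance (expedited path)
    backout_plan: bool = False   # a documented way to revert the change exists


@dataclass
class PromotionGate:
    audit: List[Dict[str, str]] = field(default_factory=list)  # full audit trail
    pending_review: List[str] = field(default_factory=list)    # emergency changes awaiting formal review

    def _log(self, cr: ChangeRequest, actor: str, outcome: str, reason: str) -> None:
        # Every decision, accepted or rejected, is recorded: the trail is the control evidence.
        self.audit.append({"change": cr.change_id, "actor": actor,
                           "outcome": outcome, "reason": reason})

    def promote(self, cr: ChangeRequest, migrator: str) -> bool:
        """Return True if the object may be moved into production by `migrator`."""
        # Segregation of duties: the migrator is never the developer, emergency or not.
        if migrator == cr.developer:
            self._log(cr, migrator, "rejected", "migrator is the developer")
            return False
        # Restrict migration to production: no backout procedure, no move.
        if not cr.backout_plan:
            self._log(cr, migrator, "rejected", "no backout procedure")
            return False
        if cr.emergency:
            # Expedited path: execute now, log it, and queue the formal review.
            self._log(cr, migrator, "promoted-emergency", "post-implementation review pending")
            self.pending_review.append(cr.change_id)
            return True
        if not cr.tested:
            self._log(cr, migrator, "rejected", "not tested in development")
            return False
        # Independent approval: present, and not self-approval by the developer.
        if cr.approver is None or cr.approver == cr.developer:
            self._log(cr, migrator, "rejected", "no independent approval")
            return False
        self._log(cr, migrator, "promoted", f"approved by {cr.approver}")
        return True

    def complete_review(self, change_id: str, reviewer: str) -> bool:
        """Close the post-implementation review of an emergency change."""
        if change_id not in self.pending_review:
            return False
        self.pending_review.remove(change_id)
        self.audit.append({"change": change_id, "actor": reviewer,
                           "outcome": "reviewed", "reason": "formal change management completed"})
        return True


def demo() -> Dict[str, object]:
    """Run the gate over constructed change requests and return the outcomes."""
    gate = PromotionGate()
    ok = ChangeRequest("CR-1001", "dev_alice", "mgr_bob", tested=True, backout_plan=True)
    self_approved = ChangeRequest("CR-1002", "dev_alice", "dev_alice", tested=True, backout_plan=True)
    untested = ChangeRequest("CR-1003", "dev_carol", "mgr_bob", tested=False, backout_plan=True)
    emergency = ChangeRequest("CR-1004", "dev_carol", None, tested=False, emergency=True, backout_plan=True)
    return {
        "normal": gate.promote(ok, "ops_dave"),
        "developer_as_migrator": gate.promote(ok, "dev_alice"),
        "self_approved": gate.promote(self_approved, "ops_dave"),
        "untested": gate.promote(untested, "ops_dave"),
        "emergency": gate.promote(emergency, "ops_dave"),
        "pending_after_emergency": list(gate.pending_review),
        "review_closed": gate.complete_review("CR-1004", "mgr_bob"),
        "audit_entries": len(gate.audit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the emergency branch is that it does not skip the control; it defers the approval step and makes the deferral itself an audited fact, so an auditor can list every emergency change whose review is still open.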

Report Changes & Track Dependencies with Natural Productivity Pack Maintenance Tools

• Metrics
• Coding standards
• Structure Analyzer
• Search tools
• Re-documentation and code beautifying
• Variable usage
• Automatic code changes
• Diagramming

Monitor Access to Programs and Data with Adabas REVIEW

• Report WHO accessed WHAT data, WHEN and HOW
• Custom reporting for executive management; multiple databases captured in a single report; select the most relevant information for proper reporting
• Excellent source for compliance dashboards like the Stellent Sarbanes-Oxley Solution
• Monitors both read and write access to Adabas from ANY source: online and batch; Natural, COBOL, Java, .NET, SQL, XQuery, etc.
• Provides a single view of all Adabas instances: "regular" Adabas, Cluster Services and Parallel Services
• Detailed monitoring with minimal performance overhead: leverages command logs (CLOGs) rather than protection logs (PLOGs)
  • CLOGs record ALL read and write access
  • PLOGs record only write access
• Efficient asynchronous handling of CLOGs
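The CLOG-versus-PLOG point is the one to check whenever an access-monitoring control is proposed: a log that records only modifications cannot answer "who read this file". The Python below is an added illustration of a WHO/WHAT/WHEN/HOW report over constructed command-log-style records and of what a protection-log-only view would miss. It is not Adabas REVIEW code; the record layout, the source names and the command mnemonics are assumptions for the example.

```python
"""WHO accessed WHAT, WHEN and HOW from command-log style records.

Added example, not Adabas REVIEW code. Records are constructed; their layout
(timestamp, user, source, command, file) and the command mnemonics are
assumptions chosen to resemble database direct calls, with L3 treated as a
read and A1/N1/E1 as updates. A protection-log (PLOG) view keeps only updates,
so the read-only accesses reported here would be invisible to it.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str, str, str]  # (timestamp, user, source, command, file)

# Constructed sample command-log records for one business day.
CLOG_SAMPLE: List[Record] = [
    ("2005-04-05T09:01:12Z", "JSMITH",  "Natural online", "L3", "PAYROLL"),
    ("2005-04-05T09:01:15Z", "JSMITH",  "Natural online", "L3", "PAYROLL"),
    ("2005-04-05T09:07:40Z", "BATCH01", "COBOL batch",    "A1", "GL-POSTINGS"),
    ("2005-04-05T11:22:03Z", "MJONES",  "SQL gateway",    "L3", "PAYROLL"),
    ("2005-04-05T11:22:09Z", "MJONES",  "SQL gateway",    "A1", "PAYROLL"),
    ("2005-04-05T13:45:00Z", "TEMP07",  ".NET web app",   "L3", "CUSTOMER"),
]

UPDATE_COMMANDS = {"A1", "N1", "E1"}  # update, add, delete (assumed mnemonics)


def access_report(records: List[Record]) -> Dict[Tuple[str, str, str], dict]:
    """Aggregate per (user, file, source): read/write counts and first/last time."""
    report: Dict[Tuple[str, str, str], dict] = {}
    for ts, user, source, cmd, fil in records:
        entry = report.setdefault((user, fil, source),
                                  {"reads": 0, "writes": 0, "first": ts, "last": ts})
        entry["writes" if cmd in UPDATE_COMMANDS else "reads"] += 1
        entry["first"] = min(entry["first"], ts)  # ISO-8601 UTC strings sort chronologically
        entry["last"] = max(entry["last"], ts)
    return report


def plog_view(records: List[Record]) -> List[Record]:
    """What a protection-log-only audit would see: modifications, nothing else."""
    return [r for r in records if r[3] in UPDATE_COMMANDS]


def read_only_access(records: List[Record]) -> List[Tuple[str, str]]:
    """(user, file) pairs that were read but never modified by that user.

    These are exactly the accesses a PLOG-based control would never report.
    """
    rep = access_report(records)
    writers = {(u, f) for (u, f, _s), e in rep.items() if e["writes"] > 0}
    readers = {(u, f) for (u, f, _s), e in rep.items() if e["reads"] > 0}
    return sorted(readers - writers)


def format_report(records: List[Record]) -> List[str]:
    """Executive-style lines: WHO, WHAT, HOW, how often, WHEN (first..last)."""
    lines = []
    for (user, fil, source), e in sorted(access_report(records).items()):
        lines.append(f"{user:8} {fil:12} via {source:15} reads={e['reads']} "
                     f"writes={e['writes']} {e['first']}..{e['last']}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(CLOG_SAMPLE)))
    print("read-only, invisible to a PLOG-based audit:", read_only_access(CLOG_SAMPLE))
    print(f"PLOG would retain {len(plog_view(CLOG_SAMPLE))} of {len(CLOG_SAMPLE)} records")
```

On the constructed sample, a write-only log keeps two of six records and loses every read of PAYROLL and CUSTOMER, including the one from a temporary account, which is the class of event a privacy or SOX control is usually asked to report.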

Compliance with COBIT Control Domain: Monitoring

COBIT control guidance, with the IT Governance Pack features that address it:

• Monitoring with accountability; monitor all database activity
  Pack features: centralized information gathering; scalable to performance needs; maintains audit history reports; integrates with dashboards like the Stellent Sarbanes-Oxley Solution; real-time and historical tracking

Secure Access to Your Programs and Data

Secure systems to prevent unauthorized use:
• Protect from fraudulent access under a stolen identity
• Authenticate against common user databases like RACF, ACF2 or TopSecret via the SAF (System Authorization Facility) API
• Prevent password interception by using secure communication channels, like the Supervisor Call (SVC)

Protect from unauthorized access to the data store:
• Access-/update-level protection on a file-by-file basis
• Value-level protection for specific values or for value ranges
• Dataset encryption with pass phrase protection

Single sign-on in a heterogeneous environment:
• SAML-based (Security Assertion Markup Language) Web service
• SAF-based authentication
• Field-level protection of database records

Compliance with COBIT: Ensure Systems Security

COBIT control guidance, with the IT Governance Pack feature that addresses it:

• Authenticate all users to the system to support the validity of transactions
  Pack feature: authenticate against common user databases like RACF, ACF2 or TopSecret via the SAF (System Authorization Facility) API

• Maintain the effectiveness of authentication and access mechanisms; authentication controls (passwords, IDs, two-factor) are subject to confidentiality requirements
  Pack feature: authentication at multiple levels

• Administration monitors and logs security activity; violations are reported
  Pack feature: reporting capabilities

• Controls to segregate duties over requesting and granting access
  Pack feature: checks and balances; separation of duties

Provides assurance that systems are secured to prevent unauthorized use, disclosure, modification, damage or loss of data.

Ensure Readily Available Processes & Historical Information

Protection from DB and OS failure (high availability), access when you need it, 24x7x52:
• Adabas Parallel Services
• Adabas Cluster Services (IBM Parallel Sysplex support)

Protection from facility/site failure (disaster recovery), preparing geographically dispersed backups:
• Event Replicator for Adabas

Archived data instantly available when needed, separating relevant/current data from historical:
• Adabas Vista

Compliance with PCAOB: Access to Programs and Data. Ensure information and operational processes are available when you need them, as soon as you need them.

Benefits of Leveraging Software AG Solutions for IT Governance

Reduces the risk of non-compliance:
• Secure access to your programs and data
• Manage the application change management process
• Monitor the access and changes made to your programs and data
• Ensure information and operational processes are available when you need them, as soon as you need them, especially in case of audit
• Keeps documentation in sync with procedures

Reduces costs: automates controls and reporting; reduces time and expense.

Prepares you for the future: good IT governance practices prepare your IT department for complying with SOX, HIPAA and other regulations.

Now You Are Ready to Link into Company-wide Compliance Initiatives

Stellent Sarbanes-Oxley Solution

Sarbanes-Oxley Section 404: Internal Control over Financial Reporting

"Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment."

– IT Governance Institute, IT Control Objectives for Sarbanes-Oxley

High Availability with Adabas Cluster Services

Key features:
• Increased throughput
• Better response times for all users (batch and online)
• No need to buy a new machine to improve performance
• Maximum scalability
• No changes to applications
• Administration very similar to 'regular' Adabas
• 24 x 7 availability, no single point of failure
• z/OS only; maximum 20 km

Diagram: two OS/390 images, each with its own Work, PLOG and CLOG datasets, read and write the shared Data and Asso containers through the Coupling Facility; the per-image PLOGs are merged asynchronously on a timer.

Adabas Cluster Services distribute and balance users across multiple processors and operating system images.

Disaster Recovery with Event Replicator for Adabas

Event Replicator disaster recovery solution: hot standby system(s) in a remote facility, with ongoing changes transferred in real time.

Ensuring business continuity in the event of software, hardware, power or natural-disaster failure.

Advantage: avoids time-consuming database recovery procedures. Upon failure, a hot standby immediately becomes the primary production DB and continues replication to the other hot standby systems.

Diagram: Production Adabas (Location 1) replicating to hot standbys at Location 2 and Location 3.

Information Archiving and High Availability with Adabas Vista

Access relevant information with exceptional performance; avoid degradation of service and the expense of maintaining unnecessary data.

High availability in a partitioned environment:
• Logical 'ordering' of data reduces file sizes to improve performance
• Improves performance against files by using multiple CPUs
• Limits the usage of data by 'hiding' partitions

Quickly and easily manage large volumes of data:
• Better backup and restore time windows
• Better load balancing on your environment
• No change to applications, online and batch
• The physical files can be on separate Adabas nuclei

Regulatory Compliance - A Perfect Storm

Regulations shown on the slide: Sarbanes-Oxley, Patriot Act, HIPAA, GLBA, Basel II, SEC, NASD, FTC, FERC, NRC, EPA, OSHA, RMP, TSCA, Storm Water, Drinking Water, WEEE, RoHS, ELV, FAA, 21 CFR Part 11, Homeland Security, Local Rules, State Requirements, General Liability, HDDA 45

Industries: Manufacturing, Insurance, Life Sciences, Energy, Engineering

The challenge: manage the wide range of associated risk while maintaining business efficiency and agility, and creating shareholder value.

Other Software AG Solutions: Integrated Compliance Platform

Diagram: an ASSESS / DOCUMENT / MANAGE / REPORT cycle built on Content Management, the Enterprise Process Manager, a Single View of Compliance, the Enterprise Service Integrator and the Enterprise Information Integrator, drawing on Mainframe, ERP, Content Server and AS/400 sources and covering SOX, GLB and Basel II. Stellent Section 404 appears as the content component.