
Why GRC is important to you and your customers/prospects

What do we mean by GRC? How does it relate to Oracle?

Brian Gregory, ACA, EMEA GRC

Safe Harbor Statements

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Caution: The following presentation will challenge your current views. The presenter has no responsibility for any distress you may suffer from having your views changed and/or your sales horizons expanded. In the event of a panic attack take deep breaths and if necessary hold the hand of the person next to you!

2 Compelling Reasons

One product alone could be worth £82m in UK

One sale this year was just short of $1 Million

Competition

3rd Reason: Confidence and Trust

But what is Governance, Risk and Compliance?

What does GRC Mean?

• Governance
  • Set and evaluate performance against objectives
  • Authorize business strategy & model to achieve objectives
• Risk
  • Identify, assess, and address potential obstacles to achieving objectives
  • Identify / address violation of mandated and voluntary boundaries
• Compliance
  • Encourage / require compliance with established policies and boundaries
  • Detect non-compliance and respond accordingly

Or put another way

• Governance
  • Managing the “business” efficiently and effectively
  • Ensuring “No Surprises”
• Risk
  • Identifying and seeking to mitigate risks that could lead to surprises
  • For example, compliance fails [SOX, Basel II] but also operational risks
    • Data Security [HMRC]
    • Ethics [Primark]
• Compliance
  • The obvious one – legal and regulatory failures

It is about trying to prevent “Surprises” from happening

GRC Terminology

Processes, Controls, Risks

Best Practices
• Financial Governance (COSO)
• Operational Risk Management (ISO, 6Sigma)
• IT Governance (COBIT, ITIL)

• Automated Controls
• Detective & Preventative
• Reports/Documentation
• Attestation (“I confirm that...”)

Risk Assurance Partners
• Specialists
• Audit Firms

[Diagram: Governance, Risk, Compliance]

What is the Oracle GRC Strategy?

Oracle GRC Has Come A Long Way

July 2006: “SAP definitely in my mind has the lead on Oracle in developing a very comprehensive strategy for GRC.”
Michael Rasmussen, Forrester, July 5, 2006

May 2008: “SAP needs to put urgency into fleshing out its GRC management capabilities to match its vision… Until SAP does so, enterprise GRC platform buyers should look to Oracle and the many best-of-breed EGRC platform vendors.”*
French Caldwell, Gartner, May 22, 2008

Shift Happens!

* As quoted in article by Courtney Bjorlin, News Editor, 29 May 2008, SearchSAP.com

Acquired Innovation Timeline: Scale, technology and vertical specialization drive growth across all product lines

Oracle FY2005: 4 Acquisitions
Oracle Fiscal Year 2006: 15 Acquisitions*
Oracle Fiscal Year 2007: 12 Acquisitions**
Oracle FY 2008 YTD: 16 Acquisitions

* Excludes acquisitions of Covansys and Hexaware operations.
** Acquisition of Mantas through majority-owned i-flex solutions company.

Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

• Committing adequate investment to an aggressive development road map with plans for many vertical-specific versions of GRC Manager

• A suite of controls products, such as Oracle Application Access Controls Governor and Oracle Transaction Controls Governor, that is integrated into the GRC Manager platform

Shift Has Happened

• New Products
  • Applications
    • GRC Controls [aka LogicalApps]
    • Automated Detection and Enforcement of key, foundational controls
    • Any ERP customer
  • Technology
    • Identity Management and Database Vault now certified for EBS

How Oracle GRC Solutions help

[Diagram: Regulation A, Standard C and Risk B each mapped separately to their own risks R1–R3 and controls C1–C11 (sets a, b and c)]

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

Challenge: Multiple Requirements, Fragmented Response

Challenge: Insufficient Resources, Manual Efforts

Challenge: GRC as an Afterthought, or Holding Up the Business (GRC bolted on after the Business Processes)

Solution: Consolidate
[Diagram: Regulation A, Standard C and Risk B mapped to one shared set of risks R1–R3 and controls C1–C11]

Solution: Automate
[Diagram: Process → Policy → Risk Assessment → Detective Control → Preventive Control → Issues → Remediation → Reporting & Diagnostics]

Solution: Embed
[Diagram: GRC embedded within the Business Process]

Oracle Solutions for GRC

• Pre-integrated with Oracle applications and technology, supports heterogeneous environments
• Purpose-built business solutions for key industries and GRC initiatives
• Best-in-class GRC core solutions to support all mandates and regulations

[Diagram: layered GRC architecture]
Custom or Legacy Applications
GRC Infrastructure Controls: Systems Mgmt, Digital Rights, Data Security, Identity Mgmt, Records & Content Mgmt
GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration
GRC Process Management: Risk & Control KPIs, Certification KPIs, Access Policy KPIs
GRC Reporting & Analytics: Management Assessments, Issues & Remediation, Documentation & Reporting

Oracle GRC Product Set

GRC Reporting and Analytics
• Fusion GRC Intelligence

GRC Process Management
• GRC Manager

GRC Application Controls
• Application Access Controls Governor
• Configuration Controls Governor
• Transaction Controls Governor
• Preventive Controls Governor

GRC Infrastructure Controls
• Identity Manager
• Access Manager
• Role Manager
• Database Vault
• Audit Vault
• Advanced Security
• Secure Backup
• Enterprise Manager
• Universal Content Management
• Universal Records Management
• Information Rights Management

[Diagram: the same layered GRC architecture, with Reporting (KRI & Alerts, Dashboards) and GRC Process Management items Audit Management Assessment, Issue & Remediation, Event & Loss Mgmt]

Policies and Procedures: Document, Evaluate, Verify and Conclude

Step 1 - Understand what your policies and procedures are and whether they are adequate. Where are the weaknesses and are there any mitigating controls?

People: Align required skills and competencies with staff

Step 2 - Ensure that your staff have the necessary skills and experience to undertake their duties. Of course this is an on-going process.

Automate: Controls, Approvals and Business flows

Step 3 – Automate the flow of transactions and approvals as much as possible. Of course this requires a link to HR. Simplify the number of processes and ERP.

Plan, Forecast and Monitor: Create, Manage, Update and Report

Step 4 – Plan your business and have Business Intelligence systems that monitor performance and alert to possible deviations. Of course you should understand the processes for creating the budgets and forecasts.

Secure IT Infrastructure: User Access and Provisioning, Data Security, Availability

Step 5 – Secure the IT Infrastructure. User Identity Management across all systems, security of data, availability of systems etc are all important. Of course you also need to be able to show that the IT policies and procedures are adequate and functioning.

Oracle GRC Reporting & Analytics: Run your Business Better and Prove It

[Diagram: GRC Reporting & Analytics highlighted in the layered GRC architecture, spanning Financial Compliance, IT Governance, Regulatory Policy Mgmt, Information Privacy, Environmental, Product Quality & Safety and Global Trade Mgmt, for the Financial Services, Public Sector, Life Sciences, Retail and High Tech industries]

• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Produce attestations and disclosures
• Configure to meet your specific needs

Oracle GRC Intelligence: Better decisions, more timely access to information, balanced performance

• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Role based
• Configure to meet your specific needs

Consolidated view of financial balances and risk rating

GRC Intelligence for SOD

Oracle GRC Process Management: Simplify GRC and Reduce Costs

[Diagram: GRC Process Management highlighted in the same layered GRC architecture]

• GRC system of record
• End-to-end GRC process management
• Platform independent
• Integrated control management
• Closed-loop issue remediation

GRC Manager: Audit Management Assessment, Issue & Remediation, Event & Loss Mgmt

Example of a process: basics

Example of a process: Risks

Example of a process: Controls

Is it time to do an assessment again?

Manage Compliance Processes: Automate Labor Intensive, Manual Processes

Oracle GRC Applications Controls: Protect Brand and Reputation

[Diagram: GRC Application Controls highlighted in the same layered GRC architecture]

• Preventive and detective controls
• What-if risk simulation
• Automated controls testing

Oracle GRC Controls

Detective Controls
• Access Controls: what users have done
• Configuration Controls: what’s changed in the environment
• Transaction Controls: what are the execution patterns

Preventive Controls
• Access Controls: what users can do
• Configuration Controls: how the environment is set up
• Transaction Controls: how users execute processes

Enforce Policies in Context. Monitor Control Effectiveness.


Segregation of Duties: You mean I can’t approve my own expenses?

Integrity of Accounting
• Segregation of Duties [SOD]
  • Fraud
  • Accuracy
  • Foundation to ANY accounting system
• Strong control is essential to ALL accounting operations – X-Industry - Private, Public, Public Sector, Not for Profit etc
• NOT DRIVEN BY ANY SPECIFIC LEGISLATION

Oracle Application Access Controls Governor: Enforce proper segregation of duties in applications

• Simplify segregation of duties enforcement with simulation and remediation
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Accelerate deployment and time to value with pre-delivered controls library

[Diagram: Detection → Prevention. Access Analysis → Compensating Policies → Define Access Controls → Remediation (Clean-up) → Preventive Provisioning; supported by a Policy Library and Conflict Paths]

Conflict Analysis: View detailed conflict reports by various dimensions (e.g. by Application)

Compensating Controls: Implement compensating SOD control by removing the payment tab to enforce policy. Payment tab is removed.

What should I be looking for? 4 Simple Questions

• Are you interested in understanding who has access to your systems?

• Are you interested to know what access they have?

• Are you interested in finding potential conflicts in access rights?

• Are you interested in enforcing access controls and preventing inappropriate access?
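The four questions above amount to a detective SOD check (who has access, what it grants, where it conflicts) and a preventive one (stop inappropriate access before it is granted). The following Python is an added example written for this page, not Oracle Application Access Controls Governor code. It models roles that grant business functions, a small policy library of conflicting function pairs, conflict-path analysis across all users, a compensating control of the deck’s “remove the payment tab” kind (modelled as a per-user function exclusion), and a preventive provisioning check that simulates a role grant before it is made. All users, roles, functions and policy names are constructed sample data.

```python
"""Segregation-of-duties (SOD) conflict analysis and preventive provisioning check.
Added example for this page, not Oracle AACG code; all data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodPolicy:
    """One policy: a user must not be able to exercise both functions."""
    name: str
    function_a: str
    function_b: str


# Roles (what the ERP grants) -> business functions they expose. Constructed sample data.
ROLE_FUNCTIONS = {
    "AP_CLERK":   {"ENTER_INVOICE", "ENTER_SUPPLIER"},
    "AP_MANAGER": {"APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "PAYMENTS":   {"RELEASE_PAYMENT"},
    "HR_ADMIN":   {"MAINTAIN_EMPLOYEE"},
    "PAYROLL":    {"RUN_PAYROLL"},
}

# Policy library: pairs of functions that conflict. Constructed sample policies.
POLICIES = [
    SodPolicy("Invoice vs payment", "ENTER_INVOICE", "RELEASE_PAYMENT"),
    SodPolicy("Supplier vs payment", "ENTER_SUPPLIER", "RELEASE_PAYMENT"),
    SodPolicy("Employee vs payroll", "MAINTAIN_EMPLOYEE", "RUN_PAYROLL"),
]

# Current user-to-role assignments. bob and dave hold conflicting combinations.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "PAYMENTS"},
    "carol": {"AP_MANAGER"},
    "dave":  {"HR_ADMIN", "PAYROLL"},
}

# Compensating control: a function withheld from a named user even though a role grants it
# (the deck's "remove the payment tab" case, modelled as a per-user exclusion).
EXCLUSIONS = {"bob": {"RELEASE_PAYMENT"}}


def effective_functions(user, roles, exclusions=None):
    """Functions the user can actually exercise: union of role grants minus exclusions."""
    granted = set()
    for role in roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    return granted - (exclusions or {}).get(user, set())


def conflict_paths(user, roles, exclusions=None):
    """Detective check: every policy the user violates, with the roles granting each side.
    Returns a list of (policy name, roles granting function_a, roles granting function_b)."""
    usable = effective_functions(user, roles, exclusions)
    paths = []
    for policy in POLICIES:
        if policy.function_a in usable and policy.function_b in usable:
            via_a = sorted(r for r in roles if policy.function_a in ROLE_FUNCTIONS.get(r, set()))
            via_b = sorted(r for r in roles if policy.function_b in ROLE_FUNCTIONS.get(r, set()))
            paths.append((policy.name, via_a, via_b))
    return paths


def analyse_all(user_roles=USER_ROLES, exclusions=None):
    """Conflict report over the whole user population: {user: conflict paths}, conflicts only."""
    return {user: paths for user, roles in user_roles.items()
            if (paths := conflict_paths(user, roles, exclusions))}


def check_provisioning(user, new_role, user_roles=USER_ROLES, exclusions=None):
    """Preventive check run before a role is granted: simulate the grant, re-run the policies.
    Returns ("allow", []) or ("deny", violations) for the approval workflow to act on."""
    simulated = set(user_roles.get(user, set())) | {new_role}
    violations = conflict_paths(user, simulated, exclusions)
    return ("deny" if violations else "allow", violations)


if __name__ == "__main__":
    print("Conflicts with no compensating control:", analyse_all())
    print("Conflicts after withholding bob's payment function:", analyse_all(exclusions=EXCLUSIONS))
    print("Grant PAYMENTS to alice:", check_provisioning("alice", "PAYMENTS"))
    print("Grant HR_ADMIN to alice:", check_provisioning("alice", "HR_ADMIN"))
```

The conflict report answers the first three questions for existing access; `check_provisioning` answers the fourth by running the same policy set against the access a user would have after the grant, so the decision to seek approval, apply a mitigating control or deny is made before the role exists rather than found in a later audit. The exclusion list stands in for whatever mechanism actually withholds the function (a hidden tab, a revoked menu entry); the analysis only credits it if the function is genuinely unusable.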


As you can see there have been some changes to the computer systems

Configuration Management

Integrity of Accounting
• Integrity of Financial System
• Changes: Monitor, Prevent, Track, Assess
• Strong control is essential to ALL accounting operations – X-Industry - Private, Public, Public Sector, Not for Profit etc
• NOT DRIVEN BY ANY SPECIFIC LEGISLATION

Oracle Configuration Controls Governor: Ensure integrity of critical application setups

[Diagram: Detection → Prevention. Document or Compare Configurations → Manage Data Integrity → Define Configuration Controls → Monitor Configuration Changes → Enforce Change Control]

• Achieve consistent application setup and operating standards across multiple instances
• Track complete audit trails for changes to key configurations
• Tightly control change management to accelerate development and test time

Data Privacy and Data Integrity: Mask sensitive data, disable buttons, validate data input, etc.

• Granular user interface restrictions
• Restrict access to data or actions
• Embedded control enforcement

[Screenshot: Employee Update form. Name: John Doe; Address: 123 Main St, Center City, NY 12345; Salary: $ 53,000.00; SSN: XXX-XX-XXXX; Supervisor: Mary Smith (drop-down: John Jones, Phil Johnson, Sue Thompson, Sally Struthers, Bill Seibel); OK / Cancel]

Callouts:
• Conceal SSN number if User is NOT from HR dept
• Employees can only view the Salary field (can’t update)
• Disable Invoice action button for Invoices created by same user
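The three callouts on the Employee Update screen are field-level and action-level preventive controls. The Python below is an added example, not Oracle Preventive Controls Governor code, that enforces those same three rules: SSN concealed unless the viewer is in the HR department, Salary visible but not editable for employees, and the Approve action withheld on invoices the viewer created. The User class, the department and role names, and the sample records (including the SSN) are constructed for the example. The `denied_fields` check on submit is included because a control hidden in the UI is only a control if the server applies the same rule.

```python
"""Field- and action-level preventive controls for an Employee Update screen.
Added example for this page, not Oracle Preventive Controls Governor code; users, departments,
role names and records (including the SSN) are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    department: str
    role: str  # "employee" or "hr_admin" in this constructed model


SSN_MASK = "XXX-XX-XXXX"  # full concealment, as on the deck's screen; no trailing digits leak


def employee_update_view(viewer, record):
    """Return (fields as the viewer may see them, fields the viewer may edit).
    Rule 1: conceal SSN if the viewer is not from the HR department.
    Rule 2: employees may view the Salary field but not update it."""
    visible = dict(record)
    if viewer.department != "HR":
        visible["ssn"] = SSN_MASK
    editable = {"name", "address", "supervisor"}
    if viewer.role == "hr_admin":
        editable |= {"salary", "ssn"}
    return visible, frozenset(editable)


def denied_fields(viewer, record, changes):
    """Fields in a submitted change set that the viewer is not allowed to edit."""
    _, editable = employee_update_view(viewer, record)
    return sorted(set(changes) - editable)


def apply_update(viewer, record, changes):
    """Server-side enforcement of rule 2: reject the whole submit if any field is off-limits,
    regardless of what the UI rendered. Returns the updated record or raises PermissionError."""
    denied = denied_fields(viewer, record, changes)
    if denied:
        raise PermissionError(f"{viewer.name} may not update {denied}")
    updated = dict(record)
    updated.update(changes)
    return updated


def invoice_actions(viewer, invoice):
    """Rule 3: the Approve action is disabled for invoices created by the same user."""
    actions = {"view"}
    if invoice["created_by"] != viewer.name:
        actions.add("approve")
    return frozenset(actions)


# Constructed sample data mirroring the deck's screen.
EMPLOYEE_RECORD = {
    "name": "John Doe",
    "address": "123 Main St, Center City, NY 12345",
    "salary": 53000.00,
    "ssn": "123-45-6789",  # constructed placeholder SSN
    "supervisor": "Mary Smith",
}
HR_USER = User("Mary Smith", "HR", "hr_admin")
STAFF_USER = User("Bill Seibel", "Finance", "employee")


if __name__ == "__main__":
    print(employee_update_view(STAFF_USER, EMPLOYEE_RECORD))
    print(employee_update_view(HR_USER, EMPLOYEE_RECORD)[0]["ssn"])
    print("denied on submit:", denied_fields(STAFF_USER, EMPLOYEE_RECORD, {"salary": 99000.00}))
    print(invoice_actions(STAFF_USER, {"id": "INV-1", "created_by": "Bill Seibel"}))
```

The view function decides both what is rendered and what may be edited from one place, so the screen and the submit handler cannot drift apart; the masked value is a constant rather than a partial reveal, matching the fully masked SSN on the slide.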

What should I be looking for? 4 Simple Questions

• Are you interested in understanding what changes have been made to your configuration?
• Are you interested in knowing what changes have been made to key data in your systems?
• Are you interested in being able to report on differences between configurations – both over time and between different instances?
• Are you interested in enforcing controls over changes?

So isn’t it strange that this user is raising a number of POs just under their approval level?

Transaction Management

Integrity of Accounting
• Detection and Prevention of “Unusual” transactions
• Continuous monitoring of
  • Transactions
  • Master data
• Strong control is essential to ALL accounting operations – X-Industry - Private, Public, Public Sector, Not for Profit etc
• NOT DRIVEN BY ANY SPECIFIC LEGISLATION

Oracle Transaction Controls Governor: Identify inaccurate or fraudulent transactions

[Diagram: Detection → Prevention. Perform Transaction Analysis → Define Transaction Controls → Review and Address Suspects → Preventive Transaction Controls]

Continuously monitor accuracy of transactions and mitigate exposure to fraud
• Test against thresholds
• Search for anomalies
• Perform transaction sampling

Pre-delivered Transaction Controls

Suspect Transactions

What should I be looking for? 4 Simple Questions

• Are you interested in being able to identify unusual transactions in your systems?

• Are you interested in being able to identify users trying to circumvent authority limits by undertaking multiple transactions?

• Are you interested in being able to speed your period close process?

• Are you interested in being able to enforce controls over transactions?
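The first two questions above (unusual transactions, and users circumventing authority limits by splitting them) are the threshold and pattern tests the Transaction Controls Governor slides describe, and the “POs just under their approval level” remark earlier is the pattern case. The Python below is an added example, not Oracle product code: `over_threshold` flags purchase orders above the requester’s own approval limit, and `split_purchase_suspects` flags a requester who raises several POs to the same supplier, each just under that limit, within a short window. The PurchaseOrder class, the approval limits, the 5% band, the 7-day window, the minimum cluster size and the sample POs are all constructed for the example; in practice the tuning comes from the organisation’s delegation-of-authority policy.

```python
"""Transaction controls: threshold test and split-purchase pattern test over purchase orders.
Added example for this page, not Oracle Transaction Controls Governor code; the PurchaseOrder
model, approval limits, tuning parameters and sample POs are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    requester: str
    supplier: str
    amount: float
    created: date


# Constructed: the amount each requester may approve without a second signature.
APPROVAL_LIMIT = {"alice": 5000.0, "bob": 10000.0}

# Constructed sample: bob raises four POs to ACME, each just under his limit, within a week;
# alice raises one PO over her limit.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "alice", "ACME",   1200.0, date(2008, 5, 1)),
    PurchaseOrder("PO-1002", "bob",   "ACME",   9900.0, date(2008, 5, 2)),
    PurchaseOrder("PO-1003", "bob",   "ACME",   9850.0, date(2008, 5, 3)),
    PurchaseOrder("PO-1004", "bob",   "ACME",   9990.0, date(2008, 5, 5)),
    PurchaseOrder("PO-1005", "bob",   "GLOBEX",  450.0, date(2008, 5, 6)),
    PurchaseOrder("PO-1006", "alice", "GLOBEX", 7500.0, date(2008, 5, 7)),
    PurchaseOrder("PO-1007", "bob",   "ACME",   9950.0, date(2008, 5, 8)),
]


def over_threshold(pos, limits=APPROVAL_LIMIT):
    """Threshold test: POs above the requester's own limit, which must route to a second approver."""
    return [po.po_id for po in pos if po.amount > limits.get(po.requester, 0.0)]


def split_purchase_suspects(pos, limits=APPROVAL_LIMIT, band=0.05, window_days=7, min_count=3):
    """Pattern test: at least min_count POs from one requester to one supplier, each within
    `band` below the requester's limit, all created inside a window of window_days.
    Returns {(requester, supplier): {"po_ids": [...], "total": combined amount}}."""
    near_limit = defaultdict(list)
    for po in pos:
        limit = limits.get(po.requester, 0.0)
        if limit and (1 - band) * limit <= po.amount <= limit:
            near_limit[(po.requester, po.supplier)].append(po)

    suspects = {}
    for key, group in near_limit.items():
        group.sort(key=lambda p: p.created)
        # Slide the window from each PO in turn; report the first cluster that reaches min_count.
        for i, first in enumerate(group):
            cluster = [p for p in group[i:] if (p.created - first.created).days <= window_days]
            if len(cluster) >= min_count:
                suspects[key] = {"po_ids": [p.po_id for p in cluster],
                                 "total": round(sum(p.amount for p in cluster), 2)}
                break
    return suspects


def run_controls(pos):
    """Produce the suspect-transactions list a reviewer would work from: (po_id, reason)."""
    findings = [(po_id, "over approval limit") for po_id in over_threshold(pos)]
    for (who, supplier), hit in split_purchase_suspects(pos).items():
        for po_id in hit["po_ids"]:
            findings.append((po_id, f"possible split purchase by {who} at {supplier}, "
                                    f"cluster total {hit['total']:.2f}"))
    return findings


if __name__ == "__main__":
    for po_id, reason in run_controls(SAMPLE_POS):
        print(po_id, reason)
```

The threshold test alone would never see bob’s four POs, since each one is individually within his authority; the pattern test reports the cluster and its combined amount, which is the figure a reviewer compares against the limit. Both tests are pure functions over the PO list, so the same logic can run continuously on new transactions or be re-run over a period for sampling before close.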

Secure the IT Infrastructure

[Diagram: GRC Infrastructure Controls highlighted in the same layered GRC architecture]

• Extend user access and SOD to cover ALL systems
• Secure data inside and outside IT environment
• Protect sensitive data from unauthorized access
• Manage flow of data between systems

Oracle Identity & Access Management

[Diagram: Oracle Identity Management & Security Platform]
Info. Sec, Auditor, End Users, Administrator
Reporting & Analytics: Attestation, Segregation of Duties, Fraud Detection
Strong Authentication, Risk Based Authorization, Federation, Self-Service
Identity Admin, Account Admin, Organization Admin, Role Management, Delegated Admin
Business Apps, HR: Provisioning, Reconciliation, Password Mgmt., WS Security
Directories, DB: LDAP Storage, LDAP Synchronization, LDAP Virtualization, DB User Security
App Server, OS: Java Platform Security, Authentication For Operating Systems

Compliant Access Provisioning: Segregation of Duties in User Provisioning

[Diagram]
IDENTITY MANAGEMENT: New Hire, Change of Role; Set Up User Profile; Provision Application Access; Determine User Role
GRC CONTROLS: Validate with SOD Policies. No Violations: provision. Violations Found: Remediate (Seek Approval, Apply Mitigating Control, Deny Access)

Oracle Database Security: Defense-in-Depth for Security and Compliance

Data Masking, Database Vault, Configuration Management, Audit Vault, Label Security, Advanced Security, Total Recall, Secure Backup

Oracle Database Vault

• Controls on privileged users
  • Restrict highly privileged users from application data
  • Provide Separation of Duty
  • Security for database and information consolidation
• Real time access controls
  • Control who, when, where and how data is accessed
  • Make decision based on IP address, time, auth…

Reports, Protection Realms, Multi-Factor Authorization, Separation of Duty, Command Rules

Oracle Information Rights Management

• Patented “distributed” rights management between centralized server and desktop
• Centralized revocation of rights and up-to-date audit trail
• Transparent mobile access to “sealed” information
• Classification-based rights management
• Enterprise-scalable

Summary

• GRC is a huge opportunity
• Oracle is unique in the depth and breadth of our offering
• For every EBS and P/Soft customer [new and existing] you should include:
  • GRC Controls
    • SOD is the lead
  • Extend GRC C with Technology for complete
• Every system we sell is in order to automate and improve business processes – so why not talk to them about
  • GRC Manager and GRC Intelligence to record the processes?
  • UPK and/or Tutor to enable staff effectiveness?
• Think beyond your comp plan
  • GRC is Never about 1 product
  • Our strength is the completeness of offering
• Engage with Partners

Resources for Accelerating Growth

Partner Communities
• “Live” Partner Communities for BI, ECM, IDM, Persuasive, SOA

Material available from Partner Communities
• Technology: white papers, documentations, downloads
• Sales: sales kits, cheat sheets, references, ROI calculator
• Marketing: brochures, presentations, industry papers
• Education: Online Training & Assessments & Certification

Activities
• Regular updates available in OPN
• Monthly newsletters
• Monthly webcasts
• Quarterly Partner Community Forums
• Online Discussion Forums

Next step
• Sign up for the communities: http://www.oracle.com/partners/home/personalized/emea/english/technology/home.html