
Best Practices for World-Class I/T Governance


Monte Mayer
monte.mayer@oracle.com
612-812-7850

Business Drivers of ITG

Confidential-Oracle Highly Restricted



Information Risk Continues Unabated

Information security becomes part of overarching GRC strategy

50% of 1,000 executives polled said that information technology (IT) is the most challenging area in achieving S-O 404 compliance.
Source: KPMG 404 Institute, 2006


Does Loss of Customer Data pose a SOX Compliance issue?

Actually Yes!
Experts say breaches of customer data can cause companies to trip over the finer points of SOX compliance in at least three ways:
1. A data breach is considered by many auditors a failure of internal controls that must be reported;
2. Section 302 requires reporting any act of fraud; a data breach would require that it be included in a company's annual and quarterly reports;
3. If a potential fraud would be large enough to have a material effect on the financial statements, that would need to be reported as well.


Regulatory Proliferation's Impact on ITG

The average $500M corporation is subject to 35-40 major regulatory disclosure mandates.*
Large corporation? Heavily regulated vertical? We wish we were only subject to 40 regulatory mandates.

Regulatory Mandates
- FINANCIAL: SOX, JSOX, Loi de Sécurité Financière (LSF), Combined Code, German Corporate Governance Code, Bill 198
- PRIVACY: GLBA, PIPEDA, EU Data Directive, HIPAA, California SB 1386
- INDUSTRY: OSHA, NRC Title 10 CFR Part II, Basel II, NASD, OMB A-123, Solvency II
- IT CONTROLS: NIST, FISMA, FFIEC, PCI (VISA/MC CISP), ISO 17799
- AML: Bank Secrecy Act, PATRIOT Act, OFAC Guidelines, Money Laundering Control Act, 12 CFR 21.21
- HR/LEGAL: Anti-Discrimination, FLSA, COBRA, Harassment, Medicare/Medicaid, Stock Options Policies


*Source: WorldWatch, IDC

Good GRC is Good Business

Execs seek returns from GRC investment

[Chart: Share-price performance of companies complying with SOX rules, comparing companies that reported a control weakness in 2004-05, companies with no control weaknesses in 2004-05, and companies with a control weakness in 2004 but none in 2005; values shown: 28%, 26%, 6%. Source: Lord & Benoit, 2006]

[Chart: Price of a control deficiency for a $1 billion company: $10 million in higher cost of equity capital. Source: University of Wisconsin, 2006]

[Chart: Savings on legal liability avoidance from GRC investment: $1 of spending on compliance against $5 of savings on lower legal liability. Source: General Counsel Roundtable, 2006]


IIA Unveils GAIT Guidance For IT Controls*

The GAIT** guidance is based on a set of four IT principles that the IIA says are consistent with the top-down, risk-based approach advocated by PCAOB. Two of those principles are:
- IT risks that need to be identified exist in processes at various IT layers: application program code, databases, operating systems, and networks; and
- Risks in IT control processes are mitigated by the achievement of IT control objectives, not individual controls.

**The Guide to the Assessment of IT General Controls Scope Based on Risk, known as GAIT, is intended to help users identify those key IT general controls where a failure might indirectly result in a material error in a financial statement.

* per Compliance Week, Feb 20, 2007


IT Governance Defined

It is the Board and Senior Management's responsibility in relation to IT to ensure:
- IT Risk Management: all risks related to IT are known and managed, and IT resources are secured.
- Change Control Management: IT is complying with all internal Change Control Management policies and procedures.
- Application/Access Control Management: integrated Segregation of Duties detection and enforcement; enforce enterprise-wide application access controls.
- Service Delivery Efficacy: IT-related services and functionality are delivered at the maximum economical value or in the most efficient manner.

Application Access Controls

Enterprise Segregation of Duties Detection and Enforcement

The Problem:
- Must verify that employees do not have the ability to execute functions or access applications that should be logically separated.
- User functions also include access to the underlying technology and data, which should likewise be segregated.
- Companies must institute an enterprise provisioning process that will prevent incompatible functions from being assigned upon hiring or upon an internal job transfer.
- Library of potential vulnerabilities.
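As an added illustration (not part of the deck or of any Oracle product), the preventive and detective halves of the SoD problem above in Python: a conflict library is checked when a role is about to be provisioned, and the same library is run as a scan over existing assignments. The rules, roles and users are constructed samples, and the function names are assumptions.

```python
# Added example (not from the slide deck): a small segregation-of-duties (SoD)
# rule library applied two ways: preventively, when a role is about to be
# provisioned, and detectively, as a scan of existing assignments.
# Rules, roles and users below are constructed for illustration.

# Conflict library: pairs of functions that one person must never hold together.
# A real library would come from the business process owners.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "Fictitious-vendor payment fraud",
    frozenset({"enter_journal", "post_journal"}): "Unreviewed ledger manipulation",
    frozenset({"dba_admin", "approve_payment"}): "Direct table access bypasses application control",
}

# Roles bundle application functions. A technical role (dba_admin) is treated as
# a function too, because access to the underlying data must also be segregated.
ROLES = {
    "AP_Clerk": {"create_vendor", "enter_journal"},
    "AP_Manager": {"approve_payment", "post_journal"},
    "DBA": {"dba_admin"},
}

def functions_for(roles):
    """Flatten a user's roles into the set of functions they can execute."""
    return set().union(*(ROLES[r] for r in roles))

def violations(functions):
    """Return (rule, reason) for every conflicting pair present in the set."""
    return [(pair, why) for pair, why in SOD_RULES.items() if pair <= functions]

def can_provision(current_roles, new_role):
    """Preventive check: refuse an assignment that would create a conflict."""
    return not violations(functions_for(set(current_roles) | {new_role}))

def scan_assignments(assignments):
    """Detective check over an existing user -> roles mapping; returns {user: [reasons]}."""
    findings = {}
    for user, roles in assignments.items():
        hits = violations(functions_for(roles))
        if hits:
            findings[user] = [why for _, why in hits]
    return findings

if __name__ == "__main__":
    # Constructed sample of current assignments.
    users = {"alice": {"AP_Clerk"}, "bob": {"AP_Manager", "DBA"}}
    print(can_provision(users["alice"], "AP_Manager"))   # False: clerk + manager conflict
    print(scan_assignments(users))                        # bob holds dba_admin + approve_payment
```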

Application Configuration Controls

Application controls are automated processes embedded within IT systems and tend to be preventive in nature. There are two types of application controls:
- Inherent to the application: base functionality defined by the software vendor
- Configured within the application: the company determines the parameters

Even if a key control is an automated control, you still need a monitoring engine that verifies that the control has not changed, or if it has, how it changed and who changed it.
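An added example, not from the deck or from any Oracle product, of the monitoring engine described above: it fingerprints the approved baseline of configured control parameters, reports each drift with its old and new value, and attributes the change to the application's audit trail, flagging any change that has no audit entry at all. Parameter names, users and the audit log are constructed samples.

```python
# Added example (not from the slide deck): a monitoring engine for configured
# application controls. It keeps a baseline of key control parameters, compares
# a fresh snapshot against it, and attributes each drift to the audit record
# that made the change. Parameter names, users and the audit log are constructed.
import hashlib
import json

# Constructed baseline: configured control values approved at the last review.
BASELINE = {
    "AP.three_way_match": "required",
    "AP.invoice_tolerance_pct": "2",
    "GL.journal_approval": "required",
}

# Constructed audit trail as the application would write it (oldest first).
AUDIT_LOG = [
    {"seq": 101, "who": "jsmith", "key": "AP.invoice_tolerance_pct", "old": "2", "new": "15"},
    {"seq": 102, "who": "svc_batch", "key": "GL.journal_approval", "old": "required", "new": "optional"},
]

def fingerprint(config):
    """Stable hash of a control set, so an unchanged baseline verifies cheaply."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def detect_drift(baseline, current, audit_log):
    """Return drift findings: which control changed, from/to what, and who did it.

    A changed key with no matching audit entry is marked 'UNATTRIBUTED'. That is
    itself a finding: the change bypassed the application's own audit trail."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        who = next((e["who"] for e in reversed(audit_log)
                    if e["key"] == key and e["new"] == new), "UNATTRIBUTED")
        findings.append({"key": key, "baseline": old, "current": new, "changed_by": who})
    return findings

if __name__ == "__main__":
    # Constructed current snapshot: two audited changes and one that bypassed the audit.
    current = dict(BASELINE, **{"AP.invoice_tolerance_pct": "15",
                                "GL.journal_approval": "optional",
                                "AP.three_way_match": "disabled"})
    if fingerprint(current) != fingerprint(BASELINE):
        for finding in detect_drift(BASELINE, current, AUDIT_LOG):
            print(finding)
```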


What are your alternatives?

Excel spreadsheets:
- Manual reviews are extremely time intensive
- Prone to error
- Vulnerable to unauthorized changes

Niche solution:
- No central repository of rules across applications
- Enterprise integration & upgradeability

Analyzing SoD violations at a point in time:
- Doesn't proactively prevent the assignment of duties that are incompatible
- No continuous monitoring

Companies depend on staff knowledge and integrity to ensure compliance:
- Experienced staff leave, and their knowledge and integrity leave with them


What are the Key Framework Pieces?

[Diagram: four framework pieces, Risk Management, Change Control Management, Application Access & Configuration Control, and IT Service/Resource Management, arranged around a central Compliance Risk Management core with Enterprise Access & Configuration Controls, Change Control Management and Service/Resource Management as its quadrants.]

Risk Management
- Perform risk assessments
- Plot IT risks according to impact and likelihood to facilitate remediation
- Use industry best practices in processes and controls
- Put IT risks in a business context

Application Access & Configuration Control
- Monitoring
- Access provisioning
- SoD detection & enforcement
- Detective and preventive enforcement of application changes

Change Control Management
- Definition and management of change control policies
- Ensure that change control policies are being adhered to
- Project Portfolio Management

IT Service/Resource Management
- Map and report on applications/infrastructure and the supported services and business processes


GRC Solution/Framework

[Diagram: GRC solution/framework product map. Layers shown: Corporate Performance Management, Policy Management, Risk and Control Management, Business Process Management, Content Management, Identity Management, GRC Intelligence, and Data Protection. Products shown: Financial Consolidation Hub, Balanced Scorecard, Portal/Daily BI, Oracle GRC Manager, iLearning, Stellent UCM, Reveleus, iSurveys, BPEL, BAM, Project Portfolio Management, Tutor, Stellent URM, Identity Manager/UMX, Identity Audit & Compliance, Access Manager, Hyperion, Identity & Role Administration, 3rd Party Reporting Tools, Identity Federation, Audit Vault, Directory Security, Data Vault, Database Security, Sealed Media.]


Enforce Data Security at the Source: Data Vault and Advanced Security

Protect sensitive data with database encryption
- Encrypt sensitive data at rest or across the network
- Restrict access to sensitive data, even from privileged users
- Classification-based access so users see only the data they are authorized to view

[Diagram: data decrypted for authorized users, data encrypted in the database, and encrypted data on backup media.]


Control User Access and Authorization

Enforce segregation of duties with Oracle Identity Mgmt

[Diagram: identity management architecture. External users (customers, partners) and internal users (IT staff, employees) reach applications and SOA apps through Access Management; Identity Administration, Directory Services and Identity Provisioning connect to the systems and repositories (ERP, CRM, HR, OS (Unix), Mainframe, NOS/Directories); Auditing and Reporting plus Monitoring and Mgmt span the stack.]

- Restrict access to applications based on business policy
- Enforce segregation of duties across heterogeneous systems
- Certify who has access to what via automated attestation

Complete Access & Identity Management Compliance

Lockdown Systems/Processes
- Provisioning policy
- Denial policy
- Approval workflow
- Provisioning workflow
- Request process
- Identity mapping
- Role management
- SoD enforcement
- Policy-driven attestation
- Centralized control
- Delegated admin

Control Access Points
- Access policy
- Single sign-on
- Password mgmt
- Session logging
- AuthN provider
- AuthZ provider
- Federation
- Multi-factor authN

Manage Exceptions
- Rogue account discovery
- Exception-based process automation
- Alerts
- Event management
- SoD monitoring
- Exception reporting
- Exception attestation

Deploy Safety Mechanisms
- Attestation of entitlements
- Attestation of access logs
- Redundant controls
- Matrix attestation
- Trending analysis
- Baselining & benchmarking
- Scheduled reports
- Compliance dashboard

Validate Controls
- Attestation of roles
- Attestation of policies
- Attestation of rules
- Attestation of workflow
- Attestation gap analysis
- Access-entitlement comparison analysis
- SoD policy synchronization

Products: Oracle Identity Manager, Oracle Access Manager


Application Configuration Control Management

- Monitors, logs, and alerts key personnel to changes made within the application or directly to the underlying data tables
- Review at the application, user, and instance level


Consolidate & Manage Audit Data

Provide proof of enforcement with Oracle Audit Vault
- Lock down audit data in an audit warehouse
- Monitor, report, and alert on all audit activity
- Detect suspicious activity and auto-escalate increased auditing


Change Control Management Framework for IT Service Mgmt

Effective change control management involves a disciplined BS 15000 / ITIL process implementation focusing on 4 key areas:

Stabilize Environment
- Reduce/eliminate access
- Document new change policies
- Notify all stakeholders
- Create change windows

Repeatable Build Libraries
- Infrastructure
- Applications

Lockdown Changes
- Detect & report all changes
- Create change team
- Match changes with the change tracking system

Inventory all Services & Assets
- Build a configuration management database (CMDB)
- Build a service catalogue
- Locate and isolate all fragile assets

ITIL processes shown: Incident Mgmt, Resolution Mgmt, Change Mgmt, Release Mgmt, Project Portfolio Mgmt


Enforce Proper Change Management - Enterprise Manager 10G R3

Apply key IT control with Oracle Configuration Management

[Diagram: Gather, Model, Reconcile, Enforce, Audit lifecycle.]
- Gather: centrally collect configuration information and track changes
- Model
- Reconcile: evaluate configurations against best practice policies
- Enforce: deploy certified configurations, patches, and images across all systems
- Audit


Oracle Solutions


Flexible ITG Data Model

[Diagram: entity view of the ITG data model. Entities shown: Business Entity, Process, Sub-Process, IT Service, ITIL Category, Control Objective, Risk, Key Risk Indicator, KRI Values, Control, Test Plan, Test Results, Applications, People, Infrastructure, Incidents, AAC (Application Access Controls), ACC (Application Configuration Controls).]


Application Configuration Control Dashboards


Questions