GRC Compliance Intro NorCal OAUG1
Agenda
Business Challenges
Oracle's Leadership in Governance, Risk and Compliance
Solution Overview
Solution Demo
AML
IT Governance
Records Retention
Patriot Act
Growing recognition that information breaches stem from inside the organization
Audit Management
Legal Discovery
Data Privacy
People: Finance, Suppliers, R&D, Mfg, Sales, HR, Legal, Customers
Technology: Data Warehouse, Enterprise Applications, Database, Mainframes, Mobile Devices, Apps Server
Regions
Mandates: SOX, JSOX, EU Directives, HIPAA, Basel II, GLBA, PCI, SB1386
Chipotle
Fast food chain stored full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M.
Source: Computerworld, December 2005
Dollar Tree
Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months.
Source: Eweek, August 2006
Life is Good
Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers.
Source: Boston.com, Sept. 2006
Penalties are Severe
Companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.
Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html
The cost of a breach can reach at least $90 per customer, for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data.
Source: Gartner Study, 16 September 2005, "Data Protection is less costly than breaches"
[Chart: cost versus number of controls, Year 1 & 2, Year 3, Year 4+]
New AS5 Guidance: top-down, risk-based approach; tailor the audit to the specific company profile
Agenda
Business Challenges
Oracle's Leadership in Governance, Risk and Compliance
Solution Overview
Customer Success
Infrastructure
End-to-End Policy & Process Management Governs Risk and Compliance Activities
Enterprise Control Management Detects and Prevents Control Failures
Integrated Analytics Deliver Actionable Insight
A Fragmented Approach
[Diagram: Executives, Testers]
Central Repository
Link policies and procedures to laws, regulations, and standards as evidence of compliance
Apply and track permission-based access to policy and procedure documents
Leverage advanced search function with familiar look and feel
Frameworks align corporate policies and associated controls to standards
Link shared policies and controls in master libraries for easy maintenance
[Diagram: GRC workflow cycle: Assess/Audit, Analyze, Respond, Certify]
65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. What are the resulting effects?
[Chart of resulting effects: 71%, 69%, 32%, 15%, 10% (reduced margins)]
Infrastructure
End-to-End Policy & Process Management Governs Risk and Compliance Activities
Enterprise Control Management Detects and Prevents Control Failures
Integrated Analytics Deliver Actionable Insight
Violation Detection and Corrective Measures
[Diagram: pre-delivered content, process, evidence; employee with authorized access]
User access deviations detected across instances
Continuous monitoring through reporting
Violation Prevention: Denied Grant of Role
[Diagram: employee, assignment of roles, SOD policy]
Integrated framework for user provisioning
Set up of user profiles with library of constraints
Segregation of duties prevention and certification across heterogeneous systems
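The two controls on these slides, detective scanning of existing user access for deviations and preventive denial of a role grant that would complete an SOD conflict, as one added example over the procure-to-pay steps shown (requisition, invoice, issue payments). This is illustration code, not Oracle's; the role names, duty names and policy pairs are constructed assumptions.

```python
"""Segregation-of-duties (SoD) checks over procure-to-pay roles.

Added example, not the product's code: role names, duty names and the
SoD policy below are constructed for illustration.
"""

# Roles mapped to the business duties they allow (constructed sample).
ROLE_DUTIES = {
    "Requisitioner": {"create_requisition"},
    "AP_Clerk": {"enter_invoice"},
    "Treasury": {"issue_payment"},
    "Buyer": {"create_requisition", "approve_requisition"},  # conflicts within one role
}

# SoD policy: pairs of duties one person must never hold together.
SOD_POLICY = {
    frozenset({"create_requisition", "approve_requisition"}),
    frozenset({"enter_invoice", "issue_payment"}),
    frozenset({"create_requisition", "issue_payment"}),
}


def duties_for(roles):
    """Union of duties granted by a collection of roles."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))


def violations(duties):
    """Policy pairs fully contained in the duty set, as sorted tuples."""
    return sorted(tuple(sorted(p)) for p in SOD_POLICY if p <= duties)


def check_grant(current_roles, new_role):
    """Preventive control: (allowed, new_conflicts) for a proposed role grant.

    The grant is denied when the new role, combined with what the user
    already holds, completes a forbidden pair that did not exist before.
    """
    before = violations(duties_for(current_roles))
    after = violations(duties_for(list(current_roles) + [new_role]))
    new_conflicts = [v for v in after if v not in before]
    return (not new_conflicts, new_conflicts)


def detect_violations(assignments):
    """Detective control: scan existing user -> roles assignments for conflicts."""
    found = {}
    for user, roles in assignments.items():
        conflicts = violations(duties_for(roles))
        if conflicts:
            found[user] = conflicts
    return found
```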
Realms
[Diagram: SUPER DBA denied access to the HR Realm; DBA granted access to the FIN Realm]
Protect from insider threats by ensuring powerful users have access to only what they need to do their job
Restrict access to sensitive data and ascertain that users are who they state themselves to be
Super User Access Controls
[Diagram: critical data such as National ID/SSN, salary and customer records; FIN DBA confined to the FIN Realm; access factors such as time of day and IP address; HR Realm and FIN Realm]
Procure-to-Pay
[Diagram: Procurement, Inventory, Accounts Payable; Requisition, Invoice, Issue Payments; SAP]
Monitors over 500 key configuration settings across instances
Before and after snapshot of changes to settings with ability to revert back
Automatic alerts notify managers as exceptions occur
IT Audit: Prevent unauthorized system configuration changes with diagnostics
Financial Audit: Deliver auditor-ready reports for process certification and remediation analysis
End-to-End Policy & Process Management Governs Risk and Compliance Activities
Enterprise Control Management Detects and Prevents Control Failures
Integrated Analytics Deliver Actionable Insight
Align policies and processes with best practice risk and control frameworks
Detects and Prevents Control Failures with Enterprise Control Mgmt
Control user access & enforce segregation of duties with business-driven rules
Reduce risk of fraud with continuous monitoring of automated controls
Enforce effective preventive and detective controls across all systems
Delivers GRC Insight for Better Business Performance
Leverage a single source of GRC information across departments and locations
Improve risk responsiveness with timely control and performance analytics
Tailor GRC intelligence to the needs of your specific organization and function