

Best Practices for World-Class I/T Governance
Monte Mayer 612-812-7850

Business Drivers of ITG

Confidential-Oracle Highly Restricted



Information Risk Continues Unabated
Information security becomes part of overarching GRC strategy.
50% of 1,000 executives polled said that information technology (IT) is the most challenging area in achieving S-O 404 compliance.
Source: KPMG 404 Institute, 2006

Does Loss of Customer Data pose a SOX Compliance issue?
Actually Yes! Experts say breaches of customer data can cause companies to trip over the finer points of SOX compliance in at least three ways:
1. A data breach is considered by many auditors a failure of internal controls that must be reported.
2. Section 302 requires reporting any act of fraud; a data breach would require that it be included in a company's annual and quarterly reports.
3. If a potential fraud would be large enough to have a material effect on the financial statements, that would need to be reported as well.

Regulatory Proliferation's Impact on ITG
• The average $500M corporation is subject to 35-40 major regulatory disclosure mandates*
• Large corporation? Heavily regulated vertical? "We wish we were only subject to 40 regulatory mandates."
*Source: WorldWatch, IDC

Regulatory Mandates
• FINANCIAL: SOX; JSOX; Loi de Sécurité Financière (LSF); Combined Code; German Corporate Governance Code; Bill 198
• PRIVACY: GLBA; PIPEDA; EU Data Directive; HIPAA; California SB 1386
• INDUSTRY: OSHA; NRC Title 10 CFR Part II; Basel II; NASD; OMB A-123; Solvency II
• IT CONTROLS: NIST; FISMA; FFIEC; PCI (VISA/MC CISP); ISO 17799
• AML: Bank Secrecy Act; PATRIOT Act; OFAC Guidelines; Money Laundering Control Act; 12 CFR 21.21
• HR/LEGAL: Anti-Discrimination; FLSA; COBRA; Harassment; Medicare/Medicaid; Stock Options Policies

Good GRC is Good Business
Execs seek returns from GRC investment.
Share-price performance of companies complying with SOX rules:
• No control weaknesses in 2004-05: +28%
• Control weakness in 2004, but none in 2005: +26%
• Reported control weakness 2004-05: -6%
Source: Lord & Benoit, 2006
Price of control deficiency for a $1 billion company: $10 million in higher cost of equity capital. Source: University of Wisconsin, 2006
Savings on legal liability avoidance from GRC investment: Spending on Compliance $1; Savings on Lower Legal Liability $5. Source: General Counsel Roundtable, 2006

IIA Unveils GAIT Guidance For IT Controls*
The GAIT** guidance is based on a set of four IT principles that the IIA says are consistent with the top-down, risk-based approach advocated by PCAOB. Two of those principles are:
• IT risks that need to be identified exist in processes at various IT layers: application program code, databases, operating systems, and networks.
• Risks in IT control processes are mitigated by the achievement of IT control objectives, not individual controls.
* per Compliance Week, Feb 20, 2007
** The "Guide to the Assessment of IT General Controls Scope Based on Risk" (known as GAIT) is intended to help users identify those key IT general controls where a failure might indirectly result in a material error in a financial statement.

IT Governance Defined
It is the Board and Senior Management's responsibility in relation to IT to ensure:
• IT Risk Management: All risks related to IT are known and managed, and IT resources are secured.
• Change Control Management: IT is complying with all internal Change Control Management policies and procedures.
• Application/Access Control Management: Enforce Enterprise-wide Application Access Controls; Integrated Segregation of Duties Detection and Enforcement.
• Service Delivery Efficacy: IT-related services and functionality are delivered at the maximum economical value or in the most efficient manner.

Application Access Controls: Enterprise Segregation of Duties Detection and Enforcement
The Problem:
• Must verify that employees do not have the ability to execute functions or access applications that should be logically separated.
• User functions also include access to the underlying technology/data, which should also be segregated.
• Companies must institute an enterprise provisioning process that will prevent incompatible functions from being assigned upon hiring or upon an internal job transfer.
• Library of potential vulnerabilities.

Application Configuration Controls
• Application Controls are automated processes embedded within IT systems and tend to be preventive in nature. There are two types of application controls:
  • Inherent to the application: base functionality defined by the software vendor
  • Configured within the application: the company determines the parameters
• Even if a key control is an automated control, you still need a monitoring engine that verifies that the control has not changed, or if it has, how it changed and who changed it.

What are your alternatives?
• Excel Spreadsheets:
  • Manual Reviews are extremely time intensive
  • Prone to error
  • Vulnerable to unauthorized changes
  • No continuous monitoring
  • Companies depend on staff knowledge and integrity to ensure compliance. Experienced staff leave… knowledge and integrity leaves.
• Niche Solution:
  • No central repository of rules across applications
  • Enterprise integration & upgradeability
  • Analyzing SoD violations at a point in time doesn't proactively prevent the assignment of duties that are incompatible.
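The SoD problem above and the point-in-time versus preventive contrast on this slide, as an added example that is not Oracle's code: a minimal rule engine with a detective scan over current assignments and a preventive check run at provisioning time. The rule library, roles, business functions and users are all constructed for illustration.

```python
# Added example (not Oracle's code): a minimal segregation-of-duties engine with
# a detective point-in-time scan and a preventive provisioning-time check.
# Rule library, roles, business functions and users are all constructed.

# Constructed rule library: pairs of business functions one person must never hold.
SOD_RULES = {
    ("create_vendor", "approve_payment"): "could create and pay a fictitious vendor",
    ("enter_journal", "post_journal"): "could post unreviewed ledger entries",
    ("modify_payroll", "approve_payroll"): "could alter and approve own payroll",
    # The slides note that direct access to underlying data must be segregated too.
    ("ap_app_access", "ap_table_write"): "could bypass application controls via the database",
}

# Constructed map from provisionable roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_journal", "ap_app_access"},
    "AP_MANAGER": {"approve_payment", "post_journal"},
    "DBA_FINANCE": {"ap_table_write"},
    "PAYROLL_ADMIN": {"modify_payroll"},
    "HR_MANAGER": {"approve_payroll"},
}

# Constructed current assignments, as an access review would export them.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"PAYROLL_ADMIN", "HR_MANAGER"},
}

def functions_for(roles):
    """Flatten a user's roles into the set of business functions they can execute."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))

def find_violations(roles):
    """Return every SoD rule the role set breaks, as sorted (func_a, func_b, reason) tuples."""
    funcs = functions_for(roles)
    return sorted((a, b, why) for (a, b), why in SOD_RULES.items() if a in funcs and b in funcs)

def scan_users(assignments):
    """Detective control: point-in-time report of users currently in violation."""
    return {u: v for u, roles in assignments.items() if (v := find_violations(roles))}

def provisioning_check(current_roles, requested_role):
    """Preventive control: approve a role request only if the resulting set stays conflict-free."""
    conflicts = find_violations(set(current_roles) | {requested_role})
    return (not conflicts, conflicts)
```

Call scan_users(USER_ROLES) for the detective report (bob and carol are flagged) and provisioning_check(USER_ROLES["alice"], "DBA_FINANCE") for the preventive gate, which refuses the request because application access plus direct table write would let one person bypass the application controls.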

What are the Key Framework Pieces?
[Diagram: Compliance at the centre, surrounded by Risk Management, Change Control Mgmt, Service/Resource, and Enterprise Access & Configuration Controls Management]
Risk Management
• Perform Risk Assessments
• Plotting IT risks according to impact and likelihood to facilitate remediation
• Use Industry Best Practices in Processes and Controls
• Put IT Risks in a business context
Change Control Management
• Definition and management of change control policies
• Ensure that change control policies are being adhered to
• Project Portfolio Management
IT Service/Resource Management
• Map and report on applications/infrastructure and supported service and business processes
Application Access & Configuration Control Monitoring
• Access Provisioning
• SoD Detection & Enforcement
• Detective and Preventive Enforcement of Application Changes

GRC Solution/Framework
• Corporate Performance Management: Financial Consolidation Hub; Balanced Scorecard; Portal; Daily BI; 3rd Party Rpting Tools
• Risk and Control Management: Oracle GRC Manager; iSurveys; Reveleus
• Policy Management: iLearning; Stellent UCM
• GRC Intelligence: Hyperion; Audit Vault
• Business Process Management: BPEL; BAM
• Project Portfolio Management
• Content Management: Tutor; Stellent URM; Stellent UCM
• Identity Management: Identity & Role Administration (Identity Manager / UMX); Identity Audit & Compliance; Access Manager; Identity Federation
• Data Protection: Directory Security; Data Vault; Database Security; Sealed Media

Enforce Data Security at the Source: Data Vault and Advanced Security
Protect sensitive data with database encryption
• Encrypt sensitive data at rest or across the network
• Restrict access to sensitive data, even from privileged users
• Classification-based access so users see only data they are authorized to view
[Diagram: Data Decrypted / Data Encrypted / Encrypted Data on Backup Media]

Control User Access and Authorization
Enforce segregation of duties with Oracle Identity Mgmt
[Diagram: External users (Customers, Partners, SOA Apps) and Internal users (IT Staff, Employees, SOA Apps) pass through Auditing and Reporting, Access Management, Directory Services, Identity Administration, Identity Provisioning, and Monitoring and Mgmt to reach Systems & Repositories: Applications, ERP, CRM, OS (Unix), HR, Mainframe, NOS/Directories]
• Restrict access to applications based on business policy
• Enforce segregation of duties across heterogeneous systems
• Certify who has access to what via automated attestation

Complete Access & Identity Management Compliance
• Lockdown Systems/Processes: Provisioning policy; Denial policy; Approval workflow; Provisioning workflow; Request process; Identity mapping; Role management; SoD enforcement; Policy driven attestation; Centralized control; Delegated admin
• Control Access Points: Access policy; Single-sign-on; Password mgmt; Session logging; Auth'N provider; Auth'Z provider; Federation; Multi-factor auth'N
• Manage Exceptions: Rogue account discovery; Exception based process automation; Alerts; Event management; SoD monitoring; Exception reporting; Exception attestation
• Deploy Safety Mechanisms: Attestation of entitlements; Attestation of access logs; Redundant controls; Matrix attestation; Trending analysis; Baselining & benchmarking; Scheduled reports; Compliance dashboard
• Validate Controls: Attestation of roles; Attestation of policies; Attestation of rules; Attestation of workflow; Attestation gap analysis; Access-entitlement comparison analysis; SoD policy synchronization
Products: Oracle Identity Manager; Oracle Access Manager

Application Configuration Control Management
• Monitors, logs, and alerts key personnel to changes made within the application or directly to the underlying data tables
• Review at the application, user, and instance level

Consolidate & Manage Audit Data
Provide proof of enforcement with Oracle Audit Vault
• Lock down audit data in an audit warehouse
• Monitor, report, and alert on all audit activity
• Detect suspicious activity and auto-escalate increased auditing

Change Control Management Framework for IT Service Mgmt
Effective change control management involves a disciplined BS 15000 / ITIL process implementation (Incident Mgmt, Resolution Mgmt, Change Mgmt, Release Mgmt, Project Portfolio Mgmt) focusing on 4 Key Areas:
Stabilize Environment
• Reduce/Eliminate Access
• Document New Change Policies
• Notify all Stakeholders
• Create Change Windows
Inventory all Services & Assets
• Build a configuration management database (CMDB)
• Build a Service Catalogue
• Locate and isolate all "fragile assets"
Lockdown Changes
• Detect & Report all changes
• Create Change Team
• Match changes with change tracking system
Repeatable Build Libraries
• Infrastructure
• Applications

Enforce Proper Change Management: Enterprise Manager 10G R3
Apply key IT control with Oracle Configuration Management
[Diagram: Gather, Model, Reconcile, Enforce, Audit cycle]
• Centrally collect configuration information and track changes
• Evaluate configurations against "best practice" policies
• Deploy certified configurations, patches, and images across all systems

Oracle Solutions Confidential-Oracle Highly Restricted 23 .

Flexible ITG Data Model
[Data model diagram; entities: Business Entity, IT Service, Process, Sub-Process, ITIL Category, Control Objective, Risk, Applications, People, Infrastructure, Key Risk Indicator, Control, Test Plan, Test Results, Incidents, AAC, ACC, KRI Values]

Application Configuration Control Dashboards



Questions