• Automated Controls
• Detective & Preventative Controls
• Reports/Documentation
• Attestation (“I confirm that...”)
Governance
Risk
Compliance
What is the Oracle GRC Strategy?
Oracle GRC Has Come A Long Way
July 2006
“SAP definitely in my mind has the lead on Oracle in developing a very comprehensive strategy for GRC.”
Michael Rasmussen, Forrester
July 5, 2006
May 2008
“SAP needs to put urgency into fleshing out its GRC management capabilities to match its vision…Until SAP does so, enterprise GRC platform buyers should look to Oracle and the many best-of-breed EGRC platform vendors.”*
French Caldwell, Gartner
May 22, 2008
Shift Happens!
* As Quoted in Article by Courtney Bjorlin, News Editor, 29 May 2008 | SearchSAP.com
Acquired Innovation Timeline:
Scale, technology and vertical specialization
drive growth across all product lines
Multiple Requirements, Fragmented Response
Consolidate
[Diagram: requirements R1, R2, R3 and controls C1, C2, C3 (C1a to C3c)]
Challenge: Insufficient Resources, Manual Efforts
Solution: Automate
[Diagram labels: Risk, Policy, Process, Assessment, Reporting & Diagnostics, Detective Control, Preventive Control, Remediation, Issues]
Challenge: GRC as an Afterthought Or Holding Up the Business
Solution: Embed GRC
[Diagram labels: GRC, Business Processes]
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
Oracle Solutions for GRC
• GRC Reporting & Analytics: Access Policy KPIs, Risk & Control KPIs, Certification KPIs
• GRC Process Management: Documentation, Management & Reporting, Issues & Assessments
• GRC Infrastructure Controls: Identity Mgmt, Data Security, Systems Mgmt, Records & Content Mgmt, Digital Rights
• Purpose-built business solutions for key industries and GRC initiatives
• Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Step 3 – Automate the flow of transactions and approvals as much as possible. Of course this requires a link to HR. Simplify the number of processes and ERP.
[Diagram labels: Plan, Forecast and Monitor; Create, Manage, Update and Report; Automate Controls, Approvals and Business flows]
Oracle GRC Reporting & Analytics
Run your Business Better and Prove It
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Role based
• Configure to meet your specific needs
Consolidated view of financial balances and risk rating
GRC Intelligence for SOD
Oracle GRC Process Management
Simplify GRC and Reduce Costs
Is it time to do an assessment again?
Oracle GRC Applications Controls
Protect Brand and Reputation
Detective Controls
• ACCESS Controls: What users have done
• CONFIGURATION Controls: What’s changed in the environment
• TRANSACTION Controls: What are the execution patterns
Detection / Prevention
[Diagram labels: Define Access Controls; Access Conflict Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies / Controls]
Detection / Prevention
[Diagram labels: Define Configuration Controls; Document or Compare Configurations; Monitor Configuration Changes; Enforce Change Control; Manage Data Integrity]
Data Privacy and Data Integrity
Mask sensitive data, disable buttons, validate data input, etc.
• Granular user interface restrictions
• Restrict access to data or actions
• Embedded control enforcement
[Screen example: Employee Update]
Name: John Doe
Address: 123 Main St, Center City, NY 12345
SSN: XXX-XX-XXXXX
Salary: $ 53,000.00
[Callout: Conceal SSN number if User is NOT from HR dept]
Detection / Prevention
[Diagram labels: Define Transaction Controls; Perform Transaction Analysis; Review and Address Suspects; Preventive Transaction Controls]
What should I be looking for?
4 Simple Questions
• Are you interested in being able to identify unusual transactions in your systems?
• Are you interested in being able to identify users trying to circumvent authority limits by undertaking multiple transactions?
• Are you interested in being able to speed your period close process?
• Are you interested in being able to enforce controls over transactions?
Oracle GRC Reporting & Analytics
Run your Business Better and Prove It
New Hire, Change of Role
• Set Up User Profile
• Determine User Role
• Validate with SOD Policies
• No Violations: Provision Application Access
• Violations Found: Remediate:
• Seek Approval
• Apply Mitigating Control
• Deny Access
Oracle Database Security
Defense-in-Depth for Security and Compliance
• Audit Vault
• Configuration Management
• Total Recall
• Database Vault
• Label Security
• Advanced Security
• Data Masking
• Secure Backup
Oracle Database Vault
• Controls on privileged users
• Restrict highly privileged users from application data
• Provide Separation of Duty
• Security for database and information consolidation
• Real time access controls
• Control who, when, where and how data is accessed
• Make decision based on IP address, time, auth…
[Diagram labels: Protection Realms, Reports, Multi-Factor Authorization, Command Rules, Separation of Duty]
Oracle Information Rights Management
• Patented “distributed” rights management
• between centralized server and desktop
• Centralized revocation of rights and up-to-date audit trail
• Transparent mobile access to “sealed” information
• Classification-based rights management
• Enterprise-scalable
Summary
• GRC is a huge opportunity
• Oracle is unique in the depth and breadth of our offering
• For every EBS and P/Soft customer [new and existing] you should include:
• GRC Controls
• SOD is the lead
• Extend GRC C with Technology for complete
• Every system we sell is in order to automate and improve business processes – so why not talk to them about
• GRC Manager and GRC Intelligence to record the processes?
• UPK and/or Tutor to enable staff effectiveness?
• Think beyond your comp plan
• GRC is Never about 1 product
• Our strength is the completeness of offering
• Engage with Partners
Resources for Accelerating Growth
Partner Communities
Activities
Next step