Using Oracle and Related Tools to Comply with Sarbanes Oxley
  • Notes
    • Scalability: millions of users, 1000's of simultaneous clients
    • High availability: multimaster & fan-out replication; hot backup/recovery, RAC, etc.
    • Manageability: Grid Control multi-node monitoring
    • Security: flexible authentication mechanisms; role & policy based access control; auditability
    • Extensibility & virtualization: plug-in framework; attribute and namespace virtualization; external authentication; custom password policies
    • Certifications: Open Group VSLDAP certified; Common Criteria EAL4 compliant

Transcript

  • 1. NCOAUG – AUGUST 15, 2008. Utilizing Oracle Standard Functionality and other Oracle tools to comply with Sarbanes-Oxley. By Olga Johnson, City of Detroit
  • 2. Information on Speaker: Olga Johnson
    • Title is Business System Support Specialist
    • Maintains and teaches the General Ledger and Fixed Assets for the City of Detroit
    • Performs setups, writes FSGs, tests changes, performs upgrades, researches items, and works with other modules that interact with GL and Fixed Assets.
  • 3. Agenda
    • Key Points of Sarbanes Oxley (SOX)
    • How to set up responsibilities and limit segments to comply with SOX
    • Identity Management, Audit Vault, Database Vault and SOX Compliance
    • Release 12 and SOX Compliance
  • 4. Key points of SOX
    • Sec. 302 Corporate Responsibility for financial reports
      • Signing officers are responsible for
        • Establishing and maintaining internal controls
        • Ensuring material information is prepared periodically
        • Evaluating the effectiveness of internal controls within 90 days of the report
  • 5. Key points of SOX
    • Sec. 302 Corporate Responsibility for financial reports
      • Signing officers are responsible for
        • Presenting conclusions on the effectiveness of internal controls
        • Disclosing deficiencies in the design or operation of internal controls
        • Disclosing fraud, whether or not material
        • Indicating significant changes to internal controls
  • 6. Key points of SOX
    • Sec. 401 Disclosure in periodic reports
        • Each financial report should reflect all material correcting adjustments
    • Sec. 404 Management assessment of internal controls
        • Management is responsible for establishing and maintaining an adequate internal control structure.
        • The report must contain an assessment, as of the end of the issuer's most recent fiscal year, of the effectiveness of the issuer's internal control structure and procedures for financial reporting.
  • 7. Key points of SOX
    • Criminal fraud accountability penalties
      • Destruction, alteration, or falsification of records in a federal investigation or bankruptcy… fine and up to 10 years in prison
      • Failure to certify financial reports… fined up to 1,000,000 and imprisoned up to 10 years
      • Failure to comport with all requirements set forth… fined not more than 5,000,000 and imprisoned up to 20 years
  • 8. Example of Internal Controls
    • Segregation of Duties
      • Responsibilities
      • Limited access to segments
  • 9. Segregation of Duties – Responsibilities Matrix
  • 10. Set Up Unique Responsibilities
  • 11. Set Up Unique Responsibilities
  • 12. Set Up Unique Responsibilities
  • 13. Set Up a Unique Posting Responsibility
  • 14. Set Up a Unique Posting Responsibility
  • 15. Assigning a Responsibility to a User
  • 16. Assigning a Responsibility to a User
  • 17. Assigning a Responsibility to a User
  • 18. Assigning a Responsibility to a User
  • 19. Assigning a Responsibility to a User
  • 20. Assigning a Responsibility to a User
  • 21. Assigning a Responsibility to a User
  • 22. Assigning a Responsibility to a User
  • 23. Separation by Department
  • 24. Separation by Department
  • 25. Separation by Department
  • 26. Separation by Department
  • 27. Separation by Department
  • 28. Separation by Department
  • 29. Identity Management
    • Financial Compliance
      • SOX (Sarbanes-Oxley or SarbOx)
      • Michigan Senate Bill 309
      • Wisconsin Senate Bill 164
      • Gramm-Leach-Bliley
      • HIPAA
      • Basel II Internal Risk Management
      • CFR Part 11
      • Japan Privacy Law
      • Other current and future regulations
  • 30. SOX and Identity Management Components
    • Oracle Web Access Manager
      • Manages user (individual, group or organization) lifecycles, securely storing and administering user profile data and controlling application access based on these profiles
      • Provides a higher level of security for select information such as HR data
      • Logs events for audit purposes
        • Locked-out users, password changes, group history, users created/deactivated/reactivated/deleted
      • Self-service allows users to change some attributes, such as phone numbers; workflow can be used to require approval.
      • Allows users to reset passwords
  • 31. SOX and Identity Management Components
    • Oracle Web Service Manager (WSM)
      • A common security infrastructure for all web service applications, allowing best-practice security policies and monitoring to be deployed across existing and new services
        • Decrypts information, writes a log, sends error or success messages.
        • Policy management across all web and SOA environments
        • Captures audit information for SOX, HIPAA and other regulations
        • Supports encryption of messages to the endpoint
  • 32. SOX and Identity Management Components
    • Oracle Enterprise Single Sign-on
      • Uses any LDAP, Active Directory or SQL database server as its user profile and credential repository
      • Password management
      • Distributes single log-in credentials to Oracle Enterprise Single Sign-on based on provisioning instructions from Oracle Identity Manager
  • 33. SOX and Identity Management Components
    • Oracle Identity Federation
      • Enables identities and their relevant entitlements to be propagated across security domains within and between organizations
      • Integrates with standards-compliant federation solutions, directories, databases and access management products.
      • Supports single login and single logout profiles
  • 34. SOX and Identity Management Components
    • Oracle Identity Manager
      • The provisioning manager maintains the who and what of provisioning; here you define the rules, access policies, user profiles and workflow processes. An exit policy can automate the process of removing access.
      • The provisioning server allows you to roll back and recover when a transaction fails or is stopped.
      • Password management: self-service, password attributes, password synchronization
      • Identity reconciliation detects any accounts or changes to user access privileges made outside of OIM's control and takes corrective action or notifies an administrator
      • Captures audit data on who, what, when and how, plus profiles and policies, to provide audit data for SOX, HIPAA, etc.
  • 35. SOX and Identity Management Components
    • Oracle Internet Directory
      • Holds information about users, applications, network services, and other objects, from metadata to policies and entitlements
      • Accessible to multiple applications
      • Scalable and highly available; can be used with RAC
      • Can require a password or authentication before dispensing information.
  • 36. SOX and Identity Management Components
    • Oracle Virtual Directory
      • Provides access to external data sources without copying or moving data between sources
      • Allows single sign-on to Microsoft, Novell, IBM and Sun servers
      • Reduces the need for replication
      • Improves scalability; a company acquiring other companies can use OVD to integrate faster.
  • 37. SOX and Identity Management Components
    • Oracle Adaptive Access Manager
      • Can assess user access patterns and determine whether they have proper access.
      • Chase example.
  • 38. Enterprise Identity Management (architecture diagram): an Identity Management Service spanning Systems & Repositories (NOS/Directories, OS (Unix), Mainframe) and Applications (ERP, CRM, HR, SOA Applications), serving internal users (Employees, IT Staff) and external users (Partners, Customers), with Auditing and Reporting, Policy and Workflow, and Delegated Admin
    • Access Management
      • Authentication & SSO
      • Authorization & RBAC
      • Identity Federation
    • Identity Administration
      • Directory Services
        • LDAP Directory
        • Meta-Directory
        • Virtual Directory
      • Identity Provisioning
        • Agent-based
        • Agentless
        • Password Synchronization
    • Monitoring and Management
  • 39. Oracle Identity Federation
    • Features
      • Identity and trust sharing across business partners, both as Service Provider (Hub) or Identity Provider (Spoke)
      • Lightweight, multi-protocol gateway – SAML, Liberty, WS-Federation
      • Integrates with leading Identity Management platforms
  • 40. Oracle Identity Federation
    • Benefits
      • Reduced cost of interaction between business partners
      • Reduce administration cost
      • Deliver improved end user experience
  • 41. Oracle Identity Federation
    • Differentiators
      • Self-contained, easy to deploy solution
      • Flexible deployment configurations
      • Rich, 100% web-based configuration interfaces for improved administrator and end user experience
      • Proven scalability – large production deployments
  • 42. Oracle Internet Directory
    • Features
      • Full-featured LDAP server with an RDBMS data store
      • Industry-leading scalability and HA capabilities
      • Strong Oracle platform integration
      • VSLDAP certified and EAL4 compliant
  • 43. Oracle Internet Directory
    • Benefits
      • Reduced operational cost with Oracle Grid support
      • Seamless integration with Oracle Applications and Products
  • 44. Oracle Internet Directory
    • Differentiators
      • RDBMS backend provides proven scalability & performance
      • Rich, built-in auditing of all events and operations
      • Flexible data replication and redundancy features
      • Ships with built-in directory integration functionality
  • 45. Oracle Virtual Directory
    • Features
      • Virtualization, Proxy, Join & Routing capabilities
      • Modern Java & Web Services technology
      • Superior extensibility
      • Scalable multi-site administration
      • Direct data access
  • 46. Oracle Virtual Directory
    • Benefits
      • Perform Real-time directory integration
      • Accelerate application deployment
      • Lower development costs
  • 47. Oracle Virtual Directory
    • Differentiators
      • Lightweight & flexible architecture
      • Supports true virtualization without local cache, enabling stringent policy or privacy requirements
      • Modular architecture supports the addition of connectors to a wide array of identity stores
  • 48. Oracle Access Manager
    • Features
      • Multi-level, multi-factor authentication
      • Web and app server level authorization
      • Workflow-driven self-service & delegated administration
      • Services-based architecture eases integration with existing IT infrastructure
  • 49. Oracle Access Manager
    • Benefits
      • Policy-based access management
      • Centralized and consistent security across heterogeneous environments
      • Increased IT governance and compliance readiness
      • Reduced administration cost
  • 50. Oracle Access Manager
    • Differentiators
      • Administrative scalability via workflow and delegation
      • Access control leverages up to date identity information
      • Comprehensive auditing to a common database
  • 51. Database Vault, Audit Vault and SOX
    • Provide security measures
    • Provide a place to retrieve audit information
    • Provide collection of key information
    • Provide reports on data important to your organization
  • 52. Audit Vault
    • Protect data with AV Security by the Administrator
    • Store data with AV Archiver and AV Audit Collection
    • Report on data with Alerts and Reports
  • 53. Audit Vault Alert Report Sample from Oracle
  • 54. Audit Vault Dashboard Sample from Oracle
  • 55. Database Vault
    • Prevent DBA from seeing Medical information, Social Security numbers and other regulated data.
    • Enforce data access through the application?
    • Prevent un-authorized modifications to the application and database?
  • 56. Oracle Database Vault Realms (Oracle-supplied slide: a Medical Information realm and a Financial Information realm, each with its own DBA)
    • Realms can be easily applied to existing applications with minimal performance impact
    • Insider access to data can be controlled
    • Security risk from server consolidation can be controlled with realms.
    • Database DBA attempts to view Medical data: select * from HR.emp
    • Medical Records DBA attempts to view Financial data
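The realm pictured above, as an added example (not from the slides or Oracle's own material) using Database Vault's DBMS_MACADM administration package. It assumes an HR schema holding the medical data, an application account MED_APP, and a user holding the DV_OWNER role running it; the realm name is made up.

```sql
-- Added example: put the HR schema under a Database Vault realm so that a DBA whose
-- SELECT ANY TABLE privilege would otherwise reach HR.EMP is stopped by the realm.
-- Run as a Database Vault owner (DV_OWNER). Names are assumed for illustration.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Medical Information Realm',
    description   => 'Protects HR tables holding regulated medical data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- record every blocked attempt

  -- Every object of every type in HR belongs to the realm ('%' is the wildcard)
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Medical Information Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Only the medical-records application account is authorised. A PARTICIPANT may
  -- use the protected objects; an OWNER could additionally grant privileges on them.
  -- No rule set is attached (NULL), so the authorisation is unconditional.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Medical Information Realm',
    grantee       => 'MED_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/
-- Check: connected as a DBA that is not a realm participant,
--   SELECT * FROM HR.emp;
-- is rejected with ORA-01031: insufficient privileges, and because the realm audits
-- failures the attempt is written to the Database Vault audit trail for review.
```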
  • 57. Database Vault administration view supplied by Oracle
  • 58. Database Vault Feature Admin
    • Realms allow classifying data (schemas) and roles into protected functional groups
    • Command Rules control the processing of Data Definition Language statements such as CREATE and DROP
    • Factors are used with rules to control database access
    • Rule Sets are the engine that applies security policies
    • Label Security integration restricts access to labeled data based on Database Vault factors
  • 59. Database Vault view supplied by Oracle
  • 60. Database Vault view supplied by Oracle
  • 61. Database Vault view supplied by Oracle
  • 62. Database Vault view supplied by Oracle
  • 63. Oracle Database Vault Rules & Multi-factor Authorization (Oracle-supplied slide)
    • Factors and Command Rules provide flexible and adaptable security controls
    • Database DBA attempts to make changes remotely (alter system…, create…)
      • Rule based on IP address blocks the action
    • HR DBA performs unauthorized actions during production (3pm Monday) against the HR Realm
      • Rule based on date and time blocks the action
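The two rules pictured above, written out as an added example (not from the slides or Oracle's own material) with DBMS_MACADM command rules. The jump-host address 10.0.0.5, the production-hours window, the HR schema and the rule and rule-set names are all assumed; a DV_OWNER user runs the block.

```sql
-- Added example: a factor-based rule blocks ALTER SYSTEM from anywhere but the DBA host,
-- and a date/time rule blocks DDL in HR during production hours. Names are assumed.
DECLARE
  -- Helper: a rule set that requires ALL its rules to pass, audits failures and
  -- returns a custom error to the blocked session.
  PROCEDURE make_rule_set(p_name VARCHAR2, p_desc VARCHAR2, p_msg VARCHAR2) IS
  BEGIN
    DBMS_MACADM.CREATE_RULE_SET(
      rule_set_name   => p_name,
      description     => p_desc,
      enabled         => DBMS_MACUTL.G_YES,
      eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
      audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
      fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
      fail_message    => p_msg,
      fail_code       => -20001,
      handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
      handler         => NULL);
  END;
BEGIN
  -- Rule 1 (IP address): DVF.F$CLIENT_IP is the function Database Vault generates
  -- for its default Client_IP factor; it yields the connecting client's address.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is DBA Jump Host',
    rule_expr => 'DVF.F$CLIENT_IP = ''10.0.0.5''');        -- assumed jump-host address
  make_rule_set('Remote Admin Allowed',
                'ALTER SYSTEM permitted only from the DBA host',
                'ALTER SYSTEM is not allowed from this client address');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Remote Admin Allowed', 'Is DBA Jump Host');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Remote Admin Allowed',
    object_owner  => '%',          -- ALTER SYSTEM has no owner/object: wildcards
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
  -- Rule 2 (date and time): CREATE TABLE in HR only outside production hours,
  -- taken here as Monday-Friday 08:00-17:59 (so 3pm Monday is blocked).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Outside Production Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=ENGLISH'') IN (''SAT'', ''SUN'') '
              || 'OR TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) NOT BETWEEN 8 AND 17');
  make_rule_set('HR Change Window',
                'DDL in HR only outside production hours',
                'Changes to HR objects are not allowed during production hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Change Window', 'Outside Production Hours');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'HR Change Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Because both rule sets audit failures, each blocked ALTER SYSTEM or out-of-window CREATE TABLE leaves a Database Vault audit record that Audit Vault can collect for the SOX reporting discussed later in the deck.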
  • 64. Database Vault view supplied by Oracle
  • 65. Built-In Factors (additional factors can be defined)
    • Authentication Method
    • Domain
    • Session User
    • Database Name
    • Database Instance
    • Time
    • Enterprise Identity
    • Date
    • Machine Name
    • Machine
    • Database IP
    • Database Hostname
    • Language
    • Network Protocol
  • 66. Oracle Label Security Integration (Oracle-supplied slide)
    • Oracle Label Security restricts access to labeled data based on Database Vault factors
    • Diagram labels: Highly Sensitive, Sensitive, Public; Corporate Intranet; Access Factor = External; Suppliers: Sensitive, Non-Sensitive
  • 67. SOX and R12 General Ledger
    • Profile Option
      • SLA: Enable Subledger Transaction Security in GL – this enforces the transaction security of the application owning the transaction
      • When data is sent to GL from Payables you have three options: Draft, Final, Final Post
      • GL security can be Use, Modify or View
  • 68. Conclusion
    • Internal Controls-Segregation of Duties
    • Internal Controls-Identity Management
    • Reporting on and managing internal controls: Audit Vault and Database Vault
    • Release 12 and SOX
  • 69. THANK YOU!
    • A special thanks to: Norman White, Audrey Jackson, Solution Beacon, Oracle – www.solutionbeacon.com
  • 70. SOX and Oracle
    • Questions and Answers
    • Email address: [email_address]
    • Telephone Number: 313-224-3303