Achieving Sarbanes-Oxley Compliance with Oracle Identity Management. An Oracle White Paper September 2005



Similar documents
Integrating Tutor and UPK Content: A Complete User Documentation Solution. An Oracle White Paper April 2008

An Oracle White Paper July Introducing the Oracle Home User in Oracle Database 12c for Microsoft Windows

One View Report Samples Financials

Oracle Role Manager. An Oracle White Paper Updated June 2009

An Oracle White Paper January Access Certification: Addressing & Building on a Critical Security Control

Monitoring and Diagnosing Production Applications Using Oracle Application Diagnostics for Java. An Oracle White Paper December 2007

One View Report Samples Warehouse Management

Lowering E-Discovery Costs Through Enterprise Records and Retention Management. An Oracle White Paper March 2007

Mobile-First Strategy. CIO Executive Interview

Highmark Unifies Identity Data With Oracle Virtual Directory. An Oracle White Paper January 2009

An Oracle Communications White Paper December Serialized Asset Lifecycle Management and Property Accountability

Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory. Overview August 2008

An Oracle White Paper June Security and the Oracle Database Cloud Service

One View Report Samples Health and Safety Incident Management

INFORMATION SIMPLIFIED

Simplifying Contact Center Technology

Express Implementation for Electric Utilities

Managed Storage Services

MANAGING A SMOOTH MARKETING AUTOMATION SOFTWARE IMPLEMENTATION

An Oracle White Paper December Tutor Top Ten List: Implement a Sustainable Document Management Environment

Attestation of Identity Information. An Oracle White Paper May 2006

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

The Yin and Yang of Enterprise Project Portfolio Management and Agile Software Development: Combining Creativity and Governance

Next Generation Siebel Monitoring: A Real World Customer Experience. An Oracle White Paper June 2010

March Oracle Business Intelligence Discoverer Statement of Direction

An Oracle White Paper March Managing Metadata with Oracle Data Integrator

The Case for a Stand-alone Rating Engine for Insurance. An Oracle Brief April 2009

Mobile Technology for Wealth Management Advisors

An Oracle White Paper February Real-time Data Warehousing with ODI-EE Changed Data Capture

An Oracle White Paper February Integration with Oracle Fusion Financials Cloud Service

INFORMATION CONNECTED

Product Lifecycle Management in the Medical Device Industry. An Oracle White Paper Updated January 2008

Oracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007

The Next Generation of Local Government: Transforming Non-Emergency and 311 Call Center Solutions to a Complete Constituent Experience

Oracle Primavera Gateway

Oracle FLEXCUBE Direct Banking Release Retail Credit Card User Manual. Part No. E

An Oracle White Paper March Integrating Microsoft SharePoint Server With Oracle Virtual Directory

Business Intelligence and Service Oriented Architectures. An Oracle White Paper May 2007

Product Lifecycle Management in the Food and Beverage Industry. An Oracle White Paper Updated February 2008

Technical Upgrade Considerations for JD Edwards World Customers. An Oracle White Paper February 2013

PEOPLESOFT ENTERPRISE TALENT ACQUISITION MANAGER

The Bayesian Approach to Forecasting. An Oracle White Paper Updated September 2006

Power Reply and Oracle Utilities

Oracle Business Intelligence Applications Overview. An Oracle White Paper March 2007

An Oracle White Paper September Oracle Database and the Oracle Database Cloud

An Oracle White Paper October An Integrated Approach to Fighting Financial Crime: Leveraging Investments in AML and Fraud Solutions

An Oracle White Paper March Oracle s Single Server Solution for VDI

SaaS Data Architecture. An Oracle White Paper Oct 2008

An Oracle White Paper January Using Oracle's StorageTek Search Accelerator

An Oracle White Paper May 2011 BETTER INSIGHTS AND ALIGNMENT WITH BUSINESS INTELLIGENCE AND SCORECARDS

10 Questions to Ask Your On-Demand Contact Center Provider. An Oracle White Paper September 2006

Rapid Bottleneck Identification A Better Way to do Load Testing. An Oracle White Paper June 2009

Oracle Business Intelligence Enterprise Edition Plus and Microsoft Office SharePoint Server. An Oracle White Paper October 2008

Oracle SQL Developer Migration. An Oracle White Paper September 2008

INFORMATION CONNECTED

An Oracle White Paper June Integration Technologies for Primavera Solutions

Oracle Easy Connect Naming. An Oracle White Paper October 2007

Business Driven Process Optimization

ORACLE QUALITY ORACLE DATA SHEET KEY FEATURES

Oracle s BigMachines Solutions. Cloud-Based Configuration, Pricing, and Quoting Solutions for Enterprises and Fast-Growing Midsize Companies

Leveraging Mashups to Address Financial Services Challenges

An Oracle Best Practice Guide April Best Practices for Designing Contact Center Experiences with Oracle RightNow CX Cloud Service

October A New Standard for Excellence. Transforming Education and Research with Oracle Innovation

ORACLE DRIVER MANAGEMENT INTEGRATION PACK FOR ORACLE TRANSPORTATION MANAGEMENT AND ORACLE E-BUSINESS SUITE

Ensuring Web Service Quality for Service-Oriented Architectures. An Oracle White Paper June 2008

CRM On Demand now hosted locally in Europe. An Oracle White Paper 2011

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

ORACLE ASSET TRACKING

Five Things to Consider in an Enterprise CRM Evaluation. An Oracle White Paper July 2010

An Oracle White Paper November Oracle Business Intelligence Standard Edition One 11g

A Comprehensive Solution for API Management

Oracle Documents Cloud Service. Secure Collaboration for the Digital Workplace

ORACLE SELF INSURANCE

Oracle Data Integrator and Oracle Warehouse Builder Statement of Direction

Moving from the Mission Statement to Reality: Achieving a Customer Centric Bank

Improve your Customer Experience with High Quality Information

An Oracle White Paper February Rapid Bottleneck Identification - A Better Way to do Load Testing

Oracle Business Rules Business Whitepaper. An Oracle White Paper September 2005

ORACLE PROJECT MANAGEMENT

Lean Procurement: The Future of Supply Chain Management in a Demand-Driven World

Business Intelligence and Enterprise Performance Management: Trends for Midsize Companies. An Oracle White Paper Updated July 2008

An Oracle White Paper April, Effective Account Origination with Siebel Financial Services Customer Order Management for Banking

PEOPLESOFT SUCCESSION PLANNING

An Oracle White Paper February Oracle Data Integrator 12c Architecture Overview

Oracle Database 10g: Building GIS Applications Using the Oracle Spatial Network Data Model. An Oracle Technical White Paper May 2005

Oracle Net Services for Oracle10g. An Oracle White Paper May 2005

INFORMATION CONNECTED

An Oracle White Paper June Introduction to Determinations Engines

Oracle Whitepaper April Security and the Oracle Database Cloud Service

For Midsize Organizations. Oracle Product Brief Oracle Business Intelligence Standard Edition One

PRIMAVERA TRANSFORMING THE OIL AND GAS INDUSTRIES

Oracle Insurance General Agent Hardware and Software Requirements. Version 8.0

CUSTOMER MASTER DATA MANAGEMENT PROCESS INTEGRATION PACK

An Oracle White Paper July Oracle Desktop Virtualization Simplified Client Access for Oracle Applications

Oracle BI Publisher Enterprise Cluster Deployment. An Oracle White Paper August 2007

What you need from an Enterprise Grade CRM System. An Oracle White Paper November 2008

An Oracle White Paper September Integrated Technology Solutions: Driving the AEC Revolution

An Oracle White Paper August Higher Security, Greater Access with Oracle Desktop Virtualization

Oracle FLEXCUBE Direct Banking Release Corporate Foreign Exchange User Manual. Part No. E

An Oracle Strategy Brief November Rules for Rules: Bringing Order and Efficiency to the Modern Insurance Enterprise

Transcription:

Achieving Sarbanes-Oxley Compliance with Oracle Identity Management An Oracle White Paper September 2005

Achieving Sarbanes-Oxley Compliance with Oracle Identity Management INTRODUCTION The Sarbanes-Oxley Act of 2002 requires corporate executives to provide and ensure an increased level of financial and operational discipline. To comply with this law, most large corporations are now implementing a variety of new measures that cross financial reporting and processes, as well as internal business operations. This short paper describes how Oracle Identity Management can help ensure compliance with Sarbanes-Oxley (as well as other regulations) while increasing ability to monitor and audit compliance on an ongoing basis. INTERNAL OPERATIONAL CONTROLS Section 404 of Sarbanes-Oxley requires companies to define and enforce effective internal controls over business operations. While the Act does not define these controls in any detail, significant effort has been made to guide organizations as they create and deploy these controls. Operational controls span the entire business, beyond the purely financial transactions. While information technology is not a cure-all, IT can certainly help enforce and audit many internal controls. At the core of many controls is the notion of rights; what are the rights a particular manager has, and are those rights in line with new internal controls? One common internal control relates to separation of duties. For example, a corporate manager who has rights to create a new purchasing order might be required not to have rights to create a new approved vendor. By separating these two duties, the desired effect is to prevent any manager from diverting business to a friend s company. However, while many of these controls are straightforward to define in abstract, enforcing and auditing these becomes difficult in practice. Most corporations struggle to govern interactions between people and applications effectively, to enforce internal controls and to audit rights and responsibilities. Achieving Sarbanes-Oxley Compliance with Oracle Identity Management Page 2

INTERNAL CONTROLS AND PEOPLE Controls Affecting Employees Of course, the most common view of Sarbanes-Oxley compliance relates to people: Who can access which systems and data, what can they do with those systems, what happens when I grant Person X this right, and what happens when Person Z is transferred? To further match internal controls with actual business operations, many companies deploy an identity management system. By defining roles and groups, then assigning or revoking rights to those roles and groups, companies can show and enforce internal controls and separation of duties in practice. For example, a firm might create a dynamic group called Purchasers, with the rights to access the Purchase Order Management system. The firm might also create a group called Vendor Managers, with the rights to access the database and system that controls corporate approved vendors. Most importantly, by next defining an access policy in the identity management system that prevents any member of the Purchasers group from being in the Vendor Managers group, and vice versa, the firm can execute its separation of duties control. The benefit of using the identity management system for this purpose is that as any one employee is promoted or reassigned, the identity management system will automatically manage that employee s membership in the above two groups. Any attempt by an employee in the Purchasers group to access the Vendor Management system will be not only blocked by the identity management system, but also logged and flagged for later audit purposes. Additional tools for enforcing employee-facing controls come from user provisioning technologies. These can enforce rules relating to employee rights, to ensure that new user accounts are created with correct rights. Achieving Sarbanes-Oxley Compliance with Oracle Identity Management Page 3

Controls Affecting Business Partners So far, we have looked at internal controls as they relate to internal people, i.e. employees. However, operational controls might also be applied to external people, such as employees of a supplier, a distributor, or corporate customer. These external parties are tied into a corporation more tightly than ever before, and this integration may create compliance issues. In many cases, a corporation might store and manage information about its partners employees as well as its own. This information is used to grant partners access to internal applications. Often, responsibility for managing this information is delegated to the partners themselves, even though the data and access rights live within the corporation. This creates an additional set of holes, not only concerning rights and separation of duties regarding partner employees, but also audited controls when one of those employees leaves the partner organization. If the partner neglects to update the corporation s systems, a rogue ex-employee will still have rights to access internal systems at the corporation. New forms of identity management systems, typically known as federated access systems, can provide automatic enforcement of controls against partner employees accessing corporate systems, thereby increasing compliance in additional areas. INTERNAL CONTROLS AND APPLICATIONS While applying internal financial and operational controls to people is most common, many corporations are starting to worry about applying these controls to the interactions between two back-end corporate systems. That is, as technologies such as web services proliferate, it is much easier for systems to connect and access each other s data directly, without people involved. This increases business agility and efficiency, but open up a new set of compliance holes. What corporation wants to spend significant time and money to implement regulatory controls on its people, only to find that automated interactions between back office systems are completely avoiding these controls? Because of this scenario, many firms are looking to apply IT solutions to automated systems operations in a similar manner to operations involving people. This makes sense, as many concepts, such as rights control, separation of duties (in the form of business logic) and auditing/reporting apply equally well to business systems and applications as people. Firms that are examining Service Oriented Architectures as a way of increasing business agility should prepare to apply operational controls to these architectures and applications. Products such as web services management solutions are available to automate enforcement of internal controls within back office and inter-company data processing. Achieving Sarbanes-Oxley Compliance with Oracle Identity Management Page 4

COMPLIANCE AUDITING AND REPORTING Effective design and deployment of internal controls is only half of the burden imposed by Sarbanes-Oxley. Firms must also be able to demonstrate the workings of these controls. As a result, comprehensive auditing and reporting of controls are as important as the controls themselves. Otherwise, the firm cannot show compliance, thereby wasting the effort. Earlier, we discussed one of the main benefits of identity management and web services management solutions for compliance these technologies automate the enforcement of internal controls. However, there is a second important benefit. As these products enforce controls, they also gather the data necessary to audit transactions and demonstrate proper operations of these controls. Firms that are considering IT solutions to enforce internal controls across corporate applications should examine these solutions ability to track and report on enforcement and potential violations. ORACLE IDENTITY MANAGEMENT AND SARBANES-OXLEY As a leading provider of technology for managing interactions between people and corporate applications, Oracle provides a full suite of identity and web services management solutions. For example, Oracle COREid Access and Identity ensure enforcement of rights for both internal employee and business partner access. Oracle Web Services Manager applies these same controls to back-office system-tosystem interactions, for example between an accounting and order processing application. Sarbanes-Related Features Oracle has found that customers typically use several key features as they complete their compliance initiatives. These include: strong policy enforcement, automatic group management, and centralized reporting. Strong Policy Enforcement. Many compliance controls require specific and often complex policies related to access and application rights. Oracle COREid Access and Identity provide extremely flexible policy definition, so that customers can build IT controls that match real-world business requirements. Automatic Group Management. Enforcing separation of duties requires effective and up-to-date group membership. Without automatic group management, the firm cannot ensure that a particular employee is locked out of a particular system. Oracle COREid Access and Identity provides automatic group management and membership, based on employee attributes, so that policies are enforced correctly. Centralized Reporting. Defining and enforcing controls is only half the battle; reporting on these controls is equally important. Oracle COREid Access and Identity provides a centralized reporting facility that gathers information from many decentralized systems, collates the data, and generates compliance reports on the fly. As a result, Oracle customers can ensure not only enforcement, but also demonstration of all necessary IT controls. Achieving Sarbanes-Oxley Compliance with Oracle Identity Management Page 5

CONCLUSION The result of the Oracle Identity Management solutions is more effective internal controls, tighter auditing and improved reporting, and greatly improved compliance with a host of regulations, including Sarbanes-Oxley. Achieving Sarbanes-Oxley Compliance with Oracle Identity Management Page 6

Achieving Sarbanes-Oxley Compliance with Oracle Identity Management September 2005 Author: Rick Caccia Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright 2005, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information