Attestation of Identity Information. An Oracle White Paper May 2006



Similar documents
Oracle Role Manager. An Oracle White Paper Updated June 2009

Achieving Sarbanes-Oxley Compliance with Oracle Identity Management. An Oracle White Paper September 2005

Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory. Overview August 2008

Integrating Tutor and UPK Content: A Complete User Documentation Solution. An Oracle White Paper April 2008

Oracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

An Oracle White Paper January Access Certification: Addressing & Building on a Critical Security Control

How To Manage It Asset Management On Peoplesoft.Com

10 Questions to Ask Your On-Demand Contact Center Provider. An Oracle White Paper September 2006

The Case for a Stand-alone Rating Engine for Insurance. An Oracle Brief April 2009

Monitoring and Diagnosing Production Applications Using Oracle Application Diagnostics for Java. An Oracle White Paper December 2007

Managed Storage Services

March Oracle Business Intelligence Discoverer Statement of Direction

Lowering E-Discovery Costs Through Enterprise Records and Retention Management. An Oracle White Paper March 2007

PEOPLESOFT IT ASSET MANAGEMENT

Business Intelligence and Service Oriented Architectures. An Oracle White Paper May 2007

An Oracle White Paper July Introducing the Oracle Home User in Oracle Database 12c for Microsoft Windows

ORACLE QUALITY ORACLE DATA SHEET KEY FEATURES

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

An Oracle White Paper January Oracle Database Firewall

Simplifying Contact Center Technology

ORACLE IT SERVICE MANAGEMENT SUITE

An Oracle White Paper January Oracle Database Firewall

An Oracle Communications White Paper December Serialized Asset Lifecycle Management and Property Accountability

An Oracle White Paper April, Effective Account Origination with Siebel Financial Services Customer Order Management for Banking

ORACLE HYPERION PUBLIC SECTOR PLANNING AND BUDGETING

APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS

An Oracle White Paper June Integration Technologies for Primavera Solutions

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y

Next Generation Siebel Monitoring: A Real World Customer Experience. An Oracle White Paper June 2010

Oracle Fusion Human Capital Management Overview and Frequently Asked Questions

ORACLE ENTERPRISE MANAGER 10 g CONFIGURATION MANAGEMENT PACK FOR ORACLE DATABASE

APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS

Oracle s BigMachines Solutions. Cloud-Based Configuration, Pricing, and Quoting Solutions for Enterprises and Fast-Growing Midsize Companies

The Next Generation of Local Government: Transforming Non-Emergency and 311 Call Center Solutions to a Complete Constituent Experience

An Oracle White Paper June Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

ORACLE DRIVER MANAGEMENT INTEGRATION PACK FOR ORACLE TRANSPORTATION MANAGEMENT AND ORACLE E-BUSINESS SUITE

Oracle Insurance Policy Administration System Quality Assurance Testing Methodology. An Oracle White Paper August 2008

An Oracle White Paper September Directory Services Integration with Database Enterprise User Security

Product Lifecycle Management in the Medical Device Industry. An Oracle White Paper Updated January 2008

Evolution from the Traditional Data Center to Exalogic: An Operational Perspective

An Oracle White Paper March Managing Metadata with Oracle Data Integrator

INFORMATION SIMPLIFIED

An Oracle White Paper November Upgrade Best Practices - Using the Oracle Upgrade Factory for Siebel Customer Relationship Management

Oracle Sales Cloud Configuration, Customization and Integrations

PEOPLESOFT ENTERPRISE PAYABLES

Highmark Unifies Identity Data With Oracle Virtual Directory. An Oracle White Paper January 2009

MANAGING A SMOOTH MARKETING AUTOMATION SOFTWARE IMPLEMENTATION

An Oracle Strategy Brief November Rules for Rules: Bringing Order and Efficiency to the Modern Insurance Enterprise

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

ORACLE PROCESS MANUFACTURING QUALITY MANAGEMENT

One View Report Samples Warehouse Management

Oracle Business Intelligence Applications Overview. An Oracle White Paper March 2007

The Oracle Mobile Security Suite: Secure Adoption of BYOD

One View Report Samples Financials

PEOPLESOFT HELPDESK FOR HUMAN RESOURCES

Express Implementation for Electric Utilities

Oracle Data Integrator and Oracle Warehouse Builder Statement of Direction

How To Manage Content Management With A Single System

Implementing a Custom Search Interface with SES - a case study with search.oracle.com. An Oracle White Paper June 2006

ORACLE isupplier PORTAL

Self-Service SOX Auditing With S3 Control

The Abu Dhabi Judicial Department Integrated Justice System

Oracle Database 10g: Building GIS Applications Using the Oracle Spatial Network Data Model. An Oracle Technical White Paper May 2005

Oracle Identity Manager. An Oracle White Paper June 2006

An Oracle White Paper October BI Publisher 11g Scheduling & Apache ActiveMQ as JMS Provider

An Oracle White Paper February Real-time Data Warehousing with ODI-EE Changed Data Capture

Oracle Primavera Gateway

Oracle On Demand Infrastructure: Virtualization with Oracle VM. An Oracle White Paper November 2007

An Oracle White Paper November Oracle Business Intelligence Standard Edition One 11g

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

ORACLE FINANCIAL ANALYTICS

ORACLE APPLICATION ACCESS CONTROLS GOVERNOR FOR PEOPLESOFT

An Oracle White Paper June Security and the Oracle Database Cloud Service

IBM Tivoli Netcool Configuration Manager

ORACLE HYPERION DATA RELATIONSHIP MANAGEMENT

Business Intelligence and Enterprise Performance Management: Trends for Midsize Companies. An Oracle White Paper Updated July 2008

Technical Upgrade Considerations for JD Edwards World Customers. An Oracle White Paper February 2013

An Oracle Strategy Brief May No Limits: Enabling Rating without Constraints

Oracle Hyperion Financial Close Management

An Oracle White Paper May The Role of Project and Portfolio Management Systems in Driving Business and IT Strategy Execution

Mobile-First Strategy. CIO Executive Interview

The Bayesian Approach to Forecasting. An Oracle White Paper Updated September 2006

An Oracle White Paper August JD Edwards EnterpriseOne Workflow Processes

Oracle Banking Platform. Enabling Transformation of Retail Banking

ORACLE FINANCIALS ACCOUNTING HUB

Power Reply and Oracle Utilities

Transcription:

Attestation of Identity Information An Oracle White Paper May 2006

Attestation of Identity Information INTRODUCTION... 3 CHALLENGES AND THE NEED FOR AUTOMATED ATTESTATION... 3 KEY FACTORS, BENEFITS AND TYPICAL USE CASES... 5 INDUSTRY TRENDS... 6 ORACLE S ATTESTATION SOLUTION... 7 ORACLE S ATTESTATION ROADMAP SUMMARY... 10 CONCLUSION... 11 REFERENCES... 11 Attestation of Identity Information Page 2

Attestation of Identity Information INTRODUCTION Major emphasis is now placed on stringent enforcement of internal controls and regulatory compliance within corporations of all sizes, resulting from a number of recent government and industry initiatives such as the Sarbanes-Oxley (SOX) Act of 2002 (sections 302, 404, other), the Gramm-Leach-Bliley (GLB) Act, the Health Insurance Portability and Accountability (HIPAA) Act, European Anti-Fraud (EU-AF), Basel II and others for full disclosures of corporate accounting practices, prevention of corporate fraud, and individual privacy protection. The Information Technology Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA), the leading association of professionals in information systems audit, control, security and governance, offer an open standard Control Objectives for Information and related Technology (COBIT) that enables organizations to focus their IT activities in support of overall business objectives. In March 2004, the US Public Company Accounting Oversight Board (PCAOB) adopted a standard titled An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements. This standard outlines specific requirements for auditors to monitor transaction flows how they are initiated, authorized, recorded, processed and reported on. This involves the use of IT systems and applications for automating internal processes. The IT systems and applications all need to be considered in the design and evaluation of internal controls including program development, program changes, computer operations, and access to programs and data. CHALLENGES AND THE NEED FOR AUTOMATED ATTESTATION Outlined below are the generic IT control objectives that have been identified by the COBIT standard, in the publication on IT Control Objectives for Sarbanes-Oxley, published by the IT Governance Institute: Acquire or develop application software Acquire technology infrastructure Develop and maintain policies and procedures Attestation of Identity Information Page 3

Install and test application software and technology infrastructure Manage changes Define and manage service levels Manage third-party services Ensure systems security Manage the configuration Manage problems and incidents Manage data Manage operations The process of authorizing established internal controls, processes, policies, programs, and data, is commonly referred to as Attestation. Each organization is expected to implement a tailored IT control approach that fits its size and complexity, cognizant of the constraint that internal controls can only provide reasonable assurance of achieving an organization s IT control objectives. The Sarbanes-Oxley Act of 2002 is the result of firm resolve by the US Congress to improve corporate responsibility. It has fundamentally changed the business and regulatory environment. The Act aims to enhance corporate governance through measures that will strengthen internal checks and balances, and ultimately strengthen corporate accountability. The directives of SOX section 404 require that management provide an annual report on its assessment of internal controls over financial reporting. Section 404 of SOX requires a company s independent auditor to attest to management s assessment of its internal controls over financial reporting. Organizations must ensure that appropriate IT controls are in effect. They must also provide their independent auditors with documentation, evidence of functioning controls, and the documented results of testing procedures. An attestation process includes the reviewers, the data to be attested to, and the schedule for attestation activities. These drivers require all organizations with tradeable securities in US markets to authorize and validate user identity information for all internal and external users, including their entitlements, as well as the access policies and workflow processes defined and in use within various divisions in the organization. The process of authorizing established internal controls, processes, policies, programs, and data, is commonly referred to as Attestation. An attestation process includes the reviewers, the data to be attested to, and the schedule for attestation activities. In most corporate entities that comply with SOX 404, attestation is typically handled by use of manual processes and spreadsheets, which can be very time consuming and costly. Such manual processes are prone to human errors and involve repetitive efforts at every audit. By automating these routine tasks, organizations can realize significant time and cost savings in executing the processes required to demonstrate full compliance with industry regulations. Attestation of Identity Information Page 4

KEY FACTORS, BENEFITS AND TYPICAL USE CASES Internal controls are required over an organization s IT environment, computer operations, access to programs and data, program development and program changes. Access controls over programs and data become increasingly important as companies operate globally. Automated attestation capabilities allow organizations to quickly and periodically attest to who had access to what, when, how and why, across the organization s business and IT environment. Thousands of internal and external users may try to access IT systems and applications from around the world. Effective access controls can provide a reasonable level of assurance against inappropriate access and unauthorized use of IT systems and applications. As a result, organizations need to enforce adequate access control policies, via multiple enablers, such as secure passwords, firewalls, data encryption and cryptographic keys all of which can be effective methods of preventing unauthorized access. User accounts, roles, and related access privilege controls restrict the IT systems and applications only to authorized users, thus enabling appropriate separation of duties. There needs to be frequent and timely reviews of user profiles that permit or restrict access to various systems and applications within the enterprise. Immediate deprovisioning and revocation of user accounts and passwords for terminated employees must be enforced. An organization can protect its programs and data by preventing unauthorized use of and access to its IT systems and applications. Automated attestation capabilities allow organizations to quickly and periodically attest to who had access to what, when, how and why, across the organization s business and IT environment. This becomes particularly critical due to frequently changing dynamics of the user population in terms of the number of users accessing corporate systems, the changing statuses and roles of employees and contractors, and the specific resources accessed by different users at different times. Automated attestation complements existing internal control mechanisms and provides a means to verify the data, practices and policies put in place for ensuring compliance. Attestation by itself does not enforce or monitor business processes. The frequency of attestation audits can range from once a year to once every quarter. The use of automated attestation features enables organizations to create and follow standard practices and policies across various departments within an organization, while ensuring that the organization is meeting diverse regulatory Attestation of Identity Information Page 5

compliance requirements. This can be achieved without costly, time-consuming and error-prone manual processes. INDUSTRY TRENDS Many of the leading identity management vendors today provide technology that enables secure management of user identities across heterogeneous systems and applications. But very few vendors currently offer any attestation (also referred to within the industry as periodic access reviews or re-certification) capabilities as part of their identity management offering. Following up on extensive market research and specific customer demands, Oracle has taken the lead in offering automated attestation capabilities within its comprehensive identity management suite offering. In order to ensure effective and sustainable compliance, organizations must perform periodic reviews and attest to the fitness for purpose of user entitlements and access policies. It is not just user identity information that needs to be or can be attested to. The associated user entitlements, roles, access policies, workflow processes, and user transactions, all need to be attested to and reported on. Organizations need to authorize and validate all processes, actions and data associated with internal and external users of IT systems and applications. Following up on extensive market research and specific customer demands, Oracle has taken the lead in offering automated attestation capabilities within its comprehensive identity management suite. As customer adoption of this capability grows over the next few years, fueled by the significant value that it provides, it is expected that other identity management vendors will follow this lead in offering automated attestation capabilities for identity and access data. Other existing standalone attestation products in the industry today lack the scalability and performance required for enterprise deployments. They do not provide the links to trigger corrective actions, and cannot easily be upgraded to handle attestation of data other than user entitlements, such as workflows and policies. Major effort is required to integrate such stand-alone attestation products with provisioning and compliance solutions. Attestation of Identity Information Page 6

ORACLE S ATTESTATION SOLUTION Oracle s automated attestation capabilities involve presenting user identity and finegrained entitlement data to authorized reviewers for sign-off on the data s accuracy, and providing reviewers with the means to document and correct any inaccuracies. As part of its comprehensive identity management suite, Oracle has enhanced its identity audit and compliance automation component that includes automated auditing, reporting and attestation features. An attestation process, as defined in Oracle Identity Manager (OIM), includes the reviewers, the data to be attested to, and the schedule for attestation tasks to be run. Process Automation Attestation Attestation Process Reviewer + Data to Attest + Schedule Process configuration Process admin Process owner Specific user or manager Auto manager lookup Delegation Entitlements across groups, orgs, resources Periodic On-demand Oracle s automated attestation capabilities involve presenting user identity and fine-grained entitlement data to authorized reviewers for sign-off on the accuracy of the data, and providing reviewers with the means to document and correct any inaccuracies. Attestation processes can be run on demand or can be scheduled for periodic execution at regular intervals, whether it is once a year, once every six months, or once every quarter. Specific actions that can be undertaken by a reviewer for specific attestation requests include the ability to certify, reject, delegate or decline each entry in the attestation request. The data to be attested to can range from basic user profile data to access privileges or entitlements assigned to users and roles. Specific actions that can be undertaken by a reviewer for attestation include the ability to certify, reject, decline or uniquely, delegate each entry in the attestation request. Reviewers can enter specific comments for each entry in the request to justify the action taken, and can also enter generic comments that apply to all entries in the request. Each attestation request may contain a number of entries for instance, to include each entitlement assigned to each user and the reviewer has the ability to take one of four actions certify, reject, decline or delegate for each of these entries. The reviewer can select responses for some of the entries in the request, save the selections, then review the request again at a later time to complete the actions for other entries, and finally submit the whole attestation request for processing. Email notifications are sent to the reviewer and the users affected, so they are aware of the actions taken on the data. Each of these attestation requests is archived for subsequent auditing and reporting. Attestation of Identity Information Page 7

Resources can be tagged as financially significant and the user entitlements for such resources are automatically selected to participate in attestation processes. Optionally, specific resources that are not tagged as financially significant can also be selected for attestation on-demand. All data and actions taken on attestation requests are also archived for subsequent auditing and reporting purposes. Attestation Process Framework Scheduled or on-demand request generation Build data snapshot at request time Notify reviewer of attestation request Reviewer reviews data and takes actions Query operational data Archive data to be attested to Archive attestation actions Archive delegation path Reviewer actions Certify Reject Decline Delegate Configurable workflows based on reviewer action Exception handling workflows Notify process owner Notify delegated reviewer The diagram above illustrates Oracle s attestation process flow and framework. First, a scheduled or an on-demand attestation request is generated. A snapshot of the data required for the attestation task is compiled. The reviewer is then notified of the attestation request. The reviewer then logs into the system and views the attestation request displayed in his/her attestation inbox. The attestation request is typically composed of a number of entries, one for each item of user profile data or user entitlement data to be attested to for each user. The reviewer can make one of four selections for each entry: Certify reviewer attests to the data as accurate Reject reviewer marks the data as inaccurate Decline reviewer refuses to perform any attestation on this entry Delegate reviewer delegates the attestation task for this entry to an alternate reviewer Attestation of Identity Information Page 8

The reviewer has the option of making the selections only for a subset of the entries in the request, saving the actions taken, and then returning at a later time to complete the attestation request. The reviewer can also enter individual comments for each entry, or a generic comment for all entries in the request. Once the reviewer has completed taking an action for each entry, he/she can submit the entire attestation request for further processing. At this point, email notifications are sent to the reviewers, users, and the process owners associated with this attestation request. Key features of Oracle s current attestation offering include: Step-by-step definition of attestation processes On-demand or periodic scheduling of attestation tasks and processes Attestation of users fine-grained entitlements across multiple resources Ability to tag resources as financially significant for participation in the attestation process Ability to certify, reject, decline or delegate each item in an attestation request Fine-grained attestation actions for each entitlement for each user for each resource Notifications to reviewers, users and process owners regarding attestation actions Reports on attestation requests processed summary, by reviewer, by user, and by resource Archiving of attestation data for periodic auditing and reporting Archiving of attestation actions taken for periodic auditing and reporting Included below are sample quotes from customers who have deployed Oracle Identity Manager (previously known as Xellerate). In support of our 2004 SOX 404 audit, we saved at least 12 man-weeks on who has what auditing across our over 50 SOX-critical applications via TAC (powered by Xellerate, now part of OIM), versus manual data capture ~ Tom King, CISO, Lehman Brothers. While working through the steps to comply with Sarbanes-Oxley, we discovered that we needed to pay more attention to how employees were given access to sensitive data and programs. Although we had created written accesscontrol policies, they were enforced haphazardly, if at all. We installed Xellerate (now part of OIM) to automate the management of our 90,000 user identities. Attestation of Identity Information Page 9

When someone asks for an audit trail of access privileges, the relevant documentation is contained in the Xellerate (OIM) system" ~ Michael Bryan, Director of IT Governance, Nextel Communications, as appeared in InformationWeek, Mar 21, 2005. ORACLE S ATTESTATION ROADMAP SUMMARY Apart from attestation of users fine-grained entitlements, currently offered by the Oracle identity audit and compliance component, the ability to attest to additional entities including access policies, provisioning policies, workflow processes, approval chains, roles information, and financial transactions is planned for future releases. Additional features planned for the future include fine-grained target population definition to allow for arbitrarily complex selection of sets of users to whom specific attestation processes apply, ability to insert custom queries for target population definition, support for sequential and parallel multiple reviewers, complex delegation mechanisms, attestation request escalation mechanisms, ability to customize attestation processes, drill-down from reports to specific data attested to, operational and historical reports on attestation requests, and attestation gap analysis. As part of the Oracle Fusion Middleware project, the attestation features of Oracle Identity Manager (OIM) are to be leveraged by other Oracle products including Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards Enterprise One, and Siebel CRM to centralize and enhance applicationspecific compliance features. In addition, advanced integration with business role management systems, separation of duties framework, comprehensive data and audit vaults, and standard business intelligence and business monitoring systems and tools, are all planned for upcoming releases. Attestation of Identity Information Page 10

CONCLUSION Attestation is one of the key elements of identity audit and compliance. Organizations can realize major benefits in terms of time and cost savings by automating the process of attesting to all data related to identity management, by deploying an automated attestation solution in their heterogeneous business application and corporate IT environment. This can be an effective tool to quickly and periodically complete audit reviews, and to effectively meet regulatory compliance requirements in a timely manner. REFERENCES IT Control Objectives for Sarbanes-Oxley The Importance of IT in the Design, Implementation and Sustainability of Internal Control Over Disclosure and Financial Reporting, IT Governance Institute, April 2004 COBIT, IT Governance Institute, July 2000 Attestation of Identity Information Page 11

Attestation of Identity Information Authors: Pradeep Bhoj, Ed King Contributors: Nishant Kaushik, Naga Nagarajan, Hormazd Romer, John Aisien Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright 2005, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information