Governance, Risk, and Compliance Handbook for Oracle Applications

Written by industry experts with more than 30 years combined experience, this handbook covers all the major aspects of Governance, Risk, and Compliance management in your organization

Nigel King
Adil R Khan

PUBLISHING
professional expertise distilled
BIRMINGHAM - MUMBAI

Governance, Risk, and Compliance Handbook for Oracle Applications

Copyright © 2012 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: August 2012
Production Reference: 1170812

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84968-170-4

www.packtpub.com

Cover Image by Artie Ng (artherng@yahoo.com.au)

Credits

Authors: Nigel King, Adil R Khan
Reviewers: Sam Bicheno, Sam Monarch
Acquisition Editor: Dhwani Devater
Lead Technical Editor: Susmita Panda
Technical Editors: Mehreen Shaikh, Veronica Fernandes, Joyslita D'Souza
Copy Editor: Laxmi Subramanian
Project Coordinator: Vishal Bodwani
Proofreaders: Mario Cecere, Aaron Nash
Indexer: Hemangini Bari
Graphics: Valentina D'silva, Manu Joseph
Production Coordinators: Alwin Roy, Prachali Bhiwandkar, Kruthika Bangera
Cover Work: Alwin Roy, Prachali Bhiwandkar

Foreword

Governance is nothing less than running a company well, and Oracle has proved itself a well-run company for over 30 years. It has found the need to provide the management team and directors many tools and facilities to plot course and help guide this huge enterprise. Though we steer through many storms, the risks are known, the course is plotted, the equipment is lashed to the decks, or properly stowed. The crew is prepared to sheet or drop sail. These are the same tools that we make available to our customers, and while I have jokingly drawn the parallels to a sport with some connections to Oracle, the governance of an enterprise is a very broad and serious topic.

What Nigel and Adil have shown in this book is just how broad it is and how many facets of Governance, Risk, and Compliance are handled through those tools. We have great tools that specialize in GRC and we have many other tools that intersect with it. Just like the winds and the seas, the commercial, legal, and technological environment and the tools that we provide to help you manage them are varied and changing. This book gives you a great map on which you can chart your GRC journey, both present and near future. It is a journey that we are honored to share with you, as one of the many customers that has entrusted Oracle to provide the vessel and seamanship.
Chris Leone
Senior Vice President, HCM and GRC Products, Oracle Corporation

About the Authors

Nigel King is the Vice President for Functional Architecture at Fusion Applications. As such he leads a band of architects whose job is to steward the designs and underpinnings for those things that span product families. He has been working with Oracle for the past 17 years. In that time he has worked mostly in Applications Development. He has worked in many areas of Applications, starting off in Distribution Management and then leading Oracle Applications' first venture into Business Intelligence, and Product Lifecycle Management Applications. A restless observer and inventor, his real passion has always been to see a problem defined, and in being defined well, resolved.

By first profession he is a Chartered Management Accountant. He is also a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Security Professional (CISSP). He swears that as soon as he gets the book finished, he will catch up with his continuing professional education credits (CPE).

His patents include Methods and systems for portfolio planning, Audit management workbench, Internal audit operations for Sarbanes Oxley compliance, and Audit planning. He was fortunate to be hanging around at Oracle when the whole Enron issue happened. A decade later, GRC Apps was born, was new, then grew old, and is now suffused into many of the applications that surround it.

He is also Chairman of the Open Applications Group. The Open Applications Group is a 501(c)(6) not-for-profit standards development organization (SDO). This community is focused on building process-based business standards for e-commerce, Cloud Computing, Service Oriented Architecture (SOA), Web Services, and Enterprise Integration. The OAGI Specification includes ICXML, an XML specification for the exchange of risk and control libraries.
Before joining Oracle, he worked in what he now considers the "real world", first as an Accountant and then selling and implementing business systems. He gained insights in the high technology sector working for Philips, the consumer packaged goods sector working for Homepride Foods and Jeyes Group, and was introduced to the software world through Business Technology Consultants.

He is also a licensed boxer, keen soccer player and coach, and a qualified Boston marathon runner. He lives with his beautiful wife Anita and their soccer fanatic son Ansel in San Mateo, California.

He also co-authored the E-Business Suite, Manufacturing and Supply Chain, Oracle Press handbook. You can also trace his thinking on GRC at ISACA's international conferences over the years: An Overview of Emerging Tools and Technologies for Auditors in 2005, Compliant Access Provisioning in 2006, and Security Provisioning for Outsourced Services in 2008. Prior to getting interested in the GRC space, you can trace his articles on subjects as diverse as The Convergence of Financial and Supply Chain Planning in Control, the journal of the British Production and Inventory Control Society, and Knowledge Management, The Application of Manufacturing Theory in Knowledge Based industries in Management Accounting, the journal of the Chartered Institute of Management Accountants.

Acknowledgement

Firstly I would like to thank Steve Miranda, the head of Oracle's Fusion applications development, for granting us the permission to write this book. He also made the grave mistake of recruiting me onto his team and paying attention to me when I was bleating that this Enron issue was going to mean that audit was going to have to be automated.
Steve really is a great leader and it has been a great learning experience to watch him guide the ship of impossible dreams that is Fusion, and quell the storms, not only of outrageous fortune, but the tempestuous spirits that are the management team at Oracle.

I need to thank my great friend and co-conspirator Adil, without whom the mountain would have been twice as high and the load twice as heavy.

There have been many people at Oracle who have given assistance: Georginna Manning and the Demo Solution Services team—their support for my constant requests for demo environments was invaluable; Swanarli Bag and the GRC team for making screenshots from the edge of possibility. I would like to thank Bastin Gerald, Mumu Pande, Saye Arumugam, and the team that helped take Internal Controls Manager to market. Their minds are onto other great ventures now, but it was great to ride those rapids in the early days with them. We really did shape an industry.

I need to thank Mr. Kurt Robson, who brought me into Oracle and taught me the science and discipline of design. It is not possible to work at Oracle among so many shining intellects without having that brilliance reflect off the surface of your own mind, however dully.

I need to thank my friends and trainers Pat Regan and Mike Marshall, who through all this kept me fit and asked me to keep my hands up and my head moving.

There is no thanks that is enough for my beautiful wife Anita without whose support my life would be pretty unmanageable. My thanks as well to my son Ansel, who has to tolerate weekends spent in libraries and coffee shops watching me write and research.

About the Authors

Adil R Khan is the Managing Director at FulcrumWay, a firm that has delivered governance, risk, and compliance solutions to more than 200 Fortune-500 and middle-market Oracle customers in America, EMEA, and Asia Pacific since 2003.
He also serves on the board of the Oracle Applications Users Group (OAUG) and GRC Special Interest Group. He has given over 50 presentations on GRC trends, best practices, and case studies at many industry conferences including Gartner GRC Summit, IIA, ISACA, Collaborate, and Oracle OpenWorld.

Prior to joining FulcrumWay, he served as the Chief Executive Officer and board member at Alternate Marketing Networks, Inc., a NASDAQ listed company where he was responsible for growth strategy, financial restructuring, and corporate governance. He also co-founded Hencie, Inc. in 1996, which was ranked 157th on the Inc-500 list of the fastest growing companies, and he was nominated as the Entrepreneur of the Year in 2001 by Ernst and Young Company. He has also worked for Oracle Corporation, a Big-4 audit firm, and several startups to gain 20 years of combined experience in enterprise software and audit services. He graduated from Virginia Tech University in 1987 and attended an executive MBA program at the University of Texas in Dallas in 1993-1994.

[...]

... Financials
Oracle's products and California Breach Law
Transparent data encryption
Healthcare Information Portability and Protection Act (HIPPA)
Oracle's products and HIPPA
Scrambling and data masking
Data vault
Payment Card Industry (PCI)
Oracle's products and PCI
Federal Sentencing Guidelines
Standards for an effective compliance and ethics program
Oracle's ...

... consulting and is a subject matter expert in Oracle Governance, Risk, and Compliance (GRC), having helped numerous clients understand, evaluate, and implement improved control frameworks and business processes as well as implementing the core Oracle GRC products.

Sam Monarch is a Sr. Principal Oracle GRC Consultant. He has more than eight years of Oracle Database and Oracle GRC Implementation experience. He ...
... Vault, Oracle Data Masking Packs, Oracle E-records Management, Agile's Product Governance and Compliance, Oracle Reveleus, and Oracle Mantas. We have baselined the book at the 11GR2 Database, 11GR2 Middleware, and release 12.1 of E-Business Suite.

What you need for this book

You will need to download the following software for this book:

• Oracle GRC Manager 7.8
• Oracle Fusion GRC Intelligence 2.01
• Oracle ...

... These applications are used to provide an evidence store for unstructured information. They also provide a store for standard working papers and completed working papers that have been part of the testing activity.

Identity and Authorization Management Applications

These applications are used to provide authentication of users, accountability for their actions in the system, and authorization to information ...

... attributes (UDA) for regional compliance
Setting up Regional Compliance Framework using perspectives
Assessing Regional Compliance using Oracle GRC Manager
InFission Organization Structure perspective
InFission Regulatory Compliance perspective
InFission Standard and Framework perspective
Loading data
Setting up user profile for regional roles
Monitoring Regional Compliance in Oracle GRC Intelligence ...

... of good governance, failure to plan for a foreseeable catastrophe, or failure to comply with an important law or regulation, brings the GRC themes into public view and scrutiny, and this makes management and directors keen to show they have put their best efforts forward to govern their companies well, manage risks to the enterprise, and comply with all applicable laws. Perhaps only Oracle and SAP ...
... Management System Requirements and on to COBIT, which defines control objectives for Information Technology. We look at the California Breach Law, Health Information Portability, and Payment Card Industry regulations. These have the common theme of privacy, and we show Oracle capabilities for hiding, encrypting, and masking values. We also look at federal sentencing guidelines and show how a learning management ...

... Manager, and Oracle Service. In the risk management chapters we take you through Oracle GRC Manager, Oracle Fusion GRC Intelligence, Oracle Enterprise GRC Manager, Application Access Controls Governor, Transaction Controls Governor, Oracle Preventive Control Governor, and Oracle Configuration Controls Governor. In the compliance chapters we take you through Enterprise Manager, Oracle Payments, Oracle Database ...

... organized
Definitions
Governance
Risk
Compliance
Oracle's Governance Risk and Compliance Footprint
Balanced Scorecard
Business Intelligence
Financial Planning and Analysis
Consolidations and Financial Reporting
Learning
Risk Management Applications
Sub Certification
Process Management Applications
Content Management Applications
Identity and Authorization Management Applications
Our case study
Roles involved ...

Introduction

Oracle's Governance Risk and Compliance Footprint

The following figure gives an overview of the major functional areas of the governance, risk, and compliance problems and the Oracle Component that best addresses that problem:

[Figure: Oracle's Governance, Risk, and Compliance footprint. Labels recoverable from the figure: GRC Learning, Balanced Scorecard, Strategy Development, Policy Communication, Financial Planning and Analysis, Execution Tracking, Financial Forecasting, Business ...]