IT Governance for Compliance
Tom Philpott
Natural Architect
Driving Compliance Action
Sarbanes-Oxley Act of 2002 –
Response to financial scandals
Requires public companies to certify the
effectiveness of internal controls
Section 404 requires documentation and testing of
key process and controls
Compliance has often required:
Time-consuming, manual processes
Hiring additional people
Inadequate software
Outsourcing to consultants
ETS / 06.02.2012 / 2 Software AG
Compliance Costs Growing
Financial compliance spending alone will grow by more than 19% annually
through 2008.
– Gartner Research, August 2005
According to a survey of 217 public companies with average revenues of $5 billion, the
average cost of complying with ONLY section 404 of Sarbanes-Oxley
will be $4.36 million in 2005.
– Financial Executives International Survey – March, 2005
According to a member survey, nearly half of CEOs of large companies said SOX and
other new compliance requirements would cost in excess of $10 million
annually.
– Business Roundtable Survey, March, 2005
50% of the companies that generate more than $5B in annual revenue spent in
excess of 50,000 hours on SOX compliance in 2004.
– Ernst & Young Research
How Technology Can Help
Technology enablement of key compliance processes
Optimize and integrate key business application-level controls
Automate manual controls related to structured and unstructured data
Improve integration of information security with business needs
Improve IT asset management and patch management processes
Improve IT governance (e.g., change management processes)
Why IT Cannot Escape the Burden of
Compliance Requirements
Regulatory compliance impacts most industries:
• Sarbanes-Oxley – Financial Reporting & Internal Controls
• HIPAA Regulations – Patient Privacy
• BASEL II – Intl Banking: Capital Measurement and Standards
• Gramm-Leach Bliley – Privacy of Nonpublic personal information (Financial)
• …
Since these flows go through applications & support systems, the need to provide a control framework for IT has become mandatory.
Auditing Requires Understanding Transaction/Information Flows
Frameworks Provide the Bridge
Between IT Governance and Compliance
IT Governance is the set of policies, processes, and procedures that direct & control what IT does.
Essential Objectives of Internal Control Systems:
• Economy and efficiency of operations
• Safeguarding of assets
• Achievement of performance goals
• Reliability of financial and management reports
• Compliance with laws and regulations
Internal Controls serve to minimize errors and discourage fraud.
Leading Frameworks include:
• COBIT – Control Objectives for Information and Related Technologies – IT Governance Institute and the Information Systems Audit and Control Association (ISACA), www.isaca.org/cobit
• ITIL – IT Infrastructure Library – Office of Government Commerce (OGC) and itSMF, www.itil.co.uk
• ISO 17799 – Security Standards – International Organization for Standardization, www.iso.org
IT Governance:
COBIT IT Processes and Domains
INFORMATION criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT RESOURCES: People, Application systems, Technology, Facilities, Data
PLANNING & ORGANIZATION
PO1 define a strategic IT plan
PO2 define the information architecture
PO3 determine the technological direction
PO4 define the IT org. and relationships
PO5 manage the IT investment
PO6 communicate mgmt. aims and direction
PO7 manage human resources
PO8 ensure compliance with external rqmts.
PO9 assess risks
PO10 manage projects
PO11 manage quality
ACQUISITION & IMPLEMENTATION
AI1 identify automated solutions
AI2 acquire and maintain application software
AI3 acquire and maintain technology infrastructure
AI4 develop and maintain procedures
AI5 install and accredit systems
AI6 manage changes
DELIVERY & SUPPORT
DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous services
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 assist and advise customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations
MONITORING
M1 monitor the processes
M2 assess internal control adequacy
M3 obtain independent assurance
M4 provide for independent audit
COBIT IT Control Objectives & PCAOB Auditing
Standards for Sarbanes-Oxley
[Table mapping each COBIT control objective (rows) to the PCAOB IT control areas (columns); only the headings and row labels survive in text]
PCAOB IT Controls: Program Development, Program Changes, Access to Programs & Data, Computer Operations
COBIT Control Objectives:
1 Acquire and develop application software
2 Acquire technology infrastructure
3 Develop and maintain policies and procedures
4 Install and test application software and technology infrastructure
5 Manage changes
6 Define and manage service levels
7 Manage third-party services
8 Ensure systems security
9 Manage the configuration
10 Manage problems and incidents
11 Manage data
12 Manage operations
Source: “IT Control Objectives for Sarbanes-Oxley”, COBIT Guidance by IT Governance Institute
Identifying IT Controls for Sarbanes-Oxley
Understand financial
reporting process
Identify significant systems
Determine location
criticality
Perform risk assessment
Source: “IT Control Objectives for Sarbanes-Oxley”, COBIT Guidance by IT Governance Institute
Control Challenges of a Complex IT Environment
[Diagram: Multiple Access Points to Systems]
Multiple Design Environments: Natural Studio, Design Wizards, Tools
Multiple Access Points: Business Portals, Web Request/Response, Asynch Messaging, Batch Process, SOA/Web Services, MS Office, Crystal Reports, etc.
Multiple Applications: User Financial Apps, Web Apps, Logistic Apps
Multiple Databases: Adabas, IMS, VSAM, SQL, DB2, Oracle, XML
Multiple Environments: Mainframe, Unix, Linux
Administration: Security, Monitoring, Auditing & Logging
What if you could…
Confidently demonstrate to your executive management/ compliance
officers that you have IT Controls in place to:
Secure access to your programs and data
Manage the application change management process
Monitor the access and changes made to your programs & data
Ensure information and operational processes are available when you
need it, as soon as you need it, especially in case of audit
And provide succinct reports that show:
WHO accessed WHAT data, WHEN and HOW
WHO made WHAT changes to your applications and WHEN
Control Objectives supported by
Software AG Solutions
[Diagram: IT Controls at the centre with four spokes: Change Mgt, Monitoring, Security, Access]
Change Mgt – Manage Changes: Test, validate & authorize changes prior to move to production
Monitoring – Monitor & Report: View of performance, access, errors, security
Security – Ensure Systems Security: Secure to prevent unauthorized use, disclosure, modification, loss
Access – Access to Programs & Data: Ensure Continuous Services and information availability
Create Confidence with Applicable IT Controls for
Adabas and Natural Systems
[Diagram: IT Controls at the centre with the spokes Change Mgt, Monitoring, Security and Access, captioned “Create Confidence with IT Governance”]
Change Management
• Predict Application Control (PAC)
Monitoring & Reporting
• Adabas REVIEW
• Natural Productivity Pack
Security
• Natural SAF Security
• Natural Security
• Adabas Security
• Adabas SAF Security
Access to Programs & Data
• High Availability: Parallel Services, Cluster Services (IBM Parallel Sysplex Support)
• Disaster Recovery: Event Replicator for Adabas
• Archiving: Adabas Vista
Enforce Change Management Procedures with
Predict Application Control
Control the System Development Lifecycle (SDLC)
One Change Management System
to control Programs, Database
Maintenance, and Metadata
Controlled migration of Natural,
COBOL, JCL, and Assembler Objects
Other Key Features
• Unique test plan
• Segregation of duties
• Synchronization of changes
• Easy to use GUI
• Mixed environment controls
• Expedited path for emergencies
• Migration
• Security
• Archiving
• Auditing
• Reporting
Client Plug-ins
Predict Application Control
Compliance with COBIT: Manage Changes
Ensures Integrity of Financial Reporting Systems
COBIT Control Guidance: Requests for changes are standardized, documented and subject to formal change management procedures
IT Governance Pack Features:
• Only authorized/approved changes are moved into production
• Control migration of changes through SDLC
• Requests & process are documented
COBIT Control Guidance: Emergency change requests are documented and subject to formal change mgt procedures
IT Governance Pack Features:
• Expedited path for non-scheduled maintenance
• Emergency change requests are executed immediately
• Full audit trail
• Subject to formal change mgt procedures post implementation
COBIT Control Guidance: Controls in place to restrict migration to production
IT Governance Pack Features:
• Duties segregated between staff responsible for moving programs into production and development staff
COBIT Control Guidance: Setup and implementation of system software do not jeopardize security of data and programs
IT Governance Pack Features:
• Test changes in development before they are applied to production
• Backout procedures exist
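The controls in the table above are stated as policy; the Python below is an added illustration, not Predict Application Control code or any Software AG API, of how a migration gate can enforce them before anything reaches production: an approval that is not the developer's own, segregation of duties between developer and migrator, test and backout evidence for scheduled changes, and an expedited emergency path that still requires approval, records every attempt in an audit trail, and flags the change for formal post-implementation review. The request fields, the in-memory audit trail and the sample requests are assumptions made for the example.

```python
"""Change-migration gate modelled on the COBIT 'Manage Changes' guidance.
Added illustration: the request layout, rules and sample data are
assumptions, not Predict Application Control behaviour."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ChangeRequest:
    change_id: str
    developer: str            # who made the change
    approver: Optional[str]   # who approved it (None = not approved)
    migrator: str             # who asks to move it into production
    tested_in_dev: bool       # evidence of a completed test plan
    backout_plan: bool        # a documented way to reverse the move
    emergency: bool = False   # expedited path for non-scheduled maintenance


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    post_review_required: bool = False


def evaluate_migration(req: ChangeRequest) -> Decision:
    """Apply the controls: authorization, segregation of duties, testing
    and backout. Emergency changes may skip test/backout evidence up front
    (assumption) but are flagged for formal review after implementation."""
    reasons = []
    # Only authorized/approved changes reach production; self-approval
    # defeats the purpose of the approval step.
    if req.approver is None:
        reasons.append("change has no recorded approval")
    elif req.approver == req.developer:
        reasons.append("developer approved own change")
    # Staff moving programs into production must not be the developers.
    if req.migrator == req.developer:
        reasons.append("developer attempting own migration (segregation of duties)")
    # Scheduled changes need a completed test and a way back.
    if not req.emergency:
        if not req.tested_in_dev:
            reasons.append("no completed test in development")
        if not req.backout_plan:
            reasons.append("no backout procedure")
    allowed = not reasons
    return Decision(allowed=allowed, reasons=reasons,
                    post_review_required=allowed and req.emergency)


# Constructed in-memory stand-in for a persistent audit log.
AUDIT_TRAIL: List[dict] = []


def request_migration(req: ChangeRequest) -> Decision:
    """Evaluate a request and append the outcome to the audit trail so that
    every attempt, allowed or refused, is recorded (full audit trail)."""
    decision = evaluate_migration(req)
    AUDIT_TRAIL.append({
        "change_id": req.change_id,
        "migrator": req.migrator,
        "emergency": req.emergency,
        "allowed": decision.allowed,
        "reasons": list(decision.reasons),
        "post_review_required": decision.post_review_required,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ChangeRequest("CHG-1", "dev_a", "mgr_x", "ops_b", True, True),
        ChangeRequest("CHG-2", "dev_a", "mgr_x", "dev_a", True, True),
        ChangeRequest("CHG-3", "dev_c", None, "ops_b", False, False, emergency=True),
        ChangeRequest("CHG-4", "dev_c", "mgr_x", "ops_b", False, False, emergency=True),
    ]
    for s in samples:
        d = request_migration(s)
        print(s.change_id, "ALLOWED" if d.allowed else "REFUSED", d.reasons,
              "post-implementation review required" if d.post_review_required else "")
```

The audit trail records refused attempts as well as successful moves; a gate that only logs what it lets through cannot show an auditor who tried to bypass the process.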
Report Changes & Track Dependencies with
Natural Productivity Pack Maintenance Tools
Coding Standards Metrics
Search Tools
Re-documentation & Code Beautifying
Automatic code changes
Variable Usage
Diagramming Structure Analyzer
Monitor Access to Programs and Data with
Adabas Review
Report WHO accessed WHAT data, WHEN and HOW
Custom reporting for Executive Management
Multiple databases captured in single report
Select and choose the most relevant information for proper reporting
Excellent source for compliance dashboards like Stellent Sarbanes-Oxley Solution
Monitors both Read/Write Access to Adabas from ANY Source
on-line, batch
Natural, COBOL
Java, .NET, SQL, Xquery, etc.
Provides a Single View of all Adabas Instances
“Regular” Adabas, Cluster Services & Parallel Services
Detailed Monitoring with Minimal Performance Overhead
Leverages Command Logs (CLOG) over Protection Logs (PLOGs)
• CLOGs show ALL read/write access
• PLOGs show only write access
Efficient asynchronous handling of CLOGs
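The “WHO accessed WHAT data, WHEN and HOW” report named on this slide and on the earlier “What if you could…” slide, and the point that a command log captures reads while a protection log captures only writes, can be shown on a handful of constructed records. The Python below is an added example, not Adabas Review code: the pipe-delimited record layout, the single-letter command codes and the sample lines are assumptions and do not reproduce the CLOG or PLOG formats. It builds the per-user/per-file/per-source report and then lists the users a write-only feed would never have shown.

```python
"""Access report from command-log style records: WHO accessed WHAT data,
WHEN and HOW. Added illustration with a constructed record format."""
from typing import Dict, List

# Constructed records: timestamp|user|source|file|command.
# Command letters are a simplified read/write split assumed for this
# example: L = read, A = update, E = delete, N = insert.
SAMPLE_CLOG = """\
2012-02-06T09:00:01|jsmith|NATURAL-online|GL_LEDGER|L
2012-02-06T09:00:07|jsmith|NATURAL-online|GL_LEDGER|A
2012-02-06T09:05:30|batch01|COBOL-batch|AP_VENDOR|L
2012-02-06T09:06:12|batch01|COBOL-batch|AP_VENDOR|N
2012-02-06T10:15:44|mchen|JAVA-web|PAYROLL|L
2012-02-06T10:16:02|mchen|JAVA-web|PAYROLL|L
2012-02-06T11:40:00|svc_rpt|SQL-report|GL_LEDGER|L
"""

READ_COMMANDS = {"L"}
WRITE_COMMANDS = {"A", "E", "N"}


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse pipe-delimited records, skipping blank or malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, source, file_, cmd = parts
        if cmd in READ_COMMANDS:
            kind = "read"
        elif cmd in WRITE_COMMANDS:
            kind = "write"
        else:
            kind = "other"
        out.append({"when": ts, "who": user, "how": source, "what": file_,
                    "command": cmd, "kind": kind})
    return out


def access_report(records):
    """Aggregate WHO/WHAT/HOW with read and write counts and the first and
    last time each combination was seen."""
    agg = {}
    for r in records:
        key = (r["who"], r["what"], r["how"])
        entry = agg.setdefault(key, {"reads": 0, "writes": 0,
                                     "first": r["when"], "last": r["when"]})
        if r["kind"] == "read":
            entry["reads"] += 1
        elif r["kind"] == "write":
            entry["writes"] += 1
        # ISO-8601 timestamps sort lexically, so min/max give the time range.
        entry["first"] = min(entry["first"], r["when"])
        entry["last"] = max(entry["last"], r["when"])
    return agg


def write_only_view(records):
    """What a protection-log style feed would show: write operations only."""
    return [r for r in records if r["kind"] == "write"]


def readers_missed_by_write_only(records):
    """Users who touched data but appear nowhere in the write-only view."""
    all_users = {r["who"] for r in records}
    write_users = {r["who"] for r in write_only_view(records)}
    return sorted(all_users - write_users)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CLOG)
    for (who, what, how), e in sorted(access_report(recs).items()):
        print(f"{who:8} {what:10} via {how:15} reads={e['reads']} "
              f"writes={e['writes']} {e['first']} .. {e['last']}")
    print("not visible in a write-only log:", readers_missed_by_write_only(recs))
```

Read-only access to financial data is exactly what a disclosure investigation needs to reconstruct, so an audit source that records only modifications leaves that question unanswerable.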
Compliance with COBIT Control Domain: Monitoring
Monitoring with Accountability
Monitor all database activity
IT Governance Pack Features:
• Centralized information gathering
• Scalable to performance needs
• Maintain audit history
• Reports
• Integrates to dashboards like Stellent Sarbanes-Oxley Solution
• Real-time and historical tracking
Secure Access to Your Programs and Data
Secure Systems to Prevent Unauthorized Use
Protect from fraudulent access under a stolen identity
Authenticate against common user databases like RACF, ACF2 or
TopSecret via the SAF (Security Access Facility) API
Block password phishing with secure communication channels, like
the Supervisor Call (SVC)
Protect from unauthorized access to data store
"Access-/update-level" protection on a file-by-file basis
"Value-level" protection for specific values or for value ranges
“Dataset encryption” with pass phrase protection
Single Sign On in a heterogeneous environment
SAML-based (Security Assertion Markup Language) Web service
SAF-based authentication
Field-level protection of database records
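The three protection levels listed under “Protect from unauthorized access to data store” (access/update rights per file, value-level restrictions on specific values or ranges, and field-level protection of records) compose into a layered check. The Python below is an added example of that layering and is not Adabas Security or Natural Security code; the rule structure, the sample policy and the sample record are constructed assumptions. Each layer is evaluated in turn, and the field-level layer filters what is returned rather than refusing the whole request.

```python
"""Layered check of access to records: file-level access/update rights,
value-level ranges, field-level protection. Added illustration with a
constructed rule layout; not a vendor rule format."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class FileRule:
    """Rights one user holds on one file."""
    access: bool = False   # may read records
    update: bool = False   # may modify records
    # Value-level protection: field -> inclusive (low, high) ranges the user
    # may touch; a record outside every range is invisible to this user.
    value_ranges: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)
    # Field-level protection: fields stripped from anything returned.
    hidden_fields: Set[str] = field(default_factory=set)


# (user, file) -> rule. Constructed sample policy.
POLICY: Dict[Tuple[str, str], FileRule] = {
    ("clerk", "PAYROLL"): FileRule(access=True,
                                   value_ranges={"DEPT": [(100, 199)]},
                                   hidden_fields={"SALARY"}),
    ("hr_mgr", "PAYROLL"): FileRule(access=True, update=True),
}


def check_access(policy, user: str, file_: str, op: str, record: Dict):
    """Evaluate a read or update of one record against the layered rules.

    Returns (allowed, visible_record, reason). Order of evaluation:
    file-level right for the operation, then value-level ranges, then
    field-level filtering of what is returned."""
    if op not in ("read", "update"):
        return False, None, "unknown operation %s" % op
    rule = policy.get((user, file_))
    if rule is None:
        # Default deny: no rule means no right at all.
        return False, None, "no rule grants %s any right on %s" % (user, file_)
    if op == "read" and not rule.access:
        return False, None, "file-level: no access right"
    if op == "update" and not rule.update:
        return False, None, "file-level: no update right"
    for fld, ranges in rule.value_ranges.items():
        value = record.get(fld)
        if value is None or not any(lo <= value <= hi for lo, hi in ranges):
            return False, None, "value-level: %s outside permitted range" % fld
    visible = {k: v for k, v in record.items() if k not in rule.hidden_fields}
    return True, visible, "ok"


if __name__ == "__main__":
    # Constructed sample record.
    rec = {"EMP_ID": 7, "NAME": "A. Example", "DEPT": 150, "SALARY": 5000}
    for user, op, r in [("clerk", "read", rec),
                        ("clerk", "read", dict(rec, DEPT=250)),
                        ("clerk", "update", rec),
                        ("hr_mgr", "update", dict(rec, DEPT=250)),
                        ("nobody", "read", rec)]:
        print(user, op, check_access(POLICY, user, "PAYROLL", op, r))
```

Note that the value-level layer denies the whole record while the field-level layer only removes fields; which behaviour a real product applies at each level is a property of that product, and this example simply picks one consistent reading of the slide's three levels.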
Compliance with COBIT: Ensure Systems Security
Provides Assurance Systems Are Secured to Prevent Unauthorized
Use, Disclosure, Modification, Damage or Loss of Data
COBIT Control Guidance: Authenticate all users to the system to support validity of transactions
IT Governance Pack Features:
• Authenticate against common user databases like RACF, ACF2 or TopSecret via the SAF (Security Access Facility) API
COBIT Control Guidance: Maintain effectiveness of authentication and access mechanisms
IT Governance Pack Features:
• Authentication controls (passwords, IDs, two-factor) are subject to confidentiality requirements
• Authentication at multiple levels
COBIT Control Guidance: Administration monitors and logs security activity; violations are reported
IT Governance Pack Features:
• Reporting capabilities
COBIT Control Guidance: Controls to segregate duties over requesting and granting access
IT Governance Pack Features:
• Checks and balances
• Separation of duties
Ensure Readily Available Processes &
Historical Information
Protection from DB and OS Failure (High Availability)
Access when you need it - 24x7x52
• Adabas Parallel Services
• Adabas Cluster Services (IBM Parallel Sysplex Support)
Protection from Facility/Site Failure (Disaster Recovery)
Prepare for dispersed geographical backups
• Event Replicator for Adabas
Archive Data Instantly Available when Needed
Separating relevant/current data from historical
• Adabas Vista
Compliance with PCAOB: Access to Programs and Data
Ensure information and operational processes are available
when you need it, as soon as you need it
Benefits of Leveraging Software AG Solutions
for IT Governance
Reduces risk for non-compliance
Secure access to your programs and data
Manage the application change management process
Monitor the access and changes made to your programs & data
Ensure information and operational processes are available when you
need it, as soon as you need it, especially in case of audit
Keeps documentation in sync with procedures
Reduces costs
Automates controls & reporting
Reduces time and expense
Prepares you for the future
Good IT Governance practices prepare
your IT department for complying with
SOX, HIPAA and other regulations
Now You are Ready to Link into
Company-wide Compliance Initiatives
Stellent
Sarbanes-Oxley Solution
Sarbanes-Oxley Section 404
Internal Control over Financial Reporting
“Most would agree that the reliability of financial
reporting is heavily dependent on a well-controlled
IT environment.”
– IT Governance Institute, IT Control
Objectives for Sarbanes-Oxley
High Availability with
Adabas Cluster Services
Adabas Cluster Services
Distribute and balance users across multiple processors and operating
system images
Key Features
Increased throughput
Better response times for all
users (batch and online)
No need to buy a new machine
to improve performance
Maximum scalability
No changes to applications
Administration very similar to
‘regular’ Adabas
24 x 7 availability - no single point of failure
z/OS ONLY
Maximum 20 KM
Disaster Recovery with
Event Replicator for Adabas
Event Replicator Disaster Recovery Solution
Hot, standby system(s) in a remote facility with ongoing changes transferred in real-time
Disaster Recovery: ensuring business continuity in event of failure
• Software
• Hardware
• Power
• Natural disaster
Advantage
• Avoid time-consuming database recovery procedures
• Upon failure, the hot standby immediately becomes the primary production DB and continues replication to the other hot, standby systems
[Diagram: Production Adabas replicating to Hot Standby Location 1, Hot Standby Location 2 and Hot Standby Location 3]
Information Archiving and High Availability
with Adabas Vista
Adabas Vista
Access relevant information with exceptional performance
Avoid degradation of service and expense of maintaining unnecessary data
High availability in a partitioned environment
logical ‘ordering’ of data
reduces file sizes to improve performance
improves performance against files by using multiple CPUs
limits the usage of data by ‘hiding’ partitions
Quickly & easily manage large volumes of data
Better backup & restore time windows
Better load balancing on your environment
No change to applications
Online and batch
The physical files can be on separate Adabas nuclei
Regulatory Compliance – A Perfect Storm
The Challenge: Manage the wide range of associated risk while
maintaining business efficiency, agility, and creating shareholder value
[Word cloud of regulations: Sarbanes-Oxley, HIPAA, NASD, GLBA, ELV, Basel II, RoHS, State Requirements, Patriot Act, WEEE, RMP, OSHA, FAA, Drinking Water, HDDA 45, General Liability, Local Rules, 21 CFR Part 11, Homeland Security, FTC, TSCA, FERC, SEC, NRC, EPA, Storm Water]
Industries: Manufacturing, Insurance, Life Sciences, Energy, Engineering
Other Software AG Solutions
Integrated Compliance Platform
[Diagram: a Single View of Compliance cycle of REPORT, ASSESS, DOCUMENT and MANAGE covering SOX, Basel II and GLB. Sources (Mainframe, ERP, AS/400) feed the Enterprise Service Integrator, Enterprise Information Integrator and Enterprise Process Manager, which in turn feed the Stellent Section 404 solution and its Content Server]