Document information
www.it-ebooks.info
Governance, Risk, and
Compliance Handbook
for Oracle Applications
Written by industry experts with more than 30 years
combined experience, this handbook covers all the
major aspects of Governance, Risk, and Compliance
management in your organization
Nigel King
Adil R Khan
PUBLISHING
professional expertise distilled
BIRMINGHAM - MUMBAI
Governance, Risk, and Compliance Handbook
for Oracle Applications
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the authors, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2012
Production Reference: 1170812
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84968-170-4
www.packtpub.com
Cover Image by Artie Ng (artherng@yahoo.com.au)
Credits
Authors
Nigel King
Adil R Khan
Reviewers
Sam Bicheno
Sam Monarch
Acquisition Editor
Dhwani Devater
Lead Technical Editor
Susmita Panda
Technical Editors
Mehreen Shaikh
Veronica Fernandes
Joyslita D'Souza
Copy Editor
Laxmi Subramanian
Project Coordinator
Vishal Bodwani
Proofreaders
Mario Cecere
Aaron Nash
Indexer
Hemangini Bari
Graphics
Valentina D'silva
Manu Joseph
Production Coordinators
Alwin Roy
Prachali Bhiwandkar
Kruthika Bangera
Cover Work
Alwin Roy
Prachali Bhiwandkar
Foreword
Governance is nothing less than running a company well, and Oracle has proved
itself a well-run company for over 30 years. It has found the need to provide the
management team and directors many tools and facilities to plot course and help
guide this huge enterprise. Though we steer through many storms, the risks are
known, the course is plotted, the equipment is lashed to the decks, or properly
stowed. The crew is prepared to sheet or drop sail.
These are the same tools that we make available to our customers, and while I
have jokingly drawn the parallels to a sport with some connections to Oracle, the
governance of an enterprise is a very broad and serious topic. What Nigel and Adil
have shown in this book is just how broad it is and how many facets of Governance,
Risk, and Compliance are handled through those tools. We have great tools that
specialize in GRC and we have many other tools that intersect with it.
Just like the winds and the seas, the commercial, legal, and technological
environment and the tools that we provide to help you manage them are varied
and changing. This book gives you a great map on which you can chart your GRC
journey, both present and near future. It is a journey that we are honored to share
with you, as one of the many customers that has entrusted Oracle to provide the
vessel and seamanship.
Chris Leone
Senior Vice President, HCM and GRC Products,
Oracle Corporation
About the Authors
Nigel King is the Vice President for Functional Architecture at Fusion
Applications. As such he leads a band of architects whose job is to steward the
designs and underpinnings for those things that span product families. He has
been working with Oracle for the past 17 years. In that time he has worked mostly
in Applications Development. He has worked in many areas of Applications,
starting off in Distribution Management and then leading Oracle Applications'
first venture into Business Intelligence, and Product Lifecycle Management
Applications. A restless observer and inventor, his real passion has always been
to see a problem defined, and in being defined well, resolved. By first profession
he is a Chartered Management Accountant. He is also a Certified Internal Auditor
(CIA), Certified Information Systems Auditor (CISA), Certified Information
Security Manager (CISM), and Certified Information Security Professional (CISSP).
He swears that as soon as he gets the book finished, he will catch up with his
continuing professional education credits (CPE). His patents include Methods and
systems for portfolio planning, Audit management workbench, Internal audit operations
for Sarbanes Oxley compliance, and Audit planning. He was fortunate to be hanging
around at Oracle when the whole Enron issue happened. A decade later, GRC
Apps was born, was new, then grew old, and is now suffused into many of the
applications that surround it.
He is also Chairman of the Open Applications Group. The Open Applications
Group is a 501(c)(6) not-for-profit standards development organization (SDO).
This community is focused on building process-based business standards for
e-commerce, Cloud Computing, Service Oriented Architecture (SOA), Web
Services, and Enterprise Integration.
The OAGI Specification includes ICXML, an XML specification for the exchange
of risk and control libraries.
Before joining Oracle, he worked in what he now considers the "real world", first
as an Accountant and then selling and implementing business systems. He gained
insights in the high technology sector working for Philips, the consumer packaged
goods sector working for Homepride Foods and Jeyes Group, and was introduced
to the software world through Business Technology Consultants.
He is also a licensed boxer, keen soccer player and coach, and a qualified Boston
marathon runner.
He lives with his beautiful wife Anita and their soccer fanatic son Ansel in San
Mateo, California.
He also co-authored the E-Business Suite, Manufacturing and Supply Chain, Oracle
Press handbook. You can also trace his thinking on GRC at ISACA's international
conferences over the years: An Overview of Emerging Tools and Technologies for
Auditors in 2005, Compliant Access Provisioning in 2006, and Security Provisioning
for Outsourced Services in 2008.
Prior to getting interested in the GRC space, you can trace his articles on subjects as
diverse as The Convergence of Financial and Supply Chain Planning in Control, the journal
of the British Production and Inventory Control Society and Knowledge Management,
The Application of Manufacturing Theory in Knowledge Based industries in Management
Accounting, the journal of the Chartered Institute of Management Accountants.
Acknowledgement
Firstly I would like to thank Steve Miranda, the head of Oracle's Fusion applications
development for granting us the permission to write this book. He also made the
grave mistake of recruiting me onto his team and paying attention to me when I was
bleating that this Enron issue was going to mean that audit was going to have to be
automated. Steve really is a great leader and it has been a great learning experience
to watch him guide the ship of impossible dreams that is Fusion, and quell the
storms, not only of outrageous fortune, but the tempestuous spirits that are the
management team at Oracle.
I need to thank my great friend and co-conspirator Adil, without whom the
mountain would have been twice as high and the load twice as heavy.
There have been many people at Oracle who have given assistance: Georginna
Manning and the Demo Solution Services team—their support for my constant
requests for demo environments was invaluable; Swanarli Bag and the GRC team
for making screenshots from the edge of possibility.
I would like to thank Bastin Gerald, Mumu Pande, Saye Arumugam, and the team
that helped take Internal Controls Manager to market. Their minds are onto other
great ventures now, but it was great to ride those rapids in the early days with them.
We really did shape an industry.
I need to thank Mr. Kurt Robson, who brought me into Oracle and taught me the
science and discipline of design. It is not possible to work at Oracle among so many
shining intellects without having that brilliance reflect off the surface of your own
mind, however dully.
I need to thank my friends and trainers Pat Regan and Mike Marshall, who through
all this kept me fit and asked me to keep my hands up and my head moving.
There is no thanks that is enough for my beautiful wife Anita without whose support
my life would be pretty unmanageable. My thanks as well to my son Ansel, who has to
tolerate weekends spent in libraries and coffee shops watching me write and research.
About the Authors
Adil R Khan is the Managing Director at FulcrumWay, a firm that has delivered
governance, risk, and compliance solutions to more than 200 Fortune-500 and
middle-market Oracle customers in America, EMEA, and Asia Pacific since 2003.
He also serves on the board of the Oracle Applications Users Group (OAUG) and
GRC Special Interest Group. He has given over 50 presentations on GRC trends,
best practices, and case studies at many industry conferences including Gartner
GRC Summit, IIA, ISACA, Collaborate, and Oracle OpenWorld.
Prior to joining FulcrumWay, he served as the Chief Executive Officer and board
member at Alternate Marketing Networks, Inc., a NASDAQ listed company where
he was responsible for growth strategy, financial restructuring, and corporate
governance. He also co-founded Hencie, Inc. in 1996, which was ranked 157th on
the Inc-500 list of the fastest growing companies, and he was nominated as the
Entrepreneur of the Year in 2001 by Ernst and Young Company.
He has also worked for Oracle Corporation, a Big-4 audit firm, and several startups
to gain 20 years of combined experience in enterprise software and audit services.
He graduated from Virginia Tech University in 1987 and attended an executive
MBA program at the University of Texas in Dallas in 1993-1994.
Posted: 23/03/2014, 02:20