IT Governance for Compliance - PowerPoint PPT Presentation

Provided by: KBA

1
IT Governance for Compliance
  • Tom Philpott
  • Natural Architect

2
Driving Compliance Action: Sarbanes-Oxley Act of
2002
  • Response to financial scandals
  • Requires public companies to certify the
    effectiveness of internal controls
  • Section 404 requires documentation and testing of
    key processes and controls
  • Compliance has often required
    • Time-consuming, manual processes
    • Hiring additional people
    • Inadequate software
    • Outsourcing to consultants

3
Compliance Costs Growing
  • Financial compliance spending alone will grow by
    more than 19% annually through 2008.
    Gartner Research, August 2005
  • According to a survey of 217 public companies
    with average revenues of $5 billion, the average
    cost of complying with ONLY section 404 of
    Sarbanes-Oxley will be $4.36 million in 2005.
    Financial Executives International Survey,
    March 2005
  • According to a member survey, nearly half of CEOs
    of large companies said SOX and other new
    compliance requirements would cost in excess of
    $10 million annually.
    Business Roundtable Survey, March 2005
  • 50% of the companies that generate more than $5B
    in annual revenue spent in excess of 50,000 hours
    on SOX compliance in 2004.
    Ernst & Young Research

4
How Technology Can Help
  • Technology enablement of key compliance processes
  • Optimize and integrate key business
    application-level controls
  • Automate manual controls related to structured
    and unstructured data
  • Improve integration of information security with
    business needs
  • Improve IT asset management and patch management
    processes
  • Improve IT governance (e.g., change management
    processes)

5
Why IT Cannot Escape the Burden of Compliance
Requirements
Regulatory compliance impacts most industries.
Since these flows go through applications and
support systems, the need to provide a control
framework for IT has become mandatory.
Diagram labels:
  • Financial Reporting Internal Controls
  • Patient Privacy Regulations
  • Intl Banking Capital Measurement and Standards
  • Auditing Requires Understanding
    Transaction/Information Flows
  • Privacy of Nonpublic personal information
    (Financial)

6
Frameworks Provide the Bridge Between IT
Governance and Compliance
  • IT Governance is the set of policies, processes,
    and procedures that direct & control what IT does
  • Essential Objectives of Internal Control Systems
    • Economy and efficiency of operations
    • Safeguarding of assets
    • Achievement of performance goals
    • Reliability of financial and management reports
    • Compliance with laws and regulations
  • Internal Controls serve to minimize errors and
    discourage fraud
  • Leading Frameworks include
    • COBIT (Control Objectives for Information and
      Related Technologies): IT Governance Institute
      and the Information Systems Audit and Control
      Association (ISACA), www.isaca.org/cobit
    • ITIL (IT Infrastructure Library): Office of
      Government Commerce (OGC) and itSMF,
      www.itil.co.uk
    • ISO 17799 (Security Standards): International
      Organization for Standards, www.iso.org

7
IT Governance: COBIT IT Processes and Domains
INFORMATION
  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Reliability

IT RESOURCES
  • People
  • Application systems
  • Technology
  • Facilities
  • Data

PLANNING & ORGANIZATION
  • PO1 define a strategic IT plan
  • PO2 define the information architecture
  • PO3 determine the technological direction
  • PO4 define the IT org. and relationships
  • PO5 manage the IT investment
  • PO6 communicate mgmt. aims and direction
  • PO7 manage human resources
  • PO8 ensure compliance with external rqmts.
  • PO9 assess risks
  • PO10 manage projects
  • PO11 manage quality

ACQUISITION & IMPLEMENTATION
  • AI1 identify automated solutions
  • AI2 acquire and maintain application software
  • AI3 acquire and maintain technology infrastructure
  • AI4 develop and maintain procedures
  • AI5 install and accredit systems
  • AI6 manage changes

DELIVERY & SUPPORT
  • DS1 define and manage service levels
  • DS2 manage third-party services
  • DS3 manage performance and capacity
  • DS4 ensure continuous services
  • DS5 ensure systems security
  • DS6 identify and allocate costs
  • DS7 educate and train users
  • DS8 assist and advise customers
  • DS9 manage the configuration
  • DS10 manage problems and incidents
  • DS11 manage data
  • DS12 manage facilities
  • DS13 manage operations

MONITORING
  • M1 monitor the processes
  • M2 assess internal control adequacy
  • M3 obtain independent assurance
  • M4 provide for independent audit

8
COBIT IT Control Objectives & PCAOB Auditing
Standards for Sarbanes-Oxley
PCAOB IT Controls
  • Access to Programs & Data
  • Program Development
  • Program Changes
  • Computer Operations
COBIT Control Objectives
  • Acquire and develop application software
  • Acquire technology infrastructure
  • Develop and maintain policies and procedures
  • Install and test application software and
    technology infrastructure
  • Manage changes
  • Define and manage service levels
  • Manage third-party services
  • Ensure systems security
  • Manage the configuration
  • Manage problems and incidents
  • Manage data
  • Manage operations

Source: IT Control Objectives for Sarbanes-Oxley,
COBIT Guidance by IT Governance Institute

9
Identifying IT Controls for Sarbanes-Oxley
  • Understand financial reporting process
  • Identify significant systems
  • Determine location criticality
  • Perform risk assessment

Source: IT Control Objectives for Sarbanes-Oxley,
COBIT Guidance by IT Governance Institute

10
Control Challenges of a Complex IT
Environment: Multiple Access Points to Systems
Diagram labels:
  • Multiple Design Environments: Natural Studio
    (design, wizards, tools)
  • Multiple Access Points: Business User Data
    Access, Portals, Request/Response, Asynch
    Messaging, Batch, Crystal Reports, SOA/Web
    Services, MS Office, etc.
  • Multiple Databases: Adabas, IMS, VSAM, SQL, DB2,
    Oracle, XML
  • Multiple Applications: Financial Apps, Web Apps,
    Process Apps, Logistic Apps
  • Multiple Environments: Mainframe, Unix, Linux
  • Administration, Security, Monitoring,
    Auditing & Logging

11
What if you could
  • Confidently demonstrate to your executive
    management/compliance officers that you have IT
    Controls in place to
    • Secure access to your programs and data
    • Manage the application change management process
    • Monitor the access and changes made to your
      programs & data
    • Ensure information and operational processes are
      available when you need it, as soon as you need
      it, especially in case of audit
  • And provide succinct reports that show
    • WHO accessed WHAT data, WHEN and HOW
    • WHO made WHAT changes to your applications and
      WHEN

12
Control Objectives supported by Software AG
Solutions
  • Manage Changes
    • Test, validate & authorize changes prior to move
      to production
  • Monitor & Report
    • View of performance, access, errors, security
  • Ensure Systems Security
    • Secure to prevent unauthorized use, disclosure,
      modification, loss
  • Access to Programs & Data
    • Ensure Continuous Services and information
      availability

13
Create Confidence with Applicable IT Controls
for Adabas and Natural Systems
  • Change Management
    • Predict Application Control (PAC)
  • Monitoring & Reporting
    • Adabas REVIEW
    • Natural Productivity Pack
  • Security
    • Natural SAF Security
    • Natural Security
    • Adabas Security
    • Adabas SAF Security
  • Access to Programs & Data
    • High Availability
      • Parallel Services
      • Cluster Services (IBM Parallel Sysplex Support)
    • Disaster Recovery
      • Event Replicator for Adabas

Create Confidence with IT Governance
14
Enforce Change Management Procedures with Predict
Application Control
  • Control the System Development Lifecycle (SDLC)
  • One Change Management System to control Programs,
    Database Maintenance, and Metadata
  • Controlled migration of Natural, COBOL, JCL, and
    Assembler Objects
  • Other Key Features
    • Unique test plan
    • Segregation of duties
    • Synchronization of changes
    • Easy to use GUI
    • Mixed environment controls
    • Expedited path for emergencies
    • Migration
    • Security
    • Archiving
    • Auditing
    • Reporting

15
Client Plug-ins: Predict Application Control
(slides 15 through 23 carry only this title)

24
Compliance with COBIT: Manage Changes
Ensures Integrity of Financial Reporting Systems

25
Report Changes & Track Dependencies with Natural
Productivity Pack
Maintenance Tools
  • Metrics
  • Coding Standards
  • Search Tools
  • Re-documentation
  • Code Beautifying
  • Automatic code changes
  • Variable Usage
  • Structure Analyzer
  • Diagramming

26
Monitor Access to Programs and Data with Adabas
REVIEW
  • Report WHO accessed WHAT data, WHEN and HOW
  • Custom reporting for Executive Management
    • Multiple databases captured in single report
    • Select and choose the most relevant information
      for proper reporting
    • Excellent source for compliance dashboards like
      Stellent Sarbanes-Oxley Solution
  • Monitors both Read/Write Access to Adabas from
    ANY Source
    • on-line, batch
    • Natural, COBOL
    • Java, .NET, SQL, XQuery, etc.
  • Provides a Single View of all Adabas Instances
    • Regular Adabas, Cluster Services, Parallel
      Services
  • Detailed Monitoring with Minimal Performance
    Overhead
    • Leverages Command Logs (CLOG) over Protection
      Logs (PLOGs)
      • CLOGs show ALL read/write access
      • PLOGs show only write access
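
The WHO/WHAT/WHEN/HOW report and the CLOG-versus-PLOG point above, as an added Python example that is not from the presentation or from Software AG: it uses a constructed, simplified command-log record layout (the Adabas command codes are real; the field names, user ids and timestamps are assumptions) and shows which accesses a write-only protection-log view would never report.

```python
from dataclasses import dataclass
from typing import Dict, List

# Adabas direct-call command codes: L1/L3 read records, A1/N1/E1 update, add and
# delete them. The record layout below is constructed for this example only.
READ_CMDS = {"L1", "L3"}
WRITE_CMDS = {"A1", "N1", "E1"}

@dataclass
class LogRecord:
    when: str     # ISO timestamp
    who: str      # user id as authenticated through the SAF interface
    file: int     # Adabas file number
    command: str  # Adabas command code
    source: str   # caller: NATURAL, COBOL, JDBC (SQL), BATCH, ...

def access_kind(cmd: str) -> str:
    """Map a command code to the access class a compliance report cares about."""
    if cmd in READ_CMDS:
        return "read"
    if cmd in WRITE_CMDS:
        return "write"
    return "other"  # e.g. RC (release command id): no data access

def protection_log_view(records: List[LogRecord]) -> List[LogRecord]:
    """What a PLOG-based monitor can show: updates only, never reads."""
    return [r for r in records if access_kind(r.command) == "write"]

def access_report(records: List[LogRecord], file_no: int) -> List[Dict[str, str]]:
    """WHO / WHAT / WHEN / HOW rows for one file from the full command log."""
    rows = [r for r in records
            if r.file == file_no and access_kind(r.command) != "other"]
    return [{"who": r.who, "what": f"file {r.file}", "when": r.when,
             "how": f"{r.source} {access_kind(r.command)}"}
            for r in sorted(rows, key=lambda r: r.when)]

def users_invisible_to_plog(records: List[LogRecord]) -> List[str]:
    """Users who read data but never updated it: absent from a PLOG-only trail."""
    writers = {r.who for r in protection_log_view(records)}
    readers = {r.who for r in records if access_kind(r.command) == "read"}
    return sorted(readers - writers)

# Constructed sample: file 12 holds financial data; TEMP01 only ever reads it.
SAMPLE = [
    LogRecord("2005-03-01T09:00:05", "PAYROLL1", 12, "A1", "NATURAL"),
    LogRecord("2005-03-01T09:02:11", "TEMP01", 12, "L3", "JDBC"),
    LogRecord("2005-03-01T09:02:12", "TEMP01", 12, "L1", "JDBC"),
    LogRecord("2005-03-01T22:15:00", "BATCH7", 12, "N1", "BATCH"),
    LogRecord("2005-03-01T22:15:01", "BATCH7", 12, "RC", "BATCH"),
]
```

On the sample, the PLOG view contains only the two updates, so the read-only user TEMP01 never appears in it, while the CLOG-based report lists all four data accesses.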

27
Compliance with COBIT Control Domain: Monitoring
  • Monitoring with Accountability
    • Monitor all database activity
  • IT Governance Pack Features
    • Centralized Information Gathering
    • Scalable to Performance Needs
    • Maintain Audit History Reports
    • Integrates to dashboards like Stellent
      Sarbanes-Oxley Solution
    • Real-time and historical tracking

28
Secure Access to Your Programs and Data
  • Secure Systems to Prevent Unauthorized Use
    • Protect from fraudulent access under a stolen
      identity
      • Authenticate against common user databases like
        RACF, ACF2 or TopSecret via the SAF (Security
        Access Facility) API
      • Block password phishing with secure communication
        channels, like the Supervisor Call (SVC)
    • Protect from unauthorized access to data store
      • "Access-/update-level" protection on a
        file-by-file basis
      • "Value-level" protection for specific values or
        for value ranges
      • Dataset encryption with pass phrase protection
  • Single Sign On in a heterogeneous environment
    • SAML-based (Security Assertion Markup Language)
      Web service
    • SAF-based authentication
  • Field-level protection of database records

29
Compliance with COBIT: Ensure Systems Security
Provides Assurance Systems Are Secured to Prevent
Unauthorized Use, Disclosure, Modification,
Damage or Loss of Data

30
Ensure Readily Available Processes & Historical
Information
  • Protection from DB and OS Failure (High
    Availability)
    • Access when you need it - 24x7x52
    • Adabas Parallel Services
    • Adabas Cluster Services (IBM Parallel Sysplex
      Support)
  • Protection from Facility/Site Failure (Disaster
    Recovery)
    • Prepare for Dispersed Geographical Backups
    • Event Replicator for Adabas
  • Archive Data Instantly Available when Needed
    • Separating relevant/current data from historical
    • Adabas Vista

Compliance with PCAOB: Access to Programs and
Data. Ensure information and operational
processes are available when you need it, as soon
as you need it
31
Benefits of Leveraging Software AG Solutions for
IT Governance
  • Reduces risk for non-compliance
    • Secure access to your programs and data
    • Manage the application change management process
    • Monitor the access and changes made to your
      programs & data
    • Ensure information and operational processes are
      available when you need it, as soon as you need
      it, especially in case of audit
    • Keeps documentation in synch with procedures
  • Reduces costs
    • Automates controls reporting
    • Reduces time and expense
  • Prepares you for the future
    • Good IT Governance Practices prepare Your IT
      Department for complying with SOX, HIPAA and
      other Regulations

32
Now You are Ready to Link into Company-wide
Compliance Initiatives
Stellent Sarbanes-Oxley Solution

33
Sarbanes-Oxley Section 404: Internal Control over
Financial Reporting
"Most would agree that the reliability of
financial reporting is heavily dependent on a
well-controlled IT environment." - IT
Governance Institute, IT Control Objectives for
Sarbanes-Oxley

34
(No Transcript)
35
High Availability with Adabas Cluster Services
  • Adabas Cluster Services
    • Distribute and balance users across multiple
      processors and operating system images
  • Key Features
    • Increased throughput
    • Better response times for all users (batch and
      online)
    • No need to buy a new machine to improve
      performance
    • Maximum scalability
    • No changes to applications
    • Administration very similar to regular Adabas
    • 24 x 7 availability - no single-point-of-failure
    • z/OS ONLY
    • Maximum 20 KM

36
Disaster Recovery with Event Replicator for Adabas
  • Event Replicator Disaster Recovery Solution
    • Hot standby system(s) in a remote facility with
      ongoing changes transferred in real-time
    • Ensuring business continuity in event of failure
      • Software
      • Hardware
      • Power
      • Natural disaster
  • Advantage
    • Avoid time-consuming database recovery procedures
    • Upon failure the hot standby immediately becomes
      the primary production DB and continues
      replication to other hot standby systems

Disaster Recovery
37
Information Archiving and High Availability with
Adabas Vista
  • Adabas Vista
    • Access relevant information with exceptional
      performance
    • Avoid degradation of service and expense of
      maintaining unnecessary data
  • High availability in a partitioned environment
    • logical ordering of data
    • reduces file sizes to improve performance
    • improves performance against files by using
      multiple CPUs
    • limits the usage of data by hiding partitions
  • Quickly & easily manage large volumes of data
    • Better backup & restore time windows
    • Better load balancing on your environment
    • No change to applications
    • Online and batch
    • The physical files can be on separate Adabas
      nuclei

38
Regulatory Compliance: A Perfect Storm
The Challenge: Manage the wide range of
associated risk while maintaining business
efficiency, agility, and creating shareholder
value
Regulations named on the slide: Drinking Water,
Sarbanes-Oxley, HIPAA, HDDA 45, GLBA, General
Liability, NASD, ELV, 21 CFR Part 11, Local Rules,
Homeland Security, Basel II, FTC, TSCA, RoHS, SEC,
FERC, State Requirements, Patriot Act, NRC, WEEE,
RMP, OSHA, EPA, FAA, Storm Water

39
Other Software AG Solutions: Integrated Compliance
Platform
Diagram labels: Single View of Compliance
(Basel II, SOX, GLB); Enterprise Information
Integrator; Enterprise Process Manager;
Enterprise Service Integrator; Content Management
(Stellent Section 404, Content Server); data
sources: Mainframe, ERP, AS/400