INNOV-05: The Rocky Road to Compliance - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
INNOV-05 The Rocky Road to Compliance
  • Shari Zedeck
  • Director of Product Management

2
Agenda
  • The Road to Regulations
  • Translating Regulations to Requirements
  • How OpenEdge Helps

3
The Road to Regulations
How did we get here?
  • September 11
  • Privacy Concerns
  • Corporate Scandals -- Enron, WorldCom/MCI,
    Merrill Lynch, Tyco and others

4
Software Security
Year             2000   2001   2002   2003   2004
Vulnerabilities  1,090  2,437  4,129  3,784  3,780
Over 16,000 software security vulnerabilities
have been reported by CERT to web site owners and
software product developers over the last five
years.
Source: The CERT Coordination Center
5
Who Cares about Security?
Government Agencies and SIGs Worldwide
6
Privacy
  • Protecting Personal Information
  • Information Privacy
  • Confidentiality
  • Identity Theft

7
The Face of Business Today
Old World Order (1995 to 2002)    New World Order (2003 to 2006)
  • Executive Decisions             • Executive Accountability
  • Creative Accounting             • Compliance Accounting
  • Secrecy                         • Transparency
  • Industry Guidance               • Industry Oversight
  • Investors Seek Ideas            • Investors Seek Value
  • Guidelines                      • Policies
  • Management                      • Governance

Source: Gartner Group
8
The Road to Regulations
What are the Regulations?
  • General Regulations
      • Sarbanes-Oxley Act
      • Title 21 CFR Part 11
      • US Patriot Act
      • California SB 1386
      • Foreign Corrupt Practices Act
      • European Union Data Protection Directive of
        1998/2001

9
The Road to Regulations
What are the Regulations?
  • Industry-Specific Regulations
      • Health Insurance Portability and Accountability
        Act (HIPAA) in Health Care
      • Basel Accord II
      • Gramm-Leach-Bliley Act (GLBA) in Financial
        Services
      • Visa Cardholder Information Security Program
        (CISP) for Retail/Merchants

10
Why Comply?
"...Simply complying with the rules is not
enough. If companies view the new laws as
opportunities - opportunities to improve internal
controls, improve the performance of the board,
and improve their public reporting - they will
ultimately be better run, more transparent, and
therefore more attractive to investors."
William Donaldson, SEC Chairman, 4 November 2004
11
The Road to Regulations
What do these Regulations tell us?
  • Not enough
  • No specifics
  • Best practices
  • Appropriate behaviors

12
Compliance: Myth or Reality?
Highest Global Concern of IT Managers
13
Agenda
  • The Road to Regulations
  • Translating Regulations to Requirements
  • How OpenEdge Helps

14
Achieving Compliance
What should your company do?
  • Interpret what the regulation says
  • Understand what your company currently does
  • Document a plan for achieving compliance
  • Assign resources
  • Pick a process framework
  • Understand what your auditors expect
  • Execute the plan
  • Devise measures and controls that prove that you
    have implemented the plan

15
Sarbanes-Oxley
What does it tell you?
  • Leadership is accountable
  • Conflicts of interest must be avoided
  • Executive boards must include two Certified
    Public Accountants and three other financially
    literate members
  • Companies must adopt standards of ethics and
    quality control for auditors and review
    compliance regularly
  • Any info gathered by the Board must remain
    confidential and privileged
  • US Securities and Exchange Commission, Federal
    Reserve, and Treasury Department all have rights
    to administer necessary disciplinary action

16
Translating Regs into Requirements
Sarbanes-Oxley
  • Data integrity and quality are necessary to
    decrease operational risk
  • More real-time financial information sources and
    reporting are required
  • The walls between traditionally independent
    applications must come down (integration)
  • Information must be from auditable, certifiable
    sources
  • Evidence must be available that information was
    not tampered with (information security)
  • Protection (privacy) must be provided for
    whistleblowers
      • Their communication must remain confidential,
        anonymous (if requested), and traceable (audit
        trail)

17
Sarbanes-Oxley
"SOX offers significant long-term benefit in
helping to prevent fraud and misdirection of
corporate resources and in improving the accuracy
of financial reporting. This should lead to
better input for management decisions and higher
quality information and stronger protection for
investors."
William Donaldson, Chairman, US Securities and
Exchange Commission, February 7, 2005
18
Gramm-Leach-Bliley Act
What does it tell you?
  • Financial institutions must disclose their
    information privacy and sharing policies
  • Differentiate between public and non-public
    personal financial information
  • Ensure the confidentiality of customer
    information
  • Security of customer records / information
  • Protection against threats to the security and
    integrity of data
  • Prevention of unauthorized access to / use of
    data that would cause inconvenience or harm to a
    customer

19
Translating Regs into Requirements
Gramm-Leach-Bliley Act
  • Customers believe that personal financial info
    should be private - make sure privacy policies
    are clear
  • Corporate customers demand similar protection for
    their financial info - ensure its security /
    confidentiality
  • Background check internal staff to limit their
    becoming significant sources of sensitive info
    leaks (security)
  • All points through which sensitive information
    passes must be protected equally, or all are liable
  • Third-party service providers are subject to the
    same risk management and information privacy
    policies for transactions as if you were
    performing them directly - know your partners

20
Gramm-Leach-Bliley
"The Gramm-Leach-Bliley Act creates wholly new
financial services organizations in
America. ... Americans today spend about $350
billion on financial services on fees and
charges and interest. ... There are tens of
billions of dollars of savings for the American
consumer that will be produced by the reforms of
this bill."
Senator Phil Gramm, November 4, 1999
21
Basel II
What does it tell you?
  • Banks and financial institutions must regulate
    risk
  • Risk oversight, review and management procedures
    must be evaluated periodically
  • Certain event types require risk assessment and
    regulatory treatment:
      • Internal and external fraud
      • Employment practices and workplace safety
      • Clients, products and business practices
      • Damage to physical assets
      • Business disruption and system failures

22
Translating Regs into Requirements
Basel II: The International Convergence of
Capital Measurement and Capital Standards
  • Identifying, assessing, mitigating, transferring,
    controlling and monitoring credit, market and
    operational risks requires information sharing via
    scorecarding and advanced analytics, reporting,
    and integration -- across the enterprise.

23
Basel II
"Basel II provides banks with ... incentives to
improve their risk management systems and
processes. The framework will help ensure that
capital supervision continues to serve as a
cornerstone to safety and soundness in the
banking system. Both make banks more resilient,
less sensitive to the ups and downs of the
business cycle, and better able to serve as a
source of credit and growth for businesses and
consumers."
Jaime Caruana, Governor of the Bank of Spain and
Chairman of the Basel Committee, 11 November 2004
24
Translating Regs to Requirements
Pulling Them All Together
  • Sarbanes-Oxley
  • Basel II
  • Gramm-Leach-Bliley

25
Mapping Business Functions to Technologies
Source: Gartner Research (September 2003)
26
Translating Regs into Requirements
What does it all mean?
Security: Identity and access management, intrusion prevention, information/data security and privacy, network security, authorization, authentication
Auditing: Access authorization and authentication, audit trails, segregation of duties
Integration: Integration of data and applications
Disaster Recovery: Rollback and failover for business continuity and disaster recovery, especially financial reporting records
Performance and Risk Management: Real-time reporting, planning and forecasting, budgeting, financial reporting, management of risk, monitoring of business systems
27
Agenda
  • The Road to Regulations
  • Translating Regulations to Requirements
  • How OpenEdge Helps

28
Under Development
  • This talk includes information about potential
    future products and/or product enhancements.
  • What I am going to say reflects our current
    thinking, but the information contained herein is
    preliminary and subject to change. Any future
    products we ultimately deliver may be materially
    different from what is described here.

29
Meeting Regulatory Requirements
For Security
OpenEdge 10.0B - Data encryption (and decryption): securing data by transforming plain text into a less readable form
OpenEdge 10.0B - Secure Sockets Layer (SSL) support: securing the connection to the internet
OpenEdge 10.1 - Auditing: reliable, secure recording of events, producing an audit trail to reconstruct and examine the events
OpenEdge Future - Authentication: verification of a user's identity
OpenEdge Future - Authorization: the types of access that a user may have to a particular resource
30
Meeting Regulatory Requirements
For Auditing
OpenEdge 10.1 - Facilitate guaranteed non-repudiation of audit data
OpenEdge 10.1 - High performance, scalable and efficient storage of audit data
OpenEdge 10.1 - Audit policy configuration and extensible architecture in the OpenEdge database, 4GL application, SQL server, and database maintenance tools
31
Meeting Regulatory Requirements
For Integration
OpenEdge Adapters 10.0B / 10.1 - Facilitate the integration of data and applications using Sonic technology
SonicMQ - Highly available, secure and reliable messaging backbone to remote offices and business partners
Sonic ESB - An enterprise service bus which simplifies the integration and reuse of business components using a standards-based SOA
32
Meeting Regulatory Requirements
For Disaster Recovery and Business Continuity
Fathom Replication - Efficient failover and backup for business continuity. Protection and recovery of mission-critical business and financial reporting information, providing complete data protection.
Fathom Management - Continuous availability: keeps essential systems up and running. Monitoring and management of resources. Automatic detection, alerts and correction of potential problem areas.
33
Meeting Regulatory Requirements
For Performance / Risk Management
Crystal Reports - Scheduled or on-demand reports to consolidate information. Publish to a server, portal, or extranet to gain real-time visibility and provide rapid disclosure of material events.
Corvu - Dashboards and drill-down to automatically monitor, alert on variances, and summarize financial results under tight deadlines. Scorecarding to provide visibility within an organization.
34
Meeting Regulatory Requirements
For Performance / Risk Management
CorStrategy - For collecting data in a range of forms and producing quality briefing books with high quality, real-time, reliable information
CorPlanning - For planning and managing a budget around key initiatives and creating standard financial reports
CorRisk - Performance Management framework to manage and monitor key business drivers, levers, and performance, as well as mitigate and manage threats
35
Meeting Regulatory Requirements
For Performance / Risk Management
CorBusiness - For reporting, graphical analysis, and KPI management
CorPortfolio - Performance Management framework to manage and monitor key business drivers, levers, and performance, as well as mitigate and manage threats
HyperVu - For Business Intelligence deployment via the web, with scalable live access to performance management data
36
In Summary
  • Regulatory compliance can no longer be ignored
  • Being regulatory compliant can give you a
    competitive edge
  • OpenEdge provides features to support the
    security, auditing, integration, disaster
    recovery, business continuity, risk management
    and reporting needs of regulatory compliance

37
For Additional Information
  • Financial Services Information Sharing and
    Analysis Center www.fsisac.com
  • Sarbanes-Oxley www.aicpa.org
  • Basel II www.bis.org/publ/bcbsca.htm and
    www.basel-ii-risk.com
  • GLBA www.ftc.gov/privacy/glbact/
  • COBIT www.isaca.org/cobit
  • COSO www.aicpa.org

38
Questions?
Upcoming Exchange Sessions and Birds-of-a-Feather
Meetings
Topic                                       Sessions                                  Birds-of-a-Feather
Security                                    DEV-09, DEV-17, INNOV-09
Common Business Services / Auditing         ARCH-08, DONE-07                          Business Svcs Tues 6pm; Auditing Weds 8am
Web Services and Application Integration    SOA-03, SOA-04, SOA-06, SOA-07, SOA-08    Integration Tues 6pm
Business Continuity and Disaster Recovery   COMP-09                                   Mgmt Services Tues 6pm
Business Intelligence and Reporting         COMP-08, COMP-11, COMP-12, COMP-13        EPM Tues 6pm; Business Objs Weds 8am
39
Thank you for your time!