Hello, I'm Rohit Gupta, Director of Identity Management and Security Products at Oracle Corporation, and I'm here today to talk to you about identity management as it relates to Sarbanes-Oxley reforms.
Now, the Sarbanes-Oxley Act was passed in 2002, specifically around providing legislation in response to the accounting and financial scandals that engulfed the likes of Enron, WorldCom, and Tyco. Sarbanes-Oxley has two major tenets: Section 404 and Section 302. 404 is centered around who gets access to what data, how often do they get access, what are they doing with it - fundamentally, talking about setting up a control framework that gives the enterprise information about access rights. And then 302 around notification whenever changes to these controls are made, so directly playing a role within disclosure.
The sections in Sarbanes-Oxley, the legislations here, have three common themes: Confidentiality, which is really around ensuring that the data is protected, the right people are seeing the data; the integrity, which is centered around ensuring that the data itself is valid; and then security, which is ensuring that the right sort of protective controls are in place for your data.
The challenges with the Sarbanes-Oxley legislations are, they're pretty broad, and there isn't a specific reference model or reference architecture that enables enterprises to implement these efficiently.
Now, Oracle recommends a compliance reference model based on four primary principles. These include policy definition, which really gives you the ability to set up your entitlements, or your access rights, based on things such as role-based access control or policy-based access control - set up your provisioning and administering of your users - gives you the ability to set up preventive controls, so protecting your Web-based data by giving you Web single sign-on, or your legacy data, which may reside in a mainframe or a desktop client server environment.
Detective controls - again, extremely critical to report on what your users are doing. How often do they access data? What are they doing with that information once they get access to that?
And then, lastly, control validation, which is giving you the ability to set processes, such as attestation, on a regular basis; set up your dashboards; do your gap analysis; et cetera, for both your financial and IT users, in an efficient manner.
Now, the interesting element here is, in order to be effective with Sarbanes-Oxley reforms, you've got to complete this in a sustainable and iterative manner centered around your audit and corporate data.
In summary, identity management can help address the confidentiality, integrity, and security needs of your Sarbanes-Oxley requirements. It'll help you achieve your tactical demands from your auditor, as well as the strategic demands to obtain business efficiencies from your compliance requirements.
For more information, I invite you to visit oracle.com/identity to learn what customers are doing with these products.