Oracle Identity Management—Governance, Risk, and
Compliance Architecture, Third Edition
Preface
An identity management system is defined as the management of the identity life cycle of entities (subjects or objects) during which the identity is established, described, and destroyed. What this definition fails to cover is the social, personal, and financial impact of the identity life cycle.
Before I joined Oracle as director of GRC Product Strategy with the goal of creating a product that would address corporate governance, shareholder risk, and regulatory compliance, I had been a specialist in identity management for 14 years. Having worked at Netscape with Tim Howes and Frank Chen, and having participated in IETF working groups, I was no stranger to the social impact of technologies.
After Netscape was acquired by AOL and then Time Warner, I learned that the corporate officers had acted unethically, issuing three times the stock options for which they had shares. I was crushed, because I not only believed in my former employer but I believed in the value of the stock options. During that time in my life, I had been diagnosed with a rare form of Hodgkin's lymphoma and was in need of a stem cell transplant. The insurance handled most of the medical bills, but the co-payments were costly. Without the ability to exercise my stock options, I lacked the funds for the insurance co-payments.
Fortunately, I still had professional worth despite my partial inability to work, and an excellent manager from Oracle hired me. I found Oracle to be an ethical company for giving me health benefits while I was ill, and due to my employment with them, I was able to receive treatment through two years of stem cell transplant and chemotherapy while working remotely. It was at this juncture that I realized my career was more than a way to increase the wealth and efficiency of the corporation for which I worked; it was a way for me to take this life lesson and become an instrument of change.
Introduction
Corporations are often seen as inherently amoral and driven to secure profits for their shareholders. This is because those empowered to ensure accountability often have no visibility into the inner workings of the business. Legislation is the tool society uses to hold those in power responsible to the community in which they interact, but without a strong regulatory system, cancer cells injure a body.
Identity management is the first line of defense in the corporate internal ecosystem; it enables the corporate structure to know who is doing what, where. From this base knowledge of identity patterns, behavior and governance can then be established to ensure the corporate entity behaves in a healthy, symbiotic manner with its partners, shareholders, employees, and society. In this work we strive to create a governance ecosystem that enables a business to act in a profitable manner, employing enlightened self-interest to create a better world. This is the best I can do with the second chance I have been given.
The goal of this work is to enable you to leverage the Oracle Identity Management Suite in conjunction with Oracle's other governance, risk, and compliance products to facilitate regulatory compliance and good corporate governance. In the first four chapters we cover the nature of what has come to be called governance, risk, and compliance or GRC for short. We outline a common taxonomy for the GRC space, cite standards that are used, and illustrate compliance frameworks that information systems auditors and corporate performance experts use to measure good corporate governance and security. We then present a meta-framework that we at Oracle use to abstract the control criteria defined by legislation and the compliance frameworks themselves, which often have overlapping interpretations and measures.
Using this meta-model, we present you with a detailed method to implement and configure our identity management product suite to obtain the control objectives we have identified through analysis of auditor reports, compliance frameworks, and the legislation itself. Finally, we provide a taxonomy of the legislation we have encountered throughout the world and, in Appendix A, illustrate how our applications and technology, including our Identity Management product suite, enable a corporation to meet the legal mandates within multiple legal jurisdictions with a single unified solution.
A secondary goal of this book is to empower those charged with stewardship of the corporation, be they corporate board members, legal expert witnesses, or auditors, with a tool they can use to measure their own efforts in meeting the compliance duties entrusted to them. Board members and executive management need technical guidance when reviewing the solutions presented. Consultants and vendors alike often pitch products and services without mapping the solution back to the legislative driver that spawned its adoption. This siloed approach leads to redundancy of effort and excessive expense, directly counter to the board members' duties to shareholders. Using this text, a corporate steward can map those solutions directly to region and legislation, and can hold service providers accountable for the proper deployment and configuration of those services.
Implement Multinational Regulatory Compliance Solutions
This comprehensive new resource from Oracle details the legal and technological aspects of Oracle Identity Management, the integrated suite of database security tools. You will get installation and configuration instructions as well as in-depth coverage of multinational regulations and guidelines to ensure compliance with minimal effort. This work covers over 220 legislative mandates in over 60 countries and provides metrics against such frameworks as ITIL, COBIT, ISO, BSI IT-Grundschutz, GAIT, and FISMA.
Summary
The Oracle Identity Management Suite, when properly configured, deployed, and used, provides all the technical controls necessary to meet the legal challenges imposed by a global marketplace. It is important to remember that no software product, no matter how sophisticated and complex, will manage regulatory compliance for a company. Regulatory compliance and good corporate governance happen as a result of policy, process, and procedure implemented by the employees, managers, and executives of a corporation. It is the individual's responsibility to act from a perspective of enlightened self-interest to further the symbiosis of the corporate structure and the environment in which that corporate structure functions. The environment must be expanded from the traditional market perspective to encompass all those aspects that make up the marketplace. This holistic approach must include social responsibility and environmental stewardship and must result in the corporation assuming a position of moral and ethical leadership if the era of the corporation is to survive.
Part I: Fundamental Concepts
Chapter List
Chapter 1: Enterprise Risk
Chapter 2: Compliance Frameworks
Chapter 3: Oracle Governance, Risk, and Compliance Management Architecture
Chapter 1: Enterprise Risk
Identity and its governance have become the principal concern of chief information security officers and those charged with the management and compilation of personally identifiable information. This chapter provides a primer for the information professional. It details the elements of risk management and risk analysis, and the measures to which the efforts of those charged with the custodianship of personally identifiable information are held in multiple jurisdictions and regions.
What Is Risk Management?
Risk management planning is about making informed business decisions. Mitigating risk means reducing the risk until it reaches a level that is acceptable to an organization. This involves achieving the appropriate balance between realizing opportunities for gains and minimizing losses. Risk management can therefore be defined as the identification, analysis, control, and minimization of loss associated with events that affect the enterprise. As such, it is an integral part of good management practice and an essential element of good corporate governance. It is an iterative process consisting of steps that, when undertaken in sequence, enable continuous improvement in decision making and in performance. It is important to remember that totally eliminating risk in an enterprise cannot be achieved without ceasing operations.
Risk Mitigation
Risk mitigation means finding out what level of risk the enterprise can safely tolerate and still continue to function effectively. To enable this process, some properties of the various elements will need to be determined, such as the value of assets, the threats and vulnerabilities, and the likelihood of events. There are many practical benefits to performing a risk analysis. It creates a clear cost-to-value ratio for security protections and influences the decision-making process for hardware and software systems design. More importantly, risk analysis helps a company to focus its resources where they are needed most, influencing planning and growth. Organizations that manage risk effectively and efficiently are more likely to achieve their objectives and do so at lower overall cost.
What Is Risk Analysis?
The first major element of risk analysis is to assess the value of the information itself. Information asset value is the heart of the risk assessment process. Any security analysis must include a detailed inventory and empirical assessment of the value of the information resources. Although it is possible to make a detailed assessment of the security functionality of specific IT components without considering the value of the data they transmit, store, and process, it is impossible to define security requirements for a system without knowing the value of the data in question. The consequences of damage by a risk incident might not just be quantifiable initially in monetary terms, such as the loss of valuable assets or destructive levels of litigation, but also in criminal penalties levied against a company's officers and board members.
Risk has two primary components for a given event:

- The probability (likelihood) of occurrence of that event
- The impact of the event occurring (amount at stake)
The first step in risk management is to identify all potential risk issues. The second step is to quantify and document the threats, assets, vulnerabilities, exposure factors, and safeguards.
Definitions Used in the Risk Analysis Process
Definitions are important to establish a common lexicon for discussion to provide background and a general understanding of the governance initiative within the software industry. The term risk analysis means many things to different people. All of these definitions have merit; thus, it is important to establish the context for the definition in use at the moment. For our purposes, we will use the following general definition:
- Asset: An asset is a resource, product, process, or digital infrastructure element that an organization has determined must be protected.
The identification of risk to an organization entails defining the following four basic elements:

- The actual threat
- The possible consequences of the realized threat
- The probable frequency of the occurrence of a threat
- The confidence level that a threat will happen
In that light, the following definitions are vital to the process of risk management:

- Threat: The presence of any potential event that causes a detrimental impact on the organization.
- Vulnerability: The absence or weakness of a safeguard countering a threat.
- Safeguard: A control or countermeasure employed to reduce the risk associated with a specific threat or group of threats.
- Exposure factor (EF): The percentage of loss a realized threat event would cause to a specific asset.
- Single loss expectancy (SLE): A financial amount assigned to a single realized threat event, representing a loss to the organization. It is derived from the following formula:
    o Asset Value × Exposure Factor (EF) = SLE
- Annualized rate of occurrence (ARO): A number that represents the estimated frequency of an expected threat.
- Annualized loss expectancy (ALE): A financial figure that represents the annual expected loss from threats. It is derived from the following formula:
    o SLE × ARO = ALE
- Preliminary security examination (PSE): A PSE is often conducted before the actual quantitative risk analysis (RA). The PSE helps to gather together the elements that will be needed when the actual RA takes place. It also helps to focus the risk analysis.
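The SLE and ALE formulas above, carried through on a small constructed risk register as an added example (not code from the book or from Oracle): it computes SLE and ALE per threat, ranks threats by ALE, and extends the book's definitions with a safeguard cost-benefit figure (ALE reduction minus the control's annual cost), which is an assumed addition. All asset names, values, exposure factors and rates of occurrence are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ThreatScenario:
    """One threat against one asset, quantified with the inputs defined above."""
    asset: str
    threat: str
    asset_value: float      # monetary value of the asset (AV)
    exposure_factor: float  # fraction of AV lost per realized event (EF, 0.0 to 1.0)
    aro: float              # annualized rate of occurrence (ARO)

    def __post_init__(self):
        # An EF outside 0..1 or a negative ARO/value is a data-entry error, not a risk figure.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.exposure_factor}")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: Asset Value x Exposure Factor = SLE."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO = ALE."""
        return self.sle() * self.aro

def safeguard_value(before: ThreatScenario, after: ThreatScenario, annual_cost: float) -> float:
    """Net annual value of a safeguard (assumed extension, not from the book): ALE before the
    control minus ALE after it, minus the control's yearly cost. Positive means it pays for itself."""
    return before.ale() - after.ale() - annual_cost

def rank_by_ale(scenarios):
    """Order a risk register so the largest annual expected loss comes first."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)

# Constructed sample register (hypothetical figures, not from the book).
PII_BEFORE = ThreatScenario("Customer PII database", "access via orphaned account", 2_000_000, 0.25, 0.5)
# Same scenario after an (assumed) automated deprovisioning control cuts the ARO.
PII_AFTER = replace(PII_BEFORE, aro=0.1)
REGISTER = [
    PII_BEFORE,
    ThreatScenario("Payroll system", "privilege misuse", 800_000, 0.10, 2.0),
    ThreatScenario("Field laptop", "theft", 3_000, 1.0, 5.0),
]

if __name__ == "__main__":
    for s in rank_by_ale(REGISTER):
        print(f"{s.asset:24s} {s.threat:30s} SLE={s.sle():>12,.0f} ALE={s.ale():>12,.0f}")
    print(f"Net value of deprovisioning control: {safeguard_value(PII_BEFORE, PII_AFTER, 60_000):,.0f}")
```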
The difference between quantitative and qualitative RA is fairly simple: quantitative RA attempts to assign independently objective numeric values, whereas qualitative RA ranks risks on relative scales. Risk analysis begins with a detailed study of the risk issues that have been identified and approved by decision makers for further evaluation. The objective is to gather enough information about the risk issues to judge the likelihood of occurrence and the cost, schedule, and technical consequences if the risk occurs. There are a number of approaches to risk:

- Accept the risk.
- Avoid the risk.
- Reduce the risk.
- Contain the risk.
- Transfer the risk.
However, before we determine how to deal with risk, we must first identify the risk in a concrete, auditable format. The following are common risk identification methods:

- Objective-based risk identification: Organizations set objectives. Any event that may endanger achieving an objective is identified as risk. Objective-based risk