Title:
AUTOMATED GOVERNANCE, RISK MANAGEMENT, AND COMPLIANCE INTEGRATION
Document Type and Number:
WIPO Patent Application WO/2011/115983
Kind Code:
A1
Abstract:
A method and apparatus for automated governance, risk management, and compliance (GRC) integration are provided. A GRC Integration Management (GRC IM) unit may integrate one or more Enterprise Systems with a GRC system. The GRC IM may obtain system configuration information from an Enterprise System. The GRC IM may generate inter-system normalization information to define relationships between the Enterprise System configuration information and a GRC. Custom controls may be generated to encapsulate control data and policy information from the Enterprise System in the GRC system. An integration interface, which may include a Real-Time Agent, may be generated. The GRC IM may communicate with the GRC system using a GRC system compliant interface and may communicate with the Enterprise System using an Enterprise System compliant interface to perform real-time automated cross-system analysis, compliance, preventive access security, and transaction monitoring for GRC.

Inventors:
ADYA ANAND (US)
DESHPANDE GURURAJ (US)
Application Number:
PCT/US2011/028506
Publication Date:
September 22, 2011
Filing Date:
March 15, 2011
Assignee:
GREENLIGHT TECHNOLOGIES INC (US)
ADYA ANAND (US)
DESHPANDE GURURAJ (US)
International Classes:
G06Q10/06; G06Q99/00
Foreign References:
US20090192867A1 (2009-07-30)
US20090319312A1 (2009-12-24)
US20090299804A1 (2009-12-03)
US20090265209A1 (2009-10-22)
US20080103857A1 (2008-05-01)
US20050075916A1 (2005-04-07)
Attorney, Agent or Firm:
KLINE, Adam (United Plaza, Philadelphia, Pennsylvania, US)
Claims:
CLAIMS

What is claimed is:

1. A method for use in a Governance, Risk Management, and Compliance (GRC) Integration Management (GRC IM) unit, the method comprising:

obtaining system configuration information associated with an Enterprise System;

generating inter-system normalization information indicating one or more relationships between the system configuration information associated with the Enterprise System and system configuration information associated with a GRC system; and

generating an integration interface based on the inter-system normalization information, wherein the integration interface includes a GRC system compliant interface and an Enterprise System compliant interface, and wherein the Enterprise System compliant interface is not a GRC system compliant interface.

2. The method of claim 1, further comprising:

receiving a GRC request from the GRC system;

generating an Enterprise System request based on the GRC request and the inter-system normalization information; and

transmitting the Enterprise System request to the Enterprise System.

3. The method of claim 2, wherein the generating an integration interface includes generating a Real-Time Agent (RTA) associated with the Enterprise System, wherein the transmitting the Enterprise System request includes transmitting via the RTA.

4. The method of claim 1, wherein the generating an integration interface includes:

analyzing a constraint associated with the Enterprise System; and generating a control to encapsulate the constraint within the GRC system.

5. The method of claim 1, further comprising:

monitoring the Enterprise System;

detecting a change in the Enterprise System; and

reporting the change to the GRC system.

6. The method of claim 5, wherein the generating an integration interface includes configuring a monitoring metric, wherein the monitoring is performed based on the monitoring metric.

7. The method of claim 5, wherein the monitoring includes monitoring system configuration information, control data, policies, or transaction data.

8. A Governance, Risk Management, and Compliance (GRC) Integration Management (GRC IM) unit comprising:

a Common Metadata Framework (CDF) module configured to:

obtain system configuration information associated with an Enterprise System, and

generate inter-system normalization information indicating one or more relationships between the system configuration information associated with the Enterprise System and system configuration information associated with a GRC system; and

a Custom Adapters and Controls (CAC) module configured to generate an integration interface based on the inter-system normalization information, wherein the integration interface includes a GRC system compliant interface and an Enterprise System compliant interface, and wherein the Enterprise System compliant interface is not a GRC system compliant interface.

9. The GRC IM unit of claim 8, wherein the integration interface is configured to receive a GRC request from the GRC system, further comprising:

an Execution Control module configured to generate an Enterprise System request based on the GRC request and the inter-system normalization information; and

a Connection Framework module configured to transmit the Enterprise System request to the Enterprise System via the Enterprise System compliant interface.

10. The GRC IM unit of claim 8, wherein the generating an integration interface includes generating a Real-Time Agent (RTA) associated with the Enterprise System, wherein the transmitting the Enterprise System request includes transmitting via the RTA.

11. The GRC IM unit of claim 8, wherein the CAC module is configured to generate the integration interface by:

analyzing a constraint associated with the Enterprise System; and

generating a control to encapsulate the constraint within the GRC system.

12. The GRC IM unit of claim 8, wherein the integration interface is configured to:

monitor the Enterprise System;

detect a change in the Enterprise System; and

report the change to the GRC system.

13. The GRC IM unit of claim 12, wherein the CAC module is configured to configure a monitoring metric and the integration interface is configured to monitor the Enterprise System based on the monitoring metric.

14. The GRC IM unit of claim 12, wherein the integration interface is configured to monitor the Enterprise System by monitoring system configuration information, control data, policies, or transaction data.

Description:
[0001] METHOD AND APPARATUS FOR AUTOMATED GOVERNANCE, RISK MANAGEMENT, AND COMPLIANCE INTEGRATION

[0002] CROSS REFERENCE TO RELATED APPLICATION

[0003] This application claims the benefit of U.S. Provisional Application No. 61/314,034 filed March 15, 2010, the contents of which are hereby incorporated by reference herein.

[0004] BACKGROUND

[0005] Governance, Risk Management, and Compliance (GRC) systems provide automated tracking and control for the systematic and effective execution of GRC policies for business entities. Governance includes controls affecting policy management structures, business processes, and information flow. Risk management includes the identification and analysis of risk, including technological and financial risk. Compliance includes ensuring conformance with defined governance and risk management policies.

[0006] Business entities may employ a variety of heterogeneous enterprise systems, such as sales systems, human resources systems, accounting systems, and the like. Each of the Enterprise Systems may affect, or be affected by, GRC policies. However, Enterprise Systems may not integrate with GRC systems. Accordingly, a method and apparatus for automated governance, risk management, and compliance integration would be advantageous.

[0007] SUMMARY

[0008] A method and apparatus for automated governance, risk management, and compliance (GRC) integration are provided. A GRC Integration Management (GRC IM) unit may integrate one or more Enterprise Systems with a GRC system. The GRC IM may obtain system configuration information from an Enterprise System. The GRC IM may generate inter-system normalization information to define relationships between the Enterprise System configuration information and a GRC. Custom controls may be generated to encapsulate control data and policy information from the Enterprise System in the GRC system. An integration interface, which may include a Real-Time Agent, may be generated. The GRC IM may communicate with the GRC system using a GRC system compliant interface and may communicate with the Enterprise System using an Enterprise System compliant interface to perform real-time automated cross-system analysis, compliance, preventive access security, and transaction monitoring for GRC.

[0009] BRIEF DESCRIPTION OF THE DRAWINGS

[0010] A more detailed understanding may be had from the following description, given by way of example in conjunction with the accompanying drawings wherein:

[0011] Figure 1 shows a diagram of an example of an Integration Architecture for automated Governance, Risk Management, and Compliance;

[0012] Figure 2 shows an example of a method of custom real-time agent configuration; and

[0013] Figure 3 shows a process flow diagram of an example of a Governance, Risk Management, and Compliance request.

[0014] DETAILED DESCRIPTION

[0015] Figure 1 shows a diagram of an example of an automated Governance, Risk Management, and Compliance (GRC) Integration Architecture (GRC IA) 1000. The GRC IA 1000 may include a GRC Integration Management unit (GRC IM) 1100, a GRC Access Control and Process Control Risk Management System (GRC System) 1200, and one or more Enterprise Systems 1300. The GRC IM 1100 and the GRC System 1200 may be configured separately, as shown, or the GRC IM 1100 and the GRC System 1200 may be configured in a single device. For example, the GRC system may be an SAP GRC system configured in a NetWeaver Java Stack, and the GRC IM 1100 may be configured in the NetWeaver Java Stack.

[0016] The GRC IM 1100 may communicate with the GRC System 1200 and the Enterprise Systems 1300 to perform real-time automated cross-system analysis, compliance, preventive access security, and transaction monitoring for GRC. For example, the GRC IM 1110 may establish a connection to an Enterprise System 1300, normalize the Enterprise System's GRC related data to the GRC system 1200, and provide the GRC system 1200 with a synchronous (real-time), or asynchronous, connection to the Enterprise System's data. The GRC IM 1100 may add, update, or modify data within the Enterprise System 1300. For example, the GRC IM 1100 may perform Compliant User Provisioning (CUP), which may include analyzing user configurations and generating or modifying user data, such as role and responsibility assignments and profile information, on the Enterprise System 1300.

[0017] The GRC System 1200 may include one or more GRC modules 1210, such as a risk analysis and remediation (RAR) module, a compliant user provisioning (CUP) module, a process control (PC) module, an access control (AC) module, a Risk Management (RM) module, or a PCRM module. Although Figure 1 shows three GRC modules 1210 for simplicity, the GRC System 1200 may include any number of GRC modules 1210. The GRC System 1200 may include an interface 1220, which may be a web services (WS) interface. The GRC System 1200 may include a GRC data module (GRCDM) 1230, which may include a GRC schema, GRC system control data, and GRC policies. The GRC System 1200 may include a Visual Administrator (VA) 1230, which may include an interface to the GRCDM 1230.

[0018] An Enterprise System 1300, such as a custom system or a legacy system, may include an Enterprise Data Module (EDM) 1310. For example, a custom Enterprise System may include a custom EDM 1310 and a legacy Enterprise System may include a legacy EDM 1310. An EDM 1310 may include an Enterprise System schema, Enterprise System policies, Enterprise System control data, and Enterprise System transaction data. An Enterprise System 1300 may include an Enterprise System interface (ESI). The ESI may include a connection to the Enterprise System 1300, the EDM 1310, or both. The ESI may be a synchronous ESI, such as a WS, which may respond to requests in real time. The ESI may be an asynchronous ESI, which may respond to requests in batch form. Although Figure 1 shows three Enterprise Systems 1300 for simplicity, the GRC IA 1000 may include any number of Enterprise Systems 1300.

[0019] The GRC IM 1100 may include a Common Development Environment (CDE) module 1110, a Common Metadata Framework (CMF) module 1120, a Supplementary Analysis (SA) module 1130, a Custom Adapters and Controls (CAC) module 1140, a reporting module 1150, an Automated Batch Extraction (ABE) module 1160, a Common Deployment Framework (CDF) module 1170, and a GRC IM data module (GRC IMDM) 1180, which may include a GRC IM schema. The GRC IM 1100 may generate and store the GRC IMDM 1180 in the GRCDM 1230, as shown, or the GRC IMDM 1180 may be generated and stored in another data module.

[0020] The GRC IM 1100 may include one or more Real-Time Agents (RTAs) 1102. An RTA 1102 may be associated with an Enterprise System 1300 and may communicate synchronously with the Enterprise System 1300. An RTA 1102 may be configured at the GRC IM 1100, at the Enterprise System 1300, or at a combination of the GRC IM 1100 and the Enterprise System 1300. An RTA 1102 may communicate with an Enterprise System 1300 via an associated ESI. An RTA 1102 may communicate with an EDM 1310 directly, or via an associated ESI.

[0021] The GRC IM 1100 may include one or more ABEs 1104. An ABE 1104 may be associated with an Enterprise System 1300 and may communicate asynchronously with the Enterprise System 1300. An ABE 1104 may be configured at the GRC IM 1100, at the Enterprise System 1300, or at a combination of the GRC IM 1100 and the Enterprise System 1300. An ABE 1104 may communicate with an Enterprise System 1300 via an associated ESI. An ABE 1104 may communicate with an EDM 1310 directly, or via an associated ESI.

[0022] The CDE module 1110 may include a common user interface (CUI) for accessing the GRC system 1200, the Enterprise Systems 1300, or both. The CUI may include a user interface (UI) for the CMF module 1120, the SA module 1130, the CAC module 1140, the reporting module 1150, the ABE module 1160, the CDF module 1170, and the GRC IMDM 1180.

[0023] The CMF module 1120 may generate inter-system normalization information (metadata) that identifies and defines relationships between the GRC system 1200 and the Enterprise Systems 1300. For example, the inter-system normalization information may define relationships between the Enterprise System's system configuration information and the GRC system's system configuration information. The inter-system normalization information may include relationship descriptions for schema, control data, and policy definitions. The inter-system normalization information may include one or more inter-system normalization information elements. The inter-system normalization information may include customization information, such as Enterprise Resource Planning (ERP) customization information, associated with each relationship definition. For example, an EDM 1310 may include a custom entity, such as a customized menu option. The CMF module 1120 may identify and define a relationship between the custom entity and a GRCDM 1230 entity, such as a transaction code. The metadata may be associated with one or more Enterprise Systems 1300 of an Enterprise System type, and may include customization information associated with each Enterprise System 1300. The CMF module 1120 may store the inter-system normalization information in the GRC IMDM 1180.

[0024] The SA module 1130 may generate supplementary integration controls (custom controls) for an Enterprise System 1300. An EDM 1310 may include constraints that are not included in the inter-system normalization information. The SA module 1130 may analyze those constraints and may generate supplementary integration controls to encapsulate them.

[0025] The CAC module 1140 may generate an integration interface, including one or more RTAs 1102 for integrating an Enterprise System 1300 with the GRC system 1200. Generating an RTA 1102 may include generating metadata, defining an API, generating queries or scripts, defining relationships between the EDM 1310 and the GRCDM 1230, and configuring monitoring for the Enterprise System 1300. Generating an RTA 1102 may include using the metadata generated by the CMF module 1120.

[0026] Generating an RTA 1102 may include detecting and analyzing system configuration information for an Enterprise System 1300. For example, the CAC module 1140 may obtain system configuration information, such as control data, from an EDM 1310. The CAC module 1140 may generate and execute a request, a query, or a script to obtain the data. The CAC module 1140 may generate inter-system normalization information that identifies and defines relationships between control data and policy information in the GRC system 1200 and the Enterprise System 1300 based on the system configuration information.

[0027] The CAC module 1140 may configure an integration interface or an RTA 1102 to monitor system configuration information, control data, policies, or transaction data for an Enterprise System 1300. Monitoring may include detecting, analyzing, and reporting changes in the Enterprise System 1300. The configuration may include identifying the data to be monitored and defining monitoring metrics, such as reporting thresholds. For example, monitoring transaction data may include identifying anomalies, such as control violations, and reporting the anomalies to the GRC system 1200. An RTA 1102 may be configured to monitor an Enterprise System 1300 autonomously (without user input), interactively (in response to user input), or using a combination of interactive and autonomous reporting.

[0028] The reporting module 1160 may generate reports, such as security reports and audit reports, for an Enterprise System 1300. Report generation may include defining reporting metrics, such as reporting thresholds, associating the report with an RTA, and scheduling the report. Scheduling may include executing the report immediately, or establishing periodic execution for the report.

[0029] The Automated Batch Extraction (ABE) module 1160 may generate an ABE 1104 to extract and store data from an Enterprise System 1300. Generating an ABE 1104 may include associating the ABE with an ESI 1320, such as an asynchronous ESI 1320, and scheduling execution of the ABE 1104. The ABE 1104 may extract and store the information from the Enterprise System 1300. The GRC system 1200 may analyze and report on the extracted information. For example, the ABE 1104 may be configured to execute on a nightly basis, and to store the extracted information in a specified location, such as a file. The GRC system 1200 may obtain and import the stored information, and may analyze the information independently of the Enterprise System 1300.

[0030] The CDF module 1170 may install, configure, and host one or more integration interfaces, RTAs, or ABEs. Installing and configuring an RTA 1102 or ABE 1104 may include installing on an Enterprise System 1300 or EDM 1310. Installing and configuring an RTA 1102 or ABE 1104 may include generating instance specific connection information, such as a system identification (ID), system location information, and system credentials, for one or more Enterprise Systems 1300. The configuration information may be stored in the GRC IMDM 1180. Hosting an RTA 1102 or ABE 1104 may include obtaining the configuration information from the GRC IMDM 1180, instantiating the RTA 1102 or ABE 1104 and establishing a connection between the RTA 1102 or ABE 1104 and an Enterprise System 1300 using the connection information.

[0031] Figure 2 shows an example of a method 2000 of custom RTA configuration using the GRC IM 1100 shown in Figure 1. The CAC 1140 may generate an RTA 1102 at 2100. The GRC IM 1110 may optimize the RTA 1102 at 2200. Optimization may include evaluating the RTA's performance.

[0032] The GRC IM 1110 may persist (store) the RTA configuration in the GRC system 1200 at 2300. Storing the RTA configuration may include generating metadata associated with the RTA 1102.

[0033] The GRC system 1200 may register the RTA configuration at 2400. Registering the RTA configuration may include restricting further configuration of the RTA 1102. The GRC system 1200 may associate the RTA 1102 with a GRC control definition.

[0034] The GRC system 1200 may define metrics associated with the RTA 1102 and schedule execution of the RTA 1102 with the GRC IM 1100 at 2500.

[0035] The GRC IM 1100 may execute the RTA 1102 at 2600. The GRC IM 1100 may execute the RTA 1102 on the Enterprise System 1300 using the configuration information. For example, the RTA 1102 may generate output records, and the number of output records generated may depend on the configuration information. The output records may be transformed into an extensible markup language (XML) message.

[0036] The GRC IM 1100 may send the XML message to the GRC system 1200 at 2700. The GRC system 1200 may include a user interface and may display the XML message. The GRC system 1200 may sort the XML message, may merge the XML message with other information, such as previously stored XML messages, and may store the XML message.

[0037] Figure 3 shows a process flow diagram of an example of a GRC request in the GRC IA 1000 shown in Figure 1. The GRC IM 1100 may include an Integration Interface module 3010, an Execution Control module 3020, an ES Control module 3030, and a Connection Framework module 3040.

[0038] The GRC IM 1100 may receive a GRC request from the GRC system 1200 at 3100. The GRC request may include an identification (ID) of a target Enterprise System 1300. The Integration Interface module 3010 may analyze the GRC request and may obtain relevant metadata from the GRC IMDM 1180 based on the request and the ID.

[0039] The Execution Control module 3020 may receive the GRC request and metadata from the Integration Interface module 3010 at 3200. The Execution Control module 3020 may instantiate an ES adapter based on the request and the metadata. The Execution Control module 3020 may obtain information regarding the ES adapter from the GRC IMDM 1180.

[0040] The Adapter Control module 3030 may receive the request, the metadata, and the ES adapter from the Execution Control Module 3020 at 3300. The Adapter Control module 3030 may generate an ES message based on the ES adapter, the request, and the metadata. The Adapter Control module 3030 may obtain information regarding the ES message from the GRC IMDM 1180.

[0041] The Connection Framework module 3040 may receive the ES message from the Adapter Control module 3030 at 3400. The Connection Framework module 3040 may obtain connection information for the Enterprise System 1300 from the GRC IMDM 1180 and may transmit the ES message to the Enterprise System 1300 via the RTA 1102 at 3400. The RTA 1102 may receive a response from the Enterprise System 1300 and may send the response to the GRC system 1200 via the GRC IM 1100.
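As an added illustration that is not part of the patent and not Greenlight's code, the following constructed Python model walks a single GRC request through the Figure 3 steps: the Integration Interface looks up the target system's metadata by ID, Execution Control selects an adapter, Adapter Control rewrites the GRC-side control entities into the target system's own transaction codes, and the Connection Framework sends the message through an RTA and returns the reply in GRC terms. The system IDs, hosts, transaction codes, user assignments and the control definition are made-up sample values; the adapter is represented by its type only, and an unknown target ID is handled as an error response rather than an exception.

```python
from dataclasses import dataclass

# Contents of the GRC IMDM, keyed by target Enterprise System ID: the inter-system
# normalization information (GRC control entities mapped to each system's own
# transaction codes), the adapter type, and connection information. Constructed.
GRC_IMDM = {
    "ES-FIN": {
        "adapter": "rfc",
        "connection": {"host": "fin.example.invalid", "credential_ref": "vault:es-fin"},
        "normalization": {"CREATE_VENDOR": "FK01", "PAY_VENDOR": "F110"},
    },
    "ES-HR": {
        "adapter": "rest",
        "connection": {"host": "hr.example.invalid", "credential_ref": "vault:es-hr"},
        "normalization": {"CREATE_VENDOR": "ZHR_VEND01", "PAY_VENDOR": "ZHR_PAY07"},
    },
}

# Stand-in for each Enterprise System's EDM: user -> assigned transaction codes.
ENTERPRISE_DATA = {
    "ES-FIN": {"jdoe": {"FK01", "F110", "FB03"}, "asmith": {"FB03"}},
    "ES-HR": {"jdoe": {"ZHR_VEND01"}},
}


@dataclass
class RealTimeAgent:
    """Synchronous RTA: answers an ES message against the EDM it is attached to."""
    system_id: str
    connection: dict

    def send(self, es_message: dict) -> dict:
        assignments = ENTERPRISE_DATA[self.system_id].get(es_message["user"], set())
        held = [code for code in es_message["codes"] if code in assignments]
        return {"user": es_message["user"], "held_codes": held}


def integration_interface(grc_request: dict) -> dict:
    """Step 3100: fetch the target system's metadata from the GRC IMDM by its ID."""
    target = grc_request["target_es"]
    if target not in GRC_IMDM:
        raise KeyError(f"no normalization metadata for target {target!r}")
    return GRC_IMDM[target]


def execution_control(metadata: dict) -> str:
    """Step 3200: select the ES adapter named in the metadata (its type, here)."""
    return metadata["adapter"]


def adapter_control(adapter: str, grc_request: dict, metadata: dict) -> dict:
    """Step 3300: rewrite GRC-side entities into the ES's own transaction codes."""
    mapping = metadata["normalization"]
    codes = [mapping[entity] for entity in grc_request["control"]["conflicting"]]
    return {"adapter": adapter, "user": grc_request["user"], "codes": codes}


def connection_framework(es_message: dict, grc_request: dict, metadata: dict) -> dict:
    """Step 3400: transmit via the RTA and return the Enterprise System's reply."""
    rta = RealTimeAgent(grc_request["target_es"], metadata["connection"])
    return rta.send(es_message)


def handle_grc_request(grc_request: dict) -> dict:
    """Run the full flow; an unknown target ID is reported, not raised."""
    try:
        metadata = integration_interface(grc_request)
    except KeyError as exc:
        return {"status": "error", "reason": str(exc)}
    adapter = execution_control(metadata)
    es_message = adapter_control(adapter, grc_request, metadata)
    response = connection_framework(es_message, grc_request, metadata)
    # Translate the reply back into GRC entity names before handing it to the GRC system.
    reverse = {code: entity for entity, code in metadata["normalization"].items()}
    held = [reverse[code] for code in response["held_codes"]]
    conflicting = grc_request["control"]["conflicting"]
    return {"status": "ok", "control": grc_request["control"]["id"], "held": held,
            "violation": all(entity in held for entity in conflicting)}
```

The same GRC request sent to ES-FIN and ES-HR is translated into different transaction codes, and only ES-FIN reports the control as violated because that is where the sample user holds both conflicting codes.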

[0042] As used herein, the terms "Enterprise System" and "GRC System" broadly refer to any electronic system or device that is capable of performing any governance, risk management, or compliance operation.

[0043] As used herein, the term "processor" broadly refers to and is not limited to a single- or multi-core general purpose processor, a special purpose processor, a conventional processor, a digital signal processor (DSP), a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller, one or more Application Specific Integrated Circuits (ASICs), one or more Field Programmable Gate Array (FPGA) circuits, any other type of integrated circuit (IC), a system-on-a-chip (SOC), and/or a state machine.

[0044] As used herein, the term "computer-readable storage medium" broadly refers to and is not limited to a register, a cache memory, a ROM, a semiconductor memory device (such as a D-RAM, S-RAM, or other RAM), a magnetic medium such as a flash memory, a hard disk, a magneto-optical medium, an optical medium such as a CD-ROM, a DVD, or a BD, or other type of device for electronic data storage.

[0045] Although features and elements are described above in particular combinations, each feature or element can be used alone or in any combination with or without the other features and elements. For example, each feature or element as described above with reference to Figures 1 to 3 may be used alone without the other features and elements or in various combinations with or without other features and elements. Sub-elements of the methods and features described above with reference to Figures 1 to 3 may be performed in any arbitrary order (including concurrently), in any combination or sub-combination.