Transcript Slide 1

Managing Oracle Data to Support Compliance Initiatives
Overview of Best Practices and Best-in-Class Solutions
Alan Schneider
GCOUG
January 18, 2006
© 2005 Princeton Softech, Inc.
Today’s Discussion
• Princeton Softech and Oracle
• Challenges of Data Growth and Retention Compliance
• Best Practices in Managing Oracle Data
  - Establishing Functional Policies and Service Levels
  - Managing archive and retention processes
• About Princeton Softech
  - Optim™ Solution Capabilities
Challenge: Database Growth
What’s Driving Data Growth?
• High-volume online transaction processing:
  - Customer facing eCommerce applications
  - ERP/CRM
  - Supply chain applications
• Record retention requirements:
  - Financial Services – Sarbanes-Oxley
  - Healthcare – HIPAA
  - Pharmaceutical – 21 CFR 11
  - Financial – IRS and SEC Rule 17a-4
• Multiplicity of data:
  - Multiple operational, development and testing environments
  - Disaster recovery and business continuity
  - Routine backup and recovery
Data Retention Example
• SEC Rule 17a-4
  - Retain records for six years from close of account or termination of associated employees
  - Keep records in an "easily accessible place"
  - Produce records immediately if the records are located in the office where the request is made
  - Produce records within three business days if the requested records are located off-site
  - Display requested records electronically in a local office and immediately produce printed copies to satisfy Rule requirements
Archiving E-Business Suite Transactions
1. Identify the business parameters that will drive an archive
2. Establish service levels for archive access by functional users
3. Place archived data in the appropriate storage medium
4. Provide the appropriate archive access interface
5. Select from multiple tool options available
6. Document improvements
Establishing Functional Business Policies
• Develop a channel of internal communications on functional retention policies
  - Ensure functional business users understand the needs and costs of long-term, compliance-driven retention
  - Conduct annual training on retention policies and procedures
• Ensure that the technical teams preserve the functional requirements in their archive implementation
• Ensure that your technical staff is comfortable with archive retention mechanisms
Driving Retention Aspects of Compliance
• Internal controls and best practices
• Business unit accountability
• Real-time monitoring and disclosure
• Consistent and sustained access to historical transactions
Preparing for Retention Oriented Compliance
• Step 1: Develop functional archive policies
• Step 2: Define those policies to an archive product and storage architecture
• Step 3: Don’t forget about process
Step 1: Business Policies Drive Archiving
• Identify applications that manage regulated data
• Build consensus among stakeholders on retention and retrieval:
  - Business owners, application developers, storage
  - Include CFO, legal, compliance, security
• Document your business policies:
  - Types of data (Active, Inactive/Historical, Reference)
  - Processes for Archiving, Viewing, Retrieving Objects
  - Processes for Compliance and Disposal
Functional Requirements for Archive
Application | Retention (Years) | Archiving | Recovery / Access Requirements | Lead Time | Type of Data to Archive
GL | 3 | Yearly | Audit; Trend analysis | Y | Ledgers, Journals, fully posted
AP | 3 | Yearly | Audit; Trend analysis | Y | Vouchers, Payments, fully paid and posted
AR | 3 | Yearly | Audit; Trend analysis | Y | Invoices, items
Billing | 3 | Yearly | Audit; Trend analysis | Y | Invoices
Billing Interface | 1 | Quarterly | Troubleshooting | Y | Billing input
AM | 3 | Yearly | Audit; Trend analysis | Y | Retired assets
AM Interface | 1 | Quarterly | Troubleshooting | Y | Asset input, GL interface
Payroll | 2 | Yearly | Audit | Y | Paycheck processing data and balances
Define Retention Policies at Business Layer
Order Management: Archive Orders for any Order Type, Order Category, Customer, Order Numbers, Order Dates, Creation Date values
Purchase Order: Archive Blanket Agreements and Purchase Orders by a specified Last Activity Date
Work in Process: Archive Discrete Jobs and Repetitive Schedules for any Accounting Period
Accounts Receivable: Archive Transactions (other than transactions applied to commitments) posted to General Ledger or prior to a Cut Off Date value
Archive Templates Know E-Biz Data Model
Align Service Levels with Business Use
Functional Usage / Access Requirements Over Time
Functional Data | Frequent and Intuitive Access (Self-Help) | Infrequent Ad-Hoc, Query-based Access (via Query) | Exception-based Reference/Spreadsheets (24-hour IT response) | Complete Deletion (Dictates storage planning)
Ledgers (GL) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Journals (GL) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Vouchers (AP) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Payments (AP) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Invoices (AR) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Items (AR) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Invoices (BI) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Billing Input (BI) | Current Year | Year 2 | Years 3 – 10 | Year 11
Retired Assets (AM) | Current – 2Y | Years 3 – 5 | Years 6 – 10 | Year 11
Asset Input (AM) | Current Year | Year 2 | Years 3 – 10 | Year 11
Predefined Business Integrity Checks
1. Archive Transactions together with related adjustments, credits, reversals, calls, sales credits, and receipts
2. Closed transactions include zero-balance invoices, zero-balance debit memos, fully applied credit memos, chargebacks, cash receipts, as well as approved and applied adjustments
3. Receipts must be fully applied and related only to the transactions eligible for purge:
  - Status of AR_CASH_RECEIPT_HISTORY must be ‘Cleared’, ‘Risk_Eliminated’, or ‘Reversed’
  - Debit memo reversals require a reversal date
Step 2: Define the Storage Architecture
• Technical Safeguards (Security)
• Data integrity safeguards
  - Access controls – authentication, authorization
  - Recording media (WORM media or subsystems)
  - Secure audit trails, duplicate copies, etc.
• Data privacy safeguards
  - Access controls – authentication, authorization
  - Data encryption
  - Access logs, audits and reports
*Exact requirements depend on regulatory environment
Storage Goals and Criteria
Goals:
• Cost effective
• Easy to manage and scale
• Ensure accessibility for many years
Selection Criteria:
• Storage capacity
• Availability
• Manageability
• Performance
• Cost
Existing storage technology to be combined with new storage technology (e.g. ATA disk storage) to help reduce cost.
Step 3: Don’t Forget About Process
• Important regulatory requirements specify that the data must remain unaltered and accessed only by the proper individuals.
• Accessibility, storage and audit policies each result in a specific set of processes that govern their maintenance and education.
• Consistent, repeatable, controlled, documented archive and access methods and tools
Summary of Advice
• Recognize that IT owns Infrastructure, but the Business owns the data
• Improve functional processes by tiering services by functional need
  - Higher service levels on current transactions
  - Lower-cost, lower service levels on historical transactions
• Limit liability by ensuring real-time compliance controls are sustained and documented in your historical retention processes and tools
  - Respond quickly and accurately to audit requests
  - Reduce costs of discovery
About Princeton Softech
• Proven leader in Enterprise Data Management
  - Solving complex data management issues since 1989
  - In-depth functional knowledge of mission-critical applications and the business rules that govern them
  - Over 2,200 customers worldwide
    • Including nearly half of the Fortune 500
  - Only true enterprise solution: across applications, databases, hardware platforms and operating systems
Princeton Softech and Oracle
• Only Oracle partner offering a single, consistent archive solution across entire Oracle stack
  - E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Retek, Siebel
  - All custom and packaged applications running on Oracle databases
• Provides a safe, secure path to Project Fusion
• Accelerated deployment of integrated Oracle partner solutions
• Repeatable experiences through pre-defined and fixed-scope services
• Highest quality skill sets and bench strength to augment your project teams, if desired
• RESULT: no shelf-ware, no surprises!
Princeton Softech Optim™
• Provides a single solution for managing enterprise application data throughout every stage of the information lifecycle
• Applies business rules and automates processes that govern how to assess, classify, archive, subset, access, store and protect enterprise application data
• Supports and scales across applications, databases, operating systems and hardware platforms
• Optimizes the business value of your IT infrastructure
Princeton Softech Optim™
Support for E-Business Suite
• Support for Oracle Applications versions 11.0 & 11i
• Financials
• Manufacturing
• Supply Chain
• Human Resources
• Projects
• Transparent access to data via standard Oracle Applications forms and reports
• Pluggable archiving framework designed to support predefined archive templates and local customizations
[Diagram labels: Transaction Processing, Audit Reporting, Retrieve, Archive]
Self-help Access to Archived Data
• Seamless access to BOTH archived and production data via Oracle Applications
• Leverages “Responsibility” to access data, using standard Oracle forms and reports
• Steps to view archived data:
  - Login
  - Select Responsibility
  - Access archived data, production data or BOTH
[Diagram labels: Archived Data, Production Data]
Audit-Ready Snap-Shot
• Preserves transactions’ business integrity without variance
  - Metadata preserved with archive
• Complete business object archiving
  - Business reference data contained with purged data
• Future-proofing through consistent and agnostic deployment
  - Across application vendors
  - Across application versions
  - Across database vendors
  - Access archives independently from native application
• Enables decommissioning and migrations
  - Single Archive process for both self-help (transparent) and snap-shot query (audit) access
Access Archive Snap-shots for Audit
• Only Princeton Softech has complete business objects archived for reporting based access stand-alone from any application version or front-end
• Choice of:
  - Discoverer
  - SQL
  - Reports
  - Database reporting tools
  Product enables each access method, without reconfiguring the archive product.
• Most customers tier access to archives based on age and status of business transactions, and will eventually seek to replace transparent access with report based access to older archives
  - Plan on eventually archiving the archive – re-use!
Results from Oracle Sites
VOLT Information Sciences
• Segregated 250 GB of a 500 GB database by age and status
• Key functional processes now running 25% to 300% faster
• Upgrade run-time reduced from 140 to 50 hours
Bausch and Lomb
AIMCO
Financial reporting 50% faster
Giant Eagle
Archiving generated a first-year ROI that exceeded their investment in archive software and labor
Other Customers
ADVO, AVX, Boeing, State of Georgia
Implemented and in production in 2 months – by one staffer, part-time project
Princeton Softech: Customers