S311345 - Database Auditing Demystified: The What, the How, and the Why
Tammy Bednar, Oracle Sr. Principal Product Manager, [email protected]
Jan Wentzel, PricewaterhouseCoopers, [email protected]

Program Agenda
• Why Governance Risk & Compliance for the database?
• Oracle Audit Vault Overview
• How does Audit Vault help Auditors and Customers?
• Summary
• Q&A

Why GRC for the database?

Perspective: Establish a GRC framework
The “current state”
Increasing stakeholder demands (Shareholders, Board, Community, Rating Agencies, Others)
+ Expansion of risk and control oversight functions (IT, Legal, Finance, Risk Mgmt, Compliance, Info Sec., Credit, Privacy, Internal Audit, Business Unit)
+ Expanding risks, laws and regulations (SOX, ERM Criteria, BCP, Consumer Protection, FCPA, Op Risk, Anti-Fraud)
= • Business fatigue • Lack of coordination • Duplicate efforts • Risks falling through the cracks • Competition for attention
© 2009 PricewaterhouseCoopers

The evolving state of GRC
Sox:
• Largely a manual environment
• Ensure compliance at any cost
• Built risk oversight “silos”
• GRC was “bolted on” to business processes
Auditing Standard #5:
• AS5 responded to “over auditing” of the control system
• Required a “risk based” approach
• Encouraged the use of “automated” controls
Integrated Governance, Risk and Compliance (iGRC), Management’s Response:
• Management begins to rethink its GRC investment
• Recognition that GRC processes must be “built in” vs. “bolted on”.
• Requires the use of a business process framework enabled by technology
Technology: point technology solutions, moving to enterprise-wide technology solutions

GRC controls maturity model
(Maturity stages: Developing, Established, Optimized, with the “Current State” marked; assessed across People/Strategy/Governance, Process and Technology)
Level 1 - Individual: ad hoc processes, detective remediation & manual clean-up
Level 2 - Coordinated: standardized and repeatable processes
Level 3 - Leveraged: simplified and automated processes
Level 4 - Integrated: integrated with existing business processes

Identify logical points of integration
Numerous opportunities for integration usually exist (illustrative)
Common governance, risk and control functions: Records management, Legal, Anti-fraud, SOX (bus and IT), Operational risk, Regulatory compliance, Internal audit, IT problem management, Business continuity planning, Credit / market risk, Information security
Common activities (the slide marks with an X which of the functions above perform each activity):
• Event definition/scoping
• Risk/control assessment
• Control monitoring
• KPIs/KRIs
• Control testing/validation
• Advisory
• Policy and procedure
• Incident management
• Deficiency management
• Reporting
• Change management
• Records management
• Communications
• Training

Oracle GRC – Controls & Security
(Diagram layers: Business Objectives & Processes; People; Business Process; ERP; Supporting Infrastructure Technology. Control types: Manual & Procedural Controls, Security Controls, Configurable Controls, Inherent Controls)
What Is Audit Vault And How Does It Fit Into GRC?

Oracle Audit Vault
Trust-but-Verify
• Consolidate and Secure Audit Data
• Simplify Compliance Reporting
• Alert on Security Threats
• Lower IT Costs With Audit Policies
(Sources shown: Oracle Database, Microsoft SQL Server, IBM DB2, Sybase ASE)

Oracle Audit Vault Database Audit Support
• Oracle
  – Database audit tables: collect audit data for standard and fine-grained auditing, and Database Vault specific audit records
  – Oracle audit trail from OS files: collect audit records written in XML or standard text files
  – Operating system SYSLOG: collect Oracle database audit records from SYSLOG
  – Redo log: extract before/after values and DDL changes to tables
• Microsoft SQL Server versions 2000, 2005, 2008
  – Server side trace: set specific audit events
  – Windows event audit: specific audit events that are viewed in the Windows event viewer
  – C2: automatically sets all auditable events and collects them in the audit log
• IBM DB2 8.2, 9.1, 9.5 on Linux, Unix, Windows
  – Extract binary audit files into a trace file
• Sybase ASE 12.5.4 - 15.0.x
  – Utilize the native audit tables

Reports
• Entitlement Reports
  – Snapshot of Oracle database users, roles, privileges, and profiles
  – Compare changes in settings
• Compliance Reports
  – Meet compliance in the areas of Credit Card, Financial Materiality, and Health Care data activity
  – Customization to define your compliance report and filter data
• Schedule, print, and save reports in PDF format
  – Attest and add review notes

Oracle Audit Vault Policies
Centralized Management of Audit Policies
• Policy definition
  – Named, centrally managed, collection of
    audit settings
• Policy audit settings
  – Settings can be extracted from an existing database with auditing
  – Manual entry supported
• Policy provisioning
  – Policies applied to databases from the Audit Vault console
• Policy maintenance
  – Compare and contrast approved policy with current settings
(Diagram: Privilege User Audit Settings, SOX Audit Settings and Privacy Audit Settings held in Oracle Audit Vault and provisioned to the HR Database, Financial Database and Customer Database)

Oracle Audit Vault Audit Trail Clean-Up: DBMS_AUDIT_MGMT
• Automatically deletes Oracle audit trails from target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
Sequence between the source database and Audit Vault:
1) Transfer audit trail data
2) Update last inserted record
3) Delete older audit records

How Can Audit Vault Help Customers and Auditors?

DS 5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities…
• Auditor Questions
  – What accounts have what level of access?
  – Who has access to these accounts?
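The three-step clean-up sequence on the DBMS_AUDIT_MGMT slide above (transfer, update the last inserted record, delete older records), carried out by hand in SQL*Plus as an added example. This is not code from the slides or from Audit Vault itself; the Audit Vault collector makes the same package calls on its own. It assumes the DBMS_AUDIT_MGMT package is installed on the source database (it ships with Oracle 11g), that step 1 has already copied every record up to the timestamp shown, and that the timestamp, the 24-hour intervals and the job name AV_STD_AUDIT_PURGE are constructed values.

```sql
-- Added example (not from the slides or from Audit Vault): the clean-up
-- sequence run manually as SYS on the source database.  Step 1, the transfer
-- to Audit Vault, is assumed to have already happened.

-- One-time: register the standard and FGA trails for managed clean-up.
-- default_cleanup_interval is in hours (constructed value).
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      default_cleanup_interval => 24);
  END IF;
END;
/

-- Step 2: record the "last inserted record" high-water mark.  Nothing newer
-- than this timestamp can be purged, so a collector outage cannot lose data.
-- The timestamp is a constructed value standing in for the collector's.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => TO_TIMESTAMP('2009-10-12 23:59:59', 'YYYY-MM-DD HH24:MI:SS'));
END;
/

-- Step 3: delete only the records at or before that timestamp.
-- use_last_arch_timestamp defaults to TRUE; FALSE would empty the whole
-- trail regardless of what was transferred, so it is spelled out here.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Make step 3 recurring (interval in hours), still bounded by the timestamp
-- that step 2 keeps moving forward.  Job name is a constructed value.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'AV_STD_AUDIT_PURGE',
    use_last_arch_timestamp    => TRUE);
END;
/

-- Check: which timestamp protects which trail, and what is still in AUD$.
SELECT audit_trail, last_archive_ts
  FROM dba_audit_mgmt_last_arch_ts;
SELECT COUNT(*) AS unpurged_rows, MIN(timestamp) AS oldest_record
  FROM dba_audit_trail;
```

The point of the ordering is that the delete is always gated by the archive timestamp set in step 2: if a transfer fails, the timestamp does not advance and the purge job leaves the untransferred records in place.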
Audit Vault User Entitlements
• View all user accounts in the Oracle database
• Retrieve a snapshot of user entitlement data
• Filter data based on users or privileges
• View or print report in PDF format
• Compare changes in user accounts and privileges
• View SYSDBA/SYSOPER privileges

What accounts have what level of access?
Database User Privileges Report
• Display all Oracle database users, privileges, and roles
• Regulations – SOX, PCI, HIPAA, SAS 70, STIG

Who has access to these accounts?
Database Logon
• Display database user logins
• Regulations – PCI, HIPAA, SOX

DS 5.4 User Account Management
• Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. …
• Auditor Questions
  – Who can make or has made changes to accounts and their privileges / roles?
  – Who has accountability for an account?

Who can make or has made changes to accounts and their privileges & roles?
User Privilege Change Activity
• Display user and role privilege changes
• Regulations – PCI, HIPAA, SOX

Who has accountability for an account?
Audit Vault Attestation Capability
• Track report attestations and notations
• Regulations – PCI, HIPAA, SOX

DS 5.5 Security Testing, Surveillance and Monitoring
• Test and monitor the IT security implementation in a proactive way.
  IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
• Auditor Questions
  – What activity do we monitor and on what tables?
  – What accounts do we monitor and for what activity?
  – What sources are monitored and what is collected?
  – Who reviews the reports?

What activity do we monitor and on what tables?
Audit Vault Policy Manager
• Snapshot of Oracle database audit settings
• Provision the required changes centrally
• Regulations – PCI, HIPAA, SOX

What accounts do we monitor and for what activity?
Audit Vault Policy Manager
• View all activity being monitored by a specific user
• Regulations – PCI, HIPAA, SOX

What sources are monitored and what is collected?
Audit Vault Policy Manager
• View all databases being monitored
• Review and provision changes to the database
• Regulations – PCI, HIPAA, SOX

Who reviews the reports?
Audit Vault Attestation
• View saved reports and who attested to them
• Add additional notes for future forensics
• Regulations – PCI, HIPAA, SOX

DS 5.7 Protection of Security Technology
• Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
• Auditor Questions
  – What security setups / settings are in the DB?
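The auditor questions under DS 5.3, 5.4, 5.5 and 5.7 above, answered directly from the Oracle data dictionary and the database audit trail rather than from Audit Vault's reports. This is an added example, not code from the slides or from Audit Vault; it is what a DBA or auditor can run in SQL*Plus on a single source database to check the same facts the Entitlement, Logon, Privilege Change and Policy Manager reports consolidate. It assumes AUDIT_TRAIL=DB with the statement audit options named in the comments switched on, and that the table APPROVED_STMT_AUDIT_OPTS and the schema FIN are constructed names.

```sql
-- Added example (not from the slides, not Audit Vault's own reports).
-- Run as a user with SELECT on the DBA_* views.  Assumes AUDIT_TRAIL=DB and
-- that these statement audit options are on, otherwise nothing reaches
-- DBA_AUDIT_TRAIL:  AUDIT SESSION; AUDIT USER; AUDIT ROLE;
--                   AUDIT SYSTEM GRANT; AUDIT GRANT TABLE;
-- APPROVED_STMT_AUDIT_OPTS and the FIN schema are constructed names.

-- DS 5.3: what accounts have what level of access?  (entitlement snapshot)
SELECT u.username, u.account_status, u.profile, r.granted_role, r.admin_option
  FROM dba_users u
  LEFT JOIN dba_role_privs r ON r.grantee = u.username
 ORDER BY u.username, r.granted_role;

-- Direct system privileges are easy to miss in a role-centric review
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee NOT IN (SELECT role FROM dba_roles)   -- users only, not roles
 ORDER BY grantee, privilege;

-- SYSDBA / SYSOPER holders (password-file entries)
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- DS 5.3: who has access to these accounts?  (logons, failures included;
-- a non-zero returncode is the ORA- error the logon failed with)
SELECT timestamp, username, os_username, userhost, action_name,
       CASE returncode WHEN 0 THEN 'ok'
            ELSE 'ORA-' || LPAD(returncode, 5, '0') END AS result
  FROM dba_audit_session
 WHERE timestamp >= SYSDATE - 7
 ORDER BY timestamp DESC;

-- DS 5.4: who made changes to accounts, privileges and roles?
SELECT timestamp, username AS changed_by, action_name, grantee,
       sys_privilege, obj_privilege, owner, obj_name
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                       'CREATE ROLE', 'ALTER ROLE', 'DROP ROLE',
                       'GRANT ROLE', 'REVOKE ROLE',
                       'SYSTEM GRANT', 'SYSTEM REVOKE',
                       'GRANT OBJECT', 'REVOKE OBJECT')
   AND timestamp >= SYSDATE - 30
 ORDER BY timestamp DESC;

-- DS 5.5: what activity is audited, for which accounts, on which tables?
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts ORDER BY user_name, audit_option;
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts ORDER BY user_name, privilege;
SELECT owner, object_name, sel, ins, upd, del, alt, gra
  FROM dba_obj_audit_opts
 WHERE owner = 'FIN' ORDER BY object_name;

-- DS 5.5, "compare approved policy with current settings": snapshot the
-- approved state once, then diff it in both directions at each review.
CREATE TABLE approved_stmt_audit_opts AS
  SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
-- approved but no longer in effect (auditing was switched off)
SELECT * FROM approved_stmt_audit_opts
MINUS
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
-- in effect but never approved
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts
MINUS
SELECT * FROM approved_stmt_audit_opts;

-- DS 5.7: security settings in the database (password rules per profile)
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
 ORDER BY profile, resource_name;
```

The two MINUS queries are the manual equivalent of the Policy Manager's compare step: the first catches audit options that were quietly disabled, the second catches drift the approved policy never covered. Both only tell the truth if the audit trail itself is protected, which is why the deck moves the records off the source database.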
What security setups / settings are in the database?
Entitlement Reports
• View Oracle database profiles and their settings
• Regulations – PCI, HIPAA, SOX

DS 11.6 Security Requirements for Data Management
• Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization's security policy and regulatory requirements.
• Auditor’s Questions
  – Who can change data in the DB?

Who can change data in the database?
Financial Related Data Modifications
• Concerned with materiality
• Regulations – PCI, HIPAA, SOX

AC 2 Source Data Collection and Entry
• Ensure that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
• Auditor’s Questions
  – Who can change or deploy application code?

Who can change or deploy application code?
Program Changes
• Review procedure code changes for business implications
• Regulations – PCI, HIPAA, SOX

DS 9.3 Configuration Integrity Review
• Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration.
  Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
• Auditor’s Questions
  – Who can change Audit Vault configuration settings?
  – Who can view / change audit data in Audit Vault?
  – Is the Audit Vault database monitored for changes?

Summary

COBIT Control Objectives (COBIT section and description: Audit Vault report)
DS 5.3 Identity Management: User Entitlement Reports; Database Logon
DS 5.4 User Account Management: User Privilege Change Activity; Report Attestation
DS 5.5 Security Testing, Surveillance and Monitoring: Audit Vault Policy Manager; Report Attestation
DS 5.7 Protection of Security Technology: User Entitlement Reports
DS 11.6 Security Requirements for Data: Financial Related Data Modifications
AC 2 Source Data Collection and Entry: Program Changes
DS 9.3 Configuration Integrity Review: Audit Policy Manager, User Entitlements, Audit Vault …

Oracle Audit Vault 10.2.3.2 Summary
• Consolidate and secure audit data
  – Oracle 9i Release 2 and higher
  – SQL Server 2000, 2005, 2008
  – IBM DB2 UDB 8.5, 9.1, & 9.2
  – Sybase ASE 12.5.4 - 15.0
  – Secure and scalable
  – Cleanup of source audit data
• Centralized reporting
  – Entitlement reports
  – Compliance Reports to help meet PCI, SOX, and HIPAA
  – Flexible and customizable reports
• Alert on security threats
  – Detect and alert on security relevant events
  – Integration with Remedy and email
(Sources shown: Oracle Database, Microsoft SQL Server, IBM DB2, Sybase ASE)

Oracle Database Security: Learn More At These Oracle Sessions
S311340 Classify, Label, and Protect:
    Data Classification and Security with Oracle Label Security, Monday 14:30 - 15:30, Moscone South Room 307
S308113 Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World, Tuesday 11:30 - 12:30, Moscone South Room 102
S311338 All About Data Security and Privacy: An Industry Panel, Tuesday 13:00 - 14:00, Moscone South Room 103
S311455 Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday 14:30 - 15:30, Moscone South Room 306
S311339 Meet the Database Security Development Managers: Ask Your Questions, Tuesday 16:00 - 17:00, Moscone South Room 306
S311345 Database Auditing Demystified: The What, the How, and the Why, Tuesday 17:30 - 18:30, Moscone South Room 306
S311342 Do You Have a Database Security Plan?, Wednesday 11:45 - 12:45, Moscone South Room 102
S311332 Encrypt Your Sensitive Data Transparently in 30 Minutes or Less, Wednesday 13:00 - 13:30, Moscone South Room 103
S311337 Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday 13:45 - 14:15, Moscone South Room 103
S311344 Securing Your Oracle Database: The Top 10 List, Wednesday 17:00 - 18:00, Moscone South Room 308
S311343 Building an Application? Think Data Security First, Thursday 13:30 - 14:30, Moscone South Room 104

For More Information
• Visit PwC at Booth 911 (Moscone South)
• For more information on this topic (and other related topics), visit our website at: www.pwc.com/us/oracle
• PwC is proud to be one of Oracle’s elite “globally managed partners”
PricewaterhouseCoopers Notices: PwC prepared remarks and materials in this presentation are contained on the pages with the © 2009 PricewaterhouseCoopers branding included at the bottom of the page. © 2009 PricewaterhouseCoopers LLP. All rights reserved.
"PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. The information contained in this presentation is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional adviser.

For More Information
search.oracle.com: Audit Vault
or oracle.com

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.