S311345 - Database Auditing Demystified: The What, the How, and the Why

Jan [email protected]

Tammy Bednar, Oracle Sr. Principal Product [email protected]


Program Agenda

• Why Governance, Risk & Compliance for the database?
• Oracle Audit Vault Overview
• How does Audit Vault help Auditors and Customers?
• Summary
• Q & A


Why GRC for the database?


The “current state”

[Diagram: expansion of risk and control oversight functions (Anti-Fraud, Privacy, InfoSec, ERM Criteria, BCP, SOX, Credit, Consumer Protection, FCPA, Op Risk) landing on each Business Unit and on Internal Audit, Compliance, Risk Mgmt, Finance, Legal and IT]

• Business fatigue
• Lack of coordination
• Duplicate efforts
• Risks falling through the cracks
• Competition for attention

Expansion of oversight functions + increasing stakeholder demands (Shareholders, Board, Community, Rating Agencies, Others) + expanding risks, laws and regulations = Perspective: Establish a GRC framework

© 2009 PricewaterhouseCoopers


The evolving state of GRC

SOX
• Largely a manual environment
• Ensure compliance at any cost
• Built risk oversight “silos”
• GRC was “bolted on” to business processes

Auditing Standard #5 (AS5)
• AS5 responded to “over auditing” of the control system
• Required a “risk based” approach
• Encouraged the use of “automated” controls

Integrated Governance, Risk and Compliance (iGRC)
• Management begins to rethink its GRC investment
• Recognition that GRC processes must be “built in” vs. “bolted on”
• Requires the use of a business process framework enabled by technology

Technology (Management’s Response): from point technology solutions to enterprise-wide technology solutions

© 2009 PricewaterhouseCoopers


Current State

GRC controls maturity model (dimensions: People/Strategy/Governance, Process, Technology; stages: Developing, Established, Optimized)

• Level 1 - Individual: ad hoc processes, detective remediation and manual clean-up
• Level 2 - Coordinated: standardized and repeatable processes
• Level 3 - Leveraged: simplified and automated processes
• Level 4 - Integrated: integrated with existing business processes

© 2009 PricewaterhouseCoopers


Identify logical points of integration: numerous opportunities for integration usually exist

© 2009 PricewaterhouseCoopers

[Illustrative matrix of common activities against the common governance, risk and control functions: Operational risk, Internal audit, Regulatory compliance, SOX (bus and IT), Anti-fraud, Legal, Records management, Information security, Business continuity planning, Credit / market risk, IT problem management]

Common activities:
• Training
• Communications
• Records management
• Change management
• Reporting
• Deficiency management
• Incident management
• Policy and procedure
• Advisory
• Control testing/validation
• KPIs/KRIs
• Control monitoring
• Risk/control assessment
• Event definition/scoping


Oracle GRC – Controls & Security

[Diagram: Business Objectives & Processes, supported by ERP and Supporting Infrastructure, covered by four control layers: Inherent Controls, Security Controls, Configurable Controls, and Manual & Procedural Controls, spanning Technology, People and Business Process]

© 2009 PricewaterhouseCoopers


What Is Audit Vault And How Does It Fit Into GRC?


Oracle Audit Vault: Trust-but-Verify

[Diagram: Oracle Database, IBM DB2, Microsoft SQL Server and Sybase ASE feeding audit data into Oracle Audit Vault]

• Consolidate and Secure Audit Data
• Simplify Compliance Reporting
• Alert on Security Threats
• Lower IT Costs With Audit Policies


Oracle Audit Vault Database Audit Support

• Oracle
  – Database audit tables: collect audit data for standard and fine-grained auditing, and Database Vault specific audit records
  – Oracle audit trail from OS files: collect audit records written in XML or standard text file
  – Operating system SYSLOG: collect Oracle database audit records from SYSLOG
  – Redo log: extract before/after values and DDL changes to tables
• Microsoft SQL Server versions 2000, 2005, 2008
  – Server side trace: set specific audit events
  – Windows event audit: specific audit events that are viewed by the Windows event viewer
  – C2: automatically sets all auditable events and collects them in the audit log
• IBM DB2 8.2, 9.1, 9.5 on Linux, Unix, Windows
  – Extract binary audit files into a trace file
• Sybase ASE 12.5.4 - 15.0.x
  – Utilize the native audit tables
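Added example (not from the slides, and not Audit Vault's own collector code): enabling the Oracle-side audit trails the slide lists as collection sources, run as a DBA on the source database. The schema FIN, table PAYMENTS, column CARD_NUMBER and policy name FIN_PAY_CARD_READ are constructed; the parameters, AUDIT options and DBMS_FGA call are standard Oracle interfaces.

```sql
-- Added example, not from the slides or from Audit Vault itself: enabling the
-- Oracle-side audit trails the slide lists as collection sources. Run as a DBA
-- on the source database. Schema FIN, table PAYMENTS, column CARD_NUMBER and
-- policy FIN_PAY_CARD_READ are constructed names.

-- 1) Standard and fine-grained audit records into the database audit tables
--    (SYS.AUD$ and SYS.FGA_LOG$). EXTENDED adds the SQL text and bind values.
--    The parameter is static, so it takes effect after a restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;

-- Alternative sources from the same slide (pick one audit_trail value):
--   OS audit files in XML under AUDIT_FILE_DEST:
--     ALTER SYSTEM SET audit_trail = 'XML,EXTENDED' SCOPE = SPFILE;
--   OS audit trail routed to SYSLOG, where a database account cannot edit it:
--     ALTER SYSTEM SET audit_trail = 'OS' SCOPE = SPFILE;
--     ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 2) Statement audit options behind the later Database Logon and User
--    Privilege Change Activity reports: every logon, and every user, role
--    and system-privilege change, one record per occurrence (BY ACCESS).
AUDIT CREATE SESSION BY ACCESS;
AUDIT USER, ROLE, SYSTEM GRANT BY ACCESS;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;

-- 3) Object audit options for a financially material table (the Financial
--    Related Data Modifications report): capture every write to it.
AUDIT INSERT, UPDATE, DELETE ON fin.payments BY ACCESS;

-- 4) Fine-grained auditing: record a SELECT on the same table only when the
--    card-number column is actually referenced, with statement and binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'FIN',
    object_name     => 'PAYMENTS',
    policy_name     => 'FIN_PAY_CARD_READ',
    audit_column    => 'CARD_NUMBER',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- 5) What is now in force: the same "snapshot of audit settings" the Policy
--    Manager slides talk about, read from the dictionary. Compare this output
--    against the approved policy before relying on the collected trail.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts;
SELECT owner, object_name, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'FIN' AND object_name = 'PAYMENTS';
SELECT policy_name, object_name, policy_column, enabled
  FROM dba_audit_policies;
```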


Reports

• Entitlement Reports
  – Snapshot of Oracle database users, roles, privileges, and profiles
  – Compare changes in settings
• Compliance Reports
  – Meet compliance in the areas of Credit Card, Financial Materiality, and Health Care data activity
  – Customization to define your compliance report and filter data
• Schedule, print, and save reports in PDF format
  – Attest and add review notes


Oracle Audit Vault PoliciesCentralized Management of Audit Policies

• Policy definition– Named, centrally managed,

collection of audit settings

• Policy audit settings– Settings can be extracted from an

existing database with auditing– Manual entry supported

• Policy provisioning– Policies applied to databases from

the Audit Vault console

• Policy maintenance– Compare and contrast approved

policy with current settings

SOX Audit Settings

Privilege User Audit Settings

Privacy Audit Settings

Financial Database

Customer Database

HR Database

Oracle Audit Vault


Oracle Audit Vault Audit Trail Clean-Up: DBMS_AUDIT_MGMT

• Automatically deletes Oracle audit trails from the target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails

[Diagram, between the source database and Audit Vault: 1) transfer audit trail data; 2) update last inserted record; 3) delete older audit records]
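Added example (not from the slides, and not the collector's own code) of the three-step clean-up above done by hand with the DBMS_AUDIT_MGMT package the slide names, run as a DBA on the source database. The tablespace name AUDIT_TS and the "last record acknowledged by the vault" timestamp are constructed; a real collector would supply its own checkpoint.

```sql
-- Added example, not from the slides and not Audit Vault's collector code:
-- the slide's three-step clean-up written out with DBMS_AUDIT_MGMT. Run as
-- a DBA on the source database. Tablespace AUDIT_TS and the checkpoint
-- timestamp below are constructed values.

-- One-time setup: move AUD$/FGA_LOG$ out of the SYSTEM tablespace so growth
-- and purges do not affect it, and register the trail for clean-up.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,  -- AUD$ + FGA_LOG$
    audit_trail_location_value => 'AUDIT_TS');
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;
END;
/

-- Per collection cycle. Step 1 (transfer) is the collector's job; steps 2
-- and 3 follow. The invariant: never delete a record the vault has not
-- confirmed, otherwise the clean-up itself becomes a gap in the trail.
DECLARE
  -- Step 2 input: timestamp of the last audit record the vault acknowledged
  -- (constructed here; a real collector passes its own checkpoint).
  v_last_inserted TIMESTAMP :=
    TO_TIMESTAMP('2009-10-13 17:30:00', 'YYYY-MM-DD HH24:MI:SS');
BEGIN
  -- Step 2: record the high-water mark. The mark is kept per trail, so the
  -- standard and fine-grained trails are set separately.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => v_last_inserted);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => v_last_inserted);

  -- Step 3: delete only records older than that mark. Passing FALSE for
  -- use_last_arch_timestamp would purge the whole trail, including records
  -- the vault has never seen, so leave it TRUE.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Check: the high-water marks on record, and that nothing older than the
-- standard-trail mark is left behind (expected count: 0 after the purge).
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
SELECT COUNT(*) AS remaining_older
  FROM dba_audit_trail
 WHERE extended_timestamp < (SELECT last_archive_ts
                               FROM dba_audit_mgmt_last_arch_ts
                              WHERE audit_trail = 'STANDARD AUDIT TRAIL');
```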


How Can Audit Vault Help Customers and Auditors?


DS 5.3 Identity Management

• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities…

• Auditor Questions
  – What accounts have what level of access?
  – Who has access to these accounts?

© 2009 PricewaterhouseCoopers


Audit Vault User Entitlements

• View all user accounts in the Oracle database
• Retrieve a snapshot of user entitlement data
• Filter data based on users or privileges
• View or print report in PDF format
• Compare changes in user accounts and privileges
• View SYSDBA/SYSOPER privileges


What accounts have what level of access? Database User Privileges Report

• Display all Oracle database users, privileges, and roles
• Regulations
  – SOX, PCI, HIPAA, SAS 70, STIG
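Added example (not the Audit Vault report implementation) showing in plain SQL what the User Entitlements and Database User Privileges slides describe: a snapshot of accounts, roles, privileges and SYSDBA/SYSOPER holders, and a comparison of two snapshots. The table name ENT_SNAPSHOT and the procedure name are constructed; it is run as a DBA on the source database.

```sql
-- Added example, not the Audit Vault report implementation: a plain-SQL
-- entitlement snapshot and change comparison. Run as a DBA on the source
-- database. ENT_SNAPSHOT and TAKE_ENTITLEMENT_SNAPSHOT are constructed names.
-- The procedure runs with definer's rights, so its owner needs direct SELECT
-- grants on the DBA_ and V$ views used (role-based grants do not apply).

CREATE TABLE ent_snapshot (
  snap_id   NUMBER        NOT NULL,
  snap_time TIMESTAMP     NOT NULL,
  grantee   VARCHAR2(128) NOT NULL,
  kind      VARCHAR2(16)  NOT NULL,   -- ACCOUNT, ROLE, SYSPRIV, OBJPRIV, PWFILE
  detail    VARCHAR2(400) NOT NULL
);

-- One call records accounts with profile and status, role grants, system
-- privileges, object privileges outside SYS/SYSTEM, and who holds
-- SYSDBA/SYSOPER through the password file (the slide's last bullet).
CREATE OR REPLACE PROCEDURE take_entitlement_snapshot(p_snap_id IN NUMBER) AS
BEGIN
  INSERT INTO ent_snapshot (snap_id, snap_time, grantee, kind, detail)
  SELECT p_snap_id, SYSTIMESTAMP, grantee, kind, detail
    FROM (
      SELECT username AS grantee, 'ACCOUNT' AS kind,
             'profile=' || profile || ' status=' || account_status AS detail
        FROM dba_users
      UNION ALL
      SELECT grantee, 'ROLE',
             granted_role || CASE WHEN admin_option = 'YES' THEN ' WITH ADMIN OPTION' END
        FROM dba_role_privs
      UNION ALL
      SELECT grantee, 'SYSPRIV',
             privilege || CASE WHEN admin_option = 'YES' THEN ' WITH ADMIN OPTION' END
        FROM dba_sys_privs
      UNION ALL
      SELECT grantee, 'OBJPRIV', privilege || ' ON ' || owner || '.' || table_name
        FROM dba_tab_privs
       WHERE owner NOT IN ('SYS', 'SYSTEM')
      UNION ALL
      SELECT username, 'PWFILE', 'SYSDBA=' || sysdba || ' SYSOPER=' || sysoper
        FROM v$pwfile_users
    );
  COMMIT;
END;
/

-- Take one snapshot now and another at the end of the review period.
EXEC take_entitlement_snapshot(1);
EXEC take_entitlement_snapshot(2);

-- Entitlements that appeared between the two snapshots (new accounts, grants,
-- unlocked accounts, new SYSDBA holders). Each row should map to an approved
-- change; an unexplained row is the auditor's "who made changes" question.
SELECT grantee, kind, detail FROM ent_snapshot WHERE snap_id = 2
MINUS
SELECT grantee, kind, detail FROM ent_snapshot WHERE snap_id = 1
ORDER BY kind, grantee;

-- Entitlements that disappeared (revokes, dropped or locked accounts).
SELECT grantee, kind, detail FROM ent_snapshot WHERE snap_id = 1
MINUS
SELECT grantee, kind, detail FROM ent_snapshot WHERE snap_id = 2
ORDER BY kind, grantee;
```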


Who has access to these accounts? Database Logon

• Display database user logins
• Regulations
  – PCI, HIPAA, SOX


DS 5.4 User Account Management

• Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. …

• Auditor Questions
  – Who can make or has made changes to accounts and their privileges / roles?
  – Who has accountability for an account?

© 2009 PricewaterhouseCoopers


Who can make or has made changes to accounts and their privileges & roles? User Privilege Change Activity

• Display user and role privilege changes
• Regulations
  – PCI, HIPAA, SOX


Who has accountability for an account? Audit Vault Attestation Capability

• Track report attestations and notations
• Regulations
  – PCI, HIPAA, SOX


DS 5.5 Security Testing, Surveillance and Monitoring

• Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

• Auditor Questions
  – What activity do we monitor and on what tables?
  – What accounts do we monitor and for what activity?
  – What sources are monitored and what is collected?
  – Who reviews the reports?

© 2009 PricewaterhouseCoopers


What activity do we monitor and on what tables? Audit Vault Policy Manager

• Snapshot of Oracle database audit settings
• Provision the required changes centrally
• Regulations
  – PCI, HIPAA, SOX


What accounts do we monitor and for what activity? Audit Vault Policy Manager

• View all activity being monitored for a specific user
• Regulations
  – PCI, HIPAA, SOX


What sources are monitored and what is collected? Audit Vault Policy Manager

• View all databases being monitored
• Review and provision changes to the database
• Regulations
  – PCI, HIPAA, SOX


Who reviews the reports? Audit Vault Attestation

• View saved reports and who attested to them
• Add additional notes for future forensics
• Regulations
  – PCI, HIPAA, SOX


DS 5.7 Protection of Security Technology

• Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.

• Auditor Questions
  – What security setups / settings are in the DB?

© 2009 PricewaterhouseCoopers


What security setups / settings are in the database? Entitlement Reports

• View Oracle database profiles and their settings
• Regulations
  – PCI, HIPAA, SOX


DS 11.6 Security Requirements for Data Management

• Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization's security policy and regulatory requirements.

• Auditor’s Questions
  – Who can change data in the DB?

© 2009 PricewaterhouseCoopers


Who can change data in the database? Financial Related Data Modifications

• Concerned with materiality
• Regulations
  – PCI, HIPAA, SOX


AC 2 Source Data Collection and Entry

• Ensure that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.

• Auditor’s Questions
  – Who can change or deploy application code?

© 2009 PricewaterhouseCoopers


Who can change or deploy application code? Program Changes

• Review procedure code changes for business implications
• Regulations
  – PCI, HIPAA, SOX


DS 9.3 Configuration Integrity Review

• Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.

• Auditor’s Questions
  – Who can change Audit Vault configuration settings?
  – Who can view / change audit data in Audit Vault?
  – Is the Audit Vault database monitored for changes?

© 2009 PricewaterhouseCoopers


Summary


COBIT Control Objectives

COBIT Section and Description: Audit Vault Report
• DS 5.3 Identity Management: User Entitlement Reports; Database Logon
• DS 5.4 User Account Management: User Privilege Change Activity; Report Attestation
• DS 5.5 Security Testing, Surveillance and Monitoring: Audit Vault Policy Manager; Report Attestation
• DS 5.7 Protection of Security Technology: User Entitlement Reports
• DS 11.6 Security Requirements for Data Management: Financial Related Data Modifications
• AC 2 Source Data Collection and Entry: Program Changes
• DS 9.3 Configuration Integrity Review (Audit Audit Vault): Policy Manager, User Entitlements, …


Oracle Audit Vault 10.2.3.2 Summary

• Consolidate and secure audit data
  – Oracle 9i Release 2 and higher
  – SQL Server 2000, 2005, 2008
  – IBM DB2 UDB 8.5, 9.1, & 9.2
  – Sybase ASE 12.5.4 - 15.0
  – Secure and scalable
  – Cleanup of source audit data
• Centralized reporting
  – Entitlement reports
  – Compliance Reports to help meet PCI, SOX, and HIPAA
  – Flexible and customizable reports
• Alert on security threats
  – Detect and alert on security relevant events
  – Integration with Remedy and email

[Diagram: Oracle Database, IBM DB2, Microsoft SQL Server and Sybase ASE as audit sources]


Oracle Database Security: Learn More At These Oracle Sessions

• S311340 Classify, Label, and Protect: Data Classification and Security with Oracle Label Security (Monday 14:30 - 15:30, Moscone South Room 307)
• S308113 Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World (Tuesday 11:30 - 12:30, Moscone South Room 102)
• S311338 All About Data Security and Privacy: An Industry Panel (Tuesday 13:00 - 14:00, Moscone South Room 103)
• S311455 Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database (Tuesday 14:30 - 15:30, Moscone South Room 306)
• S311339 Meet the Database Security Development Managers: Ask Your Questions (Tuesday 16:00 - 17:00, Moscone South Room 306)
• S311345 Database Auditing Demystified: The What, the How, and the Why (Tuesday 17:30 - 18:30, Moscone South Room 306)
• S311342 Do You Have a Database Security Plan? (Wednesday 11:45 - 12:45, Moscone South Room 102)
• S311332 Encrypt Your Sensitive Data Transparently in 30 Minutes or Less (Wednesday 13:00 - 13:30, Moscone South Room 103)
• S311337 Secure Your Existing Application Transparently in 30 Minutes or Less (Wednesday 13:45 - 14:15, Moscone South Room 103)
• S311344 Securing Your Oracle Database: The Top 10 List (Wednesday 17:00 - 18:00, Moscone South Room 308)
• S311343 Building an Application? Think Data Security First (Thursday 13:30 - 14:30, Moscone South Room 104)


For More Information

• Visit PwC at Booth 911 (Moscone South)
• For more information on this topic (and other related topics), visit our website at: www.pwc.com/us/oracle
• PwC is proud to be one of Oracle’s elite “globally managed partners”

PricewaterhouseCoopers Notices: PwC prepared remarks and materials in this presentation are contained on the pages with the © 2009 PricewaterhouseCoopers branding included at the bottom of the page.

© 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.

The information contained in this presentation is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional adviser.


For More Information

search.oracle.com or oracle.com: Audit Vault

© 2009 PricewaterhouseCoopers


The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
