S311345 - Database Auditing Demystified: The What, the How, and the Why
Tammy Bednar, Oracle Sr. Principal Product [email protected]
Program Agenda
• Why Governance, Risk & Compliance for the database?
• Oracle Audit Vault Overview
• How does Audit Vault help Auditors and Customers?
• Summary
• Q & A
Why GRC for the database?
The “current state”
(figure: a Business Unit pulled in every direction by Internal Audit, Compliance, Risk Mgmt, Finance, Legal and IT)
Expansion of risk and control oversight functions (Anti-Fraud, Privacy, InfoSec, ERM Criteria, BCP, SOX, Credit, Consumer Protection, FCPA, Op Risk)
+ Increasing stakeholder demands (Shareholders, Board, Community, Rating Agencies, Others)
+ Expanding risks, laws and regulations
= Business fatigue, lack of coordination, duplicate efforts, risks falling through the cracks, competition for attention
Perspective: Establish a GRC framework
© 2009 PricewaterhouseCoopers
The evolving state of GRC
Management’s Response
• SOX
– Largely a manual environment
– Ensure compliance at any cost
– Built risk oversight “silos”
– GRC was “bolted on” to business processes
• Auditing Standard #5
– AS5 responded to “over auditing” of the control system
– Required a “risk based” approach
– Encouraged the use of “automated” controls
• Integrated Governance, Risk and Compliance (iGRC)
– Management begins to rethink its GRC investment
– Recognition that GRC processes must be “built in” vs. “bolted on”
– Requires the use of a business process framework enabled by technology
Technology: point technology solutions, moving toward enterprise-wide technology solutions
© 2009 PricewaterhouseCoopers
Current State: GRC controls maturity model
• Level 1 - Individual: ad hoc processes, detective remediation & manual clean-up
• Level 2 - Coordinated: standardized and repeatable processes
• Level 3 - Leveraged: simplified and automated processes
• Level 4 - Integrated: integrated with existing business processes
Assessed across People/Strategy/Governance, Process and Technology; maturity runs from Developing through Established to Optimized
© 2009 PricewaterhouseCoopers
Identify logical points of integration: numerous opportunities for integration usually exist (Illustrative)
(figure: matrix of common activities against common governance, risk and control functions; the individual marks are not recoverable from the source)
Common governance, risk and control functions (columns): Operational risk, Internal audit, Regulatory compliance, SOX (bus and IT), Anti-fraud, Legal, Records management, Information security, Business continuity planning, Credit / market risk, IT problem management
Common activities (rows): Training, Communications, Records management, Change management, Reporting, Deficiency management, Incident management, Policy and procedure, Advisory, Control testing/validation, KPIs/KRIs, Control monitoring, Risk/control assessment, Event definition/scoping
© 2009 PricewaterhouseCoopers
Oracle GRC – Controls & Security
(figure: layers of controls over Business Objectives & Processes, ERP and Supporting Infrastructure, spanning Technology, People and Business Process)
• Inherent Controls
• Security Controls
• Configurable Controls
• Manual & Procedural Controls
© 2009 PricewaterhouseCoopers
What Is Audit Vault And How Does It Fit Into GRC?
Oracle Audit Vault: Trust-but-Verify
(figure: audit data from Oracle Database, IBM DB2, Microsoft SQL Server and Sybase ASE flows into Oracle Audit Vault)
• Consolidate and Secure Audit Data
• Simplify Compliance Reporting
• Alert on Security Threats
• Lower IT Costs With Audit Policies
Oracle Audit Vault: Database Audit Support
• Oracle
– Database audit tables: collect audit data for standard and fine-grained auditing, and Database Vault specific audit records
– Oracle audit trail from OS files: collect audit records written in XML or standard text files
– Operating system SYSLOG: collect Oracle database audit records from SYSLOG
– Redo log: extract before/after values and DDL changes to tables
• Microsoft SQL Server versions 2000, 2005, 2008
– Server side trace: set specific audit events
– Windows event audit: specific audit events that are viewed by the Windows event viewer
– C2: automatically sets all auditable events and collects them in the audit log
• IBM DB2 8.2, 9.1, 9.5 on Linux, Unix, Windows
– Extract binary audit files into a trace file
• Sybase ASE 12.5.4 - 15.0.x
– Utilize the native audit tables
Reports
• Entitlement Reports
– Snapshot of Oracle database users, roles, privileges, and profiles
– Compare changes in settings
• Compliance Reports
– Meet compliance in the areas of Credit Card, Financial Materiality, and Health Care data activity
– Customization to define your compliance report and filter data
• Schedule, print, and save reports in PDF format
– Attest and add review notes
Oracle Audit Vault Policies: Centralized Management of Audit Policies
• Policy definition
– Named, centrally managed collection of audit settings
• Policy audit settings
– Settings can be extracted from an existing database with auditing
– Manual entry supported
• Policy provisioning
– Policies applied to databases from the Audit Vault console
• Policy maintenance
– Compare and contrast approved policy with current settings
(figure: Oracle Audit Vault provisions SOX Audit Settings, Privilege User Audit Settings and Privacy Audit Settings to a Financial Database, a Customer Database and an HR Database)
Oracle Audit Vault Audit Trail Clean-Up: DBMS_AUDIT_MGMT
• Automatically deletes Oracle audit trails from the target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
(figure: source Database and Audit Vault)
1) Transfer audit trail data
2) Update last inserted record
3) Delete older audit records
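The three-step cycle above, written out against the DBMS_AUDIT_MGMT package on the audited source database. This is an added illustration, not Oracle's or Audit Vault's own collector code; it assumes Oracle 11g or later, a session with EXECUTE ON DBMS_AUDIT_MGMT (SYS for the final check), and a constructed high-water mark and job name.

```sql
-- One-time setup: put AUD$/FGA_LOG$ under DBMS_AUDIT_MGMT management so the
-- package is allowed to purge them.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      default_cleanup_interval => 24);   -- hours between automatic purges
  END IF;
END;
/

-- Step 1 (transfer) is done by the Audit Vault collector reading the trail.
-- Step 2: record the newest record known to be safely inside Audit Vault.
-- Step 3: purge only records older than that mark.
DECLARE
  -- Constructed stand-in for "last inserted record"; for the database
  -- trails the value is compared in UTC against AUD$.NTIMESTAMP#.
  v_last_inserted TIMESTAMP := SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '1' DAY;
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => v_last_inserted);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => v_last_inserted);

  -- use_last_arch_timestamp => TRUE is the safety property: nothing newer
  -- than the acknowledged mark is ever deleted from the source.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Optional: schedule step 3; the collector keeps advancing the mark (step 2).
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_purge_interval => 24,                   -- hours
    audit_trail_purge_name     => 'AV_DB_TRAIL_PURGE',  -- constructed name
    use_last_arch_timestamp    => TRUE);
END;
/

-- Check: the marks in force, and (as SYS) whether anything older survived.
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
SELECT COUNT(*) AS not_yet_purged FROM sys.aud$
WHERE  ntimestamp# < (SELECT MIN(last_archive_ts) FROM dba_audit_mgmt_last_arch_ts);
```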
How Can Audit Vault Help Customers and Auditors?
DS 5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities…
• Auditor Questions
– What accounts have what level of access?
– Who has access to these accounts?
© 2009 PricewaterhouseCoopers
Audit Vault User Entitlements
• View all user accounts in the Oracle database
• Retrieve a snapshot of user entitlement data
• Filter data based on users or privileges
• View or print report in PDF format
• Compare changes in user accounts and privileges
• View SYSDBA/SYSOPER privileges
What accounts have what level of access? Database User Privileges Report
• Display all Oracle database users, privileges, and roles
• Regulations
– SOX, PCI, HIPAA, SAS 70, STIG
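An added example (not the Audit Vault report definition) of the Oracle dictionary data behind the User Entitlements capability and this Database User Privileges Report, including the SYSDBA/SYSOPER view and a two-snapshot comparison that answers "what changed?". The view owner needs direct SELECT grants on DBA_USERS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and V$PWFILE_USERS (roles do not apply inside view definitions); ENTITLEMENT_NOW, ENTITLEMENT_SNAP and the bind variables are constructed names.

```sql
-- What accounts have what level of access: one row per account and grant.
CREATE OR REPLACE VIEW entitlement_now AS
SELECT u.username, u.account_status, u.profile,
       CAST('SYS PRIV' AS VARCHAR2(10)) AS grant_type,
       p.privilege AS granted, p.admin_option AS adm
FROM   dba_users u JOIN dba_sys_privs p ON p.grantee = u.username
UNION ALL
SELECT u.username, u.account_status, u.profile,
       'ROLE', r.granted_role, r.admin_option
FROM   dba_users u JOIN dba_role_privs r ON r.grantee = u.username
UNION ALL
-- SYSDBA/SYSOPER live in the password file, not in the grant tables.
SELECT u.username, u.account_status, u.profile, 'PWFILE', 'SYSDBA', 'NO'
FROM   dba_users u JOIN v$pwfile_users w ON w.username = u.username
WHERE  w.sysdba = 'TRUE'
UNION ALL
SELECT u.username, u.account_status, u.profile, 'PWFILE', 'SYSOPER', 'NO'
FROM   dba_users u JOIN v$pwfile_users w ON w.username = u.username
WHERE  w.sysoper = 'TRUE';

-- Snapshot store: run the INSERT at each review point (e.g. quarterly).
CREATE TABLE entitlement_snap AS
SELECT SYSTIMESTAMP AS snap_ts, v.* FROM entitlement_now v WHERE 1 = 0;
INSERT INTO entitlement_snap SELECT SYSTIMESTAMP, v.* FROM entitlement_now v;
COMMIT;

-- Compare two snapshots (:t_old and :t_new are snap_ts values): grants
-- present now but not before were ADDED; the reverse were REVOKED.
SELECT 'ADDED' AS change, username, grant_type, granted
FROM   entitlement_snap WHERE snap_ts = :t_new
MINUS
SELECT 'ADDED', username, grant_type, granted
FROM   entitlement_snap WHERE snap_ts = :t_old
UNION ALL
SELECT 'REVOKED', username, grant_type, granted
FROM  (SELECT username, grant_type, granted
       FROM   entitlement_snap WHERE snap_ts = :t_old
       MINUS
       SELECT username, grant_type, granted
       FROM   entitlement_snap WHERE snap_ts = :t_new)
ORDER BY username, change;
```

Account status and profile are carried in every row so a locked account or a changed profile also surfaces as a difference between snapshots.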
Who has access to these accounts? Database Logon
• Display database user logins
• Regulations
– PCI, HIPAA, SOX
DS 5.4 User Account Management
• Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. …
• Auditor Questions
– Who can make or has made changes to accounts and their privileges / roles?
– Who has accountability for an account?
© 2009 PricewaterhouseCoopers
Who can make or has made changes to accounts and their privileges & roles? User Privilege Change Activity
• Display user and role privilege changes
• Regulations
– PCI, HIPAA, SOX
Who has accountability for an account? Audit Vault Attestation Capability
• Track report attestations and notations
• Regulations
– PCI, HIPAA, SOX
DS 5.5 Security Testing, Surveillance and Monitoring
• Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
• Auditor Questions
– What activity do we monitor and on what tables?
– What accounts do we monitor and for what activity?
– What sources are monitored and what is collected?
– Who reviews the reports?
© 2009 PricewaterhouseCoopers
What activity do we monitor and on what tables? Audit Vault Policy Manager
• Snapshot of Oracle database audit settings
• Provision the required changes centrally
• Regulations
– PCI, HIPAA, SOX
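An added example, not Policy Manager's own code, covering both the policy lifecycle described under "Oracle Audit Vault Policies" (definition, settings, provisioning, maintenance) and the snapshot-and-provision step above: what a snapshot of Oracle audit settings consists of, the AUDIT statements that provision a policy like the deck's "SOX Audit Settings", and a drift check of approved versus current settings. Assumes SYS or a user with AUDIT SYSTEM and SELECT on V$PARAMETER and the DBA_*_AUDIT_OPTS views; FIN.GL_JOURNAL and APPROVED_AUDIT_POLICY are constructed names.

```sql
-- Nothing is recorded unless the trail is on; check before provisioning.
SELECT value FROM v$parameter WHERE name = 'audit_trail';  -- expect DB or DB,EXTENDED

-- Snapshot: statement, privilege and object audit options currently in force.
SELECT 'STMT' AS kind, NVL(user_name, '<all users>') AS scope,
       audit_option AS what, success, failure
FROM   dba_stmt_audit_opts
UNION ALL
SELECT 'PRIV', NVL(user_name, '<all users>'), privilege, success, failure
FROM   dba_priv_audit_opts
UNION ALL
SELECT 'OBJ', owner || '.' || object_name,
       'INS=' || ins || ' UPD=' || upd || ' DEL=' || del, NULL, NULL
FROM   dba_obj_audit_opts
WHERE  owner = 'FIN';

-- Provision the policy (what the console pushes to each target database).
AUDIT SESSION;                              -- logon/logoff: feeds the Database Logon report
AUDIT USER;                                 -- CREATE/ALTER/DROP USER
AUDIT ROLE;                                 -- CREATE/ALTER/DROP ROLE
AUDIT SYSTEM GRANT;                         -- GRANT/REVOKE of system privileges and roles
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;  -- use of the "grant any" privileges
AUDIT INSERT, UPDATE, DELETE ON fin.gl_journal BY ACCESS;  -- financial data changes

-- Policy maintenance: approved settings vs. what the database actually has.
CREATE TABLE approved_audit_policy (policy VARCHAR2(30), audit_option VARCHAR2(64));
INSERT INTO approved_audit_policy VALUES ('SOX', 'CREATE SESSION');  -- how AUDIT SESSION is listed
INSERT INTO approved_audit_policy VALUES ('SOX', 'USER');
INSERT INTO approved_audit_policy VALUES ('SOX', 'ROLE');
INSERT INTO approved_audit_policy VALUES ('SOX', 'SYSTEM GRANT');
COMMIT;

-- Rows returned here are approved settings missing from the database: drift to fix.
SELECT audit_option FROM approved_audit_policy WHERE policy = 'SOX'
MINUS
SELECT audit_option FROM dba_stmt_audit_opts WHERE user_name IS NULL;
```

Running the same MINUS the other way round (current minus approved) lists auditing that nobody approved, which is the other half of "compare and contrast approved policy with current settings".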
What accounts do we monitor and for what activity? Audit Vault Policy Manager
• View all activity being monitored for a specific user
• Regulations
– PCI, HIPAA, SOX
What sources are monitored and what is collected? Audit Vault Policy Manager
• View all databases being monitored
• Review and provision changes to the database
• Regulations
– PCI, HIPAA, SOX
Who reviews the reports? Audit Vault Attestation
• View saved reports and who attested to them
• Add additional notes for future forensics
• Regulations
– PCI, HIPAA, SOX
DS 5.7 Protection of Security Technology
• Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
• Auditor Questions
– What security setups / settings are in the DB?
© 2009 PricewaterhouseCoopers
What security setups / settings are in the database? Entitlement Reports
• View Oracle database profiles and their settings
• Regulations
– PCI, HIPAA, SOX
DS 11.6 Security Requirements for Data Management
• Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization's security policy and regulatory requirements.
• Auditor’s Questions
– Who can change data in the DB?
© 2009 PricewaterhouseCoopers
Who can change data in the database? Financial Related Data Modifications
• Concerned with materiality
• Regulations
– PCI, HIPAA, SOX
AC 2 Source Data Collection and Entry
• Ensure that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
• Auditor’s Questions
– Who can change or deploy application code?
© 2009 PricewaterhouseCoopers
Who can change or deploy application code? Program Changes
• Review procedure code changes for business implications
• Regulations
– PCI, HIPAA, SOX
DS 9.3 Configuration Integrity Review
• Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
• Auditor’s Questions
– Who can change Audit Vault configuration settings?
– Who can view / change audit data in Audit Vault?
– Is the Audit Vault database monitored for changes?
© 2009 PricewaterhouseCoopers
Summary
COBIT Control Objectives
COBIT Section | Description | Audit Vault Report
DS 5.3 | Identity Management | User Entitlement Reports; Database Logon
DS 5.4 | User Account Management | User Privilege Change Activity; Report Attestation
DS 5.5 | Security Testing, Surveillance and Monitoring | Audit Vault Policy Manager; Report Attestation
DS 5.7 | Protection of Security Technology | User Entitlement Reports
DS 11.6 | Security Requirements for Data Management | Financial Related Data Modifications
AC 2 | Source Data Collection and Entry | Program Changes
DS 9.3 | Configuration Integrity Review – Audit Audit Vault | Policy Manager, User Entitlements, …
Oracle Audit Vault 10.2.3.2 Summary
• Consolidate and secure audit data
– Oracle 9i Release 2 and higher
– SQL Server 2000, 2005, 2008
– IBM DB2 UDB 8.5, 9.1, & 9.2
– Sybase ASE 12.5.4 - 15.0
– Secure and scalable
– Cleanup of source audit data
• Centralized reporting
– Entitlement reports
– Compliance Reports to help meet PCI, SOX, and HIPAA
– Flexible and customizable reports
• Alert on security threats
– Detect and alert on security relevant events
– Integration with Remedy and email
(figure: Oracle Database, IBM DB2, Microsoft SQL Server and Sybase ASE as audit sources)
Oracle Database Security: Learn More At These Oracle Sessions
S311340 Classify, Label, and Protect: Data Classification and Security with Oracle Label Security
Monday 14:30 - 15:30 Moscone South Room 307
S308113 Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World
Tuesday 11:30 - 12:30 Moscone South Room 102
S311338 All About Data Security and Privacy: An Industry Panel
Tuesday 13:00 - 14:00 Moscone South Room 103
S311455 Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database
Tuesday 14:30 - 15:30 Moscone South Room 306
S311339 Meet the Database Security Development Managers: Ask Your Questions
Tuesday 16:00 - 17:00 Moscone South Room 306
S311345 Database Auditing Demystified: The What, the How, and the Why
Tuesday 17:30 - 18:30 Moscone South Room 306
S311342 Do You Have a Database Security Plan?
Wednesday 11:45 - 12:45 Moscone South Room 102
S311332 Encrypt Your Sensitive Data Transparently in 30 Minutes or Less
Wednesday 13:00 - 13:30 Moscone South Room 103
S311337 Secure Your Existing Application Transparently in 30 Minutes or Less
Wednesday 13:45 - 14:15 Moscone South Room 103
S311344 Securing Your Oracle Database: The Top 10 List
Wednesday 17:00 - 18:00 Moscone South Room 308
S311343 Building an Application? Think Data Security First
Thursday 13:30 - 14:30 Moscone South Room 104
For More Information
• Visit PwC at Booth 911 (Moscone South)
• For more information on this topic (and other related topics), visit our website at: www.pwc.com/us/oracle
• PwC is proud to be one of Oracle’s elite “globally managed partners”
PricewaterhouseCoopers Notices: PwC prepared remarks and materials in this presentation are contained on the pages with the © 2009 PricewaterhouseCoopers branding included at the bottom of the page.
© 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.
The information contained in this presentation is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional adviser.
For More Information
Search for Audit Vault at search.oracle.com or oracle.com
© 2009 PricewaterhouseCoopers
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.