S311345 - Database Auditing Demystified: The What, the How, and the Why
Tammy Bednar, Oracle Sr. Principal Product Manager, [email protected]
Jan Wentzel, PricewaterhouseCoopers, [email protected]

Program Agenda
• Why Governance Risk & Compliance for the database?
• Oracle Audit Vault Overview
• How does Audit Vault help Auditors and Customers?
• Summary
• Q&A

Why GRC for the database?

Perspective: Establish a GRC framework
The “current state”
Increasing stakeholder demands (Shareholders, Board, Community, Rating Agencies, Others)
+ Expansion of risk and control oversight functions (IT, Legal, Finance, Risk Mgmt, Compliance, Info Sec., Credit, Privacy, Internal Audit, Op Risk, Anti-Fraud, Business Unit)
+ Expanding risks, laws and regulations (SOX, ERM Criteria, BCP, Consumer Protection, FCPA)
=
• Business fatigue
• Lack of coordination
• Duplicate efforts
• Risks falling through the cracks
• Competition for attention
© 2009 PricewaterhouseCoopers

The evolving state of GRC
Three stages: Sox, Auditing Standard #5, and Integrated Governance, Risk and Compliance (iGRC)
Management’s Response
Sox:
• Largely a manual environment
• Ensure compliance at any cost
• Built risk oversight “silos”
• GRC was “bolted on” to business processes
Auditing Standard #5:
• AS5 responded to “over auditing” of the control system
• Required a “risk based” approach
• Encouraged the use of “automated” controls
Integrated GRC (iGRC):
• Management begins to rethink its GRC investment
• Recognition that GRC processes must be “built in” vs. “bolted on”.
• Requires the use of a business process framework enabled by technology
Technology
From point technology solutions (Sox) to enterprise-wide technology solutions (iGRC)
© 2009 PricewaterhouseCoopers

GRC controls maturity model
Maturity stages: Developing, Established, Optimized (with the Current State marked against them)
Level 1 - Individual: Adhoc processes, detective remediation & manual clean-up
Level 2 - Coordinated: Standardized and repeatable processes
Level 3 - Leveraged: Simplified and automated processes
Level 4 - Integrated: Integrated with existing business processes
Dimensions assessed: People/Strategy/Governance, Process, Technology
© 2009 PricewaterhouseCoopers

Identify logical points of integration
Numerous opportunities for integration usually exist
Illustrative
(Matrix of common activities against common governance, risk and control functions; the X marks showing which activity each function performs are not recoverable from this transcript.)
Common governance, risk and control functions: Records management; Legal; Anti-fraud; SOX (bus and IT); Operational risk; Regulatory compliance; Internal audit; IT problem management; Business continuity planning; Credit / market risk; Information security
Common activities
• Event definition/scoping
• Risk/control assessment
• Control monitoring
• KPIs/KRIs
• Control testing/validation
• Advisory
• Policy and procedure
• Incident management
• Deficiency management
• Reporting
• Change management
• Records management
• Communications
• Training
© 2009 PricewaterhouseCoopers

Oracle GRC – Controls & Security
Layers: Business Objectives & Processes; People; Business Process; ERP; Supporting Infrastructure; Technology
Control types: Manual & Procedural Controls; Security Controls; Configurable Controls; Inherent Controls
© 2009 PricewaterhouseCoopers

What Is Audit Vault And How Does It Fit Into GRC?

Oracle Audit Vault
Trust-but-Verify
• Consolidate and Secure Audit Data
• Simplify Compliance Reporting
• Alert on Security Threats
• Lower IT Costs With Audit Policies
Audit sources: Oracle Database, Microsoft SQL Server, IBM DB2, Sybase ASE

Oracle Audit Vault
Database Audit Support
• Oracle
– Database Audit Tables
• Collect audit data for standard and fine-grained auditing, & Database Vault specific audit records
– Oracle audit trail from OS files
• Collect audit records written in XML or standard text file
– Operating system SYSLOG
• Collect Oracle database audit records from SYSLOG
– Redo log
• Extract before/after values and DDL changes to table
• Microsoft SQL Server versions 2000, 2005, 2008
– Server side trace – set specific audit event
– Windows event audit – specific audit events that are viewed by the Windows Event Viewer
– C2 - automatically sets all auditable events and collects them in the audit log
• IBM DB2 8.2, 9.1, 9.5 on Linux, Unix, Windows
– Extract binary audit files into a trace file
• Sybase ASE 12.5.4 - 15.0.x
– Utilize the native audit tables

Reports
• Entitlement Reports
– Snapshot of Oracle database users, roles, privileges, and profiles
– Compare changes in settings
• Compliance Reports
– Meet compliance in the areas of Credit Card, Financial Materiality, and Health Care data activity
– Customization to define your compliance report and filter data
• Schedule, print, and save reports in PDF format
– Attest and add review notes

Oracle Audit Vault Policies
Centralized Management of Audit Policies
• Policy definition
– Named, centrally managed, collection of audit settings
• Policy audit settings
– Settings can be extracted from an existing database with auditing
– Manual entry supported
• Policy provisioning
– Policies applied to databases from the Audit Vault console
• Policy maintenance
– Compare and contrast approved policy with current settings
(Diagram: Oracle Audit Vault provisions Privilege User Audit Settings, SOX Audit Settings and Privacy Audit Settings to the HR Database, Financial Database and Customer Database.)

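The "compare approved policy with current settings" step, expressed directly against an Oracle source database as an added example; this is not code from the slides or from Audit Vault itself, which does the comparison in its console. The approved_audit_policy table and its four rows are constructed for the example; the current settings come from the standard DBA_STMT_AUDIT_OPTS and DBA_PRIV_AUDIT_OPTS dictionary views (Oracle 11g is assumed), and the last column generates the AUDIT statement that would raise a missing or weaker setting to the approved BY ACCESS level.

```sql
-- Added example: compare an approved audit policy with what is actually set.
-- The approved_audit_policy table and its rows are constructed for this
-- example; everything else reads the Oracle 11g data dictionary.

CREATE TABLE approved_audit_policy (
  policy_name  VARCHAR2(30) NOT NULL,
  audit_option VARCHAR2(40) NOT NULL,  -- statement option or system privilege name
  user_name    VARCHAR2(30)            -- NULL means the option applies to all users
);

-- Constructed baseline: the kind of settings a SOX-oriented policy carries
INSERT INTO approved_audit_policy VALUES ('SOX_BASELINE', 'CREATE SESSION',      NULL);
INSERT INTO approved_audit_policy VALUES ('SOX_BASELINE', 'ALTER USER',          NULL);
INSERT INTO approved_audit_policy VALUES ('SOX_BASELINE', 'GRANT ANY PRIVILEGE', NULL);
INSERT INTO approved_audit_policy VALUES ('SOX_BASELINE', 'ALTER SYSTEM',        NULL);
COMMIT;

-- Current statement- and privilege-level audit options, normalised to one shape.
-- UNION rather than UNION ALL: options such as CREATE SESSION appear in both views.
WITH current_opts AS (
  SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts
  UNION
  SELECT user_name, privilege,    success, failure FROM dba_priv_audit_opts
)
SELECT p.policy_name,
       p.audit_option,
       NVL(p.user_name, '<all users>') AS scope,
       CASE
         WHEN c.audit_option IS NULL                               THEN 'MISSING'
         WHEN c.success <> 'BY ACCESS' OR c.failure <> 'BY ACCESS' THEN 'WEAKER (' || c.success || ' / ' || c.failure || ')'
         ELSE 'OK'
       END AS status,
       -- Statement to provision centrally; NULL when the setting already complies
       CASE
         WHEN c.audit_option IS NULL
           OR c.success <> 'BY ACCESS' OR c.failure <> 'BY ACCESS'
         THEN 'AUDIT ' || p.audit_option
              || CASE WHEN p.user_name IS NOT NULL THEN ' BY ' || p.user_name END
              || ' BY ACCESS;'
       END AS remediation
  FROM approved_audit_policy p
  LEFT JOIN current_opts c
    ON  c.audit_option = p.audit_option
    AND NVL(c.user_name, '*') = NVL(p.user_name, '*')
 ORDER BY p.policy_name, p.audit_option, scope;

-- Audit options only produce records when the instance parameter is enabled,
-- so a policy check is incomplete without this line.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';
```

The status column is what an auditor reads (MISSING, WEAKER, OK); the remediation column is the change a DBA would review before applying it, which mirrors the snapshot-then-provision flow the policy manager slides describe.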
Oracle Audit Vault
Audit Trail Clean-Up: DBMS_AUDIT_MGMT
• Automatically deletes Oracle audit trails from target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
Flow between the source database and Audit Vault:
1) Transfer audit trail data
2) Update last inserted record
3) Delete older audit records

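The transfer / mark / delete sequence from the slide, run by hand on an Oracle 11g source database, as an added example; the Audit Vault collector performs these calls itself and this is not its code. It assumes a user granted EXECUTE on DBMS_AUDIT_MGMT, and the timestamp passed to SET_LAST_ARCHIVE_TIMESTAMP is a constructed stand-in for "last record safely stored in Audit Vault" (step 1, the transfer, is not shown).

```sql
-- Added example: the three-step cleanup flow for the standard DB audit trail
-- (AUD$) on an Oracle 11g source. Assumes EXECUTE on DBMS_AUDIT_MGMT.

-- One-time preparation: enables cleanup for the DB audit trail and relocates
-- AUD$ out of the SYSTEM tablespace. The guard makes it safe to re-run.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;
END;
/

-- Step 2: record the high-water mark of what has been transferred.
-- Only records older than this timestamp become eligible for deletion.
-- The value is constructed for the example.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => TO_TIMESTAMP_TZ('2009-10-13 17:30:00 +00:00',
                                         'YYYY-MM-DD HH24:MI:SS TZH:TZM'));
END;
/

-- Step 3: delete only up to that mark. use_last_arch_timestamp => TRUE is the
-- safety property: records not yet transferred are never removed.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Verification: the mark is recorded and nothing older than it remains.
SELECT audit_trail, last_archive_ts
  FROM dba_audit_mgmt_last_arch_ts;

SELECT COUNT(*) AS rows_older_than_mark
  FROM dba_audit_trail
 WHERE extended_timestamp < (SELECT last_archive_ts
                               FROM dba_audit_mgmt_last_arch_ts
                              WHERE audit_trail = 'STANDARD AUDIT TRAIL');
```

The same three calls apply to the other trails the slide on audit support lists, using the constants AUDIT_TRAIL_FGA_STD, AUDIT_TRAIL_OS and AUDIT_TRAIL_XML in place of AUDIT_TRAIL_AUD_STD. The point to verify in a review is that every CLEAN_AUDIT_TRAIL call uses the last-archive timestamp; a call with use_last_arch_timestamp => FALSE purges the whole trail regardless of what has been collected.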
How Can Audit Vault Help Customers and Auditors?

DS 5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities…
• Auditor Questions
– What accounts have what level of access?
– Who has access to these accounts?
© 2009 PricewaterhouseCoopers

Audit Vault
User Entitlements
• View all user accounts in the Oracle database
• Retrieve a snapshot of user entitlement data
• Filter data based on users or privileges
• View or print report in PDF format
• Compare changes in user accounts and privileges
• View SYSDBA/SYSOPER privileges

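What an entitlement snapshot and the "compare changes" step amount to underneath, written as an added example against the Oracle 11g data dictionary; this is not the Audit Vault report itself and goes slightly beyond the slide by diffing two snapshots. The entitlement_snapshot table is constructed for the example; it assumes a user with SELECT on the DBA_* views and V$PWFILE_USERS (SELECT_CATALOG_ROLE is enough).

```sql
-- Added example: point-in-time entitlement snapshot plus a diff against the
-- previous snapshot. The entitlement_snapshot table is constructed here; the
-- rows come from the Oracle 11g data dictionary.

CREATE TABLE entitlement_snapshot (
  snap_time    TIMESTAMP     NOT NULL,
  grantee      VARCHAR2(30)  NOT NULL,
  kind         VARCHAR2(10)  NOT NULL,  -- ACCOUNT, ROLE, SYSPRIV or ADMINPRIV
  detail       VARCHAR2(200) NOT NULL,
  admin_option VARCHAR2(3)              -- YES/NO for grants, NULL otherwise
);

-- Take one snapshot. The timestamp is captured once so every row of the
-- snapshot shares the same key.
DECLARE
  v_snap TIMESTAMP := SYSTIMESTAMP;
BEGIN
  INSERT INTO entitlement_snapshot (snap_time, grantee, kind, detail, admin_option)
  SELECT v_snap, username, 'ACCOUNT', account_status || ' / profile ' || profile, NULL
    FROM dba_users
  UNION ALL
  SELECT v_snap, grantee, 'ROLE', granted_role, admin_option
    FROM dba_role_privs
  UNION ALL
  SELECT v_snap, grantee, 'SYSPRIV', privilege, admin_option
    FROM dba_sys_privs
  UNION ALL
  -- SYSDBA / SYSOPER live in the password file, not in DBA_SYS_PRIVS
  SELECT v_snap, username, 'ADMINPRIV',
         TRIM(CASE WHEN sysdba  = 'TRUE' THEN 'SYSDBA '  END ||
              CASE WHEN sysoper = 'TRUE' THEN 'SYSOPER' END), NULL
    FROM v$pwfile_users
   WHERE sysdba = 'TRUE' OR sysoper = 'TRUE';
  COMMIT;
END;
/

-- Diff the two most recent snapshots: what was granted and what was revoked.
-- MINUS treats NULL admin_option values as equal, so unchanged rows drop out.
WITH snaps AS (
  SELECT snap_time, DENSE_RANK() OVER (ORDER BY snap_time DESC) AS rn
    FROM (SELECT DISTINCT snap_time FROM entitlement_snapshot)
),
cur AS (
  SELECT e.grantee, e.kind, e.detail, e.admin_option
    FROM entitlement_snapshot e JOIN snaps s ON s.snap_time = e.snap_time
   WHERE s.rn = 1
),
prev AS (
  SELECT e.grantee, e.kind, e.detail, e.admin_option
    FROM entitlement_snapshot e JOIN snaps s ON s.snap_time = e.snap_time
   WHERE s.rn = 2
)
SELECT 'ADDED'   AS change_type, grantee, kind, detail, admin_option
  FROM (SELECT * FROM cur MINUS SELECT * FROM prev)
UNION ALL
SELECT 'REMOVED' AS change_type, grantee, kind, detail, admin_option
  FROM (SELECT * FROM prev MINUS SELECT * FROM cur)
 ORDER BY change_type, grantee, kind, detail;
```

Run the snapshot block on a schedule and keep the table outside the monitored database (or in the audit repository) so that a user who can grant themselves privileges cannot also rewrite the history; that separation is the reason the slides place entitlement reporting in Audit Vault rather than on the source.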
What accounts have what level of access?
Database User Privileges Report
• Display all Oracle database users, privileges, and roles
• Regulations
– SOX, PCI, HIPAA, SAS 70, STIG

Who has access to these accounts?
Database Logon
• Display database user logins
• Regulations
– PCI, HIPAA, SOX

DS 5.4 User Account Management
• Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. …
• Auditor Questions
– Who can make or has made changes to accounts and their privileges / roles?
– Who has accountability for an account?
© 2009 PricewaterhouseCoopers

Who can make or has made changes to accounts and their privileges & roles?
User Privilege Change Activity
• Display user and role privilege changes
• Regulations
– PCI, HIPAA, SOX

Who has accountability for an account?
Audit Vault Attestation Capability
• Track report attestations and notations
• Regulations
– PCI, HIPAA, SOX

DS 5.5 Security Testing, Surveillance and Monitoring
• Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
• Auditor Questions
– What activity do we monitor and on what tables?
– What accounts do we monitor and for what activity?
– What sources are monitored and what is collected?
– Who reviews the reports?
© 2009 PricewaterhouseCoopers

What activity do we monitor and on what tables?
Audit Vault Policy Manager
• Snapshot of Oracle database audit settings
• Provision the required changes centrally
• Regulations
– PCI, HIPAA, SOX

What accounts do we monitor and for what activity?
Audit Vault Policy Manager
• View all activity being monitored by a specific user
• Regulations
– PCI, HIPAA, SOX

What sources are monitored and what is collected?
Audit Vault Policy Manager
• View all databases being monitored
• Review and provision changes to the database
• Regulations
– PCI, HIPAA, SOX

Who reviews the reports?
Audit Vault Attestation
• View saved reports and who attested to them
• Add additional notes for future forensics
• Regulations
– PCI, HIPAA, SOX

DS 5.7 Protection of Security Technology
• Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
• Auditor Questions
– What security setups / settings are in the DB?
© 2009 PricewaterhouseCoopers

What security setups / settings are in the database?
Entitlement Reports
• View Oracle database profiles and their settings
• Regulations
– PCI, HIPAA, SOX

DS 11.6 Security Requirements for Data Management
• Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization's security policy and regulatory requirements.
• Auditor’s Questions
– Who can change data in the DB?
© 2009 PricewaterhouseCoopers

Who can change data in the database?
Financial Related Data Modifications
• Concerned with materiality
• Regulations
– PCI, HIPAA, SOX

AC 2 Source Data Collection and Entry
• Ensure that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
• Auditor’s Questions
– Who can change or deploy application code?
© 2009 PricewaterhouseCoopers

Who can change or deploy application code?
Program Changes
• Review procedure code changes for business implications
• Regulations
– PCI, HIPAA, SOX

DS 9.3 Configuration Integrity Review
• Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
• Auditor’s Questions
– Who can change Audit Vault configuration settings?
– Who can view / change audit data in Audit Vault?
– Is the Audit Vault database monitored for changes?
© 2009 PricewaterhouseCoopers

Summary

COBIT Control Objectives
COBIT Section | Description | Audit Vault Report
DS 5.3 | Identity Management | User Entitlement Reports; Database Logon
DS 5.4 | User Account Management | User Privilege Change Activity; Report Attestation
DS 5.5 | Security Testing, Surveillance and Monitoring | Audit Vault Policy Manager; Report Attestation
DS 5.7 | Protection of Security Technology | User Entitlement Reports
DS 11.6 | Security Requirements for Data | Financial Related Data Modifications
AC 2 | Source Data Collection and Entry | Program Changes
DS 9.3 | Configuration Integrity Review | Audit Policy Manager, User Entitlements, Audit Vault …

Oracle Audit Vault 10.2.3.2
Summary
• Consolidate and secure audit data
– Oracle 9i Release 2 and higher
– SQL Server 2000, 2005, 2008
– IBM DB2 UDB 8.5, 9.1, & 9.2
– Sybase ASE 12.5.4 - 15.0
– Secure and scalable
– Cleanup of source audit data
• Centralized reporting
– Entitlement reports
– Compliance Reports to help meet PCI, SOX, and HIPAA
– Flexible and customizable reports
• Alert on security threats
– Detect and alert on security relevant events
– Integration with Remedy and email
Audit sources (diagram): Oracle Database, Microsoft SQL Server, IBM DB2, Sybase ASE

Oracle Database Security
Learn More At These Oracle Sessions
S311340: Classify, Label, and Protect: Data Classification and Security with Oracle Label Security (Monday 14:30 - 15:30, Moscone South Room 307)
S308113: Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World (Tuesday 11:30 - 12:30, Moscone South Room 102)
S311338: All About Data Security and Privacy: An Industry Panel (Tuesday 13:00 - 14:00, Moscone South Room 103)
S311455: Tips/Tricks for Auditing PeopleSoft and Oracle EBusiness Suite Applications from the Database (Tuesday 14:30 - 15:30, Moscone South Room 306)
S311339: Meet the Database Security Development Managers: Ask Your Questions (Tuesday 16:00 - 17:00, Moscone South Room 306)
S311345: Database Auditing Demystified: The What, the How, and the Why (Tuesday 17:30 - 18:30, Moscone South Room 306)
S311342: Do You Have a Database Security Plan? (Wednesday 11:45 - 12:45, Moscone South Room 102)
S311332: Encrypt Your Sensitive Data Transparently in 30 Minutes or Less (Wednesday 13:00 - 13:30, Moscone South Room 103)
S311337: Secure Your Existing Application Transparently in 30 Minutes or Less (Wednesday 13:45 - 14:15, Moscone South Room 103)
S311344: Securing Your Oracle Database: The Top 10 List (Wednesday 17:00 - 18:00, Moscone South Room 308)
S311343: Building an Application? Think Data Security First (Thursday 13:30 - 14:30, Moscone South Room 104)

For More Information
• Visit PwC at Booth 911 (Moscone South)
• For more information on this topic (and other related topics), visit our website at: www.pwc.com/us/oracle
• PwC is proud to be one of Oracle’s elite “globally managed partners”
PricewaterhouseCoopers Notices:
PwC prepared remarks and materials in this presentation are contained on the pages with the © 2009 PricewaterhouseCoopers branding included at the bottom of the page.
© 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.
The information contained in this presentation is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional adviser.

For More Information
search.oracle.com: Audit Vault
or oracle.com
© 2009 PricewaterhouseCoopers

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.