CobiT Detailed Analysis

The Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology management and IT governance. It is often used to help comply with regulations such as Sarbanes-Oxley and HIPAA.
Like any compliance framework, CobiT is subject to interpretation by each organization, and implementation typically follows a maturity model of gradual adoption. This article is based on CobiT 4.1 and focuses on the portions of its sections that are relevant to Oracle database auditing.

DS5.5 - Security Monitoring

CobiT DS5.5 requires monitoring of IT security (for example, Oracle accounts and privileges). The idea is that once the initial baseline of users and privileges is approved, any change to that baseline must be detected and approved. Otherwise, there is a slow and dangerous drift from the privileges that were approved to the ones that exist in reality.
Timely detection of changes to users, roles, and privileges allows for quick remediation and can prevent a security event. Implementation of CobiT DS5.5 can only be done with an Oracle database auditing solution that can report and alert on changes to the Oracle security model.
To be more specific, Oracle database auditing should monitor for the creation, deletion, or modification of users, roles, privileges, and profiles, as well as the granting and revoking of privileges.
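As an added example (not from the original page and not Core Audit's own code), this is how the DS5.5 controls look when built with Oracle's own traditional auditing and data dictionary views. It assumes an Oracle 11g database with AUDIT_TRAIL=DB,EXTENDED and a hypothetical SECBASE schema whose owner holds direct SELECT grants on the DBA_* views:

```sql
-- Added example, not from the page or from Core Audit: DS5.5 controls built with
-- Oracle traditional auditing and dictionary views.
-- Assumptions: Oracle 11g, AUDIT_TRAIL=DB,EXTENDED, hypothetical SECBASE schema.

-- 1. Timely detection: audit every statement that changes the security model.
AUDIT USER;             -- CREATE / ALTER / DROP USER
AUDIT ROLE;             -- CREATE / ALTER / DROP / SET ROLE
AUDIT PROFILE;          -- CREATE / ALTER / DROP PROFILE
AUDIT SYSTEM GRANT;     -- GRANT / REVOKE of system privileges and roles
AUDIT GRANT TABLE;      -- GRANT / REVOKE of object privileges on tables
AUDIT GRANT PROCEDURE;  -- GRANT / REVOKE of object privileges on PL/SQL units

-- Daily review of security-model changes: who, from where, what, and whether
-- it succeeded (RETURNCODE 0) or failed. SQL_TEXT needs the EXTENDED trail.
SELECT timestamp, username, os_username, userhost, action_name,
       grantee, sys_privilege, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
   AND (action_name LIKE '%USER' OR action_name LIKE '%ROLE'
        OR action_name LIKE '%PROFILE' OR action_name LIKE '%GRANT%'
        OR action_name LIKE '%REVOKE%')
 ORDER BY timestamp;

-- 2. Baseline drift: one view of "who holds what", snapshotted at approval time.
CREATE OR REPLACE VIEW secbase.priv_current AS
SELECT grantee, 'SYS:' || privilege AS grant_desc, admin_option AS opt
  FROM dba_sys_privs
UNION ALL
SELECT grantee, 'ROLE:' || granted_role, admin_option FROM dba_role_privs
UNION ALL
SELECT grantee, 'OBJ:' || owner || '.' || table_name || ':' || privilege, grantable
  FROM dba_tab_privs
UNION ALL
SELECT username, 'ACCOUNT:' || account_status || ':' || profile, NULL
  FROM dba_users;

-- Taken once, after the user/privilege review has been approved.
CREATE TABLE secbase.priv_baseline AS SELECT * FROM secbase.priv_current;

-- Grants or accounts that exist now but were never approved (additions).
SELECT grantee, grant_desc, opt FROM secbase.priv_current
MINUS
SELECT grantee, grant_desc, opt FROM secbase.priv_baseline;

-- Approved grants or accounts that have disappeared (removals).
-- Both result sets should be empty; anything returned needs approval or remediation.
SELECT grantee, grant_desc, opt FROM secbase.priv_baseline
MINUS
SELECT grantee, grant_desc, opt FROM secbase.priv_current;
```

Note that with this setup the audit records land in SYS.AUD$ on the database server itself, which is exactly the temporary log storage weak point discussed under DS5.7 below.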

DS5.7 - Tamper-Proofing

CobiT DS5.7 requires security technology to be tamper-proof. The guiding principle is that security technology that can be tampered with is less effective and less reliable.
This requirement is relevant in two ways:
  • Tampering with Oracle database security must be identified. This refers back to section DS5.5 and reinforces it.
  • Any Oracle database auditing solution used should itself be tamper-proof.
Oracle database auditing solutions contain three potential weak points for tampering:
  • Data Capture – If the data capture can be tampered with so that certain activity is not captured (for example, by the DBA), then the auditing solution is vulnerable. Core Audit cannot be tampered with in such a way.
  • Temporary Log Storage – If the auditing solution stores audit logs on the Oracle database server, those audit logs can be manipulated. Core Audit does not store audit logs on the Oracle database server.
  • Compliance Repository – If the compliance repository can be modified, the data in it is unreliable. Core Audit uses a proprietary repository that does not have deletion or modification functionality. Additionally, the compliance storage is locked and encrypted.

DS11.6 - Securing Data

CobiT DS11.6 requires securing of data. This is an overall requirement encompassing data as it enters the IT systems, is processed, is stored, and leaves the IT systems. It can include many parts of the IT environment, but the Oracle database is at its center. Actual implementations for Oracle databases are likely to include network and disk encryption from Oracle Advanced Security (OAS), but should also include detective controls.
Detective controls in Oracle databases mean Oracle database auditing. For data protection we recommend:
  • DDLs – Audit of changes to users, schemas, triggers, procedures, etc. These can all affect the processing and security of the data
  • Administrative Access – Audit of access to sensitive data by DBAs & privileged users
  • Unapproved Access – Audit of access to sensitive data by the application account but not by the application
  • Abnormal Access – Audit of access to sensitive data using unusual SQL statements, from unusual sources, at the wrong time of day, etc.

DS13.3 - Infrastructure Activity Auditing

CobiT DS13.3 requires monitoring of the entire IT infrastructure. This is a general auditing requirement for all IT systems in an effort to detect suspicious activity, and perform forensic investigations of attacks and breaches.
Without sufficient auditing, there is little to no chance of internally detecting an attack, a breach, or fraud. Additionally, when detection is achieved (often through external sources), lack of auditing information makes it difficult if not impossible to determine what transpired.
Given that the final goal of most attacks is the data in the database, Oracle database auditing is a central component in this effort. Without Oracle database auditing, the conclusions are often that the database, and any information in it, might have been compromised. CobiT acknowledges the significance of auditing and explicitly requires auditing of the entire infrastructure to allow for the reconstruction of events.
Complete Picture is a feature in Core Audit that, without any configuration, automatically stores vital forensic information. Configuring policies is simple and can add important additional information, and adding reports and alerts provides detection capabilities as well. Core Audit is a fully featured solution that comes with everything needed for compliance and security built in.