Compliance in General

Compliance is when the government or another regulatory body requires you to comply with their rules in general and their security standards in particular. In the context of the Oracle database, we are talking about regulated security.

Compliance in Practice

While different regulations have different perspectives, the auditing portion usually revolves around auditing the same specific activities (Declarative Auditing). The entire compliance process is a bit more complex and is usually not defined in technical terms. Looking at compliance regulations, it is easy to see two trends:
  • Specific requirements to audit DBA activity, sensitive table activity, etc.
  • A requirement to follow a risk-control process using a framework like CobiT
Compliance regulations include one of the two trends, or a combination of both. For example, PCI-DSS has only specific requirements, while SOX and HIPAA have a combination of both.
The risk-control process usually follows this methodology:
  1. List all the Assets (databases, users, sensitive information, etc)
  2. Identify Risks to the assets
  3. Setup appropriate Controls to mitigate the risks
  4. Monitor the system and reevaluate the risks and controls
As far as database auditing is concerned, the outcome is usually that:
  • DBAs and privileged users pose a risk that can only be mitigated by monitoring their activity
  • Sensitive information needs least-privilege access control, and must be monitored
  • The current schemas, users, and privileges need to be approved, and then monitored for changes (to ensure they remain approved)
Whether the regulation follows specific requirements, the risk-control process, or a combination of both, the result in database auditing ends up being the same.
This type of auditing is called Declarative Auditing since it concentrates on monitoring particular activities. Intelligent Auditing is another type of auditing available in Core Audit and is described further in the Security section.
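The third outcome above, an approved privilege baseline that is then monitored for changes, is the part that is easiest to automate. The following is an added example, not Core Audit code; it diffs two privilege snapshots whose rows mimic the GRANTEE, OWNER, TABLE_NAME, PRIVILEGE and GRANTABLE columns of Oracle's DBA_TAB_PRIVS view, with all sample rows constructed for illustration.

```python
"""Privilege drift check: compare an approved baseline with the current
state and report every grant that was added or removed.

Added example, not Core Audit code. Rows mimic DBA_TAB_PRIVS columns;
the sample grants are constructed, not taken from a real database.
"""
from typing import Iterable, List, NamedTuple, Tuple


class Grant(NamedTuple):
    grantee: str
    owner: str
    table_name: str
    privilege: str
    grantable: str  # 'YES' means WITH GRANT OPTION, 'NO' otherwise


# Constructed approved baseline: what was signed off on.
APPROVED = [
    Grant("APP_USER", "HR", "EMPLOYEES", "SELECT", "NO"),
    Grant("APP_USER", "HR", "EMPLOYEES", "UPDATE", "NO"),
    Grant("REPORTING", "HR", "EMPLOYEES", "SELECT", "NO"),
]

# Constructed current snapshot: one grant escalated to WITH GRANT OPTION,
# one new grant on a sensitive table, one approved grant revoked.
CURRENT = [
    Grant("APP_USER", "HR", "EMPLOYEES", "SELECT", "NO"),
    Grant("APP_USER", "HR", "EMPLOYEES", "UPDATE", "YES"),
    Grant("TEMP_DBA", "HR", "SALARIES", "SELECT", "NO"),
]


def privilege_drift(approved: Iterable[Grant], current: Iterable[Grant]) -> Tuple[List[Grant], List[Grant]]:
    """Return (added, removed) grants relative to the approved baseline.

    A grant whose GRANTABLE flag changed appears as one removed row and one
    added row on purpose: WITH GRANT OPTION lets the grantee pass the
    privilege on, so it needs its own approval.
    """
    approved_set, current_set = set(approved), set(current)
    return sorted(current_set - approved_set), sorted(approved_set - current_set)


def drift_report(approved: Iterable[Grant], current: Iterable[Grant]) -> List[str]:
    """Lines for the daily sign-off report; one line per drifted grant."""
    added, removed = privilege_drift(approved, current)
    fmt = "{} {} {} ON {}.{} grantable={}"
    lines = [fmt.format("+", g.grantee, g.privilege, g.owner, g.table_name, g.grantable) for g in added]
    lines += [fmt.format("-", g.grantee, g.privilege, g.owner, g.table_name, g.grantable) for g in removed]
    return lines or ["no privilege drift from approved baseline"]
```

Run against the constructed data it reports two added and two removed grants; against an unchanged baseline it reports no drift.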

Challenges

In databases, three parts of the compliance process pose the most challenge:
  • Discovery – Listing the assets usually entails a long discovery process. Finding all the databases and figuring out what’s in them and who’s using them can take time. Some tools can assist in this process, but eventually it is all about doing the legwork and spending the time.
  • Preventative Controls – Removing users that shouldn’t exist, eliminating unnecessary privileges, and isolating sensitive data is another time-consuming effort, though usually not technically challenging.
  • Monitoring – This is where most people hit the wall. While Oracle has sufficient means of controlling access, it has no means of monitoring the thousands of SQL statements executed every second. To make matters worse, tasking the DBAs with monitoring themselves is a pointless exercise. This is where Core Audit can solve your problem.

Reports

To be compliant, someone will eventually have to get daily reports and sign off on them. This paper trail is important to pass the audit. Core Audit has out-of-the-box wizards that can generate most (if not all) of what you’ll need, and the rest can be easily customized to fit any requirement. Below are a few examples of the built-in reports. To learn more about reports and see more examples, see the reports page.

What's next?

I want to know more about Core Audit!
Great! Here are a few options:
  • Read more about Core Audit features, reports, etc.
  • Try our Online Demo and play with Core Audit right now
  • Ask for a Personal Demo from one of our experts and get all your questions answered
  • Download a Free Trial and experience Core Audit on your systems
I only want more information, not a product
Not a problem. Here is a list of relevant pages, and we are always available to answer any question.