Sarbanes-Oxley (SOX) in Oracle Databases

Sarbanes-Oxley (SOX) is a federal law that aims to ensure accurate information is provided to investors.
As part of the effort to make financial reports accurate, focus is also placed on ensuring the financial information the reports are based on has not been tampered with. This is where Oracle database auditing comes into play.

Auditing

SOX paints a clear picture of the responsibility placed on the CEO to ensure the financial reports are accurate and are reviewed by independent auditors. SOX is enforced by the Securities and Exchange Commission (SEC), which publishes regulations with more details on how to comply.
As part of the regulations, companies are required to set up internal control over financial reporting that uses a recognized control framework (such as CobiT).
Oracle database auditing is explicitly required by the SEC regulations, by the compliance framework, and by the risk-control process. For a better understanding of the law, the regulation, the control framework, and the practical implications, read the detailed analysis.
While every Oracle database environment is different, our initial recommendation is to cover:
  • User Logons – ensure that all the users, programs, machines, etc., that connect to the database are allowed to do so.
  • Application Account – ensure the application account is only accessed by the application program, from the application servers, especially when accessing financial records.
  • DBAs & Privileged Users – ensure DBAs and Privileged users do not abuse their access by accessing financial records
  • SQL Source Anomaly – alert on Oracle accounts, programs, machines, OS users, or combination of those that haven’t been seen recently
  • SQL Injection – alert on application SQLs that haven’t been seen recently
  • Financial Record Access – alert on SQLs accessing financial records that haven’t been seen from this program and Oracle account
  • Time of Day – alert on access to financial records at an unusual hour
  • Authorization Changes – ensure all changes to users, roles, and privileges have been approved
  • Change Control – ensure all changes in the database have gone through change control
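The recommendations above are all baseline checks: learn which accounts, programs, machines and OS users normally touch which tables and when, then alert on what deviates. The following Python is an added example written for this page, not Core Audit code; every account, host, table name and change ticket in it is constructed, and the record layout (account, program, host, os_user, action, objects, timestamp, ticket) is an assumed simplification of what an audit capture would carry. It turns each bullet (except User Logons and SQL Injection, which need a logon feed and a per-statement baseline) into one rule and runs them over a small set of constructed audit records.

```python
from datetime import datetime

# All names, tables, hosts and tickets below are constructed for this example.
FINANCIAL_TABLES = {"GL_LEDGER", "AP_INVOICES", "AR_RECEIPTS"}
APP_ACCOUNT = "FINAPP"                      # the application's own Oracle account
APP_PROGRAM = "finapp.exe"                  # the only program allowed to use it
APP_SERVERS = {"app01.corp.example", "app02.corp.example"}
PRIVILEGED_ACCOUNTS = {"SYS", "SYSTEM", "DBA_JSMITH"}
BUSINESS_HOURS = range(7, 20)               # 07:00 to 19:59; anything else is unusual
AUTHZ_ACTIONS = {"GRANT", "REVOKE", "CREATE USER", "ALTER USER", "DROP USER"}
DDL_ACTIONS = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE", "CREATE PROCEDURE"}
APPROVED_CHANGES = {"CHG-1001", "CHG-1002"}  # tickets approved by change control


def build_baseline(records):
    """Learn what 'seen before' means from a trusted window of past activity."""
    baseline = {"sources": set(), "fin_access": set()}
    for r in records:
        baseline["sources"].add((r["account"], r["program"], r["host"], r["os_user"]))
        if FINANCIAL_TABLES & set(r["objects"]):
            baseline["fin_access"].add((r["account"], r["program"]))
    return baseline


def check_record(r, baseline):
    """Return the names of every recommendation this one audit record trips."""
    alerts = []
    source = (r["account"], r["program"], r["host"], r["os_user"])
    touches_fin = bool(FINANCIAL_TABLES & set(r["objects"]))
    ticket_ok = r.get("ticket") in APPROVED_CHANGES

    # SQL Source Anomaly: account/program/machine/OS-user combination never seen
    if source not in baseline["sources"]:
        alerts.append("SQL Source Anomaly")
    # Application Account: only the app program, only from the app servers
    if r["account"] == APP_ACCOUNT and (
        r["program"] != APP_PROGRAM or r["host"] not in APP_SERVERS
    ):
        alerts.append("Application Account")
    # DBAs & Privileged Users: no business reading financial tables
    if touches_fin and r["account"] in PRIVILEGED_ACCOUNTS:
        alerts.append("DBAs & Privileged Users")
    # Financial Record Access: this account/program pair never touched these tables
    if touches_fin and (r["account"], r["program"]) not in baseline["fin_access"]:
        alerts.append("Financial Record Access")
    # Time of Day: financial access outside business hours
    if touches_fin and r["timestamp"].hour not in BUSINESS_HOURS:
        alerts.append("Time of Day")
    # Authorization Changes / Change Control: must carry an approved ticket
    if r["action"] in AUTHZ_ACTIONS and not ticket_ok:
        alerts.append("Authorization Changes")
    elif r["action"] in DDL_ACTIONS and not ticket_ok:
        alerts.append("Change Control")
    return alerts


def scan(records, baseline):
    """Map each record id to the alerts it raised (empty list means clean)."""
    return {r["id"]: check_record(r, baseline) for r in records}


def rec(rid, account, program, host, os_user, action, objects, ts, ticket=None):
    return {"id": rid, "account": account, "program": program, "host": host,
            "os_user": os_user, "action": action, "objects": objects,
            "timestamp": ts, "ticket": ticket}


# Constructed "known good" window used to learn the baseline
BASELINE_RECORDS = [
    rec("b1", "FINAPP", "finapp.exe", "app01.corp.example", "svc_fin", "UPDATE",
        ["GL_LEDGER"], datetime(2024, 3, 1, 10, 0)),
    rec("b2", "REPORT_USER", "sqlplus", "rpt01.corp.example", "rpt", "SELECT",
        ["AR_RECEIPTS"], datetime(2024, 3, 1, 9, 0)),
    rec("b3", "DBA_JSMITH", "toad.exe", "ws-jsmith.corp.example", "jsmith", "SELECT",
        ["DBA_OBJECTS"], datetime(2024, 3, 1, 14, 0)),
]

# Constructed records to evaluate against that baseline
NEW_RECORDS = [
    rec("n1", "FINAPP", "finapp.exe", "app01.corp.example", "svc_fin", "UPDATE",
        ["GL_LEDGER"], datetime(2024, 3, 4, 11, 0)),
    rec("n2", "FINAPP", "sqlplus", "ws-contractor.corp.example", "contractor", "SELECT",
        ["GL_LEDGER"], datetime(2024, 3, 4, 23, 30)),
    rec("n3", "DBA_JSMITH", "toad.exe", "ws-jsmith.corp.example", "jsmith", "SELECT",
        ["AP_INVOICES"], datetime(2024, 3, 4, 14, 0)),
    rec("n4", "DBA_JSMITH", "toad.exe", "ws-jsmith.corp.example", "jsmith", "GRANT",
        [], datetime(2024, 3, 4, 15, 0)),
    rec("n5", "DBA_JSMITH", "toad.exe", "ws-jsmith.corp.example", "jsmith", "ALTER TABLE",
        ["EMP_DIRECTORY"], datetime(2024, 3, 4, 16, 0)),
    rec("n6", "DBA_JSMITH", "toad.exe", "ws-jsmith.corp.example", "jsmith", "ALTER TABLE",
        ["EMP_DIRECTORY"], datetime(2024, 3, 4, 16, 5), ticket="CHG-1001"),
]


def run_example():
    return scan(NEW_RECORDS, build_baseline(BASELINE_RECORDS))


if __name__ == "__main__":
    for rid, alerts in run_example().items():
        print(rid, "clean" if not alerts else ", ".join(alerts))
```

Record n2 is the interesting one: the application account used from a contractor workstation with sqlplus at 23:30 trips four rules at once, which is the kind of correlation the list above is asking for. Note that the baseline window must itself be trusted; if the bad activity is already in it, the checks will treat it as normal.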

Data Capture

Compliance and implementation of Oracle database auditing always pose multiple challenges, the most difficult of which is data capture. Data capture is the method used to collect the audit information from the Oracle database and transport it to the secured log facility.
The reason this is a problematic issue is data volume. Oracle databases tend to process thousands if not tens of thousands of SQLs per second, and auditing each one has the potential to slow the database to a halt.
In order to successfully deploy an Oracle database auditing solution on a production Oracle database, the first and most important requirement is Full Capture with Low Overhead – the ability to capture all the Oracle SQL activity without impacting the production system. Blue Core Research developed Full Capture and Core Audit is the only product capable of capturing all the Oracle database activity at less than 3% overhead.

Data Processing

The other challenges in implementing Oracle database auditing relate to the processing of the audit data, its storage, long-term retention, and reporting.
Being a fully featured Oracle database auditing solution, Core Audit comes built in with everything needed, including reports, alerts, analysis engines, forensic tools and more.
To provide even more value, Core Audit can also feed most SIEM solutions using SYSLOG and CEF. Giving the SIEM visibility into Oracle database activity extends the correlation and analysis SIEM products perform to include the Oracle database.

What's next?

I want to know more about Core Audit!
Great! Here are a few options:
  • Read more about Core Audit features, reports, etc.
  • Try our Online Demo and play with Core Audit right now
  • Ask for a Personal Demo from one of our experts and get all your questions answered
  • Download a Free Trial and experience Core Audit on your systems
I only want more information, not a product
Not a problem, here is a list of relevant pages, and we are always available to answer any question.
  • Sarbanes-Oxley detailed analysis – Read
  • General guide to Oracle database compliance – Read
  • Oracle database compliance – Read