|
 |
|
Oracle Auditing and Data Privacy
Don Burleson
|
Burleson is the co-author of the bestselling
book "Oracle
Privacy Security Auditing: Includes Federal Law Compliance with
HIPAA, Sarbanes-Oxley & The Gramm-Leach-Bliley Act GLB", by Rampant
TechPress.
Managers have realized that the information
gleaned from audit trails of database activity can be the company’s
single largest data resource. They also recognize that their audit
trails provide a temporal “third dimension” of their information, a
valuable time-series view of their production systems that contains
all-important behavioral aspects of their data access.
The main points of this paper addresses the issues of the highest
concern to IT management.
• Avoiding business risk and meeting the demands of customers and
business partners – While the laws demand a thorough and
comprehensive approach to privacy and auditing, the most important
reason for protecting your data integrity is your professional
reputation.
• Satisfying the auditors – Implementing best practices including
Segregation of Duties – When considering the Build vs. Buy approach,
it should be carefully considered that systems administrators,
database administrators and developers cannot have direct access to
the auditing solution because exposures result when they have
intimate knowledge of the internals of the audit mechanism.
•
Avoiding civil and criminal penalties - Data asset management
practices must address business, operational, legal and compliance
needs. Many of the Federal laws such as the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), the Sarbanes
Oxley Act (SOX) and the Gramm Leach Bliley Act (GLBA) change the way
that databases are secured and audited and some of these federal
regulations impose severe criminal penalties for non-compliance and
malfeasance with protected data. Non-compliance with these
regulations can also expose your company to multi-million dollar
civil lawsuits from customers if their private information has been
improperly disclosed.
These are just a few of the concerns of the IT manager in this brave
new world of security, privacy and regulatory compliance. Your
customers and business partners expect you to have a complete
privacy auditing solution. Let’s take a closer look at the issues
and see how you can protect yourself from the common pitfalls and
implement a comprehensive and manageable solution.
Let's
explore the important areas of Oracle data privacy and auditing:
•
Developing a Corporate-wide Oracle Auditing Framework
• Critical
audit system features - Minimizing Auditing Performance Overhead, Real-time notification,
and long-term retention of audit trails
•
The Auditing Traps
•
Auditing Privilege/permission and Logon events
I've tried to articulate the challenges for
the IT department which can be summarized into two kinds of business
risk categories. First, there is inherent risk in managing corporate
data. IT is responsible for the integrity and security of the data
which the organization relies on to manage the business. Secondly,
the increasing regulatory environment is creating new demands from
the executive team and auditors that IT be able to demonstrate
exactly who’s accessing or changing what data, and how.
We examined the requirements for an enterprise auditing solution,
which can be summarized as:
-
Comprehensive capture of all database
activity
-
Supports multiple database platforms
-
Architected for performance
-
No “backdoors” – captures activity of
privileged users with direct database access
-
Alerting for early detection of issues
-
Reporting capabilities to derive business
value from audit data
-
Adheres to auditing and IT best practices,
including segregation of duties
Get the
Oracle auditing book, click here
For an
excellent Oracle auditing product, click here
|
