Oracle Auditing and Data Privacy
Don Burleson
Burleson is the co-author of the bestselling
book "Oracle
Privacy Security Auditing: Includes Federal Law Compliance with
HIPAA, Sarbanes-Oxley & The Gramm-Leach-Bliley Act GLB", by Rampant
TechPress.
Managers have realized that the information
gleaned from audit trails of database activity can be the company's
single largest data resource. They also recognize that their audit
trails provide a temporal "third dimension" of their information, a
valuable time-series view of their production systems that contains
all-important behavioral aspects of their data access.
The main points of this paper address the issues of highest
concern to IT management:
• Avoiding business risk and meeting the demands of customers and
business partners - While the laws demand a thorough and
comprehensive approach to privacy and auditing, the most important
reason for protecting your data integrity is your professional
reputation.
• Satisfying the auditors - Implementing best practices including
Segregation of Duties - When considering the Build vs. Buy approach,
it should be carefully considered that systems administrators,
database administrators and developers cannot have direct access to
the auditing solution because exposures result when they have
intimate knowledge of the internals of the audit mechanism.
• Avoiding civil and criminal penalties - Data asset management
practices must address business, operational, legal and compliance
needs. Many of the Federal laws such as the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), the Sarbanes
Oxley Act (SOX) and the Gramm Leach Bliley Act (GLBA) change the way
that databases are secured and audited and some of these federal
regulations impose severe criminal penalties for non-compliance and
malfeasance with protected data. Non-compliance with these
regulations can also expose your company to multi-million dollar
civil lawsuits from customers if their private information has been
improperly disclosed.
These are just a few of the concerns of the IT manager in this brave
new world of security, privacy and regulatory compliance. Your
customers and business partners expect you to have a complete
privacy auditing solution. Let's take a closer look at the issues
and see how you can protect yourself from the common pitfalls and
implement a comprehensive and manageable solution.
Let's explore the important areas of Oracle data privacy and auditing:
• Developing a Corporate-wide Oracle Auditing Framework
• Critical audit system features - Minimizing Auditing Performance Overhead, Real-time notification,
and long-term retention of audit trails
• The Auditing Traps
• Auditing Privilege/permission and Logon events
I've tried to articulate the challenges for
the IT department, which fall into two categories of business
risk. First, there is inherent risk in managing corporate
data. IT is responsible for the integrity and security of the data
which the organization relies on to manage the business. Secondly,
the increasing regulatory environment is creating new demands from
the executive team and auditors that IT be able to demonstrate
exactly who's accessing or changing what data, and how.
We examined the requirements for an enterprise auditing solution,
which can be summarized as:
- Comprehensive capture of all database activity
- Supports multiple database platforms
- Architected for performance
- No "backdoors" - captures activity of privileged users with direct database access
- Alerting for early detection of issues
- Reporting capabilities to derive business value from audit data
- Adheres to auditing and IT best practices, including segregation of duties
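The following is an added example, not code from the paper or its author, showing how the requirements above (capture of privileged users' direct access, logon and privilege/permission auditing, protection of the audit trail for segregation of duties, and a query that can feed early-detection alerting) map onto Oracle's traditional, pre-12c-unified auditing statements. It assumes a user with the AUDIT SYSTEM privilege (SYSDBA for the parameter changes), the `audit_trail` and `audit_sys_operations` initialization parameters, and the standard DBA_AUDIT_SESSION and DBA_AUDIT_TRAIL views; the schema `hr_app`, its `patient` table, the five-failure threshold and the one-hour window are constructed for illustration.

```sql
-- Added example (not from the paper): Oracle traditional auditing set-up
-- for logon and privilege events, plus detection queries over the trail.
-- Assumptions: run as SYSDBA for the ALTER SYSTEM statements and as a
-- user with AUDIT SYSTEM for the AUDIT statements; hr_app.patient is a
-- hypothetical sensitive table.

-- 1. Write the trail to the database with SQL text and bind values, and
--    audit SYS itself so a DBA's direct access is captured (no "backdoors").
--    Both settings take effect after the instance is restarted.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Logon events: one record per successful or failed CREATE SESSION.
AUDIT SESSION BY ACCESS;

-- 3. Privilege and permission events: grants and revokes of system
--    privileges and roles, role and user management, and exercise of the
--    "grant any" privileges that can silently widen access.
AUDIT SYSTEM GRANT BY ACCESS;
AUDIT ROLE BY ACCESS;
AUDIT USER BY ACCESS;
AUDIT GRANT ANY PRIVILEGE BY ACCESS;
AUDIT GRANT ANY ROLE BY ACCESS;

-- 4. Object-level capture on the sensitive data, and on the audit trail
--    table itself so that anyone trimming the evidence is recorded
--    (segregation of duties: the DBA should not be able to do this unseen).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr_app.patient BY ACCESS;
AUDIT DELETE ON sys.aud$ BY ACCESS;

-- 5. Early detection: OS user / host pairs with repeated failed logons in
--    the last hour. Return code 1017 is ORA-01017 (invalid credentials).
--    The threshold (5) and window (1 hour) are constructed values.
SELECT os_username,
       userhost,
       username,
       COUNT(*)       AS failures,
       MIN(timestamp) AS first_failure,
       MAX(timestamp) AS last_failure
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1/24
 GROUP BY os_username, userhost, username
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- 6. Reporting: who granted or revoked what, to whom, from where, with the
--    statement text (populated because audit_trail is DB,EXTENDED).
SELECT timestamp,
       username,
       os_username,
       userhost,
       action_name,
       grantee,
       sys_privilege,
       admin_option,
       sql_text
  FROM dba_audit_trail
 WHERE (action_name LIKE '%GRANT%' OR action_name LIKE '%REVOKE%')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

The two queries are the pieces a real-time notification job would schedule (for example with DBMS_SCHEDULER) and forward to an alerting channel; the detection logic lives in the query, not in the scheduler. Auditing `BY ACCESS` trades trail volume for per-event fidelity, which is the performance-overhead decision the paper flags: audit the sensitive objects and the privilege statements, not every table. On 12c and later, Oracle's unified auditing replaces these statements with CREATE AUDIT POLICY and the UNIFIED_AUDIT_TRAIL view, but the traditional statements above still work in mixed-mode auditing.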