S311345 Database Auditing Demystified: The What, the How, and the Why

Presentation transcript:

1 S311345 Database Auditing Demystified: The What, the How, and the Why

Jan Wentzel, PricewaterhouseCoopers
Tammy Bednar, Oracle, Sr. Principal Product Manager

3 Program Agenda
- Why Governance, Risk & Compliance for the database?
- Oracle Audit Vault overview
- How does Audit Vault help auditors and customers?
- Summary
- Q & A

4 Why GRC for the database?

5 The "current state"
Expansion of risk and control oversight functions: Anti-Fraud, Privacy, Info Sec., ERM Criteria, BCP, SOX, Credit, Consumer Protection, FCPA, Op Risk.
Functions competing for the business unit's attention: Internal Audit, Compliance, Risk Mgmt, Finance, Legal, IT.
Effect on the business unit: business fatigue, lack of coordination, duplicate efforts, risks falling through the cracks, competition for attention.
Increasing stakeholder demands (Shareholders, Board, Community, Rating Agencies, Others) plus expanding risks, laws and regulations add up to the situation above.
Perspective: establish a GRC framework.
© 2009 PricewaterhouseCoopers

6 The evolving state of GRC
SOX. Management's response: largely a manual environment; ensure compliance at any cost; built risk oversight "silos"; GRC was "bolted on" to business processes. Technology: point technology solutions.
Auditing Standard #5. AS5 responded to "over auditing" of the control system; required a "risk based" approach; encouraged the use of "automated" controls. Management's response: management begins to rethink its GRC investment.
Integrated Governance, Risk and Compliance (iGRC). Management's response: recognition that GRC processes must be "built in" vs. "bolted on"; requires the use of a business process framework enabled by technology. Technology: enterprise-wide technology solutions.
© 2009 PricewaterhouseCoopers

7 Current state: GRC controls maturity model
(Axes: People/Strategy/Governance, Process, Technology; stages: Developing, Established, Optimized.)
- Level 1, Individual: ad hoc processes, detective remediation and manual clean-up
- Level 2, Coordinated: standardized and repeatable processes
- Level 3, Leveraged: simplified and automated processes
- Level 4, Integrated: integrated with existing business processes
© 2009 PricewaterhouseCoopers

8 Identify logical points of integration
Numerous opportunities for integration usually exist. (Illustrative matrix; only the row and column labels survived extraction.)
Common activities (rows): event definition/scoping, risk/control assessment, control monitoring, KPIs/KRIs, control testing/validation, advisory, policy and procedure, incident management, deficiency management, reporting, change management, records management, communications, training.
Common governance, risk and control functions (columns): operational risk, internal audit, regulatory compliance, SOX (business and IT), anti-fraud, legal, records management, information security, business continuity planning, credit/market risk, IT problem management.
© 2009 PricewaterhouseCoopers

9 Oracle GRC: Controls & Security
Layers: Business Objectives & Processes, ERP, Supporting Infrastructure. Control types: Manual & Procedural Controls, Configurable Controls, Inherent Controls, Security Controls. Dimensions: People, Business Process, Technology.
© 2009 PricewaterhouseCoopers

10 What Is Audit Vault and How Does It Fit into GRC?

11 Oracle Audit Vault: "trust but verify"
Sources: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE.
- Consolidate and secure audit data
- Simplify compliance reporting
- Alert on security threats
- Lower IT costs with audit policies

12 Oracle Audit Vault database audit support
Oracle:
- Database audit tables: collect audit data for standard and fine-grained auditing, and Database Vault-specific audit records
- Oracle audit trail from OS files: collect audit records written in XML or standard text files
- Operating system SYSLOG: collect Oracle database audit records from syslog
- Redo log: extract before/after values and DDL changes to tables
Microsoft SQL Server 2000, 2005, 2008:
- Server-side trace: set specific audit events
- Windows event audit: specific audit events that are viewed in the Windows Event Viewer
- C2: automatically sets all auditable events and collects them in the audit log
IBM DB2 8.2, 9.1, 9.5 on Linux, UNIX, Windows: extract binary audit files into a trace file
Sybase ASE: utilize the native audit tables
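The slide lists what Audit Vault collects but not how those sources are switched on at the Oracle end. The following is an added example (not part of the presentation, and not Oracle's or PwC's code) of the traditional-auditing settings behind three of the Oracle sources above: the audit tables, OS files and syslog. It assumes Oracle 10gR2/11g, and the table HR.SALARIES and the policy name SAL_HIGH_EARNERS are hypothetical placeholders.

```sql
-- Added example, not from the presentation: the Oracle-side audit settings
-- behind the sources listed on slide 12 (database audit tables, OS files,
-- syslog). Traditional auditing as in Oracle 10gR2/11g. HR.SALARIES and
-- the policy name SAL_HIGH_EARNERS are hypothetical placeholders.

-- 1. Destination of the audit trail. DB,EXTENDED keeps SQL text and bind
--    values in SYS.AUD$ / SYS.FGA_LOG$ (the "database audit tables"
--    source). Static parameter: takes effect at the next restart.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
-- For the "OS files" source use 'XML,EXTENDED' (files in AUDIT_FILE_DEST);
-- for the "SYSLOG" source use 'OS' together with a syslog facility.level:
--   ALTER SYSTEM SET audit_trail = 'OS' SCOPE = SPFILE;
--   ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- 2. SYS / SYSDBA / SYSOPER actions never land in AUD$. They are written
--    to OS files or syslog only when this is TRUE, so leave it on.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. Standard auditing: every logon/logoff, and every DML on a sensitive
--    table, one record per statement (BY ACCESS).
AUDIT SESSION;
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.salaries BY ACCESS;

-- 4. Fine-grained auditing: record only statements that touch the SALARY
--    column of high-value rows, with the full SQL text and binds.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'SALARIES',
    policy_name     => 'SAL_HIGH_EARNERS',
    audit_condition => 'SALARY > 100000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- 5. Verify the settings a collector will actually see.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL;            -- database-wide statement options
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';
SELECT policy_name, object_schema, object_name, enabled, audit_trail
  FROM dba_audit_policies;

-- 6. The records themselves, once activity has occurred.
SELECT username, action_name, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR';
SELECT db_user, policy_name, sql_text
  FROM dba_fga_audit_trail;
```

The practical caveat is in step 2: a collector pointed only at the audit tables will never see what SYS or anyone connecting AS SYSDBA did, because those records go exclusively to the OS-file or syslog trail. The redo-log source on the slide needs no setting beyond the database's normal logging and is omitted here.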

13 Reports
Entitlement reports:
- Snapshot of Oracle database users, roles, privileges, and profiles
- Compare changes in settings
Compliance reports:
- Meet compliance in the areas of credit card, financial materiality, and health care data activity
- Customization to define your compliance report and filter data
- Schedule, print, and save reports in PDF format
- Attest and add review notes

14 Oracle Audit Vault policies: centralized management of audit policies
- Policy definition: a named, centrally managed collection of audit settings
- Policy audit settings: settings can be extracted from an existing database with auditing; manual entry supported
- Policy provisioning: policies applied to databases from the Audit Vault console
- Policy maintenance: compare and contrast approved policy with current settings
(Diagram: SOX audit settings, privileged-user audit settings and privacy audit settings held in Oracle Audit Vault and provisioned to the financial, customer and HR databases.)

15 Oracle Audit Vault audit trail clean-up: DBMS_AUDIT_MGMT
- Automatically deletes Oracle audit trails from the target after they are securely inserted into Audit Vault
- Reduces DBA manageability challenges with audit trails
Sequence against the source database: 1) transfer audit trail data; 2) update the last inserted record; 3) delete older audit records.
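The three numbered steps are what DBMS_AUDIT_MGMT calls, respectively, collection by the consumer, setting the last archive timestamp, and a bounded purge. The following is an added example (not from the presentation, and not Audit Vault's own collector code) that runs the sequence by hand on an Oracle 11g source so the safety property is visible: only records older than a timestamp that has been confirmed as transferred are ever deleted. The seven-day bound and the job name AUD_STD_PURGE are hypothetical.

```sql
-- Added example, not from the presentation: the DBMS_AUDIT_MGMT sequence
-- behind slide 15, run by hand on an Oracle 11g source database. The
-- Audit Vault collector performs step 2 itself after a successful transfer;
-- doing it manually shows the bound that protects the evidence.

-- One-time initialisation (also relocates SYS.AUD$/FGA_LOG$ out of SYSTEM).
BEGIN
  DBMS_AUDIT_MGMT.INIT_CLEANUP(
    audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    default_cleanup_interval => 24);                  -- hours
END;
/

-- Step 2 of the slide: record the newest audit timestamp that has been
-- safely inserted into the vault. Hypothetical assumption here: everything
-- older than 7 days has been transferred.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '7' DAY);
END;
/

-- Step 3: purge, bounded by that timestamp. USE_LAST_ARCH_TIMESTAMP =>
-- FALSE would delete the whole trail, transferred or not; never use it on
-- a database whose audit trail is evidence.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Automate step 3 as a scheduler job that honours the same bound.
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_purge_interval => 24,                 -- hours
    audit_trail_purge_name     => 'AUD_STD_PURGE',    -- hypothetical name
    use_last_arch_timestamp    => TRUE);
END;
/

-- Checks a reviewer would run: the bound in force, and that the oldest
-- surviving record is not newer than it (which would mean records were
-- deleted before the bound said they had been transferred).
SELECT audit_trail, last_archive_ts
  FROM dba_audit_mgmt_last_arch_ts;
SELECT MIN(extended_timestamp) AS oldest_record, COUNT(*) AS records
  FROM dba_audit_trail;
```

DBMS_AUDIT_MGMT ships with Oracle 11g; the same bounded-purge idea applies to the OS-file and XML trails through the other AUDIT_TRAIL_* constants of the package.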

16 How Can Audit Vault Help Customers and Auditors?

17 DS 5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. ...
Auditor questions:
- What accounts have what level of access?
- Who has access to these accounts?
© 2009 PricewaterhouseCoopers

18 Audit Vault user entitlements
- View all user accounts in the Oracle database
- Retrieve a snapshot of user entitlement data
- Filter data based on users or privileges
- View or print the report in PDF format
- Compare changes in user accounts and privileges
- View SYSDBA/SYSOPER privileges

19 What accounts have what level of access?
Database User Privileges report: display all Oracle database users, privileges, and roles.
Regulations: SOX, PCI, HIPAA, SAS 70, STIG.
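Behind the entitlement report and its "compare changes" option sit a few dictionary views. The following is an added example (not from the presentation, not Audit Vault's report definition) showing, in plain SQL on the Oracle source, the snapshot, the diff against an approved snapshot, and the check an auditor is really asking for: who can reach DBA, including through nested roles. The table name ENT_SNAPSHOT is hypothetical; run it as a DBA.

```sql
-- Added example, not from the presentation: an entitlement snapshot in
-- plain SQL, the "compare changes" step, and the high-risk check behind
-- the auditor's question. ENT_SNAPSHOT is a hypothetical table name.

-- (a) Snapshot: system privileges, role grants and password-file users
--     (SYSDBA/SYSOPER are not in DBA_SYS_PRIVS) in one diffable shape.
CREATE TABLE ent_snapshot AS
SELECT SYSTIMESTAMP AS taken_at,
       CAST('SYSPRIV' AS VARCHAR2(10)) AS kind,
       grantee, privilege AS grant_name, admin_option
  FROM dba_sys_privs
UNION ALL
SELECT SYSTIMESTAMP, CAST('ROLE' AS VARCHAR2(10)),
       grantee, granted_role, admin_option
  FROM dba_role_privs
UNION ALL
SELECT SYSTIMESTAMP, CAST('PWFILE' AS VARCHAR2(10)),
       username, 'SYSDBA', 'NO'
  FROM v$pwfile_users WHERE sysdba = 'TRUE'
UNION ALL
SELECT SYSTIMESTAMP, CAST('PWFILE' AS VARCHAR2(10)),
       username, 'SYSOPER', 'NO'
  FROM v$pwfile_users WHERE sysoper = 'TRUE';

-- (b) Later: grants present now that were not in the approved snapshot
--     (ADDED) and grants that have since disappeared (REMOVED).
WITH now_grants AS (
  SELECT CAST('SYSPRIV' AS VARCHAR2(10)) AS kind,
         grantee, privilege AS grant_name, admin_option
    FROM dba_sys_privs
  UNION ALL
  SELECT CAST('ROLE' AS VARCHAR2(10)), grantee, granted_role, admin_option
    FROM dba_role_privs
)
SELECT 'ADDED' AS change, kind, grantee, grant_name, admin_option
  FROM (SELECT kind, grantee, grant_name, admin_option FROM now_grants
        MINUS
        SELECT kind, grantee, grant_name, admin_option FROM ent_snapshot)
UNION ALL
SELECT 'REMOVED', kind, grantee, grant_name, admin_option
  FROM (SELECT kind, grantee, grant_name, admin_option FROM ent_snapshot
         WHERE kind <> 'PWFILE'
        MINUS
        SELECT kind, grantee, grant_name, admin_option FROM now_grants);

-- (c) Who actually holds DBA, through any chain of nested roles? A user
--     granted role X, where X was granted DBA, is a DBA.
SELECT DISTINCT CONNECT_BY_ROOT grantee AS user_name
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 START WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY PRIOR granted_role = grantee
 ORDER BY user_name;

-- Direct "ANY" system privileges held by users (not roles), apart from
-- the two built-in administrative accounts.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
   AND grantee IN (SELECT username FROM dba_users)
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, privilege;
```

Part (c) is the reason a flat list of grants is not enough: the DBA role is commonly reached through an intermediate role, and a report that only shows direct grants of DBA will miss it.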

20 Who has access to these accounts?
Database Logon report: display database user logins.
Regulations: PCI, HIPAA, SOX.

21 DS 5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. ...
Auditor questions:
- Who can make or has made changes to accounts and their privileges / roles?
- Who has accountability for an account?
© 2009 PricewaterhouseCoopers

22 Who can make or has made changes to accounts and their privileges and roles?
User Privilege Change Activity report: display user and role privilege changes.
Regulations: PCI, HIPAA, SOX.
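The Database Logon report (slide 20) and the User Privilege Change Activity report (slide 22) both reduce to queries over the standard audit trail, and both are empty unless the right statement audit options are on at the source. The following is an added example (not from the presentation, not Audit Vault's report SQL) of those options and queries on an Oracle source; it assumes AUDIT_TRAIL=DB,EXTENDED, and the one-day and seven-day windows, the failure threshold of 10 and the account name SECADMIN are placeholders.

```sql
-- Added example, not from the presentation: the audit options an Oracle
-- source needs for the Database Logon (slide 20) and User Privilege Change
-- Activity (slide 22) reports, and the queries over the standard audit
-- trail that such reports reduce to. Assumes AUDIT_TRAIL=DB,EXTENDED;
-- windows, thresholds and the SECADMIN account are placeholders.

-- Settings. BY ACCESS: one record per statement, so each GRANT shows.
AUDIT SESSION;
AUDIT USER, ROLE, SYSTEM GRANT, GRANT TABLE, GRANT PROCEDURE BY ACCESS;
-- Caveat: connections AS SYSDBA/SYSOPER are not in DBA_AUDIT_SESSION;
-- they appear only in the AUDIT_SYS_OPERATIONS files or syslog.

-- Slide 20: who logged on, and which attempts failed. RETURNCODE is the
-- ORA- error number: 1017 bad user/password, 28000 account locked.
SELECT timestamp, username, os_username, userhost, returncode,
       CASE returncode WHEN 0     THEN 'ok'
                       WHEN 1017  THEN 'bad password'
                       WHEN 28000 THEN 'account locked'
                       ELSE 'failed' END AS outcome
  FROM dba_audit_session
 WHERE timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Password guessing shows as repeated failures from one host.
SELECT username, userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE returncode <> 0 AND timestamp > SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 10
 ORDER BY failures DESC;

-- Slide 22: account and privilege changes, with who got what.
-- ACTION_NAME values are the names in SYS.AUDIT_ACTIONS.
SELECT timestamp, username AS done_by, os_username, userhost,
       action_name, grantee, sys_privilege, obj_privilege,
       owner, obj_name, admin_option, returncode, sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                       'CREATE ROLE', 'ALTER ROLE', 'DROP ROLE',
                       'SYSTEM GRANT', 'SYSTEM REVOKE',
                       'GRANT ROLE', 'REVOKE ROLE',
                       'GRANT OBJECT', 'REVOKE OBJECT')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp;

-- Separation-of-duties check: grants of DBA or of ANY privileges made by
-- anyone other than the designated administrators. For GRANT ROLE the
-- role name is carried in OBJ_NAME; for SYSTEM GRANT in SYS_PRIVILEGE.
SELECT timestamp, username AS done_by, action_name, grantee,
       NVL(sys_privilege, obj_name) AS what
  FROM dba_audit_trail
 WHERE action_name IN ('SYSTEM GRANT', 'GRANT ROLE')
   AND (sys_privilege LIKE '% ANY %' OR obj_name = 'DBA')
   AND username NOT IN ('SYS', 'SYSTEM', 'SECADMIN')   -- SECADMIN: assumed
 ORDER BY timestamp;
```

Two things a report viewer hides: RETURNCODE is what separates a successful grant from a failed attempt at one (a non-zero value on SYSTEM GRANT is itself worth alerting on), and SQL_TEXT is only populated with the EXTENDED trail setting, so without it the "what exactly was granted" question has to be answered from the GRANTEE and SYS_PRIVILEGE columns alone.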

23 Who has accountability for an account?
Audit Vault attestation capability: track report attestations and notations.
Regulations: PCI, HIPAA, SOX.

24 DS 5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
Auditor questions:
- What activity do we monitor and on what tables?
- What accounts do we monitor and for what activity?
- What sources are monitored and what is collected?
- Who reviews the reports?
© 2009 PricewaterhouseCoopers

25 What activity do we monitor and on what tables?
Audit Vault Policy Manager: snapshot of Oracle database audit settings; provision the required changes centrally.
Regulations: PCI, HIPAA, SOX.

26 What accounts do we monitor and for what activity?
Audit Vault Policy Manager: view all activity being monitored for a specific user.
Regulations: PCI, HIPAA, SOX.

27 What sources are monitored and what is collected?
Audit Vault Policy Manager: view all databases being monitored; review and provision changes to the database.
Regulations: PCI, HIPAA, SOX.

28 Who reviews the reports?
Audit Vault attestation: view saved reports and who attested to them; add notes for future forensics.
Regulations: PCI, HIPAA, SOX.

29 DS 5.7 Protection of Security Technology
Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
Auditor questions:
- What security setups / settings are in the DB?
© 2009 PricewaterhouseCoopers

30 What security setups / settings are in the database?
Entitlement reports: view Oracle database profiles and their settings.
Regulations: PCI, HIPAA, SOX.

31 DS 11.6 Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization's security policy and regulatory requirements.
Auditor's questions:
- Who can change data in the DB?
© 2009 PricewaterhouseCoopers

32 Who can change data in the database?
Financial Related Data Modifications report: concerned with materiality.
Regulations: PCI, HIPAA, SOX.

33 AC 2 Source Data Collection and Entry
Ensure that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorization levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
Auditor's questions:
- Who can change or deploy application code?
© 2009 PricewaterhouseCoopers

34 Who can change or deploy application code?
Program Changes report: review procedure code changes for business implications.
Regulations: PCI, HIPAA, SOX.
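For application code held in the database, "who changed it" is a DDL audit question, and the useful control is not just the list of changes but the cross-check for changes that have no audit record. The following is an added example (not from the presentation, not Audit Vault's Program Changes report) on an Oracle source; the schema name APP is a placeholder.

```sql
-- Added example, not from the presentation: the "who changed application
-- code" question of slide 34 on an Oracle source. Audit DDL on PL/SQL
-- objects, list the changes, then cross-check the dictionary against the
-- trail so code that changed without an audit record stands out.
-- Schema APP is a placeholder.

-- Settings. PROCEDURE covers CREATE/DROP of functions, procedures,
-- packages and package bodies (CREATE OR REPLACE is a CREATE); TRIGGER
-- covers CREATE/ALTER/DROP TRIGGER. A bare ALTER ... COMPILE is not
-- covered, but it does not change source text either.
AUDIT PROCEDURE, TRIGGER BY ACCESS;

-- Who changed what, and whether it succeeded (RETURNCODE 0).
SELECT timestamp, username, os_username, userhost, action_name,
       owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE PROCEDURE', 'DROP PROCEDURE',
                       'CREATE FUNCTION',  'DROP FUNCTION',
                       'CREATE PACKAGE',   'CREATE PACKAGE BODY',
                       'DROP PACKAGE',     'DROP PACKAGE BODY',
                       'CREATE TRIGGER',   'ALTER TRIGGER', 'DROP TRIGGER')
   AND owner = 'APP'
 ORDER BY timestamp;

-- Gap check: objects whose LAST_DDL_TIME has no audit record at or after
-- it (one minute of slack for clock granularity). A hit means auditing
-- was off at the time, the trail was purged too early, or the change
-- went through an unaudited path. Any of the three is a finding.
SELECT o.owner, o.object_type, o.object_name, o.last_ddl_time
  FROM dba_objects o
 WHERE o.owner = 'APP'
   AND o.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                         'PACKAGE BODY', 'TRIGGER')
   AND NOT EXISTS (
         SELECT 1
           FROM dba_audit_trail a
          WHERE a.owner    = o.owner
            AND a.obj_name = o.object_name
            AND a.timestamp >= o.last_ddl_time - 1/1440)
 ORDER BY o.last_ddl_time DESC;
```

The gap check only works if the source trail is retained at least as long as the review period, which ties back to the bounded purge of slide 15: purge what has been transferred, not what is older than some fixed age.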

35 DS 9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
Auditor's questions:
- Who can change Audit Vault configuration settings?
- Who can view / change audit data in Audit Vault?
- Is the Audit Vault database monitored for changes?
© 2009 PricewaterhouseCoopers

36 Summary

37 COBIT control objectives and the Audit Vault report that answers each
- DS 5.3 Identity Management: User Entitlement reports; Database Logon
- DS 5.4 User Account Management: User Privilege Change Activity; report attestation
- DS 5.5 Security Testing, Surveillance and Monitoring: Audit Vault Policy Manager; report attestation
- DS 5.7 Protection of Security Technology: User Entitlement reports
- DS 11.6 Security Requirements for Data Management: Financial Related Data Modifications
- AC 2 Source Data Collection and Entry: Program Changes
- DS 9.3 Configuration Integrity Review (audit of Audit Vault itself): Audit Vault Policy Manager, User Entitlements, ...

38 Oracle Audit Vault summary
Consolidate and secure audit data:
- Oracle 9i Release 2 and higher
- SQL Server 2000, 2005, 2008
- IBM DB2 8.2, 9.1, 9.5 on Linux, UNIX, Windows (the versions listed on slide 12)
- Sybase ASE
- Secure and scalable
- Clean-up of source audit data
Centralized reporting:
- Entitlement reports
- Compliance reports to help meet PCI, SOX, and HIPAA
- Flexible and customizable reports
Alert on security threats:
- Detect and alert on security-relevant events
- Integration with Remedy and
Sources shown: Oracle Database, IBM DB2, Microsoft SQL Server, Sybase ASE.

39 Oracle Database Security: learn more at these Oracle sessions
(Times are as extracted; the minutes of each start and end time were lost.)
- S311340 Classify, Label, and Protect: Data Classification and Security with Oracle Label Security; Monday 14: :30; Moscone South Room 307
- S308113 Oracle Data Masking Pack: The Ultimate DBA Survival Tool in the Modern World; Tuesday 11: :30; Moscone South Room 102
- S311338 All About Data Security and Privacy: An Industry Panel; Tuesday 13: :00; Moscone South Room 103
- S311455 Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database; Tuesday 14: :30; Moscone South Room 306
- S311339 Meet the Database Security Development Managers: Ask Your Questions; Tuesday 16: :00; Moscone South Room 306
- S311345 Database Auditing Demystified: The What, the How, and the Why; Tuesday 17: :30; Moscone South Room 306
- S311342 Do You Have a Database Security Plan?; Wednesday 11: :45; Moscone South Room 102
- S311332 Encrypt Your Sensitive Data Transparently in 30 Minutes or Less; Wednesday 13: :30; Moscone South Room 103
- S311337 Secure Your Existing Application Transparently in 30 Minutes or Less; Wednesday 13: :15; Moscone South Room 103
- S311344 Securing Your Oracle Database: The Top 10 List; Wednesday 17: :00; Moscone South Room 308
- S311343 Building an Application? Think Data Security First; Thursday 13: :30; Moscone South Room 104

40 For More Information
Visit PwC at Booth 911 (Moscone South). For more information on this topic (and other related topics), visit our website at: (URL not preserved in the transcript). PwC is proud to be one of Oracle's elite "globally managed partners".
PricewaterhouseCoopers notices: PwC-prepared remarks and materials in this presentation are contained on the pages with the © 2009 PricewaterhouseCoopers branding included at the bottom of the page. © 2009 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. The information contained in this presentation is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional adviser.

41 For More Information
search.oracle.com or oracle.com: search for "Audit Vault".
© 2009 PricewaterhouseCoopers

42 The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
