Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Security Compliance using Policy Groups

Published byAnnice Hutchinson Modified over 6 years ago

Similar presentations

Presentation on theme: "Implementing Security Compliance using Policy Groups"— Presentation transcript:

1 Implementing Security Compliance using Policy Groups
12/09/2018 Implementing Security Compliance using Policy Groups Rob Zoeteweij Copyright – 2009 Zoeteweij Consulting Copyright Zoeteweij Consulting

2 This Presentation… Is pretty technical
Includes several (many) Screen dumps Covers OEM – Gives you an insight overview of: How to … / How it works Is about how we do this at Rabobank

3 Agenda Security at Rabobank Policy Rules Policy Groups Q & A

4 Security at Rabobank SOX Sarbanes-Oxley Act of 2002 (Wikipedia)
Public Company Accounting Reform and Investor Protection Act of 2002 AKA – Sarbanes-Oxley, Sarbox or SOX Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley In response to a number of major corporate and accounting scandals incl Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

5 Security at Rabobank SOX Not a static List Not a standard List
Actual measurements can be different per Company Both organisational and technical

6 Security at Rabobank SOX
Measurements to keep compliant with RABO Security Rules Separation of facilities for Development, Testing and Production Developers / testers don’t have access to Production servers Backups need to be available and tested Will be located on other location then source Need to be accessible for authorized employees only Audit logs need to be created All user actions must be logged and fully traceable to an individual System access Based on “Least privilege” and “Need to know” ...

7 Security at Rabobank BIV code
Availability – Integrity – Confidentiality B - [1-3], I – [1-3], V – [1-3] Impact 1 – Low, 2 – Middle, 3 - High Example I = 2 Financial Transactions that can be reversed without any (Image) damage I = 3 Financial Transactions that can not be reversed without any (Image) damage

8 Security at Rabobank BIV code
Availability – Integrity – Confidentiality Applied to Systems Applications Application Servers Servers (Hosts) Database Listeners Databases

9 Security at Rabobank BIV – codes in use
222 – 232 – 233 – 322 – 332 – 333

10 Security implementation in OEM Policy Rules
Policies Policies define the desired behaviour or characteristics of systems A Policy is compliant if is determined that a target meets the desired state Example: Oracle Home Executable Files Permission Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions If a Target does not meet this state, the Policy is violated

11 Security implementation in OEM Policy Rules
Policies – other examples Ensure database auditing is enabled Each activity in the database should be traceable Default passwords Ensure there are no default passwords for known accounts Open Ports Ensure that no unintended ports are left open

12

13 Security implementation in OEM Policy Rules
Based on BIV codes in use Monitoring Templates Only Policy Rules included STP – <Target Type> - BIV<code> STP – Listener – BIV332 STP – HTTP Server – BIV223 STP – Cluster Database – BIV 322

14

15 Security implementation in OEM Policy Rules
Use Groups to apply the Templates to the Targets Group organisation PG-<Target Type>_BIV<Code>_<Phase (Dev, Tst, Stg, Prd)> PG-Cluster_Databases_BIV233_Test PG-Database_Instances_BIV333_Prod

16 Group PG-Cluster_Databases_BIV332_Test
Includes all Cluster Databases for which BIV code 332 apply

17

18

19

20

21

22 Security implementation in OEM Policy Groups
Compliance Logical Group of Policies – 3 Out of Box Groups Secure Configuration for Oracle Database Secure Configuration for Oracle Listener Secure Configuration for Oracle Real Application Cluster – Create your own

23 Security implementation in OEM Policy Groups
Evaluation Schedule Rule 1 Rule 2 Target 1 Rule n Group Target 2 Target n

24

25

26

27

28

29

30

31

32 Q & A

Download ppt "Implementing Security Compliance using Policy Groups"

Similar presentations

1 4 th session: Corporate Governance – Sarbanes Oxley Performance Evaluation IMSc in Business Administration October-November 2009.

1 4 th session: Corporate Governance – Sarbanes Oxley Performance Evaluation IMSc in Business Administration October-November 2009.
Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.

Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
A Practical IT Approach To Sarbanes-Oxley Compliance

A Practical IT Approach To Sarbanes-Oxley Compliance
Adam Bearhalter Kristy Kelly Julie Bland Alex Tiset.

Adam Bearhalter Kristy Kelly Julie Bland Alex Tiset.
Kenneth A. Griggs, Rosemary Wild Orfalea College of Business, California Polytechnic State University, San Luis Obispo, CA, U.S.A.

Kenneth A. Griggs, Rosemary Wild Orfalea College of Business, California Polytechnic State University, San Luis Obispo, CA, U.S.A.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
ACCEPTABLE An acceptable use policy (AUP), also known as an acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager.

ACCEPTABLE An acceptable use policy (AUP), also known as an acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Chapter 15 Database Administration and Security

Chapter 15 Database Administration and Security
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Pass SOX security audits and Improve XA security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services

Pass SOX security audits and Improve XA security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services
CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:

CSU - DCE Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:
1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.

1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.
Professional, Legal and Ethical Issues CPSC 356 Database Ellen Walker Hiram College (Includes figures from Database Systems by Connolly & Begg, © Addison.

Professional, Legal and Ethical Issues CPSC 356 Database Ellen Walker Hiram College (Includes figures from Database Systems by Connolly & Begg, © Addison.
Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Similar presentations

Ads by Google