1
Oracle DBMS Audit Findings
F.E.I. Internal Audit Group
Oracle DBA Management Team
Audit Period: February 26 to April 9, 2018
Heiang Cheung || M. Sarush Faruqi || James Foggie || Nathan Van Cleave
MIS IT Audit Process - Professor Yao
2
Agenda
Executive Summary
Audit Scope
Good Practices
Audit Findings
Appendices
3
Executive Summary
Overall Audit Opinion: Needs Improvement (rating scale: Satisfactory / Needs Improvement / Urgent Action)

Key Message
The DBA team is experienced and the management team works in a collaborative manner. While an internal control framework has been established, audit identified four findings during the review. These findings relate to the Access and Service Management sub-risk areas and reflect gaps in a maturing control framework. With two major and two minor findings, audit rates the Overall Audit Opinion as Needs Improvement.

Findings: 2 Major, 2 Minor

Audit Context
Management disclosed during planning that the DBA Support group had recently completed an organizational transformation and that key resources had not been retained. This has caused staffing and retention issues. A post-implementation audit was conducted 18 months ago and 2 minor findings related to Password Management and Programme Governance were raised.
4
Thank You
Before we go deeper, we just want to say thank you for your cooperation.
5
Scope
Oracle Database Environment: evaluate the steady state of controls, with emphasis on Confidentiality.

Risk Area            Sub-Risk / Activity
Access Management    Segregation of Duties; Privileged Access; Role Based Access
Service Management   Server Maintenance; Full/Incremental Backup

The audit scope encompasses a review of the Oracle Database environment’s steady state processes and controls, with the primary objective of providing assurance over the Confidentiality of the environment. For this specific audit we’ve identified Access Management and Service Management as the risk areas we’d like to focus on. For Access Management, we’ll take a deeper look at segregation of duties, privileged access and role based access; for Service Management we’ll look at server maintenance and the full and incremental backup processes.
6
Management Good Practices
Title: External certification programme being used to establish key capabilities
Control Element: Training

What did they do?
External training is provided to build capability in database management roles for key Database Administration (DBA) Support team members. Training includes a variety of modules to be completed in preparation for Oracle 12c, 11g, and 12c R2 certifications. Governance Boards have approved funding for these training courses and certifications.

Why is it a good practice?
This is an example of F.E.I.’s support for workforce development and is an efficient and cost-effective way of establishing a standard capability across the DBA organization. It also acts as a motivator for the individuals involved, as it gives them a recognised professional certification.

Who else might find this useful?
Other global risk areas, or any area where F.E.I. is looking to develop capability.

Give credit.
7
Findings Index
No  Title                            Classification*  Risk Area               Control Element       Business Unit
1   Inappropriate privileged access  Major            Information Protection  Standards & Controls  DBA Support
2   Gaps in password management      Minor            Information Protection  Standards & Controls  DBA Support
3   Lack of segregation of duties    Minor            Information Protection  Standards & Controls  DBA Support
4   Inadequate backup processes      Major            Information Protection  Standards & Controls  DBA Support
*See Appendix I for Classification Definitions
8
Finding 1 – Inappropriate Privileged Access
Risk Area: InfoProtect
Classification: Major
Business Unit: DBA Support
Control Element: Standards & Controls

Risk Description
Unauthorized access to sensitive data, combined with the ability to update it, can lead to a compromise of confidentiality and integrity.

Finding Description
Audit identified 5 users with inappropriate privileges to Oracle database instances in both staging and production environments. It was discovered that these individuals were no longer part of the ‘Support-DBA Group’ due to organizational changes, but were still displayed as active users with system and schema (CREATE, READ, UPDATE, DELETE) privileges in the ‘Prod_Support_DBA_Roles’ access list. The finding was discovered when comparing the access list to the active members of the Production Support Team. This finding does not meet the standards of NIST SP 800-53A AC-2(7) and AC-2(10).

Root Cause
There is currently no formal documented procedure for reviewing the users assigned to a particular role-based list, nor a process for reviewing all user privileges at set points in the year. As a result, specific user accounts were not disabled upon their departure from the ‘Support-DBA Group’.

Corrective Actions / Recommendations
- Develop a review procedure to determine active vs. inactive users in all role-based access lists
- Develop a process to review all user privileges within a given timeframe
- Monitor privilege usage of active users in role-based lists
9
Finding 2 – Gaps in Password Management
Risk Area: InfoProtect
Classification: Minor
Business Unit: DBA Support
Control Element: Standards & Controls

Risk Description
Inadequate password security could result in unauthorised access to systems.

Finding Description
Audit identified password configuration deficiencies relative to the complexity standard outlined in SOP-IT. Specifically, the configurations did not meet the control’s minimum length and special character requirements. This finding was also identified in the 2017 post-implementation Oracle DB audit and has not been remediated.

Root Cause
During the audit, audit confirmed that key team resources transitioned out of the DBA Support group shortly after the 2017 audit. As a result, the issue persisted because the corrective action was not appropriately transferred to a new owner.

Corrective Actions / Recommendations
- Update the password configurations: implement the minimum password length (a length greater than 7 characters is recommended) and require that at least one special character be used
- Include password configurations as part of the periodic review
- Determine a mechanism to ensure compliance with the requirements
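The recommendation above asks for both a configuration fix and a mechanism to prove compliance. The script below is an added example, not the audit team’s or F.E.I.’s own tooling: it compares a configuration export against the policy and then runs constructed test vectors through the validation rule as evidence that the rule is enforced rather than merely documented. The threshold values are assumptions (the finding names a minimum-length rule and a special-character rule but not the numbers; 8 characters and 1 special character are used as placeholders, consistent with the deck’s "greater than 7" advice), and the export keys `min_length` / `min_special` are a hypothetical format. In Oracle the complexity rules live in the profile’s PASSWORD_VERIFY_FUNCTION, so in practice the `check` callable would wrap an attempted password change rather than the local function shown here.

```python
"""Password-configuration compliance check (added example, not from the audit deck).
Threshold values and the settings-export keys are assumptions, see the lead-in."""
import re

POLICY = {"min_length": 8, "min_special": 1}    # assumed SOP-IT values (placeholders)
SPECIAL = re.compile(r"[^A-Za-z0-9]")           # anything outside letters/digits counts


def config_gaps(settings, policy=POLICY):
    """Compare a configuration export (hypothetical keys) to the policy.
    Returns [(setting, configured, required), ...] for every value below the standard."""
    gaps = []
    configured_len = settings.get("min_length", 0)
    if configured_len < policy["min_length"]:
        gaps.append(("min_length", configured_len, policy["min_length"]))
    configured_special = settings.get("min_special", 0)
    if configured_special < policy["min_special"]:
        gaps.append(("min_special", configured_special, policy["min_special"]))
    return gaps


def password_violations(candidate, policy=POLICY):
    """What a verify function should reject: the names of the rules a candidate breaks."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("min_length")
    if len(SPECIAL.findall(candidate)) < policy["min_special"]:
        violations.append("min_special")
    return violations


# Constructed test vectors with the outcome the policy requires for each one.
ENFORCEMENT_VECTORS = {
    "short1!": ["min_length"],                   # 7 characters, has a special character
    "longenoughbutplain": ["min_special"],       # long enough, no special character
    "abc": ["min_length", "min_special"],        # breaks both rules
    "Correct-Horse-9": [],                       # compliant
}


def enforcement_evidence(check, vectors=ENFORCEMENT_VECTORS):
    """`check(pw)` is the rule under test (here our own validator; in practice a wrapper
    around the live verify function). Returns the vectors whose outcome differs from
    the expected one, so an empty result is the compliance evidence the reviewer files."""
    return {pw: check(pw) for pw, expected in vectors.items() if check(pw) != expected}


if __name__ == "__main__":
    # Constructed export mirroring the observed deficiency: too short, no special character.
    observed = {"min_length": 6, "min_special": 0}
    print("configuration gaps:", config_gaps(observed))
    print("enforcement mismatches:", enforcement_evidence(password_violations))
```

Re-running `config_gaps` and `enforcement_evidence` at each periodic review, and keeping the output with the review record, gives the "mechanism to ensure compliance" that the recommendation calls for; a gap reappearing after a team change would surface immediately instead of persisting, as it did between the 2017 and 2018 audits.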
10
Finding 3 – Lack of Segregation of Duties
Risk Area: InfoProtect
Classification: Minor
Business Unit: DBA Support
Control Element: Standards & Controls

Risk Description
A lack of segregation of duties could lead to reduced oversight and to fraud.

Finding Description
Audit identified control weaknesses in the segregation of duties between the application development and database administration functions. Audit found 2 application developers who provide support for database design and data management as well as application development and support. This does not meet the SOD standards outlined in ISO A. Audit reviewed the audit logs from the past 30 days of the latest release and found no exceptions related to this issue.

Root Cause
Audit confirmed that recent turnover in the DBA Support group has left the DBA group understaffed, and as a result it needed help from the application development group.

Corrective Actions / Recommendations
- Revise the job function of the 2 application developers to remove the responsibilities related to database design and data management
- Application developers and users should have no responsibility for database structural maintenance, access, or design

We found control weaknesses in FEI segregation of duties standards. We found 2 application developers that provide support for database design, data management, and applications development and support. The root cause of this is due to recent turnover within the DBA group. We classified this as Minor because we reviewed the audit logs from the past 30 days of the release and found no exceptions, and other areas of FEI IT do respect the segregation of database duties. For example, mainframe developers submit formal documented requests to the DBA for database services within their database environment.
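Findings 1 and 3 both come down to the same missing control: nobody periodically reconciles who holds a role-based access list against who is entitled to it. The script below is an added example, not the audit team’s or F.E.I.’s own code, of what that review procedure looks like when it is automated: it takes an export of a role’s membership and the current team roster, and reports orphaned accounts (Finding 1), grants that exceed the role’s approved privilege baseline, and users holding conflicting duties (Finding 3). Only the role name ‘Prod_Support_DBA_Roles’ and its CREATE/READ/UPDATE/DELETE privilege set come from the deck; the export layout, the duty names, the conflict matrix and every sample account are constructed for illustration.

```python
"""Role-based access review (added example, not from the audit deck).
Reconciles a role-membership export against the entitled team's roster and checks
for segregation-of-duties conflicts. All sample data below is constructed."""
from dataclasses import dataclass, field

# Privilege baseline approved for the role (the four privileges named in Finding 1).
APPROVED_ROLE_PRIVS = {
    "Prod_Support_DBA_Roles": {"CREATE", "READ", "UPDATE", "DELETE"},
}

# Duty pairs one person must not hold at the same time. Assumed matrix modelled on
# Finding 3: application developers must not own database design or data management.
CONFLICTING_DUTIES = {
    frozenset({"APPLICATION_DEVELOPMENT", "DATABASE_DESIGN"}),
    frozenset({"APPLICATION_DEVELOPMENT", "DATA_MANAGEMENT"}),
}


@dataclass
class GrantRecord:
    """One row of a role-membership export (hypothetical column layout)."""
    username: str
    role: str
    privileges: set
    status: str                      # "OPEN" = usable account, "LOCKED" = disabled
    duties: set = field(default_factory=set)


def find_orphaned_grants(grants, active_roster):
    """Usable accounts that still hold the role but are no longer on the roster of
    the team entitled to it: the condition behind Finding 1."""
    roster = {u.upper() for u in active_roster}
    return sorted(g.username for g in grants
                  if g.status == "OPEN" and g.username.upper() not in roster)


def find_excess_privileges(grants):
    """Grants whose privilege set goes beyond the approved baseline for the role."""
    excess = {}
    for g in grants:
        baseline = APPROVED_ROLE_PRIVS.get(g.role)
        if baseline is not None and g.privileges - baseline:
            excess[g.username] = sorted(g.privileges - baseline)
    return excess


def find_sod_conflicts(grants):
    """Users holding a conflicting pair of duties at the same time: Finding 3."""
    conflicts = {}
    for g in grants:
        hits = [sorted(pair) for pair in CONFLICTING_DUTIES if pair <= g.duties]
        if hits:
            conflicts[g.username] = sorted(hits)
    return conflicts


def review(grants, active_roster):
    """Run all three checks; the result is the exception list a reviewer signs off."""
    return {
        "orphaned": find_orphaned_grants(grants, active_roster),
        "excess_privileges": find_excess_privileges(grants),
        "sod_conflicts": find_sod_conflicts(grants),
    }


# Constructed sample export and roster.
CRUD = {"CREATE", "READ", "UPDATE", "DELETE"}
SAMPLE_GRANTS = [
    GrantRecord("dba01", "Prod_Support_DBA_Roles", CRUD | {"DROP"}, "OPEN",
                {"DATABASE_DESIGN", "DATA_MANAGEMENT"}),
    GrantRecord("dba02", "Prod_Support_DBA_Roles", set(CRUD), "OPEN",
                {"DATABASE_DESIGN", "DATA_MANAGEMENT"}),
    # Left the group after the reorganisation but the account was never disabled.
    GrantRecord("dba03", "Prod_Support_DBA_Roles", set(CRUD), "OPEN", {"DATABASE_DESIGN"}),
    # Also left, but correctly locked: not an exception.
    GrantRecord("dba04", "Prod_Support_DBA_Roles", set(CRUD), "LOCKED", {"DATABASE_DESIGN"}),
    # Developer covering the staffing gap: on the roster, but holds conflicting duties.
    GrantRecord("dev07", "Prod_Support_DBA_Roles", {"READ", "UPDATE"}, "OPEN",
                {"APPLICATION_DEVELOPMENT", "DATABASE_DESIGN"}),
]
ACTIVE_ROSTER = ["dba01", "dba02", "dev07"]

if __name__ == "__main__":
    for check, result in review(SAMPLE_GRANTS, ACTIVE_ROSTER).items():
        print(f"{check}: {result}")
```

The roster is the authoritative input: it is what the audit itself compared the access list against, and the review is only as good as the roster’s freshness, so it should come from the same source that records team membership changes. Locked accounts are deliberately excluded from the orphan list so that the report shows remaining exposure rather than history.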
11
Finding 4 – Inadequate Backup Processes
Risk Area: InfoProtect
Classification: Major
Business Unit: DBA Support
Control Element: Standards & Controls

Risk Description
Unavailable data due to a failed backup and recovery process (failing backups), leading to potential loss of data availability and business continuity. Could also result in missed Service Level Agreements (SLAs) due to prolonged data recovery (missed RTO).

Finding Description
Backups of business critical data are scheduled to run daily and are transmitted offsite. Point-in-time checkpoints are taken hourly throughout the day to provide backouts (rollbacks) and point-in-time recovery. The last successful full backup for the critical billing application was completed on February 5, 2018 (2 months ago). According to NIST SP (Contingency Planning Guide for Federal Information Systems), data backups should be conducted on a regular basis. The primary purpose of backups is recovery and business continuity.

Root Cause
Management did not fully implement the NIST SP (Contingency Planning) control for information backups. F.E.I. did not have controls in place to ensure the availability of backup information and did not regularly test backup information to verify media reliability and information integrity. In short: a lack of controls, plans and procedures.

Standards & Guides
- NIST SP: Contingency Planning Guide for Federal Information Systems
- NIST SP: Assessing Security and Privacy Controls in Federal Information Systems and Organizations (Contingency Planning family, pg 126/196)

Impact to Business
- Loss of data availability of business critical billing information (during recovery scenarios)
- Potential missed SLAs due to prolonged recoveries caused by missing backup data

Corrective Actions / Recommendations
- The Database Administration (DBA) Manager should develop a process to regularly test data backups to verify information integrity
- The DBA Manager should develop increased oversight procedures for backup/recovery
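The oversight the recommendation asks for reduces to two questions that can be answered from the backup job log: how old is the last successful full backup for each application relative to its schedule, and when was a restore last tested. The script below is an added example, not the audit team’s or F.E.I.’s own monitoring: it parses a constructed job log, reports applications whose last good full backup is older than the daily schedule allows, and lists applications with no recent successful restore test. Only the February 5, 2018 date of the last successful billing full backup, the daily schedule and the April 9, 2018 end of the audit period come from the deck; the log format, the HRIS application, the failed-job entries and the thresholds (1 day for a daily full, 90 days between restore tests) are assumptions.

```python
"""Backup-recency and restore-test monitor (added example, not from the audit deck).
The log format, all entries except the February 5, 2018 billing full backup, and the
thresholds are constructed or assumed."""
from datetime import date, datetime

# Constructed job log: timestamp, application, job kind, outcome.
SAMPLE_LOG = """\
2018-01-15 09:00:00 BILLING RESTORE_TEST SUCCESS
2018-02-05 01:12:03 BILLING FULL SUCCESS
2018-02-06 01:11:41 BILLING FULL FAILED
2018-04-07 03:00:00 HRIS FULL SUCCESS
2018-04-08 01:09:55 BILLING FULL FAILED
2018-04-08 02:00:00 BILLING INCREMENTAL SUCCESS
2018-04-08 03:00:00 HRIS FULL SUCCESS
"""


def _to_date(value):
    """Accept a date or an ISO string for the review date."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_log(text):
    """One dict per non-empty line: when (datetime), app, kind, result."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, app, kind, result = line.split()
        records.append({"when": datetime.fromisoformat(f"{day} {clock}"),
                        "app": app, "kind": kind, "result": result})
    return records


def last_success(records, kind):
    """Most recent successful job of `kind` per application, as an ISO date string."""
    latest = {}
    for r in records:
        if r["kind"] == kind and r["result"] == "SUCCESS":
            d = r["when"].date()
            if r["app"] not in latest or d > latest[r["app"]]:
                latest[r["app"]] = d
    return {app: d.isoformat() for app, d in latest.items()}


def stale_backups(records, as_of, max_age_days=1):
    """Applications whose last successful FULL backup is older than the schedule allows,
    mapped to its age in days (None if a full backup never succeeded). A recent successful
    INCREMENTAL does not rescue an application: it is only usable with a valid full base."""
    as_of = _to_date(as_of)
    last_full = last_success(records, "FULL")
    stale = {}
    for app in {r["app"] for r in records}:
        if app not in last_full:
            stale[app] = None
            continue
        age = (as_of - date.fromisoformat(last_full[app])).days
        if age > max_age_days:
            stale[app] = age
    return stale


def untested_restores(records, as_of, max_age_days=90):
    """Applications with no successful restore test inside the window: the
    'regularly test data backups' part of the recommendation."""
    as_of = _to_date(as_of)
    last_test = last_success(records, "RESTORE_TEST")
    return sorted(app for app in {r["app"] for r in records}
                  if app not in last_test
                  or (as_of - date.fromisoformat(last_test[app])).days > max_age_days)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    review_date = "2018-04-09"          # end of the audit period
    print("stale full backups (age in days):", stale_backups(recs, review_date))
    print("restore tests overdue:", untested_restores(recs, review_date))
```

Run daily against the real job log, the first function turns the 63-day gap in the billing application’s full backups into an alert on day two rather than a finding two months later, and the second keeps the restore-test obligation visible even when every backup job reports success.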
12
Next Steps
- Findings Agreement
- Corrective Actions & Owners Assigned
- Final Report Issuance
- 6 Month Check-in

To close, we want to touch on the next steps. We’ll discuss the findings with you and agree on them; we will work with you to chart corrective actions with assigned owners; we will issue the final report; and we will schedule a 6 month check-in. With that, we’d like to end here and answer any questions you may have.
13
Appendix I – Findings Classifications
Critical: A significant compliance issue, control weakness, or business issue that poses unacceptable risk. Immediate attention and priority action for resolution by appropriate senior management is required.
Major: A compliance issue, control weakness, or business issue that poses or has the potential to pose high risk. Timely attention and priority action for resolution by management is required.
Minor: A compliance issue, control weakness, or business issue that poses or has the potential to pose moderate risk. Timely attention by management is required.