Oracle Database Security Diagnostic Service
Oracle WE Technology Consulting
Database Security Diagnostic Service
Database Security Diagnostic Service: Why?
• Today, organizations increasingly store sensitive data, customer and employee information, strategic plans, research, etc. Keeping this information protected is a must and an obligation, and can even be required by law (LOPD, SOX).
• As important as the best protection of data against unauthorized access is the ability to detect unauthorized accesses if they occur. In short, having the security level that allows me to answer questions such as:
✓ Who has access to protected data through Information Systems?
✓ When?
✓ What data?
Database Security Diagnostic Service: What is it?
• The Database Security Diagnostic is a service designed to provide high value in a short time.
• This service is complementary to other, longer-term Security Diagnostics (Systems, Communications, Data Protection Act, ISO 27001, etc.).
• Identifies the vulnerabilities of the layer closest to the data: the Oracle Database engine.
• Proposes corrective measures, ranging from those that can be implemented almost immediately to others that require a defined action plan, as part of the service.
Database Security Diagnostic Service: Where are we?
• Do I base security on trust and not facts?
• What can I answer if my manager or director asks me to what extent my system is safe?
• How many "back doors" does my system have?
• Do I know my system vulnerabilities before the attackers?
• Do I know how to resolve these vulnerabilities?
Database Security Diagnostic Service: Goals
• Main goals of the Database Security Diagnostic:
✓ Verification that the security measures implemented in the Oracle database meet the needs of integrity, confidentiality and availability of the Customer's information.
✓ Verification of compliance of the security measures with the applicable regulations.
✓ Identification of the deviation between the current and the desired situation.
Database Security Diagnostic Service: Scope
• Database Security Diagnostic focuses on the database in a specific and concrete form.
• The Database Security Diagnostic is developed on the following areas:
✓ System configuration.
✓ Users identification and authentication.
✓ Access control measures (monitoring and auditing).
✓ Confidentiality and integrity.
✓ Security policies, rules and procedures.
✓ Applicable law and standards.
Using our best practices and standards, our experts will conduct an assessment of the security of the customer's Oracle systems and provide a report with concrete proposals for improvement, to support the organization in implementing the measures necessary to achieve the goal of "Organization Protected".
Database Security Diagnostic Service: Methodology
1. Presentation and Service Scope
2. Meetings, Questionnaires and Scripts
3. Information Analysis and Document Preparation
4. Document Validation by Customer
5. Document Delivery
6. Result Presentation to High Level
7. Implementation of Security Measures (NOT included in service)

Diagram annotations:
• Meeting to get information, resolve doubts and other information
• Critical Assets
• Technical Qualification
• DB/OS Scripts
• We analyze and plan the draft document
• Risk Analysis
• Customer validates the document and we modify it if necessary
• Deliver it to Different Areas
• Diagnostic Presentation
• Continuous Improvement Process
• Final Diagnostic Document:
✓ Scorecard Risk Analysis
✓ Description of Main Vulnerabilities
✓ Details of all identified Vulnerabilities
✓ Assessment and Recommendations
✓ Level of Compliance with Regulation
✓ Deployment Proposal for Corrective Measures
Database Security Diagnostic Service: Deliverables
Database Security Diagnostic results:
• Current status
• Checkpoints analyzed
• Shortcomings and vulnerabilities
• Regulatory compliance
• Proposed recommendations
[Figure: "Risk measures" chart with axes Integrity, Confidentiality and Availability, scale 0 to 30, series High, Med, Low and Project]
[Figure: "Global estimated risk" chart, axis: Risk level]
Improvement actions
Security Diagnostic Service: Deliverables
• The effort (and thus the cost) of the service will be based on the customer's 'dimensions'; however, a standard approach for a single database has been created:

Approach level: One Database
Estimate: 15 days
Deliverables:
➢ Questionnaire of Criticality Assessment
➢ Questionnaire of Technological Qualification
➢ Final Diagnostic Document (between 50 and 70 pages)
  ✓ Scorecard Risk Analysis
  ✓ Description of the Main Vulnerabilities Identified
  ✓ Details of all identified Vulnerabilities
  ✓ Assessment and Recommendations of corrective measures based on specific solutions for each of the identified vulnerabilities
  ✓ Level of Compliance with Regulation
  ✓ Deployment Proposal for Corrective Measures
➢ Result Presentation to High Level (depends on whether the audience is technical or not)
Database Security Diagnostic Service: Advantages
• Delivered using a complete methodology, including a set of tools:
✓ Risk analysis model
✓ Document templates
✓ Automated tools for risk calculation
✓ Technical scripts (PL/SQL)
✓ Commercial tools (vulnerability scanners)
• Provides a critical view of security risks and needs of your Database