Oracle Database Security Diagnostic Service

Oracle WE Technology Consulting: Database Security Diagnostic Service

Upload: sheehab2

Post on 18-Dec-2014


DESCRIPTION

Oracle Database Security Diagnostic Service

TRANSCRIPT

Page 1: Oracle Database Security Diagnostic Service

Oracle WE Technology Consulting: Database Security Diagnostic Service

Page 2: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Why?

• Today, organizations increasingly store sensitive data: customer and employee information, strategic plans, research, etc. Keeping this information safe is a must and an obligation, and may even be required by law (LOPD, SOX).

• As important as the best protection of data against unauthorized access is the ability to detect unauthorized accesses if they occur. In short, having the security level that allows me to answer questions such as:
✓ Who has access to protected data through Information Systems?
✓ When?
✓ What data?

Page 3: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: What is it?

• The Database Security Diagnostic is a service designed to provide high value in a short time.

• This service is complementary to other, longer-term security diagnostics (Systems, Communications, Data Protection Act, ISO 27001, etc.).

• Identifies the vulnerabilities of the layer closest to the data: the Oracle Database engine.

• Proposes corrective measures, from those that can be implemented almost immediately to others that require a defined action plan, as part of the service.

Page 4: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Where are we?

• Do I base security on trust and not facts?

• What can I answer if my manager or director asks me to what extent my system is safe?

• How many "back doors" does my system have?

• Do I know my system vulnerabilities before the attackers?

• Do I know how to resolve these vulnerabilities?

Page 5: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Goals

• Main goals of the Database Security Diagnostic:
✓ Verification that the security measures implemented in the Oracle database meet the needs of integrity, confidentiality and availability of the Customer's information.
✓ Verification of compliance of the security measures with the applicable regulations.
✓ Identification of the deviation between the current and the desired situation.

Page 6: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Scope

• The Database Security Diagnostic focuses specifically and concretely on the database.

• The Database Security Diagnostic covers the following areas:
✓ System configuration.
✓ User identification and authentication.
✓ Access control measures (monitoring and auditing).
✓ Confidentiality and integrity.
✓ Security policies, rules and procedures.
✓ Applicable law and standards.

Page 7: Oracle Database Security Diagnostic Service

Using our best practices and standards, our experts will conduct an assessment of the security of the customer's Oracle systems and provide a report with concrete proposals for improvement, to support the organization in implementing the measures necessary to achieve the goal of "Organization Protected".

Page 8: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Methodology

1. Presentation and Service Scope

2. Meetings, Questionnaires and Scripts

3. Information Analysis and Document Preparation

4. Document Validation by Customer

5. Document Delivery

6. Result Presentation to High Level

7. Implementation of Security Measures (NOT included in service)

Diagram labels: Meeting to get information, resolve doubts and other information; Asset Criticality; Technical Qualification; DB/OS Scripts; We analyze and plan the draft document; Risk Analysis; Diagnostic Presentation; Customer validates the document and we modify it if necessary; Deliver it to different areas; Continuous Improvement Process.

Final Diagnostic Document:
- Scorecard Risk Analysis
- Description of Main Vulnerabilities
- Details of all identified Vulnerabilities
- Assessment and Recommendations
- Level of Compliance with Regulation
- Deployment Proposal for Corrective Measures

Page 9: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Deliverables

Database Security Diagnostic results:
▪ Current status
▪ Checkpoints analyzed
▪ Deficiencies and vulnerabilities
▪ Regulatory compliance
▪ Proposed recommendations

[Figure: risk measures chart. Dimensions: Integrity, Confidentiality, Availability. Risk level: High, Med, Low, Project. Panels: Global estimated risk; Improvement actions.]

Page 10: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Deliverables

• The effort (and thus cost) of the service will be based on customer 'dimensions'; however, a standard approach for only one database has been created:

Approach level: One Database

Estimate: 15 days

Deliverables:
➢ Questionnaire of Criticality Assessment
➢ Questionnaire of Technological Qualification
➢ Final Diagnostic Document (between 50 and 70 pages)
✓ Scorecard Risk Analysis
✓ Description of the Main Vulnerabilities Identified
✓ Details of all identified Vulnerabilities
✓ Assessment and Recommendations of corrective measures based on specific solutions for each of the identified vulnerabilities
✓ Level of Compliance with Regulation
✓ Deployment Proposal for Corrective Measures
➢ Result Presentation to High Level (depending on whether the audience is technical or not)

Page 11: Oracle Database Security Diagnostic Service

Database Security Diagnostic Service: Advantages

• Delivered using a complete methodology, including a set of tools:
✓ Risk analysis model
✓ Document templates
✓ Automated tools for risk calculation
✓ Technical scripts (PL/SQL)
✓ Commercial tools (vulnerability scanners)

• Provides a critical view of the security risks and needs of your Database