1. Oracle WE Technology Consulting
Database Security Diagnostic Service
2. Database Security Diagnostic Service
Why?
• Today, organizations increasingly store sensitive data:
customer and employee information, strategic plans,
research, etc. Keeping this information safe is a must and an
obligation, and may even be required by law (LOPD, SOX).
• Just as important as protecting data against
unauthorized access is the ability to detect
unauthorized access if it occurs. In short, it means having a
security level that allows me to answer questions such as:
- Who has access to protected data through Information Systems?
- When?
- What data?
3. Database Security Diagnostic Service
What is it?
• The Database Security Diagnostic is a service designed to
provide high value in a short time.
• This service is complementary to other, longer-term
Security Diagnostics (Systems, Communications, Data
Protection Act, ISO 27001, etc.).
• It identifies the vulnerabilities of the layer closest to the data:
the Oracle Database engine.
• It proposes corrective measures, ranging from those that can be
implemented almost immediately to others that require a defined
action plan, as part of the service.
4. Database Security Diagnostic Service
Where are we?
• Do I base security on trust and not facts?
• What can I answer if my manager or director asks me
to what extent my system is safe?
• How many "back doors" does my system have?
• Do I know my system's vulnerabilities before the
attackers do?
• Do I know how to resolve these vulnerabilities?
5. Database Security Diagnostic Service
Goals
• Main goals of the Database Security Diagnostic:
- Verification that the security measures implemented in
the Oracle database meet the needs of integrity,
confidentiality and availability of the Customer's
information.
- Verification that the security measures comply with the
applicable regulations.
- Identification of the deviation between the current and
the desired situation.
6. Database Security Diagnostic Service
Scope
• The Database Security Diagnostic focuses specifically on
the database.
• The Database Security Diagnostic covers the
following areas:
- System configuration.
- User identification and authentication.
- Access control measures (monitoring and auditing).
- Confidentiality and integrity.
- Security policies, rules and procedures.
- Applicable law and standards.
7. Using our best practices and standards, our experts
will conduct an assessment of the security of the
customer's Oracle systems and provide a report with concrete
proposals for improvement, to support the
organization in implementing the measures
necessary to achieve the goal of "Organization
Protected".
8. Database Security Diagnostic Service
Methodology
[Process diagram]
Step 1: Presentation and Service Scope
Step 2: Meetings, Questionnaires and Scripts
Step 3: Information Analysis and Document Preparation
Step 4: Document Validation by Customer (the customer validates the document and we modify it if necessary)
Step 5: Document Delivery
Step 6: Result Presentation to High Level
Step 7: Implementation of Security Measures (NOT included in service)
Final Diagnostic Document:
- Scorecard Risk Analysis
- Description of Main Vulnerabilities
- Details of all identified Vulnerabilities
- Assessment and Recommendations
- Level of Compliance with Regulation
- Deployment Proposal for Corrective Measures
Other diagram labels: Critical Assets, Technical Qualification, DB/OS Scripts, Risk Analysis, We analyze, Planning, Draft Document, Diagnostic Presentation, Meeting to get information and other information, Resolve doubts, Deliver it to Different Areas, Continuous Improvement Process.
9. Database Security Diagnostic Service
Deliverables
Database Security Diagnostic results:
- Current status
- Checkpoints analyzed
- Gaps and vulnerabilities
- Regulatory compliance
- Proposed recommendations
- Improvement actions
[Chart: Risk measures. Axes: Integrity, Confidentiality, Availability (scale 0 to 30). Legend: High, Med, Low, Project.]
[Chart: Global estimated risk. Axis: Risk level.]
10. Security Diagnostic Service
Deliverables
• The effort (and thus the cost) of the service will be based on the customer's
'dimensions'; however, a standard approach for only one database
has been created:
Approach level: One Database
Estimate: 15 days
Deliverables:
- Questionnaire of Criticality Assessment
- Questionnaire of Technological Qualification
- Final Diagnostic Document (between 50 and 70 pages):
  - Scorecard Risk Analysis
  - Description of the Main Vulnerabilities Identified
  - Details of all identified Vulnerabilities
  - Assessment and Recommendations of corrective measures based on specific solutions for each of the identified vulnerabilities
  - Level of Compliance with Regulation
  - Deployment Proposal for Corrective Measures
- Result Presentation to High Level (depends on the audience, technical or not)
11. Database Security Diagnostic Service
Advantages
• Delivered using a complete methodology, including a set of tools:
- Risk analysis model
- Document templates
- Automated tools for risk calculation
- Technical scripts (PL/SQL)
- Commercial tools (vulnerability scanners)
• Provides a critical view of the security risks and needs of your Database