Oracle WE Technology Consulting
Database Security Diagnostic Service

Database Security Diagnostic Service
  Why?

• Today, organizations increasingly store sensitive data:
  customer and employee information, strategic plans,
  research, etc. Keeping this information safe is a must and an
  obligation, and in some cases it is required by law (LOPD, SOX).
• As important as the best possible protection of data against
  unauthorized access is the ability to detect unauthorized
  accesses if they occur. In short, a security level that
  allows me to answer questions such as:
     Who has access to protected data through the Information Systems?
     When?
     What data?

Database Security Diagnostic Service
   What is it?

• The Database Security Diagnostic is a service designed to
  provide high value in a short time.
• This service complements other, longer-term security
  diagnostics (systems, communications, Data Protection Act,
  ISO 27001, etc.).
• It identifies the vulnerabilities of the layer closest to the data:
  the Oracle Database engine.
• Corrective measures are proposed as part of the service, ranging
  from those that can be implemented almost immediately to others
  that require a defined action plan.

Database Security Diagnostic Service
  Where are we?

• Do I base security on trust rather than on facts?
• What can I answer if my manager or director asks me
  how safe my system is?
• How many “back doors” does my system have?
• Do I know my system's vulnerabilities before the
  attackers do?
• Do I know how to resolve these vulnerabilities?

Database Security Diagnostic Service
  Goals

• Main goals of the Database Security Diagnostic:
     Verification that the security measures implemented in
     the Oracle database meet the integrity, confidentiality
     and availability needs of the Customer's information.
     Verification that the security measures comply with the
     applicable regulations.
     Identification of the gap between the current and the
     desired situation.

Database Security Diagnostic Service
  Scope

• The Database Security Diagnostic focuses specifically and
  concretely on the database.
• The Database Security Diagnostic covers the following
  areas:
          System configuration.
          User identification and authentication.
          Access control measures (monitoring and auditing).
          Confidentiality and integrity.
          Security policies, rules and procedures.
          Applicable law and standards.

Using our best practices and standards, our experts
will conduct an assessment of the security of the
organization's Oracle systems and provide a report with concrete
proposals for improvement, to support the
organization in implementing the measures
necessary to achieve the goal of “Organization
Protected”.

Database Security Diagnostic Service
    Methodology

The methodology is a cycle of seven steps (the original slide shows them as a flowchart), the last of which lies outside the service:

1. Presentation and Service Scope
     Diagnostic presentation
     Meeting to gather information
2. Meetings, Questionnaires and Scripts
     Criticality of assets
     Technical qualification
     DB/OS scripts
3. Information Analysis and Document Preparation
     Risk analysis
     Analysis and planning
     Draft document
4. Document Validation by Customer
     Resolve doubts and other information
     Final Diagnostic Document:
       - Scorecard Risk Analysis
       - Description of Main Vulnerabilities
       - Details of all identified Vulnerabilities
       - Assessment and Recommendations
       - Level of Compliance with Regulation
       - Deployment Proposal for Corrective Measures
     The customer validates the document and we modify it if necessary
5. Document Delivery
     Deliver it to the different areas
6. Result Presentation to High Level
7. Implementation of Security Measures (NOT included in the service)

Continuous Improvement Process

Database Security Diagnostic Service
  Deliverables

Database Security Diagnostic results:
   Current status
   Checkpoints analyzed
   Gaps and vulnerabilities
   Regulatory compliance
   Proposed recommendations
   Improvement actions

[Chart: Risk measures (Integrity / Integridad, Confidentiality / Confidencialidad,
Availability / Disponibilidad), each scored on a 0–30 scale, with the
High / Alto, Medium / Medio, Low / Bajo and Project / Proyecto reference
series overlaid.]

[Chart: Global estimated risk (Riesgo Global Estimado), risk level
(Nivel de Riesgo) on a 0–30 scale.]

Security Diagnostic Service
  Deliverables
• The effort (and thus cost) of the service depends on the customer's
  ‘dimensions’; however, a standard approach for a single database
  has been defined:

 Approach level: One Database
 Deliverables:
                   Questionnaire of Criticality Assessment
                   Questionnaire of Technological Qualification
                   Final Diagnostic Document (between 50 and 70 pages):
                       Scorecard Risk Analysis
                       Description of the Main Vulnerabilities Identified
                       Details of all identified Vulnerabilities
                       Assessment and Recommendations of corrective measures,
                       based on specific solutions for each of the identified vulnerabilities
                       Level of Compliance with Regulation
                       Deployment Proposal for Corrective Measures
                   Result Presentation to High Level (depends on the audience:
                   technical or not)
 Estimate: 15 days

Database Security Diagnostic Service
    Advantages

•   Delivered using a complete methodology, including a set of tools:
          Risk analysis model
          Document templates
          Automated tools for risk calculation
          Technical scripts (PL/SQL)
          Commercial tools (vulnerability scanners)

•   Provides a critical view of the security risks and needs of your database
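As an added illustration of what the "technical scripts" above and the Scope areas (system configuration, user identification and authentication, access control with monitoring and auditing) look like in practice, the following Oracle SQL checks are a constructed example; they are not the service's own PL/SQL scripts. The example assumes a session with DBA privileges on Oracle Database 11g or later; every view, column and parameter named is a standard Oracle one, and the hardened values noted in the comments are the assumed targets, not findings from this page.

```sql
-- Constructed example of data-dictionary checks a database security diagnostic
-- script runs. Added illustration, not the service's own PL/SQL script.
-- Assumes DBA privileges on Oracle Database 11g or later.

-- (1) System configuration: security-relevant initialisation parameters.
--     Assumed hardened values: audit_trail <> 'NONE', audit_sys_operations = TRUE,
--     remote_os_authent = FALSE, o7_dictionary_accessibility = FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'remote_os_authent',
                'o7_dictionary_accessibility', 'remote_login_passwordfile',
                'sec_case_sensitive_logon', 'sql92_security')
 ORDER BY name;

-- (2a) User identification and authentication: OPEN accounts that still use a
--      vendor default password (DBA_USERS_WITH_DEFPWD, available since 11g).
SELECT d.username, u.account_status, u.profile, u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY d.username;

-- (2b) Password policy gaps: profiles with no password lifetime, no lockout
--      after failed logins, or no complexity verification function.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;

-- (3a) Access control: grantees holding "ANY" or system-wide privileges,
--      excluding the core Oracle schemas and the DBA role itself.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '% ANY %'
        OR privilege IN ('ALTER SYSTEM', 'BECOME USER', 'EXEMPT ACCESS POLICY'))
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- (3b) Who can connect AS SYSDBA / SYSOPER through the password file.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- (3c) Auditing in effect (traditional auditing): statement-level and
--      privilege-level audit options. An empty result means nothing is audited.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY audit_option;

SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY privilege;

-- (3d) Detection: failed logons in the last 7 days, grouped by account and
--      origin host (return code 1017 = ORA-01017 invalid username/password).
--      Requires audit_trail = DB and AUDIT SESSION to be enabled.
SELECT username, os_username, userhost, COUNT(*) AS failures
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode = 1017
   AND timestamp > SYSDATE - 7
 GROUP BY username, os_username, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

Each query maps to one finding type in a diagnostic report: (1) and (2b) feed the configuration and policy checkpoints, (2a), (3a) and (3b) feed the vulnerability and privilege findings, and (3c) and (3d) show whether the monitoring the "Why?" slide asks for (who accessed what, and when) is actually switched on and producing evidence.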
