Implementing Security Compliance Using Policy Groups - Sig

  • Uploaded by: Rob Zoeteweij
  • June 2020
  • Words: 693
  • Pages: 32
Implementing Security Compliance using Policy Groups
Rob Zoeteweij
Copyright – 2009 Zoeteweij Consulting

1

This Presentation…
  • Is pretty technical
  • Includes several (many) screen dumps
  • Covers OEM 10.2.0.4 – 10.2.0.5
  • Gives you an insight overview of: How to … / How it works
  • Is about how we do this at Rabobank

2

Agenda
  • Security at Rabobank
  • Policy Rules
  • Policy Groups
  • Q&A

3

Security at Rabobank
  • SOX
    • Sarbanes-Oxley Act of 2002 (Wikipedia)
    • Public Company Accounting Reform and Investor Protection Act of 2002
    • AKA Sarbanes-Oxley, Sarbox or SOX
    • Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
    • In response to a number of major corporate and accounting scandals, including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

4

Security at Rabobank
  • SOX
    • Not a static list
    • Not a standard list
    • The actual measures can differ per company
    • Both organisational and technical

5

Security at Rabobank
  • SOX
    • Measures to keep compliant with RABO Security Rules
      • Separation of facilities for Development, Testing and Production
        • Developers / testers don’t have access to Production servers
        • …
      • Backups need to be available and tested
        • Will be kept at a different location than the source
        • Need to be accessible for authorized employees only
      • Audit logs need to be created
        • All user actions must be logged and fully traceable to an individual
        • …
      • System access
        • Based on “Least privilege” and “Need to know”
        • ...

6

Security at Rabobank
  • BIV code
    • Availability – Integrity – Confidentiality (Dutch: Beschikbaarheid, Integriteit, Vertrouwelijkheid)
    • B – [1-3], I – [1-3], V – [1-3]
  • Impact
    • 1 – Low, 2 – Medium, 3 – High
  • Example
    • I=2
      • Financial transactions that can be reversed without any (image) damage
    • I=3
      • Financial transactions that cannot be reversed without any (image) damage

7

Security at Rabobank
  • BIV code
    • Availability – Integrity – Confidentiality
    • Applied to Systems
      • Applications
      • Application Servers
      • Servers (Hosts)
      • Database Listeners
      • Databases

8

Security at Rabobank
  • BIV codes in use
    • 222 – 232 – 233 – 322 – 332 – 333

9

Security implementation in OEM Policy Rules
  • Policies
    • Policies define the desired behaviour or characteristics of systems
    • A Policy is compliant if it is determined that a target meets the desired state
    • Example: Oracle Home Executable Files Permission
      • Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
    • If a Target does not meet this state, the Policy is violated

10
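The "Oracle Home Executable Files Permission" rule above is easy to express as a stand-alone check. The following is an added example, not OEM's own rule implementation and not code from the slides: it walks an ORACLE_HOME, skips ORACLE_HOME/bin, and reports every regular file whose mode grants read, write or execute to "other" (world). A violation list that is empty means the target meets the desired state, so the policy is compliant; otherwise it is violated. The throwaway directory built by `build_sample_oracle_home()` is a constructed fixture so the script runs without a real Oracle installation.

```python
import os
import stat
import tempfile

# Permission bits for "other" (world): read, write, execute
PUBLIC_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def find_public_files(oracle_home):
    """Return sorted relative paths of regular files below oracle_home
    (excluding everything under oracle_home/bin) that have any public
    read, write or execute bit set."""
    oracle_home = os.path.abspath(oracle_home)
    violations = []
    for root, dirs, files in os.walk(oracle_home):
        if root == oracle_home and "bin" in dirs:
            dirs.remove("bin")  # ORACLE_HOME/bin is exempt from this rule
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & PUBLIC_BITS:
                violations.append(os.path.relpath(path, oracle_home))
    return sorted(violations)


def evaluate_policy(oracle_home):
    """Policy result in OEM terms: compliant only if no file violates the desired state."""
    violations = find_public_files(oracle_home)
    return {"compliant": not violations, "violations": violations}


def build_sample_oracle_home():
    """Constructed fixture (not a real ORACLE_HOME): one exempt world-executable
    file in bin, one world-readable library (violation), one compliant config file."""
    home = tempfile.mkdtemp(prefix="oracle_home_")
    os.makedirs(os.path.join(home, "bin"))
    os.makedirs(os.path.join(home, "lib"))
    os.makedirs(os.path.join(home, "network", "admin"))
    spec = {
        "bin/sqlplus": 0o755,                  # public execute is allowed in bin
        "lib/libclntsh.so": 0o644,             # public read: violation
        "network/admin/tnsnames.ora": 0o640,   # no public bits: compliant
    }
    for rel, mode in spec.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so the process umask does not matter
    return home


if __name__ == "__main__":
    home = build_sample_oracle_home()
    result = evaluate_policy(home)
    print("compliant:", result["compliant"])
    for v in result["violations"]:
        print("violation:", v)
```

Run it against a real installation by calling `evaluate_policy("/u01/app/oracle/product/10.2.0/db_1")` (path is an illustrative assumption); the check only reads metadata, so it is safe to run as an unprivileged user that can traverse the tree.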

Security implementation in OEM Policy Rules
  • Policies – other examples
    • Ensure database auditing is enabled
      • Each activity in the database should be traceable
    • Default passwords
      • Ensure there are no default passwords for known accounts
    • Open Ports
      • Ensure that no unintended ports are left open
    • …

11

12 (screen dump)

Security implementation in OEM Policy Rules
  • Based on BIV codes in use
  • Monitoring Templates
    • Only Policy Rules included
    • STP – <Target type> – BIV<code>
      • STP – Listener – BIV332
      • STP – HTTP Server – BIV223
      • STP – Cluster Database – BIV322
      • …

13

14 (screen dump)

Security implementation in OEM Policy Rules
  • Use Groups to apply the Templates to the Targets
  • Group organisation
    • PG-<Target type>_BIV<code>_<Environment>
      • PG-Cluster_Databases_BIV233_Test
      • PG-Database_Instances_BIV333_Prod
      • …

15

Group PG-Cluster_Databases_BIV332_Test

Includes all Cluster Databases to which BIV code 332 applies
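The two slides above tie the group naming convention (PG-<Target type>_BIV<code>_<Environment>) to the monitoring template naming (STP – <Target type> – BIV<code>). The following added example, not code from the slides or from OEM, parses a group name, validates its BIV code against the codes in use listed earlier (222, 232, 233, 322, 332, 333), splits the code into its B, I and V levels, and derives the template name that group should receive. The mapping from the group's target-type token to the template's wording (`TYPE_NAMES`) is an assumption of this example, as is the use of a plain hyphen where the slides print a dash.

```python
import re

# BIV codes in use, as listed on the "Security at Rabobank" slide
BIV_CODES_IN_USE = {"222", "232", "233", "322", "332", "333"}

# PG-<Target type>_BIV<code>_<Environment>
GROUP_RE = re.compile(
    r"^PG-(?P<type>[A-Za-z_]+?)_BIV(?P<code>\d{3})_(?P<env>[A-Za-z]+)$"
)

# Assumed mapping: group target-type token -> wording used in template names
TYPE_NAMES = {
    "Cluster_Databases": "Cluster Database",
    "Database_Instances": "Database Instance",
    "Listeners": "Listener",
    "HTTP_Servers": "HTTP Server",
}


def parse_biv(code):
    """Split a three-digit BIV code into Availability, Integrity, Confidentiality levels (1..3)."""
    if not re.fullmatch(r"[123]{3}", code):
        raise ValueError(f"invalid BIV code: {code!r}")
    b, i, v = (int(ch) for ch in code)
    return {"availability": b, "integrity": i, "confidentiality": v}


def parse_group_name(name):
    """Validate a group name against the convention and the BIV codes in use."""
    m = GROUP_RE.match(name)
    if not m:
        raise ValueError(f"group name does not follow PG-<type>_BIV<code>_<env>: {name!r}")
    code = m.group("code")
    if code not in BIV_CODES_IN_USE:
        raise ValueError(f"BIV code {code} is not one of the codes in use")
    return {
        "target_type": m.group("type"),
        "code": code,
        "biv": parse_biv(code),
        "env": m.group("env"),
    }


def template_for_group(name):
    """Derive the monitoring template a group should get: STP - <Target type> - BIV<code>."""
    info = parse_group_name(name)
    type_name = TYPE_NAMES.get(info["target_type"], info["target_type"].replace("_", " "))
    return f"STP - {type_name} - BIV{info['code']}"


def group_name_for_target(target_type_token, code, env):
    """Inverse direction: build the group name a target belongs in, validating the code."""
    name = f"PG-{target_type_token}_BIV{code}_{env}"
    parse_group_name(name)  # raises if the result would not be a valid group name
    return name


if __name__ == "__main__":
    for g in ["PG-Cluster_Databases_BIV233_Test", "PG-Database_Instances_BIV333_Prod"]:
        print(g, "->", template_for_group(g), parse_group_name(g)["biv"])
```

Rejecting codes outside `BIV_CODES_IN_USE` up front is the useful part: a target placed in a mistyped group such as `PG-Listeners_BIV111_Test` would otherwise silently receive no template and therefore no policy rules.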

16

Slides 17 to 21: screen dumps

Security implementation in OEM Policy Groups
  • Policy Groups
    • Compliance
    • Logical Group of Policies
    • 10.2.0.4 – 3 Out of Box Groups
      • Secure Configuration for Oracle Database
      • Secure Configuration for Oracle Listener
      • Secure Configuration for Oracle Real Application Cluster
    • 10.2.0.5 – Create your own

22

Security implementation in OEM Policy Groups

[Diagram: a Policy Group consists of Rule 1, Rule 2 … Rule n and has an Evaluation Schedule; it is evaluated against Target 1, Target 2 … Target n, which are organised in a Group]

23
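The diagram above (a policy group = a set of rules with an evaluation schedule, applied to a group of targets) and the "other examples" slide (auditing enabled, no default passwords, no unintended open ports) together describe an evaluation matrix: every rule is checked against every target, and the compliance score is the share of compliant cells. The following is an added example, not OEM's evaluation engine and not code from the slides, that models that matrix in plain Python. The target facts are constructed sample data; in OEM they would come from the collected configuration of the target. The `evaluation_schedule` is recorded only, not acted on.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    check: Callable[[dict], bool]  # True when the target meets the desired state


@dataclass
class Target:
    name: str
    facts: dict  # constructed configuration facts for this example


@dataclass
class PolicyGroup:
    name: str
    evaluation_schedule: str  # e.g. "daily 02:00"; stored, not scheduled here
    rules: List[Rule]
    targets: List[Target]


def allowed_ports_only(facts):
    """Open Ports rule: every listening port must be on the target's allowed list."""
    return set(facts["listening_ports"]) <= set(facts["allowed_ports"])


RULES = [
    Rule("Database auditing enabled", lambda f: f["audit_trail"].upper() != "NONE"),
    Rule("No default passwords", lambda f: not f["accounts_with_default_password"]),
    Rule("No unintended open ports", allowed_ports_only),
]


def evaluate(group):
    """Evaluate every rule against every target: (target, rule) -> compliant?"""
    return {
        (t.name, r.name): bool(r.check(t.facts))
        for t in group.targets
        for r in group.rules
    }


def compliance_summary(results):
    """Aggregate a result matrix into OEM-style compliance figures."""
    total = len(results)
    compliant = sum(1 for ok in results.values() if ok)
    violations = sorted(key for key, ok in results.items() if not ok)
    score = round(100.0 * compliant / total, 1) if total else 100.0
    return {"total": total, "compliant": compliant, "score_pct": score, "violations": violations}


def sample_group():
    """Constructed sample: a test cluster-database group with one clean and one violating target."""
    return PolicyGroup(
        name="PG-Cluster_Databases_BIV233_Test",
        evaluation_schedule="daily 02:00",
        rules=RULES,
        targets=[
            Target("TESTDB1", {"audit_trail": "DB", "accounts_with_default_password": [],
                               "listening_ports": [1521], "allowed_ports": [1521]}),
            Target("TESTDB2", {"audit_trail": "NONE", "accounts_with_default_password": ["SCOTT"],
                               "listening_ports": [1521, 8080], "allowed_ports": [1521]}),
        ],
    )


if __name__ == "__main__":
    summary = compliance_summary(evaluate(sample_group()))
    print(f"{summary['compliant']}/{summary['total']} compliant ({summary['score_pct']}%)")
    for target, rule in summary["violations"]:
        print("violation:", target, "-", rule)
```

Keeping rules as data rather than hard-coded branches is what lets 10.2.0.5-style "create your own" groups reuse the same evaluator: a new policy group is just a different `rules` list attached to a different target group.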

Slides 24 to 31: screen dumps

Q&A

32
