Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes Oxley & The Gramm Leach Bliley Act GLB
Customer Reviews: 3
Written by Don Burleson, one of the world's top developers and author of best-selling Oracle books, and Arup Nanda, this book targets their substantial knowledge of Oracle internals at the problem of auditing. With decades of experience installing Oracle auditing, Arup Nanda shares secrets for the effective creation of auditing mechanisms for HIPAA-compliant Oracle systems.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure privacy for medical patient data. HIPAA requires complete auditing to show everyone who has viewed confidential medical patient information. This applies to hospitals, insurance companies, and dozens of healthcare-related industries. HIPAA thus demands a framework that provides complete access security and auditing for Oracle database information.
This book provides complete details for using Oracle auditing features, including auditing from Oracle redo logs, using system-level triggers, and using Oracle9i fine-grained auditing (FGA) for auditing the retrieval of sensitive information.
Best of all, Burleson & Nanda share dozens of working samples in their online code depot. Examples from all areas of auditing are covered with working scripts and code snippets. The time saved by a single script is worth the price of this great book.
Key Features:
- Provides a complete conceptual framework for all areas of Oracle auditing.
- Covers HIPAA requirements and shows Oracle techniques for enforcing HIPAA requirements inside the Oracle database.
- Offers fast working examples for basic Oracle auditing techniques and scripts.
- Shows the use of the Oracle9i LogMiner to retrieve audits of database updates.
- Shows how to implement all Oracle system-level triggers for auditing, including DDL triggers, servererror triggers, and logon and logoff triggers.
- Provides working code examples for auditing the viewing of sensitive information using triggers and Oracle9i fine-grained auditing (FGA).
Table of Contents
Section I - Overview
Chapter 1: Introduction to HIPAA
Introduction to HIPAA: the law, the requirements and the mandates placed by the new regulation. The chapter stresses that HIPAA consists of two important domains: (i) the mandate to protect data and enforce security and privacy and (ii) the description of several types of EDI/EC transactions. This book covers the first domain, pertaining to security and data protection.
Chapter 2: Introduction to Oracle Security
A detailed overview of the Oracle security mechanisms and their relevance to HIPAA.
- Grant security
- Role-based security
- Profile-based security
- Grant execute security (invoker & definer rights)
- Virtual private databases (row-level security, fine-grained access control)
- Application Server security
Chapter 3: Introduction to Oracle Auditing
An overview of the tools and techniques that are used for HIPAA auditing of Oracle databases.
- DDL auditing
- DML auditing
- SELECT auditing
  - Oracle audit SQL commands
  - Fine-grained auditing
- Auditing backup & recovery
  - Auditing the disaster recovery plan
  - Auditing the continuous availability plan
- Auditing replicated data
- Auditing sources for materialized views
Section II - Security
Chapter 4: General Oracle Security
This is a review of the standard relational grant security as expected in the HIPAA requirements.
- Profile security
- Grant security
  - System privileges
  - Object privileges
  - Granting to PUBLIC
  - Grants with ADMIN option
- Role-based security
  - Views and grant security
  - Row-level security with views
- Grant execute security
  - Definer rights and invoker rights
- SQL*Plus security
  - The use of product_user_profile
  - Restricting logon attempts
Chapter 5: Virtual Private Database
Topics include a detailed description of VPD and how it can be used to enforce security and privacy as per HIPAA requirements.
- Benefits of FGAC
  - Dynamic security: predicates are assigned to users at runtime, and there is no need to maintain complex roles and grants.
  - Multiple security: place more than one policy on each object, as well as stack them upon other base policies.
  - No dictionary view proliferation: thousands of views are no longer required to manage row-level security.
  - No back doors: users can no longer bypass security policies embedded in applications, because the security policy is attached to the data.
  - Complex access rules: scalar values (e.g. where salary > 50000) can be deployed.
- Issues with FGAC
  - Requires a user account for every person accessing Oracle
  - Difficult to reconcile with other GRANT security
  - Access rules are stored inside stored procedures, which can be changed
  - Foreign key referential integrity can be used to bypass FGAC
  - Cursor caching in pre-8.1.7 releases allows bypassing of FGAC
- Predicate-based security internals
- Security policies
- Application contexts
- Example of FGAC in action
Chapter 6: Data Encryption in Oracle
A description of all types of encryption available in Oracle to satisfy HIPAA requirements.
- Types of encryption: DES, 3DES, MD5, etc.
- Details on using the dbms_obfuscation_toolkit package
- Using hashing functions to encrypt data
- Using data compression as encryption
Chapter 7: Oracle Network Security
- Vulnerabilities and threats in Oracle networks
- Listener buffer overflow
- SQL injection
- Packet sniffing
- IP filtering with Connection Manager
Section III - Auditing
Chapter 8: Oracle Audits
- Audits in Oracle for various DML statements
- Managing audit tables
- Archiving audit tables to archival media such as CD-ROM or tape
- Various examples describing the auditing functionality in Oracle
Chapter 9: Oracle Trigger Auditing
- DDL auditing
  - System triggers for DDL auditing
  - Using dictionary-based DDL
  - Auditing source code changes
  - Auditing DDL versioning
- DML auditing
  - Installing automatic auditing using LogMiner
  - Usage of LogMiner for HIPAA update auditing requirements
  - Auditing with DML triggers
- Server error auditing
  - Servererror trigger
  - Reports
Chapter 10: Auditing Grant Security
Overview of data dictionary query scripts to locate faults in grant-based and role-based security to satisfy HIPAA requirements.
- Auditing for system privileges
- Auditing for WITH ADMIN option
- Auditing for synonyms
- Auditing for PUBLIC objects
Chapter 11: Oracle Fine Grained Auditing
Fine Grained Auditing (FGA) in Oracle9i makes possible the hitherto impossible task of auditing the exact statement a user issued simply to select data, not update it, as required by HIPAA.
- Use of the dbms_fga package
- Auditing select access as per the HIPAA-mandated auditing of Patient Health Information (PHI)
- Archiving of audit information to tertiary media (optical CD-ROM & tape)
- Combining FGA and Flashback queries to answer the most important question: in addition to who saw the data, what they saw
Chapter 12: HIPAA Checklists for Security and Auditing
A checklist of HIPAA requirements (and the Oracle features described in this book) that can be used to satisfy the requirements.
This book covers Oracle security auditing.
About the Authors
Arup Nanda is the recipient of the DBA of the Year 2003 award from Oracle Corporation. This award is among the most highly coveted in the database industry, and each year only one of more than a quarter million Oracle professionals is honored by this distinction.
A decade of experience as a DBA has made Arup an expert in many Oracle areas
including Oracle Design, Oracle Modeling, Oracle Performance Tuning and Oracle
Backup & Recovery.
Arup is a frequent speaker in many Oracle related conferences
including IOUG Live and has written several Oracle related articles in technical
journals in the US and Europe. He is on the editorial board for SELECT Journal,
the publication of the International Oracle Users Group.
Don Burleson is one of the world’s top Oracle Database
experts with more than 20 years of full-time DBA experience. He specializes
in creating database architectures for very large online databases and he has
worked with some of the world’s most powerful and complex systems.
A former adjunct professor, Don Burleson has written 14 books, published more than 100 articles in national magazines, and serves as Editor-in-Chief of Oracle Internals. Don is a popular lecturer and teacher and is a frequent speaker at Oracle OpenWorld and other international database conferences.
Customer Reviews
Jan 11, 2005, Bernard from US: Where is the SOX information?
Other than the cover page... could not find any mention of any related SOX data.

Dec 26, 2004, Hank: No Focus
Book is not well thought out. No focus. Not edited well. Does cover auditing but not in relation to each of the federal law requirements identified in the title. Does brush some Oracle security features. 10g information is not accurate.

Jan 25, 2004: Excellent Coverage, Good Writing
I was waiting for this to come on Bookpool. Decision to buy it was a little hard - it's pricey and primary author Arup Nanda is not very well known; but after going through it, I think I have recovered more than it's worth. At least the section on Virtual Private Database along with application contexts is simply excellent. The authors know their stuff.