Monday, March 11, 2024

Customizing risk assessment in Oracle Data Safe

Oracle Data Safe Security Assessment helps you assess and monitor changes to your database security risks by identifying security misconfigurations, missing policies, users, and entitlements. After the initial risk identification, customers typically evaluate the risks by validating them and their risk levels before remediating them. Sometimes the identified risk is not applicable as there might be some other mitigating control or it might not be important for your business or auditors. Customers would like Data Safe to adjust the findings to match their organization’s specific needs and help streamline the assessment process.

We are pleased to announce that you can now “defer risk” or “change risk” level to match your specific environment and deployment. “Defer Risk” allows you to indicate that you have reviewed the finding and will work on it later (or, eventually, never) so that it doesn’t show up again as a finding in subsequent reports. “Change Risk” allows you to raise or lower the severity of a finding to suit your requirements.

Use Cases


In the example below, the organization has decided to “defer” the risk for users with expired passwords until they can study who these users are.

Figure 1. Data Safe Security Assessment - Deferring or changing a finding risk level.

Use case 1


Data Safe Security Assessment identified that the database does not have a recent backup (no records in the last 90 days) and flagged it as a High Risk. In this case, however, the database was backed up within the last 80 days, but as a cold backup using third-party technology. You have decided that there is no risk and can now mark the finding as a “Pass.” The assessment report would then no longer show it as a finding.

Use case 2


Security Assessment identified that you have five users with the DBA role and marked it as “Evaluate.” After careful examination, you’ve noticed that all five users are approved accounts for your company’s database administrators. Despite reading the remarks on why it is better not to use the out-of-the-box DBA role, you consciously decided to mark it as “Low risk.” Database administrators are still using the default DBA role but there are plans to review their privileges with Privilege Analysis and to create a customized DBA role with only the necessary privileges. Additionally, Database Vault realms protect the application schemas to further reduce the risk of misuse or compromise.

Figure 2. Deferring risks for later reevaluation

Use case 3


Security Assessment identified an application service account whose profile allows unlimited failed logins. Investigation reveals that after the last password change several batch processes continued to use the old password, locking the application account and causing an outage. The issue is being worked on, with plans to implement gradual password rollover for all application account profiles. In the meantime, failed login attempts are being audited, and Audit Vault is configured to alert whenever a new failed login attempt is made. The risk is set to deferred until the password rollover profiles are implemented.
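Before deferring or re-rating a finding, a DBA will normally want to confirm it against the database itself. The following SQL is an added example, not part of the Oracle post, showing the checks behind the three use cases above (recent backups, holders of the DBA role, and profiles with unlimited failed logins), together with the compensating audit policy and the gradual password rollover setting mentioned in use case 3. The profile name APP_SVC_PROFILE and the policy name FAILED_LOGON_POL are assumed; the views and parameters are standard Oracle Database objects.

```sql
-- Added example (not from the Oracle post): validation queries a DBA might
-- run before deferring or re-rating the findings discussed above.
-- Run as a user with SELECT on the DBA_ and V$ views. Names in lower case
-- that are not Oracle objects (app_svc_profile, failed_logon_pol) are assumed.

-- Use case 1: successful RMAN backups in the last 90 days. A cold backup taken
-- with third-party tooling is not recorded here, which is why the finding
-- must be verified against the backup system before it is marked as a pass.
SELECT input_type, status, start_time, end_time
FROM   v$rman_backup_job_details
WHERE  status IN ('COMPLETED', 'COMPLETED WITH WARNINGS')
AND    start_time >= SYSDATE - 90
ORDER  BY start_time DESC;

-- Use case 2: customer-created accounts holding the out-of-the-box DBA role
-- (Oracle-maintained accounts are excluded so only approved human or
-- application grantees remain to be reviewed).
SELECT rp.grantee, rp.admin_option, u.account_status, u.profile
FROM   dba_role_privs rp
JOIN   dba_users u ON u.username = rp.grantee
WHERE  rp.granted_role = 'DBA'
AND    u.oracle_maintained = 'N'
ORDER  BY rp.grantee;

-- Use case 3: profiles that never lock an account on failed logins, and the
-- accounts assigned to them.
SELECT p.profile, u.username, u.account_status
FROM   dba_profiles p
JOIN   dba_users u ON u.profile = p.profile
WHERE  p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
AND    p.limit = 'UNLIMITED'
AND    u.oracle_maintained = 'N'
ORDER  BY p.profile, u.username;

-- Compensating control while the finding is deferred: record failed logons
-- with unified auditing (Oracle Database 12c and later).
CREATE AUDIT POLICY failed_logon_pol ACTIONS LOGON;
AUDIT POLICY failed_logon_pol WHENEVER NOT SUCCESSFUL;

-- Evidence the compensating control is working: failed logons captured
-- in the last day (return_code is non-zero for a failed LOGON action).
SELECT event_timestamp, dbusername, userhost, return_code
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0
AND    event_timestamp >= SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp DESC;

-- Planned remediation: gradual password rollover keeps both the old and the
-- new password valid for PASSWORD_ROLLOVER_TIME (in days; 1/24 is one hour,
-- maximum 60) so batch jobs can be updated without lockouts. Available from
-- Oracle Database 19c RU 19.12 and 21c. Only after the batch jobs have been
-- moved to the new password should FAILED_LOGIN_ATTEMPTS be restored to a
-- finite value.
ALTER PROFILE app_svc_profile LIMIT
  PASSWORD_ROLLOVER_TIME 1
  FAILED_LOGIN_ATTEMPTS  10;
```

The first query is deliberately limited to what RMAN knows; if the backup evidence lives outside the database, attach it to the justification when you mark the finding as a pass, since the risk modification report is where an auditor will look for it later.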

Risk Modification Report


The user changing the risk level will need to provide a justification for the change. The user can also set an expiration date. Setting an expiration date clears the override at that time, after which the assessment again shows the finding at its original level.

Modified risk levels are tracked and available under the “Risk modification report.” In this report you will see the originally identified risk level, the modified risk level, or whether the risk was deferred, along with the justification and the expiration date. The user that made the change and the last update time are also tracked.

Figure 3. Data Safe Security Assessment – Risk modification report.

Conclusion

With this addition, Data Safe helps you streamline and adjust the assessment report to meet your corporate and regulatory needs. Now, in addition to assessing your database according to standard practices, you can also customize the risk levels, manually pass findings, and track your progress toward compliance.

Source: oracle.com
