Governance, Risk & Compliance Advisory Blog
Insights on best practices related to IT Audit & Compliance

An overview on auditing Oracle Applications and Database

December 31, 2010 11:04 by nirav

Oracle provides a vast range of options for enabling audit. However, most companies struggle to understand how to use these options and which of them need to be enabled in order to be compliant. There is also the question of which audit options can be enabled without compromising the performance of the systems. The solution is to strike a balance: configure auditing properly and audit only the appropriate tables, so that there is no measurable performance impact. Therein lies the challenge.

Below are some pointers that organizations should keep in mind in order to make the best use of the audit options that Oracle provides, while at the same time not compromising performance.

Initial Steps

One of the simplest ways to audit is to ensure that a basic set of audit trails is enabled all the time. These could be as basic as ensuring that system logs capture user access and the privileges assigned to the various users. Also ensure that logs capture the changes being made to the database schema and the users making those changes. Although this may not be the most comprehensive of audits, it ensures that attacks can be detected and that more detailed audits can then be enabled.

Auditing Users

Oracle’s standard audit commands allow all system privileges to be audited, along with object-level access to any table or view in the database for select, delete, insert or update. Auditing can be activated for successful attempts, for failures, or for both. Audit trails can be enabled for individual users as well as for groups or privilege levels. With action-level auditing, an individual record is created per action; with session-level auditing, one record is created for all audited actions per session.

Tackling Performance Issues

A common misunderstanding is that enabling audit generally makes the system slower and affects performance negatively. Although this feeling may not be without reason, the real cause is often a lack of awareness of how to balance audit and performance. If all audit trails are enabled, yes, performance may be affected. However, it is also true that this churns out an audit trail that may not make much sense: it is extremely difficult to manage and interpret such huge amounts of data into something that can be used as an effective control mechanism. The key factor here is to “Keep It Simple”. As mentioned earlier, organizations need to identify the critical tables and, for starters, enable audit trails only on those tables. If any attacks are detected, they can be probed further. The same applies to user-level auditing: organizations need to decide whether to turn on action-level or session-level audit without affecting the performance of the systems. Although much may be said about performance, it is also true that audit needs have to be catered for, and the balance between the two is typically where organizations struggle.
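As an added example (not part of the original post), the following Oracle standard-auditing baseline turns the three points above into concrete commands: the basic trail from Initial Steps, the statement, privilege and object-level options from Auditing Users, and the restriction to a few critical tables from this section. It assumes a 10g/11g database with traditional (non-unified) auditing, a DBA session, and a placeholder critical table HR.EMPLOYEES that stands in for whatever your own risk assessment identifies.

```sql
-- Added example, not the post's own script. Assumes Oracle 10g/11g traditional
-- auditing, a DBA session, and HR.EMPLOYEES as a placeholder critical table.

-- 1. Write audit records to the database, including SQL text and bind values.
--    Takes effect after a restart; audit_sys_operations also records SYSDBA work.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. "Initial Steps": user access, privilege assignment and schema changes.
AUDIT SESSION;                                          -- one record per logon/logoff
AUDIT USER, ROLE, SYSTEM GRANT BY ACCESS;               -- CREATE/ALTER/DROP USER|ROLE, GRANT/REVOKE
AUDIT TABLE, ALTER TABLE, PROCEDURE, TRIGGER BY ACCESS; -- DDL on schema objects

-- 3. "Auditing Users": object-level audit on the critical table only.
--    Changes are recorded per action; reads once per session to limit volume.
AUDIT INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;
AUDIT SELECT ON hr.employees BY SESSION;

-- 4. Failures only: detects misuse attempts without logging every success.
AUDIT SELECT ANY TABLE, ALTER ANY TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 5. Verify what is switched on (the evidence an auditor will ask for).
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT privilege, success, failure    FROM dba_priv_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR';

-- 6. Review: failed actions (returncode <> 0, e.g. bad logons) and all
--    recorded activity on the critical table in the last 24 hours.
SELECT username, os_username, userhost, timestamp, action_name, returncode
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
   AND (returncode <> 0 OR obj_name = 'EMPLOYEES')
 ORDER BY timestamp;
```

Step 6 is the query to schedule for the periodic review; the trail grows with every audited action, so purge or archive AUD$ on a fixed cycle once the baseline is in place.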

Finally, organizations should realize that there is no standard, one-size-fits-all approach to auditing any application or database. What works for one organization may not be good for you, and what used to work earlier may no longer be good today. With the growth of technology as well as cyber crime, you need to keep updating your triggers as well as your audit trails. Row-level audits may not be the solution to all audit questions. Management inclination towards better audit is a must. It needs to be complemented by better reporting and governance structures in order to ensure that information is secure.



Overview on ISO27001 approach and implementation

December 12, 2010 17:46 by nirav

In today’s world, along with the growth of technologies, new threats to information have also become a fact of life for most organizations. That being said, information security has become one of the main pillars of any IT organization within a company. Simply put, information security is the process by which an organization puts controls in place to ensure that business-critical servers and applications are protected from unauthorized usage. This requires the deployment and implementation of appropriate protection and prevention mechanisms, and compliance with them.

ISO27001 Approach

ISO 27001 is the international standard defining the desired methods of controlling the confidentiality, integrity and availability of information. The CIA triad (Confidentiality – Integrity – Availability) is the pillar around which an ISO 27001 implementation revolves:

• Confidentiality: Keeping private information away from individuals who should not have access to it.
• Integrity: Data is consistent and has not been modified without authorization.
• Availability: Reliable and timely access to the data and resources you are authorized to use.

An ISO27001 implementation would also help evolve an effective ISMS (Information Security Management System). A typical ISO27001 policy follows a PDCA (Plan – Do – Check – Act) cycle.

Establish ISMS – This defines the scope and boundaries of the ISMS. As simple as this may sound, this is where most companies struggle to strike a balance between the cost of implementation and the scope of activities covered by the certification. Once the scope is finalized, define the ISMS policy, decide on the risk assessment (RA) methodology and the risk treatment options, and prepare the Statement of Applicability (SoA). The RA will help identify the critical assets that need to be protected and the controls that exist or need to be implemented. Organizations need to decide on acceptable levels of risk, since control implementation has costs associated with it.

Implement and operate ISMS – This follows your RA and the evaluation of the cost of controls. Identified risks to critical assets need to be reduced to bring them down to the acceptable levels of risk. This could be through implementing new controls or just modifying existing controls. The risk that remains is also known as residual risk. After implementation, the organization would need to move on to the next phase.

Monitor and Review ISMS – The organization would need to undertake periodic reviews of the effectiveness of the ISMS in order to ensure that control objectives are being met and are aligned with business objectives. This review should be conducted by the MISF.
Completing the PDCA cycle, the organization also needs to continuously review the ISMS implementation in order to ensure that the identified improvement measures get executed.

Conclusion: The way ahead for ISO is that it should be flexible enough to deal with the growing complexity and scale of information security threats to the organization.
It should ensure that the supporting information security policy is sound and enforceable, and recognize that people and processes are critical and that technology is just a small part of an overall IT framework.

