Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes Oxley & The Gramm Leach Bliley Act GLB

Arup Nanda, Donald Burleson

  • Publisher: Rampant Tech Press
  • Publication date: 2003-12-01
  • Price: $1,980
  • Member price: $1,881 (95% of list)
  • Language: English
  • Pages: 655
  • Binding: Paperback
  • ISBN: 0972751394
  • ISBN-13: 9780972751391
  • Categories: Oracle, Information security
  • Out of print

Product description

Description:

Written by two of the world's top Oracle developers and authors of best-selling Oracle books, Don Burleson and Arup Nanda bring their substantial knowledge of Oracle internals to this important book. With decades of experience implementing Oracle auditing, Arup Nanda shares techniques for building effective auditing mechanisms for HIPAA-compliant Oracle systems.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure the privacy of medical patient data. HIPAA requires complete auditing to show everyone who has viewed confidential patient information. This applies to hospitals, insurance companies, and dozens of healthcare-related industries. HIPAA's security and privacy rules thus define the access-control and auditing requirements that an Oracle database holding patient data must meet.

This book provides complete details on using Oracle's auditing features, including auditing from the Oracle redo logs, using system-level triggers, and using Oracle9i fine-grained auditing (FGA) to audit the retrieval of sensitive information.

Best of all, Burleson and Nanda share dozens of working samples in their online code depot. Examples from all areas of auditing are covered with working scripts and code snippets. The time saved by a single script is worth the price of this book.

 

Table of Contents:

Section I - Overview
 
Chapter 1: Introduction to HIPAA
 
An introduction to HIPAA: the law, its requirements and the mandates it places on covered organizations. The chapter stresses that HIPAA consists of two important domains: (i) the mandate to protect data and enforce security and privacy, and (ii) the specification of several types of EDI/EC transactions. This book covers the first domain, security and data protection.

Chapter 2: Introduction to Oracle Security
 
A detailed overview of the Oracle security mechanisms and their relevance to HIPAA.

  • Grant security
  • Role-based security
  • Profile based security
  • Grant execute security (invoker & definer rights)
  • Virtual private databases (row-level security, fine-grained access control)
  • Application Server Security

Chapter 3: Introduction to Oracle Auditing
 
An overview of the tools and techniques that are used for HIPAA auditing of Oracle databases. 

  • DDL auditing
  • DML auditing
  • SELECT auditing
    o       Oracle AUDIT SQL commands
    o       Fine-grained auditing
  • Auditing backup & recovery
    o       Auditing the disaster recovery plan
    o       Auditing the continuous availability plan
  • Auditing replicated data
  • Auditing sources for materialized views

Section II - Security
 
Chapter 4: General Oracle Security
 
This is a review of the standard relational grant security as expected in the HIPAA requirements.

  • Profile Security
  • Grant security
    o       System privileges
    o       Object privileges
    o       Granting to public
    o       Grants with ADMIN option
  • Role-based security
    o       Views and grant security
    o       Row-level security with views
  • Grant execute security
    o       Definer rights and invoker rights.
  • SQL*Plus Security
    o       The use of product_user_profile
    o       Restricting Logon Attempts

Chapter 5: Virtual Private Database
 
Topics include a detailed description of VPD and how they can be used to enforce security and privacy as per HIPAA requirements.

  • Benefits of FGAC
    o       Dynamic security – Predicates are attached to statements at runtime, so there is no need to maintain complex roles and grants.
    o       Multiple security – More than one policy can be placed on each object, and policies can be stacked on top of other base policies.
    o       No dictionary view proliferation – Thousands of views are no longer required to manage row-level security.
    o       No back-doors – Users can no longer bypass security policies embedded in applications, because the policy is attached to the data itself.
    o       Complex access rules – Predicates on scalar values (e.g. WHERE salary > 50000) can be deployed.
  • Issues with FGAC
    o       Requires a user account (or a trusted application context) for every person accessing Oracle
    o       Difficult to reconcile with other GRANT security
    o       Access rules live inside stored PL/SQL policy functions, which can be changed by anyone with the privileges to alter them
    o       Foreign key referential integrity can be used to bypass FGAC (the existence of hidden parent rows can be inferred)
    o       Cursor caching in releases before 8.1.7 allowed bypassing of FGAC
  • Predicate-based security internals
  • Security policies
  • Application contexts
  • Example of FGAC in action
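The mechanism the chapter describes (an application context populated by trusted code, a policy function that returns a predicate, and DBMS_RLS attaching that predicate to every statement on the table) is shown below as an added example. It is not code from the book or its code depot. The schema CLINIC, the tables CLINIC.PATIENTS(patient_id, dept_id, ssn, diagnosis) and CLINIC.STAFF(username, dept_id), and the context name HIPAA_CTX are assumptions for illustration; the DBMS_RLS and DBMS_SESSION calls are the documented Oracle APIs.

```sql
-- Added example (not from the book's code depot): VPD/FGAC on a hypothetical
-- CLINIC.PATIENTS table. Assumed: CLINIC.PATIENTS(patient_id, dept_id, ssn,
-- diagnosis) and CLINIC.STAFF(username, dept_id), which maps each database
-- user to the one department whose patients they may see. Run as a DBA with
-- EXECUTE on DBMS_RLS.

-- 1. An application context that only CLINIC.HIPAA_CTX_PKG may populate.
--    Attempts to set it from any other code path are rejected by the kernel.
CREATE OR REPLACE CONTEXT hipaa_ctx USING clinic.hipaa_ctx_pkg;

CREATE OR REPLACE PACKAGE clinic.hipaa_ctx_pkg AS
  PROCEDURE set_dept;
END hipaa_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY clinic.hipaa_ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept clinic.staff.dept_id%TYPE;
  BEGIN
    -- The department comes from a trusted table keyed by the authenticated
    -- user, never from a parameter the caller could choose.
    SELECT dept_id INTO v_dept
      FROM clinic.staff
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('hipaa_ctx', 'dept', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unknown user: leave 'dept' unset; the policy then returns no rows
  END set_dept;
END hipaa_ctx_pkg;
/

-- 2. Populate the context at logon, before the session's first query.
--    An unhandled exception here would block logons for users without
--    ADMINISTER DATABASE TRIGGER, which is why set_dept swallows NO_DATA_FOUND.
CREATE OR REPLACE TRIGGER clinic.hipaa_ctx_logon_trg
  AFTER LOGON ON DATABASE
BEGIN
  clinic.hipaa_ctx_pkg.set_dept;
END;
/

-- 3. Policy function. The kernel calls it and appends the returned predicate
--    to every statement on the table, whatever tool or application issued it.
CREATE OR REPLACE FUNCTION clinic.patients_dept_policy
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- Deny by default: when 'dept' is NULL, "dept_id = NULL" matches no rows.
  RETURN 'dept_id = SYS_CONTEXT(''hipaa_ctx'', ''dept'')';
END patients_dept_policy;
/

-- 4. Attach the policy. UPDATE_CHECK => TRUE also applies the predicate to the
--    values written by INSERT/UPDATE, so a user cannot move a row into a
--    department they are not permitted to read.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'CLINIC',
    object_name     => 'PATIENTS',
    policy_name     => 'PATIENTS_DEPT_POLICY',
    function_schema => 'CLINIC',
    policy_function => 'PATIENTS_DEPT_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 5. Confirm which statement types the policy covers and that it is enabled.
SELECT policy_name, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_owner = 'CLINIC'
   AND object_name  = 'PATIENTS';
```

Two of the "Issues with FGAC" above are visible in this code: whoever can redefine CLINIC.PATIENTS_DEPT_POLICY or CLINIC.HIPAA_CTX_PKG rewrites the access rule, so those objects need the same protection as the data, and SYS plus any account holding the EXEMPT ACCESS POLICY system privilege bypass the policy entirely.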

Chapter 6: Data Encryption in Oracle
 
A description of all types of encryption (available in Oracle) to satisfy HIPAA requirements.

  • Algorithms available – DES and 3DES (encryption), MD5 (a one-way hash, not encryption), etc.
  • Details on using the dbms_obfuscation_toolkit package
  • Using hashing functions to protect data (one-way: suitable where values only need to be compared or integrity-checked, never recovered)
  • Using data compression as encryption (compression only obscures data and gives no confidentiality; it is not a substitute for encryption)

Chapter 7: Oracle Network Security

  • Vulnerabilities and threats in Oracle Networks
  • Listener Buffer Overflow
  • SQL Injection
  • Packet Sniffing
  • IP Filtering with Connection Manager

Section III - Auditing
 
Chapter 8: Oracle Audits

  • Audits in Oracle for various DML statements
  • Managing audit tables
  • Archiving Audit Tables to archival media like CDROM or Tape
  • Various examples describing the auditing functionality in Oracle.

Chapter 9: Oracle Trigger Auditing

  • DDL Auditing
    o       System triggers for DDL auditing
    o       Using Dictionary-based DDL
    o       Auditing source code changes
    o       Auditing DDL versioning
  • DML Auditing
    o       Installing Automatic Auditing Using LogMiner
    o       Usage of Logminer for HIPAA update auditing requirements
    o       Auditing with DML triggers
  • Server Error Auditing
    o       Servererror trigger
    o       Reports
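The two system-trigger techniques this chapter names, DDL auditing and SERVERERROR auditing, are shown below as an added example; it is not code from the book or its code depot. The schemas AUDIT_OWNER (holding the trail) and CLINIC (the application) are assumptions for illustration; the ORA_* event attribute functions and the trigger events are the documented Oracle ones.

```sql
-- Added example (not from the book's code depot): system-event triggers that
-- record DDL and selected server errors. Assumed: a locked-down AUDIT_OWNER
-- schema that holds the audit tables and on which application users hold no
-- privileges, so they can neither read nor alter the trail. Run as a DBA.

CREATE TABLE audit_owner.ddl_audit (
  event_time  DATE DEFAULT SYSDATE,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(30),
  host        VARCHAR2(64),
  event_type  VARCHAR2(30),    -- CREATE, ALTER, DROP, GRANT, REVOKE, ...
  obj_owner   VARCHAR2(30),
  obj_name    VARCHAR2(30),
  obj_type    VARCHAR2(30));

CREATE TABLE audit_owner.error_audit (
  event_time  DATE DEFAULT SYSDATE,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(30),
  host        VARCHAR2(64),
  error_no    NUMBER,
  error_msg   VARCHAR2(512));

-- Fires after every DDL statement. The ORA_* event attribute functions expose
-- what was done and to which object; the DDL's implicit commit persists the row.
CREATE OR REPLACE TRIGGER audit_owner.ddl_audit_trg
  AFTER DDL ON DATABASE
BEGIN
  INSERT INTO audit_owner.ddl_audit
    (db_user, os_user, host, event_type, obj_owner, obj_name, obj_type)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     ORA_SYSEVENT,
     ORA_DICT_OBJ_OWNER,
     ORA_DICT_OBJ_NAME,
     ORA_DICT_OBJ_TYPE);
END;
/

-- Fires on server errors. Only errors that suggest probing are kept:
-- ORA-00942 (table or view does not exist) and ORA-01031 (insufficient
-- privileges) from an application account usually mean someone is guessing
-- object names or trying statements their grants do not allow. The trigger is
-- an autonomous transaction so the audit row survives the caller's rollback.
CREATE OR REPLACE TRIGGER audit_owner.servererror_audit_trg
  AFTER SERVERERROR ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  IF ORA_IS_SERVERERROR(942) OR ORA_IS_SERVERERROR(1031) THEN
    INSERT INTO audit_owner.error_audit
      (db_user, os_user, host, error_no, error_msg)
    VALUES
      (SYS_CONTEXT('USERENV', 'SESSION_USER'),
       SYS_CONTEXT('USERENV', 'OS_USER'),
       SYS_CONTEXT('USERENV', 'HOST'),
       ORA_SERVER_ERROR(1),          -- topmost error on the error stack
       ORA_SERVER_ERROR_MSG(1));
    COMMIT;
  END IF;
END;
/

-- Report 1: DDL against the application schema by anyone other than its owner
-- in the last 7 days.
SELECT event_time, db_user, os_user, host, event_type, obj_type, obj_name
  FROM audit_owner.ddl_audit
 WHERE obj_owner = 'CLINIC'
   AND db_user  <> 'CLINIC'
   AND event_time > SYSDATE - 7
 ORDER BY event_time;

-- Report 2: accounts with repeated privilege failures in the last day.
SELECT db_user, os_user, host, COUNT(*) AS failures
  FROM audit_owner.error_audit
 WHERE error_no = 1031
   AND event_time > SYSDATE - 1
 GROUP BY db_user, os_user, host
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

SYS_CONTEXT('USERENV', 'OS_USER') and 'HOST' are reported by the client and can be spoofed; treat them as corroborating detail, not as identity. The authoritative identity is SESSION_USER.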

Chapter 10: Auditing Grants Security
 
Overview of data dictionary query scripts to locate faults in grant-based and role-based security to satisfy HIPAA requirements.

  • Auditing for system privileges
  • Auditing for WITH ADMIN option
  • Auditing for synonyms
  • Auditing for PUBLIC objects
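The kind of data-dictionary query scripts the chapter describes, covering each of the four items above plus a role-chain expansion, are shown below as an added example; they are not the book's scripts. CLINIC as the application schema and the list of excluded Oracle-supplied accounts are assumptions for illustration; the DBA_* views and their columns are the documented ones.

```sql
-- Added example (not from the book's code depot): data-dictionary checks for
-- the faults the chapter lists. Run as a DBA. CLINIC is the assumed application
-- schema; the exclusion list of Oracle-supplied accounts is illustrative and
-- should match the release in use.

-- 1. Dangerous system privileges held by non-Oracle accounts or roles.
--    "ANY" privileges cross schema boundaries; EXEMPT ACCESS POLICY bypasses
--    every VPD policy in the database.
SELECT sp.grantee, sp.privilege, sp.admin_option,
       CASE WHEN r.role IS NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type
  FROM dba_sys_privs sp
  LEFT JOIN dba_roles r ON r.role = sp.grantee
 WHERE (sp.privilege LIKE '%ANY%'
        OR sp.privilege IN ('ALTER SYSTEM', 'ALTER DATABASE', 'BECOME USER',
                            'EXEMPT ACCESS POLICY', 'ADMINISTER DATABASE TRIGGER'))
   AND sp.grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'IMP_FULL_DATABASE',
                          'EXP_FULL_DATABASE', 'OUTLN')
 ORDER BY sp.grantee, sp.privilege;

-- 2. Anything granted WITH ADMIN OPTION: the holder can pass it on to anyone,
--    so the privilege is no longer controlled beyond this grantee.
SELECT 'SYS PRIV' AS kind, grantee, privilege AS granted
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT 'ROLE', grantee, granted_role
  FROM dba_role_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY 2, 3;

-- 3. Object privileges granted to PUBLIC on application data. Every account,
--    including ones created tomorrow, inherits these; GRANTABLE = YES means
--    the grantee can re-grant them.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;

-- 4. Public synonyms for application objects. A synonym grants nothing by
--    itself, but it advertises object names to every account and turns a
--    later stray PUBLIC grant into immediately usable access; the subquery
--    flags synonyms that are already reachable that way.
SELECT s.synonym_name, s.table_owner, s.table_name,
       (SELECT COUNT(*)
          FROM dba_tab_privs p
         WHERE p.grantee    = 'PUBLIC'
           AND p.owner      = s.table_owner
           AND p.table_name = s.table_name) AS public_grants
  FROM dba_synonyms s
 WHERE s.owner = 'PUBLIC'
   AND s.table_owner = 'CLINIC'
 ORDER BY s.synonym_name;

-- 5. Which users can SELECT from CLINIC.PATIENTS, directly or through any
--    chain of roles. The hierarchical query walks role-to-role grants from the
--    roles that hold the privilege down to the users that hold those roles.
--    A grant to PUBLIC is not expanded here; query 3 reports it.
SELECT DISTINCT u.username
  FROM dba_users u
  JOIN (SELECT grantee
          FROM dba_role_privs
         START WITH granted_role IN
               (SELECT grantee FROM dba_tab_privs
                 WHERE owner = 'CLINIC' AND table_name = 'PATIENTS'
                   AND privilege = 'SELECT')
       CONNECT BY PRIOR grantee = granted_role
        UNION
        SELECT grantee FROM dba_tab_privs
         WHERE owner = 'CLINIC' AND table_name = 'PATIENTS'
           AND privilege = 'SELECT') g ON g.grantee = u.username
 ORDER BY u.username;
```

Run these from a scheduled job and diff the output against the previous run; a new row in any of them is a change to the security posture that should be explained by a change ticket, which is the check the chapter's DDL auditing is meant to corroborate.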

Chapter 11: Oracle Fine Grained Auditing
 
Fine Grained Auditing (FGA) in Oracle 9i makes possible what standard auditing could not: recording the exact statement a user issued merely to SELECT data (not to update it), as HIPAA requires for access to patient information.

  • Use of the dbms_fga package
  • Auditing select access as per the HIPAA mandated auditing of Patient Health Information (PHI). 
  • Archiving of audit information to tertiary media (optical CD-ROM and tape)
  • Combining FGA and Flashback queries to answer not only who saw the data but what they saw
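The three steps the chapter lists, a dbms_fga policy on PHI, reading the trail, and combining it with a flashback query to reconstruct what was seen, plus archiving, are shown below as an added example; it is not code from the book or its code depot. CLINIC.PATIENTS(patient_id, ssn, diagnosis, ...), the AUDIT_OWNER archive schema and the &scn substitution variable are assumptions for illustration; the DBMS_FGA parameters and DBA_FGA_AUDIT_TRAIL columns are the documented Oracle9i ones.

```sql
-- Added example (not from the book's code depot): fine-grained auditing of
-- PHI reads, then replaying what was read. Assumed: CLINIC.PATIENTS(patient_id,
-- ssn, diagnosis, ...) and an AUDIT_OWNER schema for archives. The
-- DBMS_FGA.ADD_POLICY parameters used are the Oracle9i ones: 9i FGA records
-- SELECT only and takes a single AUDIT_COLUMN (DML auditing and column lists
-- arrived in Oracle 10g).

-- 1. Record every SELECT that references the DIAGNOSIS column.
--    AUDIT_CONDITION => NULL means "always"; a condition such as 'DEPT_ID <> 10'
--    would restrict the audit to statements returning rows that match it. Only
--    statements that reference the audited column fire the policy, so a query
--    on PATIENT_ID alone is not recorded.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'CLINIC',
    object_name     => 'PATIENTS',
    policy_name     => 'PATIENTS_PHI_SELECT',
    audit_condition => NULL,
    audit_column    => 'DIAGNOSIS',
    handler_schema  => NULL,
    handler_module  => NULL,
    enable          => TRUE);
END;
/

-- 2. Who looked: the trail keeps the statement text, bind values and the SCN
--    at which the statement ran. The view is owned by SYS, so application
--    users cannot read or edit it.
SELECT timestamp, db_user, os_user, userhost, scn, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE object_schema = 'CLINIC'
   AND object_name   = 'PATIENTS'
   AND policy_name   = 'PATIENTS_PHI_SELECT'
 ORDER BY timestamp;

-- 3. What they saw: run the recorded SQL_TEXT against the table as of the
--    recorded SCN (Oracle9i Release 2 flashback syntax; Release 1 uses
--    DBMS_FLASHBACK.ENABLE_AT_SYSTEM_CHANGE_NUMBER). &scn is a SQL*Plus
--    substitution variable filled from the row found above. Undo must still
--    cover that SCN (UNDO_RETENTION), so this works only for recent access;
--    for older events the archived trail is the only record.
SELECT patient_id, ssn, diagnosis
  FROM clinic.patients AS OF SCN &scn
 WHERE patient_id = 42;

-- 4. Archive a closed month to a table that is then exported to offline media,
--    so the "who saw what" record can be produced long after undo is gone.
CREATE TABLE audit_owner.fga_trail_2003_12 AS
SELECT *
  FROM dba_fga_audit_trail
 WHERE timestamp >= TO_DATE('2003-12-01', 'YYYY-MM-DD')
   AND timestamp <  TO_DATE('2004-01-01', 'YYYY-MM-DD');
```

The flashback step only reproduces the rows a statement could have returned; it does not prove the user read them on screen. For a HIPAA disclosure inquiry that is still the strongest evidence the database can give, which is why the SCN and SQL_TEXT columns of the trail, not just the user and timestamp, must be preserved in the archive.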

Chapter 12: HIPAA Checklists for Security and Auditing
 
A checklist of HIPAA requirements (and the Oracle features described in this book) that can be used to satisfy the requirements.
 
This book covers Oracle security auditing.
