Copyright © 2004 Absolute Technologies, Inc.

Satisfying SOX Separation of Duties Compliance Requirements
A Case Study at Silicon Image
Presented by Kenny Gilbert – Director of IS, Silicon Image, and Cameron Larner – President, Absolute Technologies
Profile of Silicon Image
- Founded in January 1995
- Fabless semiconductor
- $173 million annual revenue for 2004
- 300 employees
- Live on Oracle Apps 11.5.8 – May 2003
- Upgraded Oracle Apps to 11.5.9 – July 2004
- Audit firm – PWC
- Audit guidance – Horn, Murdock & Cole
Goal
To establish mechanisms that identify high-risk or unauthorized transactions within the company's Oracle database and associated applications. These mechanisms have the objective of ensuring that Separation of Duties (SOD) procedures and enforcement have been properly established with respect to database activity across both end users and business analysts.
Example of the Issue
Company ABC had an analyst (Bob) who really wanted Sysadmin access to Oracle Applications. His request was denied by the manager of IT per SOD compliance protocol. So Bob discovered a way to grant the access to himself. How did he do it?
How Bob got Sysadmin access
Bob considered asking his DBA friend, but decided to do it himself by writing a simple Oracle Alert like the example below. (The alert definition was shown as a screenshot; see the Alert example slide in the appendix.)
Catalyst to Action
PWC threatened a material deficiency! Why?
- The DBA had a shared role as developer.
- Analysts had superuser access to major applications (one analyst supports multiple modules).
- The DBA and analysts had APPS SQL access to update Oracle tables without detection.
Course of Action
- Determined the high-risk tables to be monitored.
- Implemented Oracle email alerts on these tables to check for records where LAST_UPDATED_BY = the analyst's user id.
- Took APPS database access away from analysts.
- Evaluated tools that could provide configurable audit trails and reporting across specified financial transactions and setups.
Intro to Absolute Technologies – Why Absolute?
We already use Absolute's BBB Intelligence solution for booking, backlog and billing reporting. Their product enables us to get backlog figures for any time in the past and provides a history of changes to booked orders. And it's configurable, so it tracks only what I wanted to track. After sharing our audit requirements with them, they informed us of their latest product offering, Application Auditor for Oracle. We decided to give it a try.
Scope of Audit
How is data being accessed and changed?
- Application end user access: logins, responsibilities & forms; Help > Tools > Examine; Oracle Alert
- Direct SQL access: SQL*Plus, Toad, SQL*Navigator, etc.
Scope of Audit – Continued
What, when and who are making changes? Types of database transactions:
- DML: insert, update or delete records
- DDL: create, alter or drop objects
Auditing Options for Oracle Applications
We evaluated the following:
- Oracle Database – Audit Feature
- E-Business Suite – Row Who Columns
- E-Business Suite – End User Access
- E-Business Suite – Audit Trail
- E-Business Suite – Oracle Alert
- Absolute Technologies – Application Auditor
Oracle Database – Audit Feature
- In the init.ora file, set the audit_trail parameter to true and restart the database.
- From the SYSTEM user in SQL*Plus, execute the SQL AUDIT commands that coincide with your requirements.
- Audits almost any type of db transaction, from a session login to the creation or alteration of any schema object to the execution of a SQL statement.
- Transactions are captured in the SYS.AUD$ table.
Oracle Database – Audit Feature – Limitations:
a. Does not provide before and after values for column changes.
b. Audits are at the SQL statement level; they do not reflect the resulting impact on individual records and columns within a table.
c. Provides no standard reporting or access to the data from a form.
d. Resulting data in the SYS.AUD$ table is not "end user" ready.
e. Because the table is owned by SYS, it cannot provide an event-based alert or notification to a user (a trigger cannot be defined on SYS tables).
E-Business Suite – Row Who Columns
- CREATION_DATE – Date and time the row was created
- CREATED_BY – Oracle Applications user ID from FND_USER
- LAST_UPDATE_LOGIN – Login ID from FND_LOGINS
- LAST_UPDATE_DATE – Date and time the row was last updated
- LAST_UPDATED_BY – Oracle Applications user ID from FND_USER
This information can be easily accessed through the application or SQL. Within the applications, select Help > Record History from the main menu to view the information for the current record.
E-Business Suite – Row Who Columns – Limitations:
a. Only the initial creation and the last update date and user are stored.
b. A complete audit trail of changed values is not stored, so the date and user of any updates occurring between the creation and last update of the record are lost.
c. There is no visibility into the before and after values of changed columns.
d. The information is not updated if the database record is inserted, updated or deleted by a user or process outside the security of Oracle Applications.
e. Information is stored in the subject table itself. There is no standard reporting or centralized table to provide ease of reporting.
E-Business Suite – End User Access
The system profile option "Sign-On: Audit Level" controls the level of end user access auditing. The valid settings are None, User, Responsibility and Form. This profile option should always be set to "Form" to enable the most auditing. The standard reports for end-user auditing are:
- Signon Audit Users
- Signon Audit Responsibilities
- Signon Audit Forms
- Signon Audit Concurrent Requests
- Signon Audit Unsuccessful Logins
E-Business Suite – End User Access – Limitations:
a. Only audits end user usage of specified forms.
b. Does not audit changes at the database level.
c. Does not audit any form activity or database transaction that may be of interest for ensuring compliance; only user access.
E-Business Suite – Oracle Alert
Sends email notification of pre-defined high-risk transactions, either periodically or on an event (creates a db trigger).
E-Business Suite – Oracle Alert – Limitations:
a. Periodic Alerts only capture a snapshot of data.
b. Don't provide before and after values of changed columns.
c. Too many Alerts can clog up the concurrent manager.
d. Alerts do not provide ad hoc reporting, just notification.
e. On Event Alerts fire upon any change to a record within a defined table, capturing unwanted transactions and impacting system performance. They do not allow individual column changes to be tracked.
f. Don't provide after-delete capabilities.
g. Don't utilize stored procedures in the PL/SQL body of the trigger to optimize performance, and even create multiple triggers.
E-Business Suite – Audit Trail
- Set the System Profile Option AuditTrail:Activate to Yes.
- As System Administrator, select Security > AuditTrail > Install.
- Define the applications, groups, tables and columns to audit.
- Run the Audit Trail Update Tables program to activate auditing.
The following will be created for each audited table:
- Shadow table
- Trigger
- Views: one view containing all audited columns and one view for each audited column
E-Business Suite – Audit Trail – Limitations:
a. No single audit table for ease of reporting.
b. Can't apply a condition to the trigger.
c. The Audit Trail Update Tables program has no parameters; you must modify the group's "state" to disable, then run the program.
d. Can't toggle an audit on/off for a single table.
e. Can't capture data outside the scope of the audited table, such as foreign table column values, for ease of reporting.
f. No revision control mechanism.
g. No mechanism to support migration across database instances.
h. No standard reporting.
i. No single record holds the before and after detail of changed column values.
j. No error handling visibility to the end user.
Absolute Technologies – Application Auditor
- Provides a single mechanism to audit changes to any database table/column.
- Change tracking can be configured, activated or deactivated within minutes for a single table.
- Configuration reports provide a record of all audit setups.
- Single or multiple audit table(s) store defined change details across audited tables. Some examples are:
  - Before and after column values
  - When, who & where details
  - Additional reference column values from within the same table
  - Additional column values from related tables
Absolute Technologies – Application Auditor (continued)
- Shares the E-Business Suite database instance.
- Audits tables on any Oracle database in the environment.
- Uses standard Oracle Developer tools.
- Stored procedure used in triggers for optimized performance.
- Audits the Auditor: tracks changes to DB objects in the AA schema (e.g. if the AA user disables an audit trigger).
- Revision control.
- Migrate/copy audit configurations within or across DB instances.
- Forms provide visibility to: audit configurations, compiled objects, compilation and object errors, audit transactions.
The Silicon Image Approach
Application end user access:
- Standard "Sign-on" reports for end-user auditing (only really used for failed login attempts).
- Discoverer reports for current users and responsibilities granted.
- Not using Oracle Audit Trail (too many issues).
Absolute Application Auditor:
- 9 setup tables: FND_USER, FND_RESPONSIBILITY, etc.
- 13 financial-impacting tables: AP_INVOICES_ALL, AP_CHECKS_ALL, GL_JE_LINES, etc.
- Audit the Auditor (changes to AA schema objects).
- Audit to determine whether DML was executed via SQL.
- Audit business analyst activity against high-risk tables.
The Silicon Image Approach – Continued
Standard database auditing (SQL AUDIT command):
- Changes to db user accounts
- Changes to db links
- Changes to system audit commands/parameters
- Periodic Alert on SYS.AUD$ to notify the audit manager of issues
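The standard database auditing on this slide and on the Audit Feature slide, plus the query a periodic alert on SYS.AUD$ could run, as an added example that is not part of the presentation. The AUDIT statement options and the DBA_AUDIT_TRAIL columns are Oracle's own; the one-day window, the exclusion of routine logon/logoff rows and the DB spelling of the audit_trail value are choices made here.

```sql
-- Added example (not from the presentation): standard database auditing for
-- the event classes on the slide and a query for the periodic SYS.AUD$ alert.
-- AUDIT options and DBA_AUDIT_TRAIL columns are Oracle's own; the one-day
-- window and the logon/logoff exclusion are assumptions made here.

-- 1. init.ora, then restart the database. DB writes records to SYS.AUD$
--    (the slide's "true" is the older spelling of the same setting).
--    audit_trail = DB

-- 2. As SYSTEM in SQL*Plus, audit the statement classes of interest.
AUDIT USER;                                    -- CREATE/ALTER/DROP USER
AUDIT DATABASE LINK;                           -- CREATE/DROP DATABASE LINK
AUDIT PUBLIC DATABASE LINK;
AUDIT SYSTEM AUDIT;                            -- AUDIT/NOAUDIT statements themselves
AUDIT ALTER SYSTEM;                            -- runtime changes to audit parameters
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;  -- failed logins

-- 3. Query for the periodic alert. DBA_AUDIT_TRAIL is the readable view over
--    SYS.AUD$; the alert's database user needs SELECT on it.
SELECT timestamp, username, os_username, userhost, terminal,
       action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
   AND action_name NOT IN ('LOGON', 'LOGOFF', 'LOGOFF BY CLEANUP')
 ORDER BY timestamp;
```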
Feedback from Silicon Image – Current Status
- PWC was satisfied with the audit tracking results. A big key to this was that we heavily involved them in the discussions about which columns in which tables would be tracked.
- Complete implementation and setup of all tables was achieved in under a week.
- Because all audit records go to one table, audit reporting was very simple.
Feedback from Silicon Image – Continued
Challenges:
1. Needed to be able to tell when an update was done from SQL or from the applications.
2. We needed this implemented very fast.
3. Needed flexible reporting.
Solutions:
1. Trigger condition on TERMINAL: nvl(userenv('TERMINAL'), 'unknown') not in ('unknown') or new.LAST_UPDATED_BY IN (1040, 1041, 1042, 1080, 0)
2. Complete implementation and setup of all tables was achieved in under a week.
3. Because all audit records go to one table, audit reporting was very simple.
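A trigger-based audit built around that TERMINAL condition, as an added example that is not from the presentation or from Application Auditor: one audit table holding before and after values for every audited table (the Course of Action, Oracle Alert and Application Auditor slides), a shared stored procedure in the trigger body, and a WHEN clause copied from the Challenges slide. The names AUDIT_LOG, AUDIT_LOG_S and LOG_CHANGE are assumptions; the user ids are the ones on the slide.

```sql
-- Added example (not from the presentation or from Application Auditor):
-- a trigger-based audit in the style the slides describe. Assumed names:
-- AUDIT_LOG, AUDIT_LOG_S and LOG_CHANGE; the ids 1040, 1041, 1042 and 1080
-- are the analysts' FND_USER ids from the Challenges slide (0 is the seeded
-- SYSADMIN account).

-- One audit table for every audited table/column.
CREATE TABLE audit_log (
  audit_id      NUMBER        PRIMARY KEY,
  table_name    VARCHAR2(30)  NOT NULL,
  column_name   VARCHAR2(30)  NOT NULL,
  row_key       VARCHAR2(200) NOT NULL,     -- primary key of the changed row
  dml_type      VARCHAR2(6)   NOT NULL,     -- INSERT, UPDATE or DELETE
  old_value     VARCHAR2(4000),             -- before value
  new_value     VARCHAR2(4000),             -- after value
  changed_by    NUMBER,                     -- LAST_UPDATED_BY (FND_USER id)
  db_user       VARCHAR2(30),               -- e.g. APPS for a SQL*Plus session
  os_user       VARCHAR2(30),
  terminal      VARCHAR2(30),               -- the SQL-vs-application signal
  changed_on    DATE DEFAULT SYSDATE,
  review_status VARCHAR2(20) DEFAULT 'OPEN', -- set after help desk approval
  review_note   VARCHAR2(2000)              -- the "comments" lesson learned
);
CREATE SEQUENCE audit_log_s;

-- Shared procedure so each trigger body is a single call.
CREATE OR REPLACE PROCEDURE log_change (
  p_table VARCHAR2, p_column VARCHAR2, p_key VARCHAR2, p_dml VARCHAR2,
  p_old VARCHAR2, p_new VARCHAR2, p_changed_by NUMBER) IS
BEGIN
  -- No COMMIT here: the audit row shares the transaction, so it is only
  -- kept for changes that were actually committed.
  INSERT INTO audit_log (audit_id, table_name, column_name, row_key, dml_type,
      old_value, new_value, changed_by, db_user, os_user, terminal)
  VALUES (audit_log_s.NEXTVAL, p_table, p_column, p_key, p_dml, p_old, p_new,
      p_changed_by, USER, SYS_CONTEXT('USERENV', 'OS_USER'),
      NVL(USERENV('TERMINAL'), 'unknown'));
END log_change;
/

-- One trigger per audited column; the WHEN clause is the slide's condition:
-- fire when the session reports a terminal (taken on the slide as the sign
-- of a direct SQL session) or when the change was made under one of the
-- analysts' application user ids.
CREATE OR REPLACE TRIGGER ap_invoices_all_aud
  AFTER INSERT OR UPDATE OF invoice_amount OR DELETE ON ap_invoices_all
  FOR EACH ROW
  WHEN (NVL(USERENV('TERMINAL'), 'unknown') NOT IN ('unknown')
        OR NEW.last_updated_by IN (1040, 1041, 1042, 1080, 0))
BEGIN
  log_change('AP_INVOICES_ALL', 'INVOICE_AMOUNT',
             TO_CHAR(NVL(:NEW.invoice_id, :OLD.invoice_id)),
             CASE WHEN INSERTING THEN 'INSERT'
                  WHEN UPDATING  THEN 'UPDATE' ELSE 'DELETE' END,
             TO_CHAR(:OLD.invoice_amount), TO_CHAR(:NEW.invoice_amount),
             NVL(:NEW.last_updated_by, :OLD.last_updated_by));
END;
/
```

Because DELETE fires the trigger too, the after-delete gap listed against Oracle Alert is covered, and a periodic alert or report needs only to query AUDIT_LOG WHERE review_status = 'OPEN'.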
Lessons Learned
- Manage carefully what you audit, because the auditors will always want more.
- Make sure you have a way to track comments on your audit records so they can be reported on when your audit firm comes back.
Example of Financial Impacting Audit #1
Table: WF_ROUTING_RULES
Purpose: To identify unauthorized changes to signing authority.
Event: A user with Sysadmin assigned the CFO's signing authority to another employee. A record was inserted into the audit table.
Step one: The audit triggered an email to the Director of IS and the change control help desk.
Step two: The Director of IS researched the issue, entered an explanation of the transaction into the help desk and awaited approval from the Director of Finance.
Step three: After receiving approval, the audit record was updated to reflect the status of the issue.
The example above occurred in production. Afterwards, we decided to change the audit so that it would only execute when the re-assignment was to one of the IS business analysts.
Example of Financial Impacting Audit #2
Table: HZ_PARTIES
Purpose: Identify unauthorized update or creation of a customer.
Event: In the form, an analyst updated 15 customer records to modify the territory column, but also mistakenly updated the customer name on one of the records. An audit record was generated.
Step one: The audit triggered an email to the Director of IS and the change control help desk.
Step two: The Director of IS researched the issue, entered an explanation and resolution of the transaction into the help desk and awaited approval from the Director of Finance.
Step three: After the review and approval, the audit record was updated to reflect the status of the issue.
Needless to say, this was embarrassing to explain, but it was very helpful that we had everything we needed, before and after values, to change it back.
Example of Operational Audit – GOP
Table: OE_ORDER_LINES_ALL
Purpose: Audit schedule, request and promise date changes.
Event: The GOP module auto-schedules sales orders. We also have a program that auto-updates promise dates.
Step one: Customer service called IS to complain that the promise date or schedule ship date on a sales order was not correct.
Step two: The analyst reviewed the audit history for the sales order to see the entire history of date changes.
Step three: The analyst informed customer service that the date in question had originally been provided correctly by GOP, but had subsequently been modified several times by her user.
SOX Separation of Duties Compliance
Whitepaper available at http://www.absolute-tech.com
Appendix slides (screenshots only): Help > Tools > Examine example; Alert example; Audit Transaction example; Report examples; Comments examples.