Success Stories

We love to share our knowledge!

Partnership with: sena

Requirements

A US enterprise bank needs to address data security weaknesses in its mission-critical databases to be compliant with US banking regulation.

Background:

After an audit of the server infrastructure in 2012, they want to prepare the entire database infrastructure for an external audit process.

They need to be compliant with:

  • SOX (Sarbanes-Oxley Act) - designed to enhance corporate responsibility as it relates to financial reporting issues.
  • PCI/DSS (Payment Card Industry) - guidelines for organizations that store, transmit or process customer credit card data.
  • GLB (Gramm-Leach-Bliley Act) - mandates that every financial institution should have policies and processes in place to protect "non-public personal information" from threats.

They want to apply Oracle Security Best Practices to all production and non-production databases.

Methodology

The tools used to conduct this Database Security Assessment were:

  • Workshops to collect questionnaires on DB Security domains involving the following stakeholders:
    • Application or System Owner, Manager
    • DBA
    • System Administrator
    • CISO
  • Automatic tools to discover OS vulnerabilities
  • List and analysis of all the vulnerabilities grouped by Confidentiality, Integrity and Availability domains
  • Discussion with the stakeholders about results and countermeasures
  • Document the results and propose to the Customer a roadmap to the solution

 


Results

All the deliverables collected and prepared during the discovery phase were released during the database assessment.


List of deliverables:

1. Questionnaires of Access Control (QAC), Integrity and Confidentiality (QIC), Audit (QAU), Compliance (QCO).

2. Assessment results (ASSVULN) with list of vulnerabilities, risks, recommendations and actions from the point of view of:
  • Confidentiality
  • Integrity
  • Availability
  • Compliance

3. Presentation of results, risks and recommendations.

Examples

Questionnaire for Access Control (QAC) and Assessment Results:

[Images: QAC questionnaire and assessment results]
