Oracle E-Business Logging and Auditing: PCI, SOX, HIPAA, 27001 and FISMA
Continuing this blog series on Oracle E-Business logging and auditing: Integrigy's log and audit framework is based on our consulting experience and on compliance and security standards such as Payment Card Industry (PCI-DSS), Sarbanes-Oxley (SOX), IT Security (ISO 27001), FISMA (NIST 800-53), and HIPAA.
The foundation of the framework is the set of security events and actions that should be audited and logged in all Oracle E-Business Suite implementations. These security events and actions are derived from, and mapped back to, the key compliance and security standards that most organizations must comply with. We view these security events and actions as the core set; most organizations will need to expand them to address specific compliance and security requirements, such as functional or change management requirements.
Figure 1 - Integrigy's Framework for Auditing and Logging in Oracle E-Business Suite
Table 1 presents the core set of audits that, if implemented, will serve as a foundation for more advanced security analytics. Implementing these audits will go a long way toward meeting the logging and auditing requirements of most compliance and security standards, such as PCI DSS requirement 10.2. The numbering scheme used in Table 1 (E1 through E14) is referenced throughout the framework.
Table 1 - Foundation Events for Logging and Security Framework

| Security Events and Actions | PCI DSS 10.2 | SOX (COBIT) | HIPAA (NIST 800-66) | IT Security (ISO 27001) | FISMA (NIST 800-53) |
|---|---|---|---|---|---|
| E1 - Login | 10.2.5 | A12.3 DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E2 - Logoff | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E3 - Unsuccessful login | 10.2.4 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 A.11.5.1 | AC-7 |
| E4 - Modify authentication mechanisms | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E5 - Create user account | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E6 - Modify user account | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E7 - Create role | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E8 - Modify role | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E9 - Grant/revoke user privileges | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E10 - Grant/revoke role privileges | 10.2.5 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E11 - Privileged commands | 10.2.2 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
| E12 - Modify audit and logging | 10.2.6 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 AU-9 |
| E13 - Objects: Create object, Modify object, Delete object | 10.2.7 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 AU-14 |
| E14 - Modify configuration settings | 10.2.2 | DS5.5 DS5.6 DS9.2 | 164.312(c)(2) | A 10.10.1 | AU-2 |
Integrigy's Framework for Oracle E-Business Suite logging and auditing is fully documented in our whitepaper, which is available for download via the link referenced below.
If you have questions, please contact us at info@integrigy.com
-Michael Miller, CISSP-ISSMP