The Federal Information Security Management Act (FISMA) of 2002 requires all government agencies to submit to the Office of Management and Budget an annual evaluation of IT security across the agency. The overall results of these reports are compiled and reported in the annual "Federal Computer Security Report Card", which scored the Federal government a D+.
One aspect of the evaluation process relates to the use of configuration policies for Oracle. We reviewed the publicly available agency reports to compile an Oracle-specific report card to see how agencies are doing with one small slice of FISMA. Of the 24 agencies, 10 have published the entire FISMA report.
The results are not encouraging -- even agencies that achieved high overall scores have not implemented configuration policies for Oracle. The overall Oracle grade is a D- for the Federal government.
FISMA is much maligned as being mostly a paperwork exercise that does little in reality to improve overall information security. However, most Oracle security experts agree that applying a well-defined configuration policy or security checklist can dramatically improve database security. A key factor in the success of such a configuration policy is that it can handle application-specific exceptions. There are a number of very good security checklists available, including the Center for Internet Security Oracle Benchmark and the DoD Database STIG.
We looked at the FISMA and Oracle compliance because we believe using standard configuration policies can benefit most, if not all, Oracle implementations.