Best Practices for Protecting Sensitive Data in an Oracle Applications Environment
Presented by: Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics
- Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
- The small window icon toggles between a windowed and full-screen mode
- Ask questions throughout the presentation using the chat dialog
- Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A
- During the presentation, we will be conducting a number of polls; please take the time to respond to all those that are applicable
- CPE will only be given to those that answer at least 3 of the 4 polls
Presentation Agenda
- Overview: Introduction
- Sensitive Data Legislative Requirements
- Massachusetts Privacy Law example
- Typical Sensitive Data
- Identifying and Classifying Sensitive Data
- Impact on Application Security
- Impact on Database Security
- Ways to Secure Data: Application and Database Technologies
- Impact on Change Management Process and SDLC
- Other Topics
- Wrap Up / Q&A
Introduction
Jeffrey T. Hare, CPA CISA CIA
- Founder of ERP Risk Advisors / ERP Seminars and Oracle User Best Practices Board
- Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
- Frequent contributor to OAUG's Insight magazine
- Experience includes Big 4 audit, 6 years in CFO/Controller roles, both as auditor and auditee
- In Oracle applications space since 1998, both as client and consultant
- Founder of Internal Controls Repository, a public domain repository
- Author, Oracle E-Business Suite Controls: Application Security Best Practices
- Contributing author, Best Practices in Financial Risk Management
- Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine
Poll 1: How confident are you that your organization's sensitive data is well protected?
Sensitive Data Legislative Requirements
Legislative Requirements
Consider the impact of the following legislative requirements:
- Sarbanes-Oxley
- PCI
- HIPAA
- GLBA
- State breach notification laws (45 states have some form of legislation: http://www.ncsl.org/issuesresearch/telecommunicationsinformationtechnology/securitybreachnotificationlaws/tabid/13489/default.aspx)
- EU Data Protection Directive
- Other countries?
- Industry-specific compliance requirements
Legislative Requirements
Recommendation: Work with your legal department, auditors, management, corporate governance group, etc. to understand all the legislative requirements to which your organization is subject
Massachusetts Privacy Law example
Massachusetts Privacy Law Language
Let's look at some legislative language in recent Massachusetts legislation: 201 CMR 17.00, STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (http://www.mass.gov/eoca/docs/idtheft/201cmr1700reg.pdf)
Massachusetts Privacy Law Language
"Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure."
Massachusetts Privacy Law Language
- "Unauthorized acquisition": management needs to define who is authorized to access such data
- "Unauthorized use": management needs to define what is authorized use
- "Creates a substantial risk of identity theft or fraud": subject to interpretation
Massachusetts Privacy Law Language
What is personal information?
"Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number"
Massachusetts Privacy Law Language
Who is responsible for compliance?
"Every person that owns or licenses personal information about a resident of the Commonwealth"
Massachusetts Privacy Law Language
What is a responsible entity required to do?
"shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated."
Massachusetts Privacy Law Language
Security plan shall include:
"(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to: (a) Designating one or more employees to maintain the comprehensive information security program; (b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: 1. ongoing employee (including temporary and contract employee) training; 2. employee compliance with policies and procedures; and 3. means for detecting and preventing security system failures."
Massachusetts Privacy Law Language
Security plan shall include (continued):
"(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises. (d) Imposing disciplinary measures for violations of the comprehensive information security program rules. (e) Preventing terminated employees from accessing records containing personal information."
Massachusetts Privacy Law Language
Security plan shall include (continued):
"(f) Oversee service providers, by: 1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and 2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person's behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later than March 1, 2010."
Massachusetts Privacy Law Language
Security plan shall include (continued):
"(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers. (h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. (i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information. (j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information"
Massachusetts Privacy Law
Recap of requirements:
- Written Information Security program
- Designate responsible employees
- Identify internal & external risks and evaluate effectiveness of current safeguards
- PII-related employee policies
- Disciplinary measures
- Prevent unauthorized access
- Verify third-party compliance; include specifics in contract
- Limit collection, retention and use of PII
- Identify locations of PII
- Restrict access to those authorized to use the data
- Conduct regular monitoring & annual reviews
- Document corrective actions
Typical Sensitive Data
Typical Sensitive Data
IT Security:
- Personally Identifiable Information such as Name, Address, Marital Status, Salary, Review Information, Children's Names and Related Information, Phone Number, National Identifier / Social Security Number, Payroll Deductions, Direct Deposit Bank Account Information, Password Reset Questions, Mother's Maiden Name, Credit Card, Account Number
- Credit Card for Customers, Employees, Suppliers
- Bank Account for Customers, Employees, Suppliers
Poll 2: Which statement best represents my organization's maturity related to sensitive data:
Identifying and Classifying Sensitive Data
Identifying and Classifying Sensitive Data
Questions to ask:
- Where is it stored?
- Who can access it?
- What objects can access it? Concurrent programs, forms, packages, stored procedures?
- Who is the data owner that approves access to such data?
Poll 3: How confident are you that your organization knows all the places where sensitive data is stored?
Sensitive Data and Application Security
Sensitive Data and Application Security
Questions to ask:
- Access through functions?
- Access through concurrent programs? Reports?
- Through generic / seeded logins?
- SQL forms risks monitored?
Sensitive Data and Database Security
Sensitive Data and Database Security
Questions to ask:
- Through stored procedures
- Through triggers
- Through database logins / schema logins
- How is each custom database login protected / used?
- Who owns active generic database logins?
- Password encryption risk in 11i handled?
- Are database logins hardened and re-hardened on a regular basis (i.e. after patches are applied)?
2009 ERPS
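One way to start answering the inventory questions on the "Identifying and Classifying Sensitive Data" and "Sensitive Data and Database Security" slides (where the data is stored, which packages, procedures and triggers reach it, and which database logins hold privileges on it) is to query the Oracle data dictionary. This is an added example, not material from the presentation; the column-name patterns are assumptions to be tuned to your own schemas, and it must run from a DBA-privileged session.

```sql
-- Added example (not from the presentation): Oracle data dictionary queries
-- that inventory candidate sensitive columns, the PL/SQL objects that depend
-- on their tables, and the logins granted direct access to those tables.
-- The column-name patterns below are assumptions; adjust them to your schemas.

-- Step 1: "Where is it stored?" Candidate columns found by name pattern.
-- A name match is only a lead; confirm each hit with the data owner.
SELECT owner, table_name, column_name, data_type
  FROM dba_tab_columns
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND REGEXP_LIKE(column_name,
       'NATIONAL_ID|SSN|TAX_ID|CREDIT_CARD|CARD_NUM|BANK_ACC|ACCOUNT_NUM', 'i')
 ORDER BY owner, table_name, column_name;

-- Step 2: "What objects can access it?" Packages, procedures, functions,
-- views and triggers that depend on the tables found in step 1.
SELECT d.referenced_owner, d.referenced_name AS table_name,
       d.owner AS object_owner, d.name AS object_name, d.type AS object_type
  FROM dba_dependencies d
 WHERE d.referenced_type = 'TABLE'
   AND d.type IN ('PACKAGE', 'PACKAGE BODY', 'PROCEDURE', 'FUNCTION',
                  'VIEW', 'TRIGGER')
   AND (d.referenced_owner, d.referenced_name) IN (
         SELECT owner, table_name
           FROM dba_tab_columns
          WHERE REGEXP_LIKE(column_name,
                'NATIONAL_ID|SSN|TAX_ID|CREDIT_CARD|CARD_NUM|BANK_ACC|ACCOUNT_NUM', 'i'))
 ORDER BY 1, 2, 3, 4;

-- Step 3: "Who can access it?" Logins or roles holding direct object
-- privileges on those tables, joined to account status so that OPEN generic
-- accounts stand out during a hardening review (a role grantee has no
-- matching DBA_USERS row, hence the LEFT JOIN).
SELECT p.grantee, u.account_status, p.privilege, p.owner, p.table_name
  FROM dba_tab_privs p
  LEFT JOIN dba_users u ON u.username = p.grantee
 WHERE (p.owner, p.table_name) IN (
         SELECT owner, table_name
           FROM dba_tab_columns
          WHERE REGEXP_LIKE(column_name,
                'NATIONAL_ID|SSN|TAX_ID|CREDIT_CARD|CARD_NUM|BANK_ACC|ACCOUNT_NUM', 'i'))
 ORDER BY p.grantee, p.owner, p.table_name;
```

Re-run the same three queries after each patch cycle, since patches can add objects, grants and columns; diffing the results against the previous run is a simple way to support the "re-hardened on a regular basis" question.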
Securing Data
Securing Data
Consider:
- Intra-forms issues that need to be handled via Forms Personalization / custom.pll for E-Business Suite?
- Use of *Public in JDE to lock down back door access?
- Third party tools that handle security at both apps and database levels?
2008 ERPS
Securing Data in Non-Production Environments
Consider:
- Define security by instance
- Scramble scripts
  - Risk: Integrity of the data
  - Risk: May not identify all places data is stored
  - Risk: Compromise testing process
- Third party tools that handle security at both apps and database levels?
Impact on Change Management and SDLC
Impact on Change Management and SDLC
Consider:
- Application and Database Security changes need to take into account where this data is stored and how it can be accessed
- Object changes need a close peer review process
- Peer reviewer must understand what is sensitive data and where it is stored
- Third party tools can review this as well
Other Topics
Other Topics
Consider:
- Access to data through modplsql in 11i?
- Adequate server security?
- All steps followed in Best Practice documents (189367.1 and 403537.1)?
Wrap Up
Wrap Up
Recap
Recorded webinars: http://www.erpseminars.com/webinaraccessform.html
- Building an Audit Trail
- SQL Forms
Upcoming webinars / seminars: http://www.erpseminars.com/seminars.html
ERP Risk Advisory Services
- Free one-hour consultation
- On-site seminars (1-2 days) custom tailored to your company's needs, as well as various web-based seminars
- RFP / RFI management for Oracle-related GRC software
- SOD / UAC Third Party software projects / remediation
- GRC Software implementation
- Security and internal controls design and implementation for pre- and post-implementation
- Pre-defined level I and level II assessment services; see: http://www.erpseminars.com/services.html
Q & A
Poll 4: I'd like the following follow-up from this webinar:
Contact Information
Jeffrey T. Hare, CPA CISA CIA
- Cell: 970-324-1450
- Office: 970-785-6455
- E-mail: jhare@erpseminars.com
- Websites: www.erpseminars.com, www.oubpb.com
- Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/oraclesox
- Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
- Oracle GRC LinkedIn Group: www.linkedin.com/groups?gid=2017790
- Oracle ERP Auditors LinkedIn Group: www.linkedin.com/groups?gid=2354934
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.