Oracle Waveset 8.1.1 Business Administrator's Guide

About Audit Policies

An audit policy defines the account limits for users of one or more resources, that is, the conditions that a user's accounts on those resources must satisfy. Audit scans evaluate the criteria defined in audit policies to determine whether violations have occurred in your organization.

Audit policies consist of three components, each described below: the rules that define policy violations, the remediation workflow that is launched when a violation is detected, and the remediators who are notified by that workflow.

Defining Audit Policy Rules

One audit policy can contain hundreds of rules that reference a wide range of resources. These rules define potential conflicts on an attribute basis within an audit policy. In Waveset, you can define rules that check a single attribute on a single resource or that check multiple attributes across multiple resources. During evaluation, a rule has access to the user's account data from one or more resources.

You can use Waveset's Audit Policy Wizard to create simple rules. If you need to create more powerful rules, you can use the Identity Manager IDE or an XML editor.

When defining rules for an audit policy, remember the following:


Note –

Rules generated by the Audit Policy Wizard are automatically assigned the appropriate subType and authType.


Rules created using the Audit Policy Wizard return a true or false value. Any policy rule that returns a true value results in a policy violation.

If you use the Identity Manager IDE, you can additionally create rules that skip a user during an audit scan or an access review. An audit policy rule that returns a value of ignore stops rule processing for that user and skips to the next target user.

For more information about creating audit policy rules, see Chapter 4, Working with Rules, in Oracle Waveset 8.1.1 Deployment Reference.

Addressing Policy Violations with Remediation Workflows

After creating rules to define policy violations, you select the workflow to launch when Waveset detects a violation during an audit scan. Waveset ships with a default Standard Remediation workflow that performs the default remediation processing for audit policy scans. Among other actions, this workflow generates a notification email to each designated Level 1 remediator (and to subsequent levels of remediators, if escalation becomes necessary).


Note –

Unlike other Waveset workflow processes, remediation workflows must be assigned AuthType=AuditorAdminTask and the SUBTYPE_REMEDIATION_WORKFLOW subtype. If you import a workflow for use in audit scans, you must add these attributes manually. See (Optional) Import Separation of Duty Rules into Waveset for more information.


Designating Remediators

If you assign a remediation workflow, you must designate at least one remediator. You can designate up to three levels of remediators for an audit policy. For more information about remediation, see Compliance Violation Remediation and Mitigation.


Note –

You must assign a remediation workflow before you can assign remediators.


A Sample Audit Policy Scenario

Suppose you are responsible for accounts payable and receivable, and you must implement procedures to prevent a potentially risky aggregation of responsibilities for employees working in the accounting department. This policy must ensure that personnel with responsibility for accounts payable do not also have responsibility for accounts receivable.

The audit policy must contain a rule that detects users who hold responsibility for both accounts payable and accounts receivable, a remediation workflow to launch when that rule returns true, and the remediators that the workflow notifies.

After the rules identify policy violations (in this scenario, users with too much authority), the associated workflow can launch specific remediation-related tasks, including automatically notifying select remediators.

Level 1 remediators are the first remediators contacted when an audit scan identifies a policy violation. When the escalation period set for the audit policy is exceeded, Waveset notifies the remediators at the next level (if more than one level is specified for the audit policy).
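The rule semantics described above (true means violation, false means compliant, ignore stops processing for that user) and the accounts payable/receivable separation-of-duty scenario, modeled as an added Python example. This is not Waveset code and not an XML rule from this guide; it only illustrates the evaluation order and the remediator escalation the guide describes. The resource names (ERP, LDAP), role and group names, user names, and remediator addresses are constructed sample data, and the three-day escalation period is an assumed value.

```python
"""Model of how an audit scan evaluates policy rules per user and how
remediator escalation proceeds. Constructed illustration, not Waveset code."""
from datetime import datetime, timedelta

IGNORE = "ignore"  # sentinel: stop rule processing for this user, move to next

# Constructed sample account data: user -> resource -> attributes.
# A rule sees the user's accounts across all resources at once.
USERS = {
    "alice": {"ERP": {"roles": ["AP_Clerk"]},
              "LDAP": {"groups": ["finance"]}},
    "bob":   {"ERP": {"roles": ["AP_Clerk", "AR_Clerk"]},
              "LDAP": {"groups": ["finance"]}},
    "carol": {"ERP": {"roles": ["AR_Clerk"]},
              "LDAP": {"groups": ["finance", "contractor"]}},
    "dave":  {"ERP": {"roles": ["AP_Clerk", "AR_Clerk"]},
              "LDAP": {"groups": ["contractor"]}},
}


def skip_contractors(accounts):
    """Returns IGNORE for contractors (assumed to be audited elsewhere).
    Like an IDE-authored rule returning ignore, this halts the scan for
    the user, so it must be ordered before the rules it should suppress."""
    if "contractor" in accounts.get("LDAP", {}).get("groups", []):
        return IGNORE
    return False


def ap_and_ar(accounts):
    """Separation-of-duty rule: true (violation) when one ERP account
    holds both the accounts-payable and accounts-receivable roles."""
    roles = set(accounts.get("ERP", {}).get("roles", []))
    return {"AP_Clerk", "AR_Clerk"} <= roles


# Rule order matters: an ignore result stops evaluation of later rules.
RULES = [("skip contractors", skip_contractors),
         ("AP and AR conflict", ap_and_ar)]


def scan(users, rules):
    """Evaluate every rule for every user. Returns {user: [violated rules]}."""
    violations = {}
    for user, accounts in users.items():
        for rule_name, rule in rules:
            result = rule(accounts)
            if result == IGNORE:
                break            # skip to the next target user
            if result is True:
                violations.setdefault(user, []).append(rule_name)
    return violations


# Assumed remediator levels (up to three) and escalation period.
REMEDIATORS = ["l1-ap-lead@example.com",
               "l2-controller@example.com",
               "l3-cfo-office@example.com"]
ESCALATION_PERIOD = timedelta(days=3)


def remediator_for(opened_at, now, levels=REMEDIATORS,
                   period=ESCALATION_PERIOD):
    """Level 1 is notified first; each time the escalation period is
    exceeded the next level is notified, capped at the last level."""
    elapsed = now - opened_at
    level = min(int(elapsed // period) + 1, len(levels))
    return levels[level - 1]


if __name__ == "__main__":
    found = scan(USERS, RULES)
    print(found)  # bob is flagged; carol and dave are skipped as contractors
    opened = datetime(2024, 1, 1)
    for days in (1, 4, 30):
        print(days, remediator_for(opened, opened + timedelta(days=days)))
```

Running the scan flags only bob: alice holds a single role, and carol and dave are stopped by the ignore rule before the conflict rule runs, even though dave would otherwise violate it. That last point is the caveat to keep in mind when authoring ignore rules in the IDE: they silence every later rule for that user, so order them deliberately.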

The Creating an Audit Policy section describes how to use the Audit Policy Wizard to create an audit policy.