Skip Headers
Oracle® Enterprise Manager Cloud Control Extensibility Programmer's Guide
12c Release 4 (12.1.0.4)

E25159-09
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

10 Understanding Compliance Standards

The Oracle Enterprise Manager Compliance Management solution provides the capability to define, customize, and manage Compliance Frameworks and Compliance Standards. It also provides the tools to evaluate targets and systems for compliance with business best practices in terms of configuration, security, storage, and so on.

This chapter contains the following sections:

10.1 About the Compliance Management Solution

The Oracle Enterprise Manager Compliance Management solution:

  • Determines if targets and systems have valid configuration settings automatically

  • Determines if targets and systems are exposed to configuration-related vulnerabilities automatically

  • Advises on how to change configuration to bring targets and systems into compliance with respect to best practices

  • Provides real-time monitoring of a target's files, processes, users, Windows registry entries, and more to let Enterprise Manager users know where a configuration change is taking place in their environment

  • Determines if real-time detected configuration changes are authorized by open change management requests. It creates violations when an action is determined to be unauthorized

  • Provides out-of-the-box compliance standards to map to Compliance Standard rules. This mapping enables you to visualize how noncompliant settings and actions will affect any compliance framework that an organization follows.

  • Provides a compliance-focused view of the IT configuration and change that is suitable for Line of Business owners, IT managers, and Compliance managers to refer to regularly, enabling them to check on their organization's compliance coverage

10.2 What's New in Compliance Management?

This section describes the new features of the Compliance Management solution:

  • Compliance Management and Reporting

    This feature provides the ability to evaluate the compliance of targets and systems as they relate to business best practices for configuration, security and storage. To support this functionality, a framework is provided for defining compliance frameworks, compliance standards and compliance standard rules. The feature also recommends configuration changes that will bring your targets and systems into compliance.

  • Database Configuration Compliance Standards Support

    Oracle database configuration data can now be managed within the new configuration and compliance standards frameworks. Changes for database storage and configuration data collection and compliance area and converting storage and configuration policies to Compliance Standards.

10.3 Overview of Compliance Management

The following sections provide an overview of the features of compliance management:

10.3.1 About Compliance Framework

A compliance framework can be used to represent a framework such as Control Objectives for Information and related Technology (COBIT) or Payment Card Industry (PCI). A compliance framework is an industry-specified best practices guideline that deals with the underlying IT infrastructure, applications, business services and processes, and how they are organized, managed, and monitored. Compliance frameworks are hierarchical to allow for direct representation of these industry frameworks.

For information about defining a compliance framework and examples of compliance frameworks, see the Oracle Enterprise Manager Cloud Control Extensibility Programmer's Reference.

10.3.2 About Compliance Standards

A compliance framework maps to a set of compliance standards that perform a collection of checks following broadly accepted best practices to ensure that IT infrastructure, applications, business services and processes are organized, configured, managed, and monitored correctly. A compliance standard evaluation can provide information related to platform compatibility, known issues affecting other customers with similar configurations, security vulnerabilities, patch recommendations, and more. Customers can run an evaluation of compliance standards in order to learn about how they can bring their systems into compliance with recommended best practices and improve the stability and security of their systems.

A compliance standard is Enterprise Manager's representation of a compliance control that must be tested against a set of IT infrastructure to determine if the control is being followed. A compliance control, such as for PCI, COBIT, or any other industry framework, is a description of the test that an IT organization would perform to ensure a policy, process, or procedure is being followed in a compliant manner. Compliance standards can be mapped to compliance frameworks so that violations can result in a compliance score impact on the compliance framework.

For information about defining compliance standards and examples of compliance standards, see the Oracle Enterprise Manager Cloud Control Extensibility Programmer's Reference.

10.3.3 About Compliance Standard Rules

Oracle Enterprise Manager Cloud Control 12c has three types of rules:

  • Repository Rule

    Performs a check against any metric collection data in the Enterprise Manager repository

  • Real-time Monitoring Rule

    Monitors actions to files, processes, and more. Also captures user login and logout activities

  • WebLogic Server (WLS) Signature Rule

    Checks a WebLogic target for support best practice configurations.

Compliance standard rules specify the actual check that is going to happen. These rules are mapped to one or more compliance standards.

For information about defining compliance standard rules and examples of compliance standard rules, see the Oracle Enterprise Manager Cloud Control Extensibility Programmer's Reference.

10.3.4 Some Considerations for Creating Compliance Standards

A compliance standard refers to one or more compliance standard rules. When creating a compliance standard, the standard should be granular enough so that it can map appropriately to one or more related compliance frameworks. For example, consider this compliance framework structure that exists in Enterprise Manager based on PCI:

PCI – Payment Card Industry Compliance Framework

  • PCI Requirement 10 - Regularly monitor and test networks

    • PCI 10.5 - Secure audit trails

Many compliance standards exist that should be mapped to this part of the compliance framework structure, each with their own rules to address this specific requirement. You can check that audit settings are set properly, or check in real time if anyone changes an auditing configuration. Another standard can check that regular users are not trying to read from an audit trail.

In this example, the audit trail referenced in the compliance framework can relate to many different types of targets. Oracle Database, WebLogic, Enterprise Manager, E-Business Suite, and PeopleSoft have their own types of audit trails that must be secured. Any standards created to monitor these target-specific audit trails map to the same compliance framework (PCI 10.5 – Secure Audit Trails).

If compliance standards are structured in a granular way so that they can map to existing and future compliance frameworks, then violations in a rule can be rolled up to impact the score of the compliance framework correctly.

10.3.5 About Compliance Evaluation

Compliance standards are evaluated on targets. Evaluation results of the compliance framework, compliance standards and target levels are available to the end user from the Enterprise Manager UI.

Compliance evaluation is a process of validating requirements and regulations imposed by a compliance standard against a target. To measure this, the compliance standard rules perform single health or real-time monitor checks that are grouped into compliance standards, which together are one test of compliance. Then these compliance standards are grouped into respective compliance frameworks so that the results of the test can be associated with the relevant areas of the customer's framework.

Compliance evaluation generates a score for a target, that is how much the target is compliant with the standard. A 100% Compliance Score means that the target follows all requirements and regulations imposed by the compliance standard.

Because Target Compliance must be monitored regularly, you must associate a compliance standard with targets. Evaluation is performed automatically for any associated targets when their state refreshes.