Satisfying compliance regulations and reducing the risk of security breaches are among the top security challenges businesses face today. Analysis of numerous security incidents has shown that timely examination of audit data could have helped detect unauthorized activity early and reduced the resulting impact. Well-known regulations, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), combined with industry-driven initiatives, such as the Payment Card Industry Data Security Standard (PCI-DSS), and the proliferation of breach notification laws, have made information protection a top-level issue for the enterprise. As security threats become more sophisticated, monitoring is becoming an increasingly important component of the defense-in-depth architecture.
Unauthorized access, use, or disclosure of sensitive and critical information can seriously impact both individuals, by contributing to identity theft, and the organization, by reducing public trust in it. It is not enough to simply secure such data; companies must also provide auditing as a means of ensuring compliance.
Oracle E-Business Suite and its associated technology stack provide a variety of auditing mechanisms to address different requirements. This document introduces the auditing mechanisms available, describes the tasks each should be used for, and recommends how to configure them in the context of Oracle E-Business Suite.
There are many different reasons for configuring an Oracle E-Business Suite environment for auditing and logging. The most common reasons that administrators are required to configure auditing and logging include the following:
Monitor system and database activity
Detect suspicious activity and attacks
Investigate incidents after an attack
Monitor for compliance reasons, including SOX, HIPAA, PCI-DSS
Perform business process monitoring to implement business controls
Monitor performance of the environment
Similarly, there are a variety of roles that may be interested in auditing different aspects of Oracle E-Business Suite:
External/internal audit teams
Security teams
Technical system administrators (Apps DBAs/UNIX DBAs)
Functional system administrators and users
While the mechanisms described in this document will be useful for any of the reasons and roles mentioned above, we will focus on three areas: monitoring the Oracle E-Business Suite application and technology stack to track current usage, detecting attacks and suspicious activity, and configuring auditing and logging to allow for a more comprehensive incident investigation after an attack.