2 General Principles of Security

Follow these general principles of security when configuring and maintaining the EnterpriseOne system.

2.1 Apply Latest Patch

One of the principles of good security practice is to keep all software versions and patches up-to-date. Establish a policy to keep track of all the vendors, including Oracle, that have supplied software for the production environment. Also, identify the latest software patches and apply them regularly. When applying patches, refer to the minimum technical requirements (MTR) and any restrictions for the software you are using. For JD Edwards EnterpriseOne minimum technical requirements information, see document 745831.1 (JD Edwards EnterpriseOne Minimum Technical Requirements Reference) on My Oracle Support:

https://support.oracle.com/rs?type=doc&id=745831.1

2.2 Apply Oracle Critical Patch Update

Oracle releases information (and patches) for security issues in most products through quarterly, bundled, integrated Critical Patch Updates (CPU). JD Edwards EnterpriseOne Tools security patches are also released with the quarterly Oracle CPU; these patches are delivered as normal Tools one-off service packs.

Patches can include fixes for the operating system, database, and web application server, as well as for any EnterpriseOne server. Refer to the Certifications tab on My Oracle Support and search for the EnterpriseOne components:

https://support.oracle.com/epmos/faces/CertifyHome?_adf.ctrl-state=eyjh3ekv3_9&_afrLoop=303034385433646

CPUs include fixes for the most critical security issues, fixes that avoid patch conflicts, and prerequisites for security fixes. The release dates for CPUs are announced a year in advance and are selected based on most customers' financial calendars; Oracle tries to avoid the blackout dates during which customers generally do not touch their financial systems.

Refer to the Oracle Critical Patch Updates and Security Alert website for more information:

http://www.oracle.com/technology/deploy/security/alerts.htm

2.3 Monitor System Activity

One of the main requirements of system security is monitoring. Auditing, and reviewing the resulting audit records, addresses this requirement. Each component within a system has some degree of monitoring capability. Establish a policy to check and monitor activity in your system regularly. Refer to the database and operating system documentation for their audit functionality. For JD Edwards EnterpriseOne, follow the advice in this document and regularly monitor audit records.

2.4 Configure Accounts Securely

Good security requires secure accounts. Establish a policy to set up strict password controls for all accounts, including the database, operating system, and JD Edwards EnterpriseOne accounts, so that passwords are not compromised. Often, people choose passwords associated with them, such as license plate numbers, children's names, or a hobby, which are easy to guess. In addition, establish a policy to change passwords periodically.

2.5 Follow the Principle of Least Privilege

The principle of least privilege states that users should be given only the privileges they need to perform their jobs. Overambitious granting of responsibilities, roles, and permissions, especially when people are few and work needs to be done quickly, often leaves a system wide open for abuse. Initially, establish a policy to determine and assign least privileges to users. Periodically review user privileges to confirm that they are still relevant to current job responsibilities.

2.6 Enable Minimum Level of Logging

Always run JD Edwards EnterpriseOne and other systems with a minimum level of logging in the production environment. Running JD Edwards EnterpriseOne with a debug level of logging in the production environment adversely impacts system performance and records unnecessary, sensitive information about the environment. Furthermore, such logs can be used to exploit the system if a malicious user obtains access to the log files.

2.7 Set Up Change Management Process

Establish a policy to set up a change management process to keep track of all the changes in your software systems. All changes should be approved and audited.