10 Understanding Compliance Standards

The Oracle Enterprise Manager Compliance Management solution provides the capability to define, customize, and manage Compliance Frameworks and Compliance Standards. It also provides the tools to evaluate targets and systems for compliance with business best practices in terms of configuration, security, storage, and so on.

This chapter contains the following sections:

For a detailed explanation of compliance, refer to the Managing Compliance chapter in the Oracle Enterprise Manager Lifecycle Management Administrator's Guide.

To view a visual demonstration about the Compliance Management framework, access the following URL and click Begin Video.


10.1 About the Compliance Management Solution

The Oracle Enterprise Manager Compliance Management solution:

  • Determines if targets and systems have valid configuration settings automatically.

  • Determines if targets and systems are exposed to configuration-related vulnerabilities automatically.

  • Advises on how to change configuration to bring targets and systems into compliance with respect to best practices.

  • Provides real-time monitoring of a target's files, processes, users, Windows registry entries, and more to let Enterprise Manager users know where a configuration change is taking place in their environment.

  • Determines if real-time detected configuration changes are authorized by open change management requests. It creates violations when an action is determined to be unauthorized.

  • Provides Oracle provided compliance standards to map to Compliance Standard rules. This mapping enables you to visualize how noncompliant settings and actions will affect any compliance framework that an organization follows.

  • Provides a compliance-focused view of the IT configuration and change that is suitable for Line of Business owners, IT managers, and compliance managers to refer to regularly, enabling them to check on their organization's compliance coverage.

10.2 Overview of Compliance Management

The following sections provide an overview of the features of compliance management:

10.2.1 About Compliance Framework

A compliance framework is an industry-specified best practices guideline that deals with the underlying IT infrastructure, applications, business services and processes, and how they are organized, managed, and monitored. Compliance frameworks are hierarchical to allow for direct representation of these industry frameworks.

For information about defining a compliance framework and examples of compliance frameworks, see the Oracle Enterprise Manager Cloud Control Extensibility Programmer's Reference.

10.2.2 About Compliance Standards

A compliance framework maps to a set of compliance standards that perform a collection of checks following broadly accepted best practices to ensure that IT infrastructure, applications, business services and processes are organized, configured, managed, and monitored correctly. A compliance standard evaluation can provide information related to platform compatibility, known issues affecting other customers with similar configurations, security vulnerabilities, patch recommendations, and more. Customers can run an evaluation of compliance standards in order to learn about how they can bring their systems into compliance with recommended best practices and improve the stability and security of their systems.

A compliance standard is Enterprise Manager's representation of a compliance control that must be tested against a set of IT infrastructure to determine if the control is being followed. A compliance control is a description of the test that an IT organization would perform to ensure a policy, process, or procedure is being followed in a compliant manner. Compliance standards can be mapped to compliance frameworks so that violations can result in a compliance score impact on the compliance framework.

For information about defining compliance standards and examples of compliance standards, see the Oracle Enterprise Manager Cloud Control Extensibility Programmer's Reference.

10.2.3 About Compliance Standard Rules

Oracle Enterprise Manager Cloud Control 13c has five types of rules:

  • Repository Rule

    Performs a check against any metric collection data in the Enterprise Manager repository

  • Real-time Monitoring Rule

    Monitors actions to files, processes, and more. Also captures user login and logout activities

  • WebLogic Server (WLS) Signature Rule

    Checks a WebLogic target for support best practice configurations.

  • Agent-side Rule

    Detects configuration problems on the Management Agent. This enables the implementation of the Security Technical Implementation Guide (STIG) security specifications.

  • Manual Rule

    There are checks that must be performed but cannot be automated. For example, a common security check is "to ensure secure access to the data center". These types of checks can be accounted for in a compliance framework.

Compliance standard rules specify the actual check that is going to happen. These rules are mapped to one or more compliance standards.

For information about defining compliance standard rules and examples of compliance standard rules, see the Oracle Enterprise Manager Cloud Control Extensibility Programmer's Reference.

10.2.4 Some Considerations for Creating Compliance Standards

A compliance standard refers to one or more compliance standard rules. When creating a compliance standard, the standard should be granular enough so that it can map appropriately to one or more related compliance frameworks. For example, consider this compliance framework structure that exists in the Oracle Generic Compliance Framework:

  • Change and Configuration Management (compliance framework subgroup)

    • Database Change (compliance framework subgroup)

      • Configuration Best Practices for Oracle Database (compliance standard)

      • Configuration Best Practices for Oracle RAC Database (compliance standard)

      • Configuration Best Practices for Oracle Pluggable Database (compliance standard)

    Many compliance standards will exist that should be mapped to this part of the Compliance Framework structure, each with their own rules to address this specific requirement. One may check that configuration settings are set properly. Another may be used to check in real-time if anyone changes a configuration setting.

    In this example, the "Database Change compliance framework subgroup" can relate to many different types of targets. Oracle Database, Oracle RAC Database, and Oracle Pluggable Database all have their own types of configurations that all need to be secured. Any Standards created to monitor these target-specific configurations would map to the same "Database Changes subgroup".

    If compliance standards are structured in a granular way so that they can map to existing and future compliance frameworks, then violations in a rule can be rolled up to impact the score of the compliance framework properly.

10.2.5 About Compliance Evaluation

Compliance standards are evaluated on targets. Evaluation results of the compliance framework, compliance standards and target levels are available to the end user from the Enterprise Manager UI.

Compliance evaluation is a process of validating requirements and regulations imposed by a compliance standard against a target. To measure this, the compliance standard rules perform single health or real-time monitor checks that are grouped into compliance standards, which together are one test of compliance. Then these compliance standards are grouped into respective compliance frameworks so that the results of the test can be associated with the relevant areas of the customer's framework.

Compliance evaluation generates a score for a target, that is how much the target is compliant with the standard. A 100% Compliance Score means that the target follows all requirements and regulations imposed by the compliance standard.

Because Target Compliance must be monitored regularly, you must associate a compliance standard with targets. Evaluation is performed automatically for any associated targets when their state refreshes.