View and Analyze Security Assessments and Assessment History
This section shows you how to view and interact with a security assessment for a single target database, multiple target databases, and target database groups. It also walks you through the Assessment History where all saved assessments are stored.
View the Latest Security Assessment for a Target Database
You can access the latest security assessment to analyze the current security risk for a target database.
- On the Security assessment landing page, select the Target summary tab.
- Next to Applied filters, select the compartment that contains the target database for which you want to view the latest assessment. You can access only compartments and target databases within compartments for which you have privileges.
- In the table, select the name of your target database. The latest security assessment opens.
- On the Details tab, view general metadata, baseline, and template information about the assessment.
- On the Assessment summary tab, view the information in the tables to see at a glance how secure your database is.
  - The Top 5 common security controls table lists the top five security controls that Oracle considers the most important to the security of your target databases. You can see what risk level your target database was assessed at for each of these controls.
  - The Summary table shows you the number of findings per category per risk level.
- On the Assessment details tab, view the list of findings for your target database.
- In the Search and Filter box, you can filter the list by risk, finding, category, references, or documentation.
  - Risk level values include High, Medium, Low, Advisory, Evaluate, Deferred, and Pass.
  - Reference values include DISA STIG, CIS Benchmark, EU GDPR, and Oracle Best Practices.
- Expand categories to view all of the information about the risk findings.
View a Security Assessment for Multiple Target Databases
By analyzing the security risk across all your target databases, you can identify risks and recommendations across your database fleet.
- Access the Security assessment landing page.
- Next to Applied filters, select the compartment that contains the target databases for which you want to view an assessment.
  - To include all compartments in your tenancy, set the scope to root with its child compartments.
  - You can access only compartments and target databases within compartments for which you have permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM).
- On the Overview tab, view the Risk level, Risks by category, and Top 5 common security controls charts.
- On the Risk summary tab, examine the number of findings discovered for each risk category. You can also view the number of target databases affected for each risk level.
- To view more details about the risks, including explanations and recommendations:
  - In the Risk Level column, select a risk level. A page opens showing you a list of findings for the selected risk.
  - For each finding, view the category and the number of target databases.
  - Expand the risks in each category to view remarks and affected target databases. The remarks explain the risk and recommend actions for remediation.
  - To view details for a particular target database, select the target database link in the risk.
Adjust the Risk Level of a Risk Finding
Once you have taken appropriate actions to mitigate security risks on a target database based on the results of a security assessment, you can adjust the risk level of a finding. Risk level adjustments can be indefinite or set to expire on a specific date. When the expiration date is reached, the next assessment re-evaluates the finding and displays it as a current finding, if applicable.
Following the initial identification of risks, the next step usually involves validating the identified risk levels before taking remediation actions. Occasionally, the identified risk is not applicable as there might be some other mitigating control in place, or it might not be necessary to fulfill your business or auditor requirements. If this is the case, you might want to have Oracle Data Safe adjust the reported findings to match your organization’s specific needs. Having the ability to change the risk level will also help you to streamline and govern the assessment process.
Based on your circumstances, it may be appropriate to adjust the risk level of a risk finding. You can set the risk level of a finding to be any of the risk levels automatically generated by Oracle (high, medium, low, evaluate, or pass), or you can set the risk level to deferred. A risk level of deferred lets you indicate that, after evaluation, the finding has been acknowledged but not immediately addressed. You are delaying action on a particular identified risk for a specified period of time or indefinitely, so that it doesn’t show up again as a risk in subsequent reports.
For example, if a risk finding has been designated by Oracle at the evaluate risk level, you should first read the details provided in the Security Assessment. Once you have read the details you may decide that there is no security risk to your target database and set the risk level to pass. When the security assessment is next refreshed, either manually or based on its schedule, the risk level will remain pass.
Alternatively, you may be in a situation in which your organization is planning to make adjustments to its password requirements in a few months. However, the current security assessment is designating "Case-Sensitive Passwords" as a high risk level. You may wish to adjust the risk level of this finding to deferred until your organization has implemented the new password requirements. You can do this by specifying an expiration date for the adjusted risk level. Upon expiry, the next security assessment for that target resumes evaluating the finding. From then on, the finding is displayed at the risk level found on the target database.
To adjust the risk level of a risk finding:
- Open the latest security assessment for a target database.
- Select the Assessment details tab.
- (Optional) Select the Search and Filter box, and then set a filter on risk, finding, category, references, or documentation.
- Locate the finding that you want to update, select the three dots at the end of the row, and select Update risk. The Update risk for finding panel opens.
- Select Defer risk or Change risk.
  - If you're changing the risk, select the new risk level.
- (Optional) Enter a justification for adjusting the risk.
- To set an expiration date, at Would you like to select an expiration date, select Yes, and then use the calendar widget to set a date.
- Select Save.
View the Risk Modification Report
You can view a report that details all the findings for a target database where the risk was modified from the risk level designated by Oracle.
- Open the latest security assessment for your target database.
- Select the Risk modification report tab.
- (Optional) Create a filter.
- View the results. Each line shows you the following information:
  - Finding
  - Original risk
  - Modified risk (new risk level, if applicable)
  - Deferred risk (if applicable)
  - Justification
  - Expiration date
  - Updated (timestamp)
  - Modified by (user name).
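A periodic review of risk adjustments can be scripted against the fields listed above. The following is an added example, not Oracle code: it assumes the report rows have been copied into a CSV with those field names as columns, that a deferred finding is marked `Yes`, and that dates are ISO formatted. The sample rows and the names `SAMPLE_REPORT` and `review_modifications` are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample rows. Column names follow the report fields listed above;
# the CSV layout, the "Yes" marker and the ISO dates are assumptions.
SAMPLE_REPORT = """\
Finding,Original risk,Modified risk,Deferred risk,Justification,Expiration date,Updated,Modified by
Case-Sensitive Passwords,High,,Yes,Password policy change planned,2025-09-30,2025-03-01,dba_alice
Finding A,High,Pass,,,,2025-03-02,dba_bob
Finding B,Medium,,Yes,Compensating control in place,,2025-01-15,dba_alice
Finding C,Evaluate,Pass,,Reviewed details; not applicable,2025-02-01,2024-11-20,dba_carol
"""


def review_modifications(report_csv, today):
    """Return {finding: [reasons]} for adjustments a reviewer should re-check."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        reasons = []
        # Justification is optional in the console, so it can be missing.
        if not row["Justification"].strip():
            reasons.append("no justification")
        expires = row["Expiration date"].strip()
        if not expires:
            # Indefinite adjustment: the finding is never re-evaluated.
            reasons.append("no expiration date")
        elif date.fromisoformat(expires) <= today:
            # Expiration reached: the next assessment re-evaluates the finding.
            reasons.append("expired")
        deferred = row["Deferred risk"].strip().lower() == "yes"
        lowered = deferred or row["Modified risk"].strip() not in ("", "High")
        if row["Original risk"].strip() == "High" and lowered:
            reasons.append("high risk overridden")
        if reasons:
            flagged[row["Finding"]] = reasons
    return flagged


if __name__ == "__main__":
    for finding, reasons in review_modifications(SAMPLE_REPORT, date.today()).items():
        print(f"{finding}: {', '.join(reasons)}")
```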
View the Assessment History for a Target Database
The Assessment history in Security Assessment lets you view all the auto-generated and saved security assessments for your target databases. From here, you can also open individual assessments.
- In the left navigation pane, under Security assessment, select Assessment history.
- Next to Applied filters, select the compartment that contains your target databases.
- Next to Applied filters, configure a time period for the assessments (configure a custom time period or select a preconfigured one).
- (Optional) Select the Search and Filter box and create a filter on target database, baseline, high risk, medium risk, low risk, or advisory to narrow the list of target databases.
- View the results in the table. Each line shows metadata for an assessment and high-level statistics.
  - Target database name
  - Assessment name
  - Whether the assessment is a baseline assessment (yes or no)
  - When the assessment was created (timestamp). For a baseline assessment, the date and time represents when the first baseline was set for any target in the current compartment. It's not necessarily the date and time the target-specific baseline you are viewing was created.
  - Status
  - Number of high risk, medium risk, low risk, advisory, and evaluate findings
- To sort the table based on a column, hover over a column heading, and then select the Sort Ascending or Sort Descending button.
- To filter the table based on a column, hover over a column heading, and then select the Filter button. A popup window appears. Configure a custom time range or select a preconfigured one.
- To open an assessment, select its name.