Analyze Security Risk

The Security Assessment dashboard provides several views of the security risks across all of your target databases.

The Risk Summary shows you how much risk you have across all of your target databases. You can compare the number of high, medium, low, advisory, evaluate, and deferred risk findings across all of your target databases, and view which risk categories have the greatest numbers. From this tab, you can drill down into a risk level to view details about the risks. If you are reviewing a risk and are interested in a particular target database, you can drill down further into it to view how it is contributing to the risks.

The Target Summary shows you a view of the security posture of each of your target databases. You can view the number of high, medium, low, advisory, evaluate, and deferred risks for each database. You can also see, at a glance, if the latest assessment deviates from the baseline and the assessment date. This view also provides a link to the latest assessment for each target database.

Analyze Security Risk for a Target Database

You can access the latest assessment report to analyze the security risk for a target database by going through the Target Summary tab.

Steps

  1. From the Security Assessment page, click the Target Summary tab.
  2. On the left under Compartment, select the compartment that contains the target database(s) for which you want to view the Security Assessment reports. Select the INCLUDE CHILD COMPARTMENTS check box if you also want to be able to view reports for target databases that reside in child compartments.
  3. (Optional) Under Filters, select a target database from the Target databases list to narrow the scope of displayed metrics and charts.
  4. On the Target Summary tab, locate the row in the table for your target database, and click View Report.

    The Security Assessment Details page is displayed, showing you the latest assessment report for your target database. At the top of the report, the Assessment Summary tab is displayed by default.

  5. On the Assessment Summary tab, view the information in the table to see at a glance how secure your database is. The Top 5 common controls are the five security controls that Oracle considers the most important to the security of your target databases. You can see what risk level your target database was assessed at for each of these controls. Click on any of these controls to see the Assessment Details. The table shows you the number of findings per category per risk level.
  6. Click the Security Assessment Information tab to view metadata about the report.
  7. To specify OCI tags for the assessment, click the Tags tab and add tags.
  8. In the Assessment Details section at the bottom of the page, expand the categories to view all of the information about the risk findings.
  9. (Optional) Under Filters on the left, you can filter by risk level or data compliance reference.
    • To filter by Risk Level, click the check boxes for each risk level (High, Medium, Low, Advisory, Evaluate, Deferred, and Pass) to filter the information displayed in the Assessment Details section. Alternatively, you can select the ALL check box to show all risk levels.
    • To filter by Reference, click the check boxes for each reference (DISA STIG, CIS Benchmark, EU GDPR, and Oracle Best Practices) to filter the information displayed in the Assessment Details section. Alternatively, you can select the ALL check box to show all reference types.

See Also:

For more information about Assessment Details, see Security Assessment Overview.

Analyze Security Risk For All Target Databases

By analyzing the security risk across all your target databases, you can identify risks and recommendations across your database fleet.

Steps

  1. From the Data Safe home page in Oracle Cloud Infrastructure, under Security Center on the left, click Security Assessment.
  2. Select the compartment that contains the target database(s) for which you want to aggregate the findings.
    • (Optional) Deselect INCLUDE CHILD COMPARTMENTS to exclude findings for target databases that reside in child compartments.
    • To view all findings available to you in the tenancy/region, select the root compartment and leave INCLUDE CHILD COMPARTMENTS selected. This presents the findings from all compartments that you have the privileges to access.
  3. Analyze how much risk you have across all of your target databases:
    1. View the Risk level, Risks by category, and Top 5 common controls charts.
    2. On the Risk Summary tab, examine the number of findings discovered across the target databases and for each risk category.
    3. To view more details about the risks, including explanations and recommendations, click a risk level link in the Risk Level column. The Risk Details page is displayed. It consists of a Risks by category chart and a Risk Details section. The Risk Details section shows the risks and how many target databases have this risk. Expand the risks in each category to view remarks and affected target databases. The remarks explain the risk and recommend actions for remediation.
    4. To view details for a particular target database, click the target database link in a risk category. Details about the risk finding for the target database are displayed.
    5. Click Close.

Note:

You can set the scope of your view of Security Assessment to the root compartment alone, to root with all of its child compartments, or to any compartment under root with or without that compartment's child compartments.

When you look at risk findings and target database users in Security Assessment, you can set the scope to root with its child compartments to review the overall security posture of your tenancy. You can also set the scope to focus on a specific compartment of interest.

It's important to remember that within the selected scope, your view within Security Assessment is determined by the privileges your account has been granted in OCI.

Adjust the Risk Level of a Risk Finding

Once you have taken appropriate actions to mitigate security risks on a target database based on the results of a security assessment, you can adjust the risk level of a finding. Adjustments of risk levels can be indefinite or have an expiration date. Upon expiry, the next assessment resumes evaluating the finding and displays it as found.

Following the initial identification of risks, the next step usually involves validating the identified risk levels before taking remediation actions. Occasionally, the identified risk is not applicable as there might be some other mitigating control in place, or it might not be necessary to fulfill your business or auditor requirements. If this is the case, you might want to have Data Safe adjust the reported findings to match your organization’s specific needs. Having the ability to change the risk level will also help you to streamline and govern the assessment process.

Based on your circumstances, it may be appropriate to adjust the risk level of a risk finding. You can set the risk level of a finding to be any of the risk levels automatically generated by Oracle (high, medium, low, evaluate, or pass), or you can set the risk level to deferred. A risk level of deferred allows you to indicate that, after evaluation, the finding has been acknowledged but not immediately addressed. You are delaying taking action on a particular identified risk for a specified period of time or indefinitely so that it doesn’t show up again as a risk in subsequent reports.

For example, if a risk finding has been designated by Oracle at the evaluate risk level, you should first read the details provided in the Security Assessment. Once you have read the details you may decide that there is no security risk to your target database and set the risk level to pass. When the security assessment is next refreshed, either manually or based on its schedule, the risk level will remain pass.

Alternatively, you may be in a situation in which your organization is planning to make adjustments to its password requirements in a few months. However, the current security assessment is designating "Case-Sensitive Passwords" as a high risk level. You may wish to adjust the risk level of this finding to deferred until your organization has implemented the new password requirements. You can do this by specifying an expiration date for the adjusted risk level. Upon expiry, the next security assessment for that target will resume evaluating the finding. At that time, the risk will again be displayed as it is found in the target database.
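The adjustment and expiry behaviour described above, modelled offline as an added example (not Oracle's code and not the Data Safe API): it resolves the level each finding is reported at on a given assessment date and rolls the results up into a fleet-wide count per risk level. The record layout, target names, sample findings, and the assumption that an adjustment still applies on its expiration date are all hypothetical.

```python
from collections import Counter
from datetime import date

# Risk levels as named on the page. The record layout is hypothetical,
# not the Data Safe API schema.
LEVELS = ["high", "medium", "low", "advisory", "evaluate", "deferred", "pass"]

def effective_level(finding, assessed_on):
    """Level a finding is reported at by an assessment run on assessed_on."""
    adj = finding["adjustment"]
    if adj is None:
        return finding["assessed"]
    expires = adj["expires"]              # None = indefinite adjustment
    # Assumption: the adjustment still applies on its expiration date.
    if expires is not None and assessed_on > expires:
        return finding["assessed"]        # lapsed: displayed as found
    return adj["level"]

def risk_summary(findings, assessed_on):
    """Fleet-wide count of findings per effective risk level."""
    counts = Counter(effective_level(f, assessed_on) for f in findings)
    return {level: counts[level] for level in LEVELS}

def indefinite_adjustments(findings):
    """(target, title) of adjustments with no expiration date, for review."""
    return [(f["target"], f["title"]) for f in findings
            if f["adjustment"] and f["adjustment"]["expires"] is None]

def adj(level, expires, why):
    return {"level": level, "expires": expires, "justification": why}

# Constructed sample findings; targets and two of the titles are made up.
FINDINGS = [
    {"target": "db-a", "title": "Case-Sensitive Passwords", "assessed": "high",
     "adjustment": adj("deferred", date(2025, 6, 30), "policy change planned")},
    {"target": "db-a", "title": "Sample finding A", "assessed": "evaluate",
     "adjustment": adj("pass", None, "reviewed, no risk to this target")},
    {"target": "db-b", "title": "Case-Sensitive Passwords", "assessed": "high",
     "adjustment": None},
    {"target": "db-b", "title": "Sample finding B", "assessed": "medium",
     "adjustment": adj("deferred", None, "")},
]

if __name__ == "__main__":
    for day in (date(2025, 5, 1), date(2025, 7, 1)):
        print(day, risk_summary(FINDINGS, day))
    print("no expiry:", indefinite_adjustments(FINDINGS))
```

Listing the adjustments that have no expiration date is a review aid added here, since those are the ones that never return to their assessed level on their own.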

To adjust the risk level of a risk finding:

  1. Under Security center, click Security assessment.
  2. From the Security Assessment page, click the Target Summary tab.
  3. (Optional) On the left under List Scope, select the compartment that contains the target database(s) for which you want to view the Security Assessment reports. Select the INCLUDE CHILD COMPARTMENTS check box if you also want to be able to view reports for target databases that reside in child compartments.

    Note:

    The schedule that generates the latest assessment for a target database is available in the same compartment as the target database.
  4. (Optional) Under Filters, select a target database from the Target databases list to narrow the scope of displayed metrics and charts.
  5. On the Target Summary tab, locate the line in the table for your target database, and click View Report. The Security Assessment Details page is displayed, showing you the latest assessment report for your target database.
  6. In the Assessment details section, click on the pencil icon for the risk finding that you would like to adjust.
  7. Select either Defer risk or Change risk.
  8. If you're changing the risk, select the new risk level.
  9. Optionally, provide a justification for adjusting the risk.
  10. Optionally, provide an expiration date for the risk adjustment.
  11. Click Save.

    Once the risk level finishes updating, you will see an indicator that the risk level for this finding has been modified.