HIPAA Auditing for Oracle Database Security: Database Security Audits and HIPAA Audit Trails
Publisher: Rampant TechPress
ISBN: 978-0-9727513-9-1
Published: 01 December 2003
Pages: 400
Abstract

From the Publisher: Sharing secrets for the effective creation of auditing mechanisms for Health Insurance Portability and Accountability Act of 1996 (HIPAA)-compliant Oracle systems, this book demonstrates how the HIPAA framework provides complete security access and auditing for Oracle database information. Complete details for using Oracle auditing features, including auditing from Oracle redo logs, using system-level triggers, and using Oracle9i fine-grained auditing (FGA) for auditing the retrieval of sensitive information, are provided. Examples from all areas of auditing are covered and include working scripts and code snippets. Also discussed are the use of the Oracle9i LogMiner to retrieve audits of database updates and how to implement all Oracle system-level triggers for auditing, including DDL triggers, server error triggers, and login and logoff triggers.

About the Authors: Arup Nanda has been an Oracle DBA in areas such as design, modeling, performance tuning, and backup and recovery. Currently he is working on the HIPAA database design for a large U.S. national insurance company. He is a frequent speaker at Oracle-related conferences such as IOUG Live, has written several Oracle-related articles, and is on the editorial board for SELECT Journal, the publication of the International Oracle Users Group. He is the founder of Proligence, Inc., a company that provides specialized solutions on Oracle technologies such as replication, standby databases, security evaluations, and HIPAA implementations. He lives in Norwalk, Connecticut. Donald K. Burleson is the author of 16 Oracle database books and is the editor-in-chief of Oracle Internals. He is an Oracle consultant with extensive experience designing and implementing Oracle8 databases, including systems architecture, project management, data warehouse design, implementation and tuning, tuning massively parallel Oracle databases, Oracle SQL tuning, using Oracle with SAP, and tuning very large Oracle databases. He lives in Kittrell, North Carolina.
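The auditing features the publisher's description lists (fine-grained auditing of reads of a sensitive column, plus logon, DDL and server-error system triggers) look like this in practice. The block below is an added example written for this page, not code from the book or its authors. The schema names PHI and SECAUDIT, the table PHI.PATIENTS with its SSN column, and the three log tables are assumptions; the DBMS_FGA.ADD_POLICY parameters are the ones available in Oracle9i (later releases add statement_types, audit_trail and multi-column audit_column).

```sql
-- Added example (not from the book). Assumed objects: schema PHI with table
-- PATIENTS(SSN ...), and a locked-down audit schema SECAUDIT that owns the
-- log tables and triggers. Audited users get no grants on SECAUDIT objects.

CREATE TABLE secaudit.session_log (
  event_time  DATE,
  event       VARCHAR2(10),   -- 'LOGON' or 'LOGOFF'
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(64),
  host        VARCHAR2(64),
  ip_address  VARCHAR2(45),
  client_id   VARCHAR2(64)    -- end-user identity set by the application tier
);

CREATE TABLE secaudit.ddl_log (
  event_time  DATE,
  db_user     VARCHAR2(30),
  sysevent    VARCHAR2(20),   -- CREATE, ALTER, DROP, GRANT, REVOKE ...
  obj_owner   VARCHAR2(30),
  obj_type    VARCHAR2(20),
  obj_name    VARCHAR2(30)
);

CREATE TABLE secaudit.error_log (
  event_time  DATE,
  db_user     VARCHAR2(30),
  err_code    NUMBER,
  client_id   VARCHAR2(64)
);

-- 1. FGA policy: audit a SELECT on PHI.PATIENTS only when it references SSN.
--    In 9i FGA covers SELECT only and audit_column takes a single column;
--    audit_condition => NULL acts as TRUE (always audit when SSN is touched).
--    Each hit lands in DBA_FGA_AUDIT_TRAIL with the full SQL text and the
--    client identifier, so application-authenticated end users stay traceable
--    even though they all connect as one database account.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'PHI',
    object_name     => 'PATIENTS',
    policy_name     => 'PHI_SSN_READ',
    audit_condition => NULL,
    audit_column    => 'SSN',
    enable          => TRUE);
END;
/

-- 2. Logon trigger. An unhandled error in an AFTER LOGON trigger locks out
--    every user who lacks ADMINISTER DATABASE TRIGGER, so the body stays
--    minimal and swallows its own failures (alert on an empty log instead).
--    A BEFORE LOGOFF trigger with event => 'LOGOFF' mirrors this one.
CREATE OR REPLACE TRIGGER secaudit.trg_logon
AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO secaudit.session_log VALUES (
    SYSDATE, 'LOGON',
    SYS_CONTEXT('USERENV', 'SESSION_USER'),
    SYS_CONTEXT('USERENV', 'OS_USER'),
    SYS_CONTEXT('USERENV', 'HOST'),
    SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
    SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'));
EXCEPTION
  WHEN OTHERS THEN NULL;   -- never turn an audit failure into a denied logon
END;
/

-- 3. DDL trigger: who created, altered, dropped or granted what.
CREATE OR REPLACE TRIGGER secaudit.trg_ddl
AFTER DDL ON DATABASE
BEGIN
  INSERT INTO secaudit.ddl_log VALUES (
    SYSDATE, SYS_CONTEXT('USERENV', 'SESSION_USER'),
    ora_sysevent, ora_dict_obj_owner, ora_dict_obj_type, ora_dict_obj_name);
END;
/

-- 4. Server-error trigger: records the top error of the stack. It fires only
--    inside an existing session, so failed logins (ORA-01017) never reach it;
--    those need the standard audit option below instead.
CREATE OR REPLACE TRIGGER secaudit.trg_servererror
AFTER SERVERERROR ON DATABASE
BEGIN
  INSERT INTO secaudit.error_log VALUES (
    SYSDATE, SYS_CONTEXT('USERENV', 'SESSION_USER'),
    ora_server_error(1), SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'));
END;
/
AUDIT CREATE SESSION WHENEVER NOT SUCCESSFUL;

-- 5. Review: who read SSNs today, by application end user rather than by
--    the shared database account.
SELECT timestamp, db_user, client_id, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PHI_SSN_READ'
   AND timestamp > TRUNC(SYSDATE)
 ORDER BY timestamp;
```

The CLIENT_IDENTIFIER context is only as good as the application that sets it (via DBMS_SESSION.SET_IDENTIFIER before running end-user queries); if the application never sets it, the FGA and trigger records fall back to the shared database user and lose the per-person accountability HIPAA asks for. FGA writes its rows in an autonomous transaction, so a rolled-back SELECT is still recorded.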

Reviews

Jean-Pierre Kuilboer

With compliance emerging as an important topic in information systems, Nanda and Burleson's book is timely. In this engaging book, the authors address in depth some implementation aspects of Oracle privacy and security that are not easily found elsewhere. The book is divided into three sections. In the first, the authors provide an introduction to the concepts discussed: the Health Insurance Portability and Accountability Act (HIPAA), Oracle security, and Oracle auditing. In chapter 1, HIPAA is introduced via a short story, providing context for the discussion in the rest of the book. In chapter 2, security is presented in the context of the Oracle environment, but still in rather nontechnical terms. The follow-up in chapter 3 begins a discussion of auditing in the form of the continuing short story from chapter 1.

Sections 2 and 3 are rather technical, presenting a detailed discussion of Oracle's security and auditing features. Most of the material is relevant to version 9i of the Oracle software, with some mention of previous versions and their associated limitations. Chapter 4, a long chapter, starts Section 2. It addresses general Oracle security, and provides some helpful tips and scripts that are worth the price of the book. Chapter 5 continues with the special topic of virtual private databases (VPDs). The authors explore the concepts of VPDs and how they are used to secure a database, instantly partitioning existing tables into tables that appear differently to different people. Scripts and tips are offered that avoid the need to invoke Oracle's advanced security option, which is not available in all installations. Chapter 6 closes the section with coverage of encryption, making use of the built-in Oracle toolset without the need for additional products. Network security in the context of Oracle is demonstrated with a well-written set of examples.

Section 3 covers auditing, and is divided into four chapters. These start with a general introduction to Oracle auditing, continuing on to more esoteric topics such as trigger auditing, auditing of grant security, and the newly introduced advanced fine-grained auditing. In chapter 8, the authors walk the reader through features that can be used to implement a variety of mandated accountability requirements. In chapters 9 and 10, Oracle system-event trigger auditing and Oracle grant auditing are explored, with a number of scripts providing a helpful framework for solid auditing. In chapter 11, the often-misunderstood fine-grained auditing (FGA) is addressed. Introduced with Oracle 9i, this capability extends the traditional auditing tool to cases where the database user is not relevant, such as in the case of application-authenticated users. Auditing of select statements is also used as an illustration, and complementary tools such as flashback queries are explained to complete the section on auditing.

The remainder of the book includes a chapter on HIPAA compliance and the role of Oracle in its deployment, and a short chapter introducing some of the new features of Oracle 10g. The introduction of some 10g features prior to its official release is qualified, but adds little to the usefulness of the book.

The book is well organized, and covers some constructive ground in this specialized topic. Both authors know the material, and the few typographical errors do not detract from the impression that this book should be on the bookshelves of Oracle developers involved in securing or auditing a system subject to legal requirements. The subtitle of the book is somewhat misleading, in that it does not cover, in any level of detail, material related to Sarbanes-Oxley or the Gramm-Leach-Bliley Act (GLB). The terms seem to have been included only for indexing purposes. However, most readers will probably not regret reading this work from cover to cover. Similarly, the list of key features at the back of the book includes coverage of the requirements of the Visa USA Cardholder Information Security Program (CISP), and the European Safe Harbor Act. After reading the 13 chapters, the reader will wonder if these topics were ever there, have succumbed to the editing hatchet, or if they are altogether missing in action.

To conclude, this work should provide a valuable reference on a topic that often lacks coverage in general database literature. At the border of data management and the newly found interest in compliance, this timely book has a place in any collection of Oracle texts.

Online Computing Reviews Service
