In this article, we’ll cover the following subjects:
- What is sensitive data?
- Tracking sensitive data access | About the 21B feature in Oracle HCM Cloud
- Steps for Sensitive Data Access Auditing
In this article, we delve into the complex landscape of sensitive Oracle data and the critical need for robust security measures, especially in the context of GDPR compliance. We’ll also focus on how Oracle has creatively addressed this issue by introducing the Sensitive Data Access Audit feature and the integration of Oracle GDPR Security Profile. We’ll provide a detailed breakdown of these new features, walking you through both their technical aspects and practical implementation. As you read on, you’ll gain insights into how to effectively use these features to enhance your organization’s data security and maintain compliance with GDPR regulations.
So, what is sensitive data?
Sensitive data is information that is considered confidential and must be kept secure, protected from outsiders unless they have permission to access it.
Access to any sensitive data must be restricted through adequate information security practices designed to prevent data leakage and breaches, in alignment with Oracle GDPR Security Profile.
Know About Oracle HCM Cloud Feature 21B and Oracle GDPR Security Profile:
A feature released in 21B, but not much explored, lets you track the viewing of sensitive data in the HCM responsive pages.
This is particularly significant when considering GDPR compliance. The IT team can keep a record of things like where a user logged in from (like a computer or phone), when they did it, what web browser and system they used, their username, and what page they looked at.
Below is the list of sensitive data that can be audited in line with Oracle GDPR Security Profile:
- National Identifier Number
- Passport Number
- Driver License Number
- Personal Home Address
- Personal Email Address
- Personal Telephone Number
- Account Number
- Citizenship Number
- Visa Number, Residency Number, and Work Permit
Roles/privileges required to access this functionality:
Assign the PER_VIEW_SENSITIVE_DATA_ACCESS_AUDIT_PRIV privilege to the user. This privilege is granted to the predefined IT Auditor role.
To enable the “Sensitive Data Access Audit” functionality and initiate the audit process, follow these steps in conjunction with configuring Oracle GDPR Security Profile:
Step 1: Access the Setup and Maintenance work area.
Step 2: Find and select the “Manage Administrator Profile Values” task.
Step 3: On the “Manage Administrator Profile Values” page, search for the profile option code “ORA_HCM_SENSITIVE_DATA_VIEW_AUDIT_ENABLED”.
Step 4: In the “Profile Values” section, select “Site” as the profile level. Then, input “Y” in the Profile Value field to activate the feature.
Step 5: Save your changes by clicking the “Save and Close” button.
By following these steps, you set the default profile value to “Y”, thereby enabling the “Sensitive Data Access Audit” option.
Fig 1: Manage Administrator Profile Values
Additionally, IT Auditors can access the new responsive page by navigating to “My Client Groups” and then selecting “Sensitive Data Access Audit” from the “Quick Actions” menu. This interface lets auditors manage and monitor sensitive data access.
Feel free to refer to the visual guide, “Fig 1: Manage Administrator Profile Values,” for further clarity on the process. This comprehensive approach ensures that your organization can actively engage in auditing sensitive data access within Oracle HCM Cloud’s 21B Release while aligning with Oracle GDPR Security Profile.
Fig 2: Home Page
Fig 3: Oracle HCM Sensitive Data Access Audit
Subject area to get this information:
To retrieve information about sensitive data access, users can utilize the “Workforce Management – Sensitive Data Access Audit Real Time” subject area. This subject area is designed to facilitate real-time tracking and reporting of sensitive data accessed through the Oracle HCM Cloud page.
Within this subject area, users can glean the following key information in line with Oracle GDPR Security Profile:
- Viewed Person Details: This entails data about the individual whose information was accessed.
- Viewer Person Details: It pertains to the details of the person who accessed the sensitive data.
- Viewed Page Name: This identifies the specific page that was accessed.
- Viewed Sensitive Data: It provides insights into the sensitive data that was viewed.
- Viewed Date and Time: This records the timestamp when the sensitive data was accessed.
- Viewer IP Address, Browser, Operating System, etc: These details offer additional context, including the viewer’s IP address, browser information, and operating system used during the access.
Fig 4: OTBI Report
By leveraging this subject area, organizations can effectively monitor and report on the details of sensitive data access activities within the Oracle HCM Cloud, contributing to enhanced data security and compliance efforts, including Oracle GDPR Security Profile.
Back-end table to get this information:
For a more customized approach, organizations can create reports and schedule them by querying the back-end table where the sensitive data audit information is stored, while ensuring alignment with Oracle GDPR Security Profile. The table responsible for storing this valuable information is named “PER_SENSITIVE_DATA_AUDIT.”
By querying the “PER_SENSITIVE_DATA_AUDIT” table and considering Oracle GDPR Security Profile, organizations can extract detailed insights into sensitive data access activities. This process enables organizations to tailor their reporting according to specific requirements, fostering a more flexible and detailed analysis of sensitive data access.
In essence, this direct interaction with the back-end table, aligned with Oracle GDPR Security Profile, provides a comprehensive means to delve into the data, derive actionable insights, and gain a deeper understanding of how sensitive information is being accessed within the Oracle HCM Cloud environment.
Sample queries:
Query to get records by logged-in username (replace the placeholder with the viewer's user name):
select * from per_sensitive_data_audit where viewer_user_name = '<viewer user name>' order by creation_date desc
Query to get records by logged-in username and IP address of the machine (replace both placeholders):
select * from per_sensitive_data_audit where viewer_user_name = '<viewer user name>' and ip_address = '<ip address>' order by creation_date desc
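The two lookups above answer "what did this user view?". As an added example (not from the original article), the query below turns the same table into a daily review list, using only the columns that appear in the sample queries. The 30-day window and both thresholds are assumptions to adjust to your own baseline.

```sql
-- Added example: daily review of sensitive-data views per viewer.
-- Uses only the columns that appear in the article's sample queries
-- (viewer_user_name, ip_address, creation_date).
-- Assumptions: 30-day look-back, and thresholds of 50 audit rows per day
-- or more than one source IP per day; tune both to your own baseline.
select viewer_user_name,
       trunc(creation_date)          as view_day,
       count(*)                      as audit_rows,
       count(distinct ip_address)    as distinct_ips,
       min(creation_date)            as first_view,
       max(creation_date)            as last_view
from   per_sensitive_data_audit
where  creation_date >= trunc(sysdate) - 30
group  by viewer_user_name, trunc(creation_date)
having count(*) > 50
    or count(distinct ip_address) > 1
order  by view_day desc, audit_rows desc
```

Because audit rows become available only after sign-out, session timeout or more than 20 clicks, results for the current day may be incomplete.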
Limitations:
- It is in read-only mode.
- Roles, privileges and a profile option must be added to use this feature.
- Limited to the specific attributes listed above.
- The audit report is available after the user has signed out, the session has timed out, or the user has clicked more than 20 times.
Advantages:
- IT auditors can easily track the viewing of sensitive data.
- The new responsive interface enhances user experience.
- IT auditors can also track the IP address, browser, and operating system.
Sensitive data access auditing
Sensitive data access auditing is an expensive and difficult part of regulatory compliance with industry regulations, government regulations, and privacy acts. The requirements for any particular audit vary by regulation, but data access auditing is regarded as a key control that helps secure regulated data.
To meet compliance requirements, the data audit trail must satisfy the points below.
- Make sure to audit all the sensitive data access
- Offer the most detailed event information audit.
- Build and establish the user accountability.
- Assure the trail audit integrity.
- Validate whether all the systems in scope are audited in the right way.
- Customizable compliance reports, alerts, and analytical tools
1. Make sure to audit all the sensitive data access
The audit must deliver visibility into all data access events, so it has to cover:
- All the different types of access
- Each and every user
- All the data systems holding regulated data
2. Offer the most detailed event information audit
To reconstruct data access events effectively, the audit trail must give a clear picture by answering who, where, what, how, and when. Capturing both the raw access query and the system response attributes is essential for thorough forensic investigation and incident response.
3. Build and establish the user accountability
The audit trail must associate each data access event with a particular user. This is hard for most applications, because they use connection pooling, which can mask the actual identity of the end user.
4. Assure the trail audit integrity
The data audit trail should be tamper-proof, meaning that audited users cannot alter its content. Separation of duties is significant here: it prevents privileged users from manipulating the trail to conceal irregular activity.
5. Validate whether all the systems in scope are audited in the right way
As we all know, all the file servers and the databases holding the regulated and sensitive data must be audited. Automated discovery and classification abilities allow the rapid identification of regulated systems and minimize compliance maintenance costs.
6. Customizable compliance reports, alerts, and analytical tools
Audit reports are mandatory for demonstrating compliance. Predefined reports serve as a starting point and help address the audit needs of each regulation, while customizability supports unique business and technical requirements. The right audit tools and real-time alerts allow for exhaustive forensic investigation and incident response.
The Bottom Line:
The latest Oracle HCM Cloud’s 21B Release brings a major improvement: the capability to monitor access to sensitive data through audit logs. By grasping the significance of protecting sensitive data and effectively putting this feature into action using the steps given, organizations can raise their data security and meet regulatory rules. Given the ongoing high importance of data security, adopting this feature can strengthen a company’s capacity to keep important information safe and ensure data remains trustworthy.
Author: Narendar Rao Naineni, Associate Consultant