In this article, we’ll cover the following subjects:
In this article, we delve into the complex landscape of sensitive Oracle data and the critical need for robust security measures, especially in the context of GDPR compliance. We’ll also focus on how Oracle has creatively addressed this issue by introducing the Sensitive Data Access Audit feature and the integration of Oracle GDPR Security Profile. We’ll provide a detailed breakdown of these new features, walking you through both their technical aspects and practical implementation. As you read on, you’ll gain insights into how to effectively use these features to enhance your organization’s data security and maintain compliance with GDPR regulations.
Sensitive data is the information that is considered to be more confidential, and kept more secure, protecting from outsiders unless they have permission to access it.
Access to any sensitive data must be finite via adequate information security practices, which are designed to control the leakage of data and breaches, in alignment with Oracle GDPR Security Profile.
A Feature that was released in 21B, but not much explored, is that one can track the viewing of sensitive data Audit oracle in the HCM Responsive pages.
This is particularly significant when considering GDPR compliance. The IT team can keep a record of things like where a user logged in from (like a computer or phone), when they did it, what web browser and system they used, their username, and what page they looked at.
Below is the list of sensitive data that can be audited in line with Oracle GDPR Security Profile:
Assign the PER_VIEW_SENSITIVE_DATA_ACCESS_AUDIT_PRIV privilege to the user and this privilege is granted to the Predefined IT Auditor role.
To enable the “Sensitive Data Access Audit” functionality and initiate the audit process, follow these steps in conjunction with configuring Oracle GDPR Security Profile:
Step 1: Access the Setup and Maintenance work area.
Step 2: Find and select the “Manage Administrator Profile Values” task.
Step 3: On the “Manage Administrator Profile Values” page, search for the profile option code “ORA_HCM_SENSITIVE_DATA_VIEW_AUDIT_ENABLED”.
Step 4: In the “Profile Values” section, select “Site” as the profile level. Then, input “Y” in the Profile Value field to activate the feature.
Step 5: Save your changes by clicking the “Save and Close” button.
By following these steps, you will configure the default profile value to “Y,” thereby enabling the “Sensitive Data Access Audit” option and Oracle GDPR Security Profile.
Fig 1: Manage Administrator Profile Values
Additionally, IT Auditors can access the new responsive page by navigating to “My client group” and then selecting “Sensitive Data Access Audit” from the “Quick Actions” menu, all in alignment with Oracle GDPR Security Profile. This user-friendly interface empowers auditors to effectively manage and monitor sensitive data access.
Feel free to refer to the visual guide, “Fig 1: Manage Administrator Profile Values,” for further clarity on the process. This comprehensive approach ensures that your organization can actively engage in auditing sensitive data access within Oracle HCM Cloud’s 21B Release while aligning with Oracle GDPR Security Profile.
Fig 2: Home Page
Fig 3: Oracle HCM Sensitive Data Access Audit
To retrieve information about sensitive data access, users can utilize the “Workforce Management – Sensitive Data Access Audit Real Time” subject area. This subject area is designed to facilitate real-time tracking and reporting of sensitive data accessed through the Oracle HCM Cloud page.
Within this subject area, users can glean the following key information in line with Oracle GDPR Security Profile:
Fig 4: OTBI Report
By leveraging this subject area, organizations can effectively monitor and report on the details of sensitive data access activities within the Oracle HCM Cloud, contributing to enhanced data security and compliance efforts, including Oracle GDPR Security Profile.
For a more customized approach, organizations can create reports and schedule them by querying the back-end table where the sensitive data audit information is stored, while ensuring alignment with Oracle GDPR Security Profile. The table responsible for storing this valuable information is named “PER_SENSITIVE_DATA_AUDIT.”
By querying the “PER_SENSITIVE_DATA_AUDIT” table and considering Oracle GDPR Security Profile, organizations can extract detailed insights into sensitive data access activities. This process enables organizations to tailor their reporting according to specific requirements, fostering a more flexible and detailed analysis of sensitive data access.
In essence, this direct interaction with the back-end table, aligned with Oracle GDPR Security Profile, provides a comprehensive means to delve into the data, derive actionable insights, and gain a deeper understanding of how sensitive information is being accessed within the Oracle HCM Cloud environment.
select * from per_sensitive_data_audit where viewer_user_name = ” order by creation_date desc
select * from per_sensitive_data_audit where viewer_user_name = ” and ip_address=” order by creation_date desc
The sensitive data access auditing, when aligned with Oracle GDPR Security Profile, offers an expensive and difficult wall to regulatory compliance with industry regulations, government regulations, and privacy acts. The requirements for any particular audit will vary based on the regulations, but people will consider data access auditing as the key control which assists to secure the regulated data.
To encounter the required compliance, the data audit trail must represent the below points.
An audit key must deliver visibility into all the data access events. So, it has to audit
If you want to reconstruct the data access events more effectively, make an audit trail with a clear picture by answering – Who, Where, What, How, and When. Grabbing both the system response attributes and the raw access query is an essential element for more sufficient forensic investigation and incident response.
The audit trail that you are performing must associate with each data access event to a particular user. It is hard for most of the applications, as it uses connection pooling, which has the capability to mask the actual identity of the end user.
The performing data audit trail should be tamper-proof. Tamper-proof is nothing but, that the audited users cannot alter the audit trail content. Here splitting the duties is more significant to protect the privileged users from manipulating their claims to conceal the irregular movements.
As we all know, all the file servers and the databases holding the regulated and sensitive data must be audited. Automated discovery and classification abilities allow the rapid identification of regulated systems and minimize compliance maintenance costs.
For demonstrating compliance, audit reports are mandatory. The predefined reports will stay as a point to kickstart and assist address to respective audit oracle needs for each regulation, while the customizability supports the unique business and technical requirements. The right audit tools and real-time alerts will allow for exhaustive forensic investigation and incident response.
The latest Oracle HCM Cloud’s 21B Release brings a major improvement: the capability to monitor access to sensitive data through audit logs. By grasping the significance of protecting sensitive data and effectively putting this feature into action using the steps given, organizations can raise their data security and meet regulatory rules. Given the ongoing high importance of data security, adopting this feature can strengthen a company’s capacity to keep important information safe and ensure data remains trustworthy.
Author: Narendar Rao Naineni, Associate Consultant
