http://www.checklist20.com/bestpractices.htmlOracle Database provides the foundation for IT to successfully deliver more information with higher quality of service, reduce the risk of change within IT, and make more efficient use of their IT budgets. By deploying Oracle Database as their data management foundation, organizations can utilize the full power of the world's leading databasehttp://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=117&tn=Restrict administrative privileges/roles granted to usersDo not provide database users more privileges than necessary. Enable only those privileges actually required to perform necessary jobs efficiently:1) Restrict the number of system and object privileges granted to database users.2) Restrict the num ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=161&tn=Set default_tablespace to non-SYSTEM tablespace for user accountsSystem tablespace contains the data dictionary information that needs to maintain the Oracle database. Any user should not have SYSTEM tablespace as his/her default tablespace.  Change the value of default tablespace by following the steps be ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=160&tn=Document database incident response and escalation procedureAre you prepared to make the best decisions and responses to database security incidents in your business? Prevention is always best, in other words: cheapest. Prevention is generally more economical, less stressful, and incurs less downtime ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=47&tn=Lock and expire default user accountsOracle database installs with a number of default database user accounts. Upon successful installation of the database, the Database Configuration Assistant automatically locks and expires most default database user accounts. If you perform a ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=126&tn=Manage Oracle Software License AgreementIt is a key business imperative to have robust and flexible procedures in place to monitor and control Oracle software assets. Failure to do so may lead to legal lawsuits impacting corporate governance. But, effective license agreement helps compa ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=134&tn=Control access to Oracle data dictionary objectsCheck for any user accounts that have access to the following objects and revoke where possible: ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=124&tn=Limit OS level access to Oracle software accountOracle software comes with several powerful OS utilities like export, import and trace. Restrict administrative access to OS account that owns Oracle software. In addition, review the membership of the DBA group on the host to ensure that only aut ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=132&tn=Configure LogMiner to analyze and identify transactionsAll changes made to user data or to the database dictionary are recorded in the Oracle redo log files so that database recovery operations can be performed. Redo log files contain information about the history of activity on a database. Oracle Log ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=128&tn=Harden init.ora configurationThe init.ora file stores the initialization parameters of Oracle. The values that are currently in effect can be viewed through v$parameter. ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=129&tn=Harden listener.ora configurationListener configuration, stored in the listener.ora file, consists of the following elements:2) Protocol addresses that the listener is accepting connection requests on3) Dynamic service registrationControl parameters ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=162&tn=Encrypt critical dataCritical data must be encrypted to prevent the DBAs and other users who have access to production system  from accessing it. Alternately, You can audit key tables. This does not prevent the DBA from viewing the data, but would create a record ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=131&tn=Implement change control managementThe objective of Change management is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to controlled database infrastructure, in order to minimize the number and impact of any related inc ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=135&tn=Backup DatabaseBackup and recovery of your Oracle database is important to protecting data from corruptions, hardware failures, and data failures. While Oracle provides many features to protect your data, nothing can replace a backup. ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=139&tn=Secure backup mediaBackup data on secondary systems is at a much greater risk than primary data, which is protected by stringent data center policies and procedures. There are several incidents of data theft because the backup media was not protected well.  ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=155&tn=Restrict developer access to production databasesDevelopers and testers must not have direct access to production databases. ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=154&tn=Implement data retention and archiving policyData retention practice is truly protecting corporate data for long periods of time in order to meet regulatory requirements. For example, HIPAA requires that medical records be retained up to two years after a persons death. Sarbanes-Oxley requir ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=170&tn=New User Creation Policy and Procedure ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=271&tn=Provide periodic security training to DBA usersDBAs have escalted privileges to the system data. DBA users need to receive additional security training specific to their duties and role. ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=121&tn=Restrict access to system audit logsGiven the central role of audit logs in performing auditing of interactions with the data (modification, exposure) as well as of the base data itself, it is critical that audit logs be correct and inalterable. The integrity of the audit log itself ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=113&tn=Manage database linksProtecting production data is vital to any company. Database (DB) links, which allows users to connect from one database to another, pose a risk to production data that needed to be addressed.Following factors need to be considered when managing d ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=111&tn=Set _TRACE_FILES_PUBLIC=false in init.oraBy default only the Oracle user can read trace files. This parameter allows other users to read the trace files by modifying the file permissions. This particularly applies to Unix operating systems.The default value is FALSE.The parameter can be ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=109&tn=Manage terminated or transferred employee's database user accountTo mitigate the risk of unauthorized access of information, establish control in place for managing terminated or transferred employees' Oracle user accounts and rules for access.When a user is transferred or terminated, the user's access to datab ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=108&tn=Enable idle_time parameter for user profilesTypically, malicious users target the inactive sessions to gain access into the database. By reducing the period of time an inactive session stays connected, the probability of that session being a victim of abuse is reduced. Also, setting up idle ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=107&tn=Enable failed_login_attempts parameter in init.oraSetting up failed_login_attempts in init.ora configuration file helps to limits the number of failed attempts to log in to the user account before the account is locked. It's recommended to set the failed_login_attempts to 5. Frequently monit ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=106&tn=Manage shared or generic database uer accountsShared database accounts with high-level access rights can pose significant risks to organizations. Also, the use of a generic account represents a security risk in terms of both access control and auditing. From an access control perspective ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=100&tn=Implement strong password verify function is assigned to critical database accountsEstablishing and enforcing limitations on password complexity, expiration, lockout, and reuse will reduce the risk that threat agents may gain access by exploiting a weakness in these settings. Create a strong password verify function and attach t ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=125&tn=Apply latest CPU patches provided by OracleOracle issues a Cumulative Patch Update (CPU) or Patch Set Update (PSU) every quarter that fixes number of security vulnerabilities. It is imperative to keep the Oracle database instance at the latest patch level. While creating a new Oracle datab ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=133&tn=Review log files periodicallyOracle generates several log files and many of them can provide useful information to assist in auditing and securing the database. Automated or manual review of these log files on a daily/weekly basis should be one of the key responsibilities of ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=48&tn=Disable REMOTE_OS_ROLES init.ora parameter to falseSetting REMOTE_OS_ROLES to TRUE in inti.ora allows operating system groups to control Oracle roles. The default value of FALSE causes roles to be identified and managed only by the database. If REMOTE_OS_ROLES is set to TRUE, a remote user could i ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=97&tn=Change OS_AUTHENT_PREFIX init.ora parameterBy default OS_AUTHENT_PREFIX  is set to the value of OPS$, it removes the Oracle security restriction that requires users to be IDENTIFIED EXTERNALLY in order to logon via OS authentication.  This removes an important control and present ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=118&tn=Restrict permissions on run-time facilities ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=163&tn=Maintain disaster recovery and standby databaseOracle Data Guard: It enables you to use either a physical standby database (Redo Apply) or a logical standby database (SQL Apply), or both, depending on the business requirements. A physical standby database provides a physically identical copy o ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=127&tn=Harden sqlnet.ora configurationThe sqlnet.ora contains the configuration files for the communication between the user and the server including the level of required encryption. ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=123&tn=Control operating system access for Oracle directories and filesIn addition to the security Oracle maintains on tables and other database objects, the operating system controls access to Oracle files. Access to these files should be restricted on a need only basis and preferable restricted to the operatin ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=112&tn=Revoke privileges and roles from the database server user group PUBLICIf unnecessary privileges and roles are not revoked from PUBLIC, this default role, granted to every user in an Oracle database, enables unrestricted use of its privileges, such as EXECUTE on various PL/SQL packages. ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=110&tn=Eliminate the practice of storing plaintext passwordsCompromise of a database user password is one of the most difficult intrusions to detect. The best strategy is to eliminate storing of plaintext passwords in the first place. This can be done in several ways:1) Do not store database user passwords ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=130&tn=Audit privileged users activities in the databaseFull access credentials accorded to DBAs and system administrators creates a significant vulnerability for an enterprises data simply because these privileged users have access to all or a significant fraction of data.Auditing of the users authent ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=120&tn=Protect copy of sensitive production data in non-production environmentsData which is sensitive in nature, which is protected in the Production Environment, is less protected and is at risk of exposure when it is cloned for use in non-production environments such as Development, Test and Training instances.  This ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=122&tn=Disable REMOTE_OS_AUTHENT init.ora parameter to falseThe REMOTE_OS_AUTHENT parameter in the init parameter file of the database specifies whether remote clients will be authenticated with the value of the OS_AUTHENT_PREFIX parameter or not. The type of the REMOTE_OS_AUTHENT parameter is Boolean, the ...  View More]]>http://www.checklist20.com/bestpractices.html#cid=70&cn=Oracle Database&tid=136&tn=Test backup and restore procedures regularlyBackups should be verified by performing recoveries to ensure backups function properly. Failure to ensure this could cause inability to recover data, leading to data loss. ...  View More]]>