Call: +44 (0)1904 557620 Call
GDPR

GDPR Oracle Services to help with Compliance

PeteFinnigan.com Limited are the founders of some of the techniques and ideas and experience in securing Oracle databases. Pete Finnigan was there at the beginning of Oracle security as a service; he wrote the book on it. Pete was doing Oracle security when litterly very few else took it seriously. So we have experience here to help in many aspects of securing data including personal data in an Oracle database.

Introduction

General Data Protection Regulation (GDPR) was announced some time ago and became law across the EU on May 25th 2018. We have specific services that can help companies and organisations that use Oracle databases to store personal details to be secure and help with compliance with GDPR. The GDPR is a complex law and is split into what are known as Articles. The GDPR has 99 Articles and 173 Recitals and the whole document spans over 250 pages in length. This is a compex law and complex to interpret. An Oracle database is often just one part of a companies IT infrastructure but usually an important part in terms of GDPR as its usually one of the places that personal details are held.

There is no simple one size fits all plan that companies can follow to simply be compliant and there is no single product that you can purchase for use in a database that protects your personal data and ensures that it is compliant with the GDPR. In fact there is no simple mapping from each GDPR Article to a single peice of advice to secure Oracle and conversely there is not a single Oracle security technique that can be applied to secure all of GDPR; GDPR spans multiple elements of how data is managed and secured in your Oracle database and single security techniques or tools in Oracle can span multiple GDPR articles.

Our Oracle Security Services Relevant to GDPR

We can offer you help in a number of areas of securing your data in your Oracle database using some of our Oracle Security services aimed at helping towards GDPR compliance. These are overviewed here:

Data Impact Assessment

Article 35 of the GDPR states that you must know where you hold personal data; in particular for the Oracle database where in the database is that data; is it duplicated; how was it obtained, does it have end dates. We can help locate personal data and provide a documented personal data assessment to aid in compliance with article 35 of GDPR. As part of this assessment we will also assess and document the security and access to the personal data that is located using our own custom tools

Help Securing personal Data

Article 25 of GDPR is Data Protection by design and by default. This calls for appropriate measures to be designed and implemented within your Oracle database to secure all personal data. This can include security controls at the database level; it can include techniques such as pseudoanonymization, masking, obfuscation and encryption; it can include context based security or the use of Oracle products such as redaction, virtual private database or Database Vault. We can help with any aspect of designing suitable and approproiate controls to secure your data in your database. We have extensive experience with Oracle options such as Virtual Private Database or custom native solutions that do not involve additonal license costs. We have the abilities to design and specify suitable solutions for all budgets to acheive data security by design and by default.

Security Audit and vulnerability scanning

Article 32 of GDPR covers security of processing of personal data. This can involve techniques and designs discussed in the section above but also involves the need to perform regular security audits of an Oracle database to test and evaluate the effectivness of the security controls that have been designed and deployed to protect data. PeteFinnigan.com Limited are leaders in performing detailed security assessments of Oracle databases. Pete Finnigan wrote the SANS Oracle Security Step-by-Step guide which was used as the basis for the first Center for Internet (CIS) Oracle benchmark.

We use our own custom methodolgies and we are expert in auditing Oracle databases. We can also provide regular vulnerability assessments of your databases using our database vulnerability scanner for Oracle databases - PFCLScan. We can run this for you on a regular basis via a VPN connection to your network or you can license and execute it yourself. We can assess and anotate and advise on the output for you as well, whether we run the scans or you do. Finally we can also design and build custom reports for PFCLScan that map exactly to your own internal Oracle database security policy. The audit service is expert level and can be customised to your needs and budget; Please talk to us for details; the contact details are at the bottom of this page.

Audit Trail Design

Article 30 calls for recording of processing of personal data and Articles 33 and 34 also call for breach and incident notification. You must now be aware if personal data that you hold has been breached, stolen or changed or destroyed and dependant on the circumstances you should report this to the ICO quickly and not later than 72 hours and you may; dependant on what was stolen also have to inform the data subjects. None of this is possible if all that happens is that you know you have been breached because personal data shows up on public websites.

A detailed audit trail should be designed to include all elements; central storage, management of space and size, purging and archiving; suitable security controls; escalation and alerting and much more. PeteFinnigan.com Limited have helped many customers design and implement detailed audit trails for their databases quickly and efficiently. We use an audit trail toolkit that we have created called PFCLATK. This toolkit has been created to allow quick and simple deployment and configuration based on the audit trail policy that we help you design. Any audit trail policy should be based on "I want to know"; in other words the events and alerts should be based on risk to the data. This design approach is tailored to this to ensure that we can detect and react to database attacks.

Incident Response Process

Pete Finnigan recently wrote the book on how to react to an incident in an Oracle database and how to create an incident process, team and toolkit. PeteFinnigan.com Limited are experts in helping customers deal with the aftermath of a breach of their Oracle database with indepth knowledge of how to react and how to gather artefacts from the Oracle database and how to perform a forensic analysis of a breached database.

We can also help companies prior to any breach by helping design and define an incident response policy, team and toolkit. We can also help companies by training their staff in how to deal with an incident in an Oracle database and also how to do forensic analysis of a breached database. We have a one day class Oracle Incident Response and Forensics and you can have us teach your Oracle and security staff internally or send them to one of our public training events.

Data Subjects Rights

Articles 16 to 21 cover the rights of data subjects including the two of most interest to Oracle databases; the right to be forgotten and the right to have their data in a portable format so that the data subject can take it and pass it to another company to process instead. These two can cause issues in an Oracle environment. To enable data to be deleted it must be located and documented and secured in advance and we can help with this. Deletion of data from an Oracle database is not as easy as it first sounds; firstly Oracle does not actually delete data, it simply marks the records as deleted. What about other copies, backups and more. We can assist in helping define processes and policies to delete and to extract data in a portable format to aid compliance with these GDPR articles.

Data Security Policy Definitions

Article 32 calls for appropriate technical and organisational measures to be implemented to secure personal data. This calls for a suitable Oracle database security policy to be created so that it can be implemented in all databases. PeteFinnigan.com limited have extensive experience helping customers to create specific Oracle database security policies for their own companies. A policy designed be us is pragmatic and we make sure that it fullfils two criteria; The first that its possible to implement all of it; We think policies that are designed that cannot be implemented are not useful. The second is that it is budget conscious; so you spend your budget wisely so that the security measures give the best improvement in security for least cost.

The policy can be designed initially as a document that can be implemented within each database. We can also assist in creating custom reports to match the policy in our scanner PFCLScan. Please talk to us cfor details

Training

GDPR calls for training of staff in the rules and meaning of GDPR. We can assist with this where GDPR is directly related to the Oracle database with our one day training class Oracle Security for GDPR. We also have training classes that can help with GDPR in the areas of how to perform a security audit, designing practical audit trails for the Oracle database; Oracle incident response and forensics. All of our classes includng the GDPR class can be delivered at your site or you can send you staff to our public traiing classes. Details of all of our classes are included here and all of our current public training dates are here.

Booking, More Details?, Want To Partner?

Please email info@petefinnigan.com to book us to perform any of these services. Also contact us to deliver our Oracle Security for GDPR one day training course on your site or to book a place on a public training event when dates are available. Also contact us to discuss your individual requirements or to discuss partnering with PeteFinnigan.com Limited to offer our services or training through your own company. We will be happy to discuss details if you are interested in partnering with PeteFinnigan.com Limited.