
DASHBOARD CHARTS > CHART DESCRIPTIONS
EMBARCADERO TECHNOLOGIES > DSAUDITOR 4.5 USER GUIDE 12
In the case of privileged users this represents a likely download of the data, possibly to use for testing purposes. In the
case of sensitive data, communicate with the user to ensure they have a legitimate need for the data and understand
the protection requirements for that data. Use of “live” customer names, addresses, and account IDs or Social
Security numbers by development and test personnel may be a violation of privacy law or your organization's privacy
policy and should be avoided if possible.
Select Activity by Privileged Users: Privileged Users should be administering access to the database, making
necessary changes to the structure, and performing other maintenance activity. They should not have much need for
direct access to data and thus should issue a very limited number of SELECT statements against production data,
especially sensitive data.
An unusual increase in the amount of activity in this area could indicate a Privileged User who is also functioning as an
end-user. This is likely a breach of Segregation of Duties requirements, and at the very least the user should be
performing that activity using an application account, not their privileged database account. This could also be an
indication that a Privileged User is “downloading” the data to a local database in small chunks.
A steady, incremental rise in activity likely indicates an increase in the total number of Privileged Users. If your
organization isn't growing you may want to investigate this. Start by looking at the “Permissions” charts.
Security Charts - Data Changes
Certain regulations such as Sarbanes-Oxley and FDA 21 CFR Part 11 are focused primarily on data integrity. While
data changes are a normal part of business function, it is important to record information about these changes in the
event of an unauthorized change. In particular it is important to monitor data changes made by privileged users and
changes made outside expected applications as these changes circumvent application controls.
References
Sarbanes-Oxley/CobiT §DS 5.5, PCI-DSS 10.2.2, HIPAA §164.312 (b), CMS-ARS 11.7, FDA 21 CFR Part 11
§11.10(e), GLBA/FFIEC Information Security Handbook p. 64, Basel II/ISO 17799 §10.10.4 §12.2.2 §15.1.4,
FISMA/NIST 800-53 §AU-2, NERC CIP-007-1 §R6.3
Data Changes by Privileged Users: Changes to production data should be made via applications, not directly by
privileged users. Sensitive production data should be closely monitored for any updates.
Data Changes by Unauthorized Applications: Inserts, Updates, and Deletes made month-to-date by
unauthorized applications. Changes to production data should be made only via authorized applications, as required by
corporate policy.
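The counts behind the “Select Activity by Privileged Users” and the two “Data Changes” charts above, and the spike-versus-steady-rise reading the guide gives for the SELECT chart, worked through as an added example (not DSAuditor code). The audit records, role lists, and application list are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample audit records (not DSAuditor output), one per statement.
EVENTS = [
    {"ts": date(2024, 5, 1), "user": "dba_jane", "app": "sqlplus",     "stmt": "SELECT", "table": "CUSTOMERS"},
    {"ts": date(2024, 5, 1), "user": "dba_jane", "app": "sqlplus",     "stmt": "SELECT", "table": "CUSTOMERS"},
    {"ts": date(2024, 5, 2), "user": "dba_jane", "app": "sqlplus",     "stmt": "UPDATE", "table": "ACCOUNTS"},
    {"ts": date(2024, 5, 3), "user": "app_svc",  "app": "billing_app", "stmt": "INSERT", "table": "ACCOUNTS"},
    {"ts": date(2024, 5, 3), "user": "app_svc",  "app": "billing_app", "stmt": "SELECT", "table": "ACCOUNTS"},
    {"ts": date(2024, 5, 4), "user": "analyst1", "app": "excel_odbc",  "stmt": "DELETE", "table": "ORDERS"},
    {"ts": date(2024, 4, 28), "user": "dba_jane", "app": "sqlplus",    "stmt": "DELETE", "table": "ORDERS"},  # prior month
]
PRIVILEGED_USERS = {"dba_jane", "sys_ops"}          # hypothetical role and policy lists
SENSITIVE_TABLES = {"CUSTOMERS", "ACCOUNTS"}
AUTHORIZED_APPS = {"billing_app", "crm_app"}
DML = {"INSERT", "UPDATE", "DELETE"}

def month_to_date(events, today):
    """Keep records from the same calendar month as `today`, up to and including `today`."""
    return [e for e in events
            if (e["ts"].year, e["ts"].month) == (today.year, today.month) and e["ts"] <= today]

def chart_counts(events, today):
    """Month-to-date counts behind the three charts: privileged-user SELECTs on
    sensitive tables, data changes by privileged users, and data changes made
    by applications outside the authorized list."""
    priv_select, priv_change, unauth_change = Counter(), Counter(), Counter()
    for e in month_to_date(events, today):
        privileged = e["user"] in PRIVILEGED_USERS
        if privileged and e["stmt"] == "SELECT" and e["table"] in SENSITIVE_TABLES:
            priv_select[e["user"]] += 1
        if e["stmt"] in DML:
            if privileged:
                priv_change[e["user"]] += 1
            if e["app"] not in AUTHORIZED_APPS:
                unauth_change[e["app"]] += 1
    return {"priv_select": dict(priv_select), "priv_change": dict(priv_change),
            "unauth_change": dict(unauth_change)}

def classify_trend(monthly, spike_factor=3.0):
    """Read a per-month series the way the guide reads the chart: a jump to
    `spike_factor` times the prior average is a 'spike' (possible end-user use
    or chunked download), a consistent month-on-month increase is a
    'steady_rise' (check the Permissions charts), otherwise 'normal'."""
    if len(monthly) < 2:
        return "normal"
    prior = monthly[:-1]
    if monthly[-1] >= spike_factor * (sum(prior) / len(prior)):
        return "spike"
    if all(later > earlier for earlier, later in zip(monthly, monthly[1:])):
        return "steady_rise"
    return "normal"
```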
Security Charts - Logins
Login activity, both successful and unsuccessful, provides an organization with critical information for monitoring and
investigating security events. Other access control requirements include assigning unique user IDs, strong passwords,
and a good user account management process.
References
· Failed Logon Attempts: Sarbanes-Oxley/CobiT 4 §DS5.5, PCI-DSS §10.2.4, HIPAA §164.308 (a)(5)(ii)(C),
CMS-ARS §11.1, FDA 21 CFR Part 11 §11.1, GLBA/FFIEC Information Security Handbook p. 65, Basel II/ISO
17799 §10.10.1, FISMA/NIST 800-53 §AC-6, NERC CIP-007-1 §R6.3
· Unique User IDs: Sarbanes-Oxley/CobiT 4 §DS5.3, PCI-DSS §8.1, HIPAA §164.312(a)(2)(i), CMS-ARS §3.12
and 7.7, FDA 21 CFR Part 11 §11.300(a), GLBA/FFIEC Information Security Handbook p. 65, Basel II/ISO 17799
§11.2.1, FISMA/NIST 800-53 §IA-2 and IA-4, NERC CIP-007-1 §R6.3