DASHBOARD CHARTS > CHART DESCRIPTIONS
EMBARCADERO TECHNOLOGIES > DSAUDITOR 4.5 USER GUIDE
Login Source Information: This table provides you with metrics to spot likely use of a shared account. User IDs
with a significant number of logins in one day or coming from multiple network users, multiple source IP addresses or
multiple source applications are highly suspicious and should be investigated. It is also highly unlikely that a single
user would log in from multiple domains during a single 24-hour period. Some of this may vary from organization to
organization, but by monitoring this information over time you will gain an understanding of what is “normal” for your
organization and quickly be able to spot anomalies.
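The shared-account check described above can be sketched as follows. This is an added example, not part of the DSAuditor guide or product; the event tuple layout, the sample rows and the threshold values are all assumptions to be replaced with your own audit data and baseline.

```python
from collections import defaultdict

# Distinct-source dimensions named in the Login Source Information table.
FIELDS = ("network_users", "source_ips", "applications", "domains")

# Constructed sample login events (not DSAuditor output):
# (date, user_id, network_user, source_ip, application, domain)
SAMPLE_EVENTS = [
    ("2024-03-04", "app_ro", "jsmith", "10.0.1.15", "sqlplus", "CORP"),
    ("2024-03-04", "app_ro", "mlee", "10.0.2.40", "toad", "CORP"),
    ("2024-03-04", "app_ro", "kpatel", "10.0.3.22", "excel", "PARTNER"),
    ("2024-03-04", "dba_amy", "amy", "10.0.1.9", "sqlplus", "CORP"),
    ("2024-03-04", "dba_amy", "amy", "10.0.1.9", "sqlplus", "CORP"),
    ("2024-03-05", "app_ro", "jsmith", "10.0.1.15", "sqlplus", "CORP"),
]

# Assumed thresholds: a metric is reported when it EXCEEDS its limit.
# "Normal" varies by organization, so tune these from observed history.
THRESHOLDS = {"logins": 20, "network_users": 1, "source_ips": 1,
              "applications": 1, "domains": 1}


def login_source_metrics(events):
    """Per (date, user_id): login count and number of distinct sources."""
    seen = defaultdict(lambda: {"logins": 0, **{f: set() for f in FIELDS}})
    for date, user_id, *sources in events:
        entry = seen[(date, user_id)]
        entry["logins"] += 1
        for field, value in zip(FIELDS, sources):
            entry[field].add(value)
    return {key: {"logins": e["logins"], **{f: len(e[f]) for f in FIELDS}}
            for key, e in seen.items()}


def flag_shared_accounts(events, thresholds=THRESHOLDS):
    """Return {(date, user_id): [metric names above their threshold]}."""
    flagged = {}
    for key, metrics in sorted(login_source_metrics(events).items()):
        reasons = [name for name, limit in thresholds.items()
                   if metrics[name] > limit]
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for (date, user), reasons in flag_shared_accounts(SAMPLE_EVENTS).items():
        print(date, user, "exceeds:", ", ".join(reasons))
```

In the sample data only app_ro on 2024-03-04 is reported, because three different network users reached it from three IP addresses, three applications and two domains in one day.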
Non-Privileged Normal Business Hour Logins: It is important to monitor both failed and successful logins as
part of your arsenal to detect unauthorized access. A significant change in either component, or the ratio between the
two, is a likely indicator of a security incident and should be investigated further.
Non-Privileged Off-Hour Logins: A quick comparison of this graph with the “Non-Privileged Normal Hours
Logins” graph will tell you if you are seeing the appropriate drop-off in login activity after hours. If not, run a detailed
report and drill down to see if a majority of the off-hours logins are occurring near your cut-off hours; you may simply
need to revise the filter to adjust the hours.
Privileged Normal Business Hour Logins: It is important to monitor both failed and successful logins as part of
your arsenal to detect unauthorized access. A significant change in either component, or the ratio between the two, is
a likely indicator of a security incident and should be investigated further.
Privileged Off-Hour Logins: A quick comparison of this graph with the “Privileged Normal Hours Logins” graph will
tell you if you are seeing the appropriate drop-off in login activity after hours. If not, run a detailed report and drill
down to see if a majority of the off-hours logins are occurring near your cut-off hours; you may simply need to revise
the filter to adjust the hours.
Security Charts - Permissions
Access Control is fundamental to ensuring both data security and privacy. Monitoring GRANT and REVOKE
statements on your databases provides you with a record of permission changes and enables you to identify unusual
activity including user-defined roles that may be created without proper authorization. It is generally considered best
practice to grant permissions to roles, not directly to users, to provide better controlled permissions management.
References
Sarbanes-Oxley/CobiT §DS 5.5, PCI-DSS 10.2.5, HIPAA §164.312 (b), CMS-ARS 11.1, FDA 21 CFR Part 11
§11.10(e), GLBA/FFIEC Information Security Handbook p. 16, Basel II/ISO 17799 §10.10.1, FISMA/NIST 800-53
§AU-2, NERC CIP-007-1 §R6.3
Grant-Revoke Activity: For a production database, permission changes should be monitored weekly. Grant and
revoke activity should map to application user provisioning. It is important to look for unusual database authorizations,
as they could indicate unauthorized access. For example, role escalation is a common database threat and may be
carried out within a short time window. Investigate grant-revoke activity to ensure that permission changes were made
per an authorized change request. Also, if you see an increasing deviation between Grants and Revokes, you may have
too many users with too many privileges, a problem that only gets worse with time. Review your de-provisioning process
to ensure proper notification when users/roles no longer need all the permissions granted to them.
Role and User Account Activity: Per database security best practices, roles and user accounts are instrumental
for ensuring sound security.
Roles should be used when provisioning new database user accounts. Database roles should be fairly static for
production databases and should therefore track with application changes and upgrades. Create Role, Alter Role,
and Drop Role metrics should be monitored regularly.