Source:
Siebel/Oracle Information Security Work Program
Project Team (list members):
Project Timing:                 Date    Comments
  Planning
  Fieldwork
  Report Issuance (Local)
  Report Issuance (Worldwide)
Siebel / Oracle Information Security
Control Objective Procedures
1. Ensure that overall security policies and administration procedures are documented and communicated to personnel.
Obtain and review the information security policy. Verify existence of:
• The organization’s information security objectives
• Responsibilities of employees with respect to protecting corporate information
• Restrictions on access to sensitive data
• Access rights to MIS resources
• Reporting on security violations
• Password administration procedures
2. Ensure that new user set-up follows a specific procedure and is documented adequately.
Obtain and review the new user set-up policy and compare it with actual procedures to verify consistency. Review the notification process by which the Siebel administrator(s) and Oracle database administrator(s) are made aware of a new user access request.
Identify all methods for accessing the application and confirm that each requires authentication and authorization and is auditable.
Obtain and review the visibility granting policy (assignment of position(s) and responsibility(s)) and verify appropriate management approval.
Verify that new users are granted access to the Siebel / Oracle application within a reasonable time frame after approval from appropriate management is granted.
Verify that Siebel application user IDs and passwords are created to be the same as the Oracle database user IDs and passwords, and that the user ID and password format follows a company standard.
Verify that encrypted passwords are implemented by checking that EncryptPassword in the Siebel configuration file () is set to TRUE.
Verify that users are instructed to change their password after initial log-on to the Siebel application and are given specific standards to ensure adequate strength (e.g. minimum password length; inclusion of symbols, characters and numbers; non-dictionary words).
Verify that user IDs and passwords are distributed to users separately, via a secure mechanism such as encrypted e-mail and/or a direct phone call.
3. Ensure that visibility has been granted to users based on their job responsibilities and adequate segregation of duties exists.
Obtain and review user listings and the associated position(s)/responsibility(s) to confirm that visibility levels are appropriately restricted to those who require them for their job functions, with specific attention to contractors, power users, developers and those with administrative access.
Additionally, review how Oracle roles and profiles have been set up and determine their appropriateness.
Verify separation between the individuals responsible for new user set-up, visibility approval and visibility auditing.
Verify that user access is periodically reviewed by user management to ensure that assignment is on a business-need-only basis.
Verify that generic and shared IDs and accounts are not used in the Siebel application or the Oracle database.
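The role, profile and shared-account checks above can be evidenced directly from the Oracle data dictionary. The queries below are an added example for this work program, not part of the original document; they use standard DBA_* views (run as an account with SELECT on them) and the "generic account" name patterns and the list of Oracle-supplied accounts are assumptions to be replaced with the organization's own naming standard.

```sql
-- Added example, not part of the original work program: Oracle data-dictionary
-- queries that gather evidence for objective 3. View and column names are the
-- standard Oracle dictionary views; the generic-account name patterns and the
-- Oracle-supplied account list are assumptions to adjust to local standards.

-- 1. Every user holding DBA or full export/import roles, with the profile applied.
SELECT u.username, u.account_status, u.profile, rp.granted_role
  FROM dba_users u
  JOIN dba_role_privs rp ON rp.grantee = u.username
 WHERE rp.granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
 ORDER BY u.username;

-- 2. System privileges granted directly to users rather than through roles.
--    "... ANY ..." privileges bypass object-level visibility and need justification.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee NOT IN (SELECT role FROM dba_roles)
   AND (privilege LIKE '%ANY%'
        OR privilege IN ('ALTER SYSTEM', 'ALTER USER', 'CREATE USER', 'DROP USER'))
 ORDER BY grantee, privilege;

-- 3. Profiles in use and whether each enforces a password verification function
--    (LIMIT = NULL means no complexity standard is enforced for that profile).
SELECT p.profile, p.limit AS password_verify_function, COUNT(u.username) AS users
  FROM dba_profiles p
  LEFT JOIN dba_users u ON u.profile = p.profile
 WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
 GROUP BY p.profile, p.limit
 ORDER BY users DESC;

-- 4. Candidate generic or shared accounts: open accounts whose name matches a
--    non-personal pattern (assumed patterns) or that are Oracle-supplied sample
--    and service accounts which should normally be locked.
SELECT username, account_status, created, lock_date
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND (   REGEXP_LIKE(username, '^(TEST|GUEST|SHARED|TEMP|ADMIN|TRAINING)', 'i')
        OR username IN ('SCOTT', 'OUTLN', 'DBSNMP', 'MDSYS', 'CTXSYS'))
 ORDER BY username;
```

Each result set is walked with the business owner: a hit in query 1 or 2 needs a documented reason tied to the person's position, and a hit in query 4 needs either a named owner or an ALTER USER ... ACCOUNT LOCK.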
4. Ensure regular maintenance of user access and notification of personnel changes.
Obtain and review the policies in place to update access for users who have been terminated or changed job functions and either no longer require an enabled account or require a change in their level of access to the application. Compare with actual procedures to verify consistency.
Obtain and review the user listing to confirm that users are current personnel who require access to the system. Review the list of terminated and transferred users and verify that their access has been removed from the system.
Verify prompt notification to the Siebel administrator(s) and Oracle database administrator(s) of personnel and contractor terminations and changes of responsibilities.
Verify that departing users are removed at the Oracle database level rather than deleted from the Siebel application itself, so that any data assigned to the user and the audit trail remain intact and are not lost.
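Because Siebel logins map to database accounts, the termination check above can be done by reconciling DBA_USERS against the Siebel user table. The queries below are an added example, not part of the original work program; they assume the Siebel schema owner is SIEBEL (its S_USER table holds one row per application login in the LOGIN column), that AUDIT SESSION is enabled so successful logons appear in DBA_AUDIT_SESSION, and an assumed exclusion list and 90-day dormancy window.

```sql
-- Added example, not part of the original work program: reconciling Oracle
-- database accounts against the Siebel user table for objective 4. Assumes the
-- Siebel schema owner is SIEBEL (S_USER.LOGIN = application login), that
-- "AUDIT SESSION" is enabled, and that the excluded accounts and the 90-day
-- dormancy window are review values chosen for this illustration.

-- 1. Open database accounts with no matching Siebel login. Under database
--    authentication every Siebel user has a database account, so an open
--    account Siebel does not know about is either a non-Siebel account (check
--    the exclusion list) or a leftover that termination processing missed.
SELECT du.username, du.account_status, du.created, du.profile
  FROM dba_users du
  LEFT JOIN siebel.s_user su ON UPPER(su.login) = du.username
 WHERE su.login IS NULL
   AND du.account_status = 'OPEN'
   AND du.username NOT IN ('SYS', 'SYSTEM', 'SIEBEL', 'DBSNMP', 'SYSMAN')
 ORDER BY du.username;

-- 2. Siebel logins whose database account has been removed or locked. This is
--    the expected state for terminated users (the S_USER row is kept so owned
--    records and audit history retain a valid owner); compare with the HR
--    termination and transfer list to confirm every departure is covered.
SELECT su.login,
       NVL(du.account_status, 'NO DATABASE ACCOUNT') AS db_status,
       du.lock_date
  FROM siebel.s_user su
  LEFT JOIN dba_users du ON du.username = UPPER(su.login)
 WHERE du.username IS NULL
    OR du.account_status <> 'OPEN'
 ORDER BY su.login;

-- 3. Open accounts with no successful logon in the audit trail for 90 days:
--    candidates for the periodic "still required?" review with user management.
SELECT du.username, du.created, MAX(a.timestamp) AS last_successful_logon
  FROM dba_users du
  LEFT JOIN dba_audit_session a
         ON a.username = du.username
        AND a.action_name = 'LOGON'
        AND a.returncode = 0
 WHERE du.account_status = 'OPEN'
 GROUP BY du.username, du.created
HAVING MAX(a.timestamp) IS NULL OR MAX(a.timestamp) < SYSDATE - 90
 ORDER BY last_successful_logon NULLS FIRST;

-- 4. Removal is performed at the database layer, as the work program requires,
--    leaving the Siebel user record in place (jsmith is a placeholder login):
--    ALTER USER jsmith ACCOUNT LOCK;   -- reversible first step
--    DROP USER jsmith;                 -- only once the account is no longer needed
```

Query 1 is the direction that matters for this objective: a database account that Siebel does not know about is the one a terminated user could still use.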
5. Ensure logical access to the application is monitored to detect and respond to unauthorized activity.
Obtain and review the policies in place to monitor and respond to unauthorized activity. Compare with actual procedures to verify consistency.
Verify that unsuccessful login attempts are reviewed regularly and that an account lock-out process is in place to prevent excessive unsuccessful attempts.
Verify that every user transaction is kept in an audit log and that the audit log is accessible in the event of unauthorized activity.
Verify that a centralized problem reporting structure exists to minimize duplication of effort in monitoring the Siebel application.
Verify that a formal change management policy exists to prevent unauthorized changes to the Siebel application and to provide quality assurance controls.
Determine whether systems are adequately updated with the latest security patches released by the vendor.
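The lock-out and failed-login review in objective 5 can be evidenced from the database's profile limits and its standard (pre-unified) audit trail. The queries below are an added example, not part of the original work program; they assume AUDIT SESSION has been enabled so logon attempts land in DBA_AUDIT_SESSION, and the 7-day window and 5-attempt threshold are assumed review values.

```sql
-- Added example, not part of the original work program: evidence for objective 5
-- from Oracle profile settings and the standard audit trail. Assumes
-- "AUDIT SESSION" is enabled; the 7-day window and 5-attempt threshold are
-- review values chosen for this illustration.

-- 1. Lock-out and password-ageing limits per profile. A LIMIT of UNLIMITED on
--    FAILED_LOGIN_ATTEMPTS means no lock-out is enforced for users on that profile.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_LIFE_TIME', 'PASSWORD_REUSE_MAX',
                         'PASSWORD_VERIFY_FUNCTION')
 ORDER BY profile, resource_name;

-- 2. Confirm logon auditing is actually switched on. No rows here means failed
--    logins are not being recorded and the review in step 3 has no source data.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE audit_option = 'CREATE SESSION';

-- 3. Failed logons in the last 7 days, grouped by target account and source.
--    RETURNCODE 1017 is ORA-01017 (invalid username/password); 28000 is
--    ORA-28000 (account locked), i.e. attempts that continued after lock-out.
SELECT username, os_username, userhost, returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp >= SYSDATE - 7
 GROUP BY username, os_username, userhost, returncode
HAVING COUNT(*) >= 5
 ORDER BY attempts DESC;

-- 4. Accounts currently locked by the lock-out mechanism, for follow-up with the
--    account owner. LOCKED(TIMED) is the automatic lock-out; plain LOCKED is
--    administrative.
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date DESC;
```

Query 2 is the control that is most often missing: a profile with FAILED_LOGIN_ATTEMPTS set still locks accounts, but without session auditing nobody can show the reviewer which attempts were made, from where, and whether they stopped after the lock.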
6. Ensure adequate controls exist for data input and output.
Verify that critical fields have controls that force users to enter data in the correct format and consistent with the underlying logic.
Interfaces
• Monitoring over each interface is in place to ensure successful transfer of data.
• Incoming data should be checked to ensure that it syntactically conforms to the requirements of the interface.
• The application program should ensure that the proper data is retained in an audit log.
• A process to identify and resolve interface data errors is in place.