
DAM Default Audit Policies

Audit Policies Details:


Audit policies are used only for monitoring and storing audit data on the gateway
appliance. Audit data must be archived to separate storage for long-term access.
a. SOX Compliance based Policies

In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect
shareholders and the general public from accounting errors and fraudulent practices in
enterprises, and to improve the accuracy of corporate disclosures.

1. SOX - New users


Monitors the queries used to create any user or user group.

2. SOX - Table related commands


Monitors the queries used to perform operations on tables, such as create table, delete table,
alter table, drop table, etc.

3. SOX - Changes to Financial Data


Monitors activities such as insert, update and delete on the financial data stored in a
particular table group.

4. SOX - Database object changes


Monitors DDL commands. DDL (Data Definition Language) consists of the SQL commands used
to define the database schema; it deals with descriptions of the schema and is used to
create and modify the structure of database objects in the database.

Examples of DDL commands:
- CREATE: creates the database or its objects (table, index, function, view, stored
  procedure, trigger).
- DROP: deletes objects from the database.
- ALTER: alters the structure of the database.
- TRUNCATE: removes all records from a table, including the space allocated for them.
- COMMENT: adds comments to the data dictionary.
- RENAME: renames an existing object in the database.

5. SOX - Database configuration changes

A configuration management database (CMDB) is a database that contains all relevant
information about the hardware and software components used in an organization's IT
services and the relationships between those components.

This policy helps to monitor the CMDB configuration changes.

6. SOX - Database code changes


Source code in the database is a technique of code manipulation where the code is parsed
and stored in the database.
This policy audits changes made to database code.

7. SOX - Users and Privileges Management Commands


Monitors user and privilege management commands such as creating users, assigning
permissions to users, revoking or modifying permissions, and altering roles, profiles and
system privileges.

8. SOX - New objects


A database object in a relational database is a data structure used to either store or
reference data. The most common object that people interact with is the table.
Other objects are indexes, stored procedures, sequences, views and many more.

This Policy monitors the query which is used to create any new object in database.

9. SOX - Privilege changes over financial data

Monitors privilege changes on the financial data stored in a particular table group, made
with commands such as grant object privilege, grant with grant option, revoke, and revoke
grant option.
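Each SOX policy above is, in effect, a statement class (DDL, DML, DCL or principal management) combined with an object group. The following Python snippet is an added example, not part of the original document or of the Imperva product: it tags constructed sample statements with the SOX policies they would trigger, using a hypothetical financial table group and a deliberately crude table-name extractor.

```python
import re

# Constructed financial table group (hypothetical names, not from the document).
FINANCIAL_TABLES = {"gl_entries", "invoices"}

# Statement classes referenced by the policy descriptions above.
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE", "COMMENT", "RENAME"}
DML = {"INSERT", "UPDATE", "DELETE"}
DCL = {"GRANT", "REVOKE"}

def tables_in(sql):
    """Crude table-name extraction: the identifier after ON/INTO/UPDATE/FROM/TABLE."""
    pattern = r"\b(?:on|into|update|from|table)\s+([A-Za-z_][\w.]*)"
    return {m.lower() for m in re.findall(pattern, sql, re.I)}

def matching_policies(sql):
    """Return the SOX default policies a single captured statement would trigger."""
    verb = (sql.split() or [""])[0].upper()
    tables = tables_in(sql)
    # CREATE/ALTER/DROP USER|ROLE|PROFILE|GROUP are treated as principal commands,
    # not object DDL (an assumption made here to keep the two policies distinct).
    principal_cmd = re.match(r"\s*(create|alter|drop)\s+(user|role|profile|group)\b", sql, re.I)
    hits = []
    if principal_cmd and principal_cmd.group(1).lower() == "create":
        hits.append("SOX - New users")
    if re.match(r"\s*(create|alter|drop|truncate)\s+table\b", sql, re.I):
        hits.append("SOX - Table related commands")
    if verb in DML and tables & FINANCIAL_TABLES:
        hits.append("SOX - Changes to Financial Data")
    if verb in DDL and not principal_cmd:
        hits.append("SOX - Database object changes")
    if verb in DCL or principal_cmd:
        hits.append("SOX - Users and Privileges Management Commands")
    if verb in DCL and tables & FINANCIAL_TABLES:
        hits.append("SOX - Privilege changes over financial data")
    # A plain SELECT on financial data is not a change, so no SOX policy fires;
    # read access is covered by the access policies (PCI, HIPAA, FISMA) instead.
    return hits

# Constructed sample of captured statements (not real audit data).
SAMPLE = [
    "CREATE USER auditor IDENTIFIED BY x",
    "GRANT SELECT ON invoices TO auditor",
    "UPDATE gl_entries SET amount = 0 WHERE id = 7",
    "DROP TABLE invoices",
    "SELECT total FROM invoices WHERE id = 3",
]

if __name__ == "__main__":
    for stmt in SAMPLE:
        print(f"{stmt!r:48} -> {matching_policies(stmt)}")
```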

b. PCI compliance based Policies:


The Payment Card Industry Data Security Standard is an information security standard for
organizations that handle branded credit cards from the major card schemes. The PCI
Standard is mandated by the card brands and administered by the Payment Card Industry
Security Standards Council.

1. PCI - Access to cardholder information


This policy monitors any attempt to retrieve cardholder information.

2. PCI - Privileged operations on users and privileges management


Monitors user and privilege management commands such as creating users, assigning
permissions to users, revoking or modifying permissions, and altering roles, profiles and
system privileges.

3. PCI - Modification audit of system-level objects


Malicious software, such as malware, often creates or replaces system level objects on the
target system in order to control a particular function or operation on that system. By
logging when system-level objects, such as database tables or stored procedures, are
created or deleted, it will be easier to determine whether such modifications were
authorized.
This policy helps to monitor the modification of system-level objects.

4. PCI - Login audit


This policy monitors all login activities.

5. PCI - Audit of newly created objects under system schema


A database schema is the skeleton structure that represents the logical view of the
entire database. It defines how the data is organized and how the relations among the data
are associated, and it formulates all the constraints that are to be applied to the data.
This policy helps to identify attempts to create a new object under the system schema.

6. PCI - Login and logout audit


This policy monitors all login and logout activities.

7. PCI - Unknown Web application user audit


The DAM solution initially learns all Web application users that access the database.
This policy monitors database access by Web application users that were not learned into
the profile.

c. GDPR compliance based policy:


The General Data Protection Regulation 2016/679 is a regulation in EU law on data
protection and privacy for all individuals within the European Union and the European
Economic Area. It also addresses the export of personal data outside the EU and EEA areas.

1. GDPR - access to sensitive data


Audits all activities that access sensitive data such as account number, phone number,
address, email id, etc.

d. HIPAA compliance based policy:


The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for
sensitive patient data protection. Companies that deal with protected health information
(PHI) must have physical, network, and process security measures in place and follow them
to ensure HIPAA Compliance.

1. HIPAA - Access to PHI:


This policy audits any activity that retrieves private health care information.

e. FISMA compliance based Policies:


The Federal Information Security Management Act (FISMA) is United States legislation that
defines a comprehensive framework to protect government information, operations and
assets against natural or man-made threats. FISMA was signed into law as part of the
Electronic Government Act of 2002.

1. Access to Classified Data:


Monitors any attempt to perform a select operation on classified or sensitive data stored
in a specific table group.

2. Access to Financial Data


Monitors any attempt to perform a select operation on financial data stored in a specific
table group.

3. Access to PII (Personal Identifiable Information)


Monitors any attempt to perform a select operation on personally identifiable information
stored in a specific table group, such as an Aadhaar card number.

4. Privileged Operations:

Monitors all privileged operations such as assigning permissions, modifying permissions,
accessing the database, table operations, and DDL, DML and DCL commands.

f. Other ADC Based Policies:


Imperva Application Defense Center (ADC) is a world-class security research organization.
It provides Continuous Security/Audit Lifecycle Management and pre-built reporting, with
reports that clearly identify risks and measure compliance against regulations and/or
security policy.

1. Privilege manipulation

Monitors privilege operations such as granting default permissions on system tables,
granting object privileges, and granting admin privileges.

2. Table related commands


Monitors the queries used to perform operations on tables, such as create table, delete table,
alter table, drop table, etc.

3. Users and Privileges Management Commands


Monitors user and privilege management commands such as creating users, assigning
permissions to users, revoking or modifying permissions, and altering roles, profiles and
system privileges.

4. Default Rule - All Events


Audits all events, including login, logout and any query.
Note: do not enable this policy, as it creates a large amount of audit data.

5. New Users Account:


Monitors the queries used to create any user or user group.

6. Database connections

Audits all database login activities.

7. DDL commands:

Monitors DDL commands. DDL (Data Definition Language) consists of the SQL commands used
to define the database schema; it deals with descriptions of the schema and is used to
create and modify the structure of database objects in the database.

Examples of DDL commands:
- CREATE: creates the database or its objects (table, index, function, view, stored
  procedure, trigger).
- DROP: deletes objects from the database.
- ALTER: alters the structure of the database.
- TRUNCATE: removes all records from a table, including the space allocated for them.
- COMMENT: adds comments to the data dictionary.
- RENAME: renames an existing object in the database.

8. New Databases

Monitors the queries used to create any new databases.

9. Database configuration changes


A configuration management database (CMDB) is a database that contains all relevant
information about the hardware and software components used in an organization's IT
services and the relationships between those components.
This policy helps to monitor the CMDB configuration changes.

10. SharePoint - Local Access to Database by Non-Default Applications


Monitors the activity if there is access to sensitive data through an unauthorized application.

Match criteria:
- Source Application excludes all [microsoft sharepoint foundation, osearch14 query
  processor, internet information services, .net sqlclient data provider, windows sharepoint
  services, spsearch4 query processor], where 'Match Unknown Value' is false
- Source of Activity is at least one of [LOCAL, UNKNOWN]
