Files
skill-oracle-db-security/references/compliance-map.md

2.6 KiB

Compliance Mapping

Use this language to map technical controls to audit objectives. Do not claim that a product alone makes an environment compliant.

GDPR and LGPD

  • Data minimization: Data Masking and Subsetting reduces personal data exposure in non-production and analytics environments.
  • Security of processing: TDE, OKV, Database Vault, AVDF, Data Safe, and least privilege support confidentiality, integrity, monitoring, and accountability.
  • Access governance: Database Vault separation of duties, user assessment, privilege review, and audit evidence support accountability.
  • Breach investigation: AVDF/Data Safe audit trails, alerting, and SQL activity records support forensic review.

PCI-DSS

  • Protect stored cardholder data: TDE plus strong key management with OKV supports encryption at rest and key lifecycle requirements.
  • Restrict access by need to know: Database Vault, least privilege, and optional Label Security or VPD patterns support access restriction.
  • Track and monitor access: Unified Audit, AVDF, Data Safe auditing, Database Firewall, reports, and SIEM forwarding support monitoring requirements.
  • Test security systems: PoC acceptance tests, firewall policy validation, key rotation tests, and audit report review provide evidence.

HIPAA

  • Access control: least privilege, Database Vault, and user assessment support access control safeguards.
  • Audit controls: AVDF, Data Safe activity auditing, and unified audit policies support auditability.
  • Integrity and transmission controls: pair database controls with application, network, and platform controls; database security does not replace TLS or application safeguards.
  • Encryption: TDE and OKV support addressable encryption safeguards for data at rest.

SOX

  • Change and privileged access controls: Database Vault command rules, realms, AVDF monitoring, and audit reports support segregation of duties and privileged activity oversight.
  • Evidence: scheduled reports, immutable audit storage practices, SIEM forwarding, and documented review workflows support control attestation.
  • Data integrity: use database auditing, access controls, and controlled administrative procedures around financial reporting systems.

Evidence Artifacts

  • Architecture diagram with control ownership.
  • List of protected schemas/tables/columns and data classification.
  • TDE wallet or OKV key management policy.
  • Database Vault realm, rule set, command rule, and factor inventory.
  • Audit policies, retention settings, reports, and sample alerts.
  • Masking definitions, subsetting criteria, and refresh procedure.
  • Exceptions, residual risks, and compensating controls.