Oracle Security By William Heney, Marlene Theriault
Part II: Implementing Security
Chapter 7. Developing a Database Security Plan
There are many steps to securing your system and its data. But one of the first, and one that too few organizations take, is the development of a security policy that outlines and maps out the enforcement of a security plan. We've included this chapter as the first one in the "Implementing Security" part of this book because we believe that the creation of security policies and the implementation of a security plan must precede the more operational steps of securing your system and database.
What's the difference between a security plan and a security policy? A security policy identifies the rules that will be followed to maintain security in a system, while a security plan details how those rules will be implemented. A security policy is generally included within a security plan. A security plan might be as simple as a verbal statement from the highest-level management that all accounts on a system must be protected by the use of a password. Or a security plan might be a thick document spelling out in great detail exactly how security will be implemented within the company's systems.
Just as there are many individual needs and many different approaches to security, there are many types of database security policies. We'll present many aspects of these policies in this chapter; some may or may not apply to your specific organization. A checklist at the end of this chapter provides a resource you'll be able to use to evaluate which features of a security plan are important for your own particular environment.
Also, bear in mind that, no matter how thorough a plan appears to be, changing environments can lead to holes in a security system. Therefore, you will need to re-examine your security plan on a regular basis to ensure its currency.