Most Oracle (as well as DB2, MySQL and MS SQL Server) DBAs are aware of the existence of Oracle database and application security benchmarks, but tend to treat the benchmarks, which are a type of best practice list, with a somewhat benignly neglectful attitude. This attitude is attributable to the lack of time on the part of harried DBAs, who are tasked with numerous critical functions, including ensuring high performance and continuous availability of their systems.
Despite the demands on their time, all database administrators will be doing themselves and their organizations an immense service by checking out the benchmarks recommended by a recognized authority such as the Center of Internet Security (CIS). CIS is a nonprofit organization that provides 52 entirely free benchmarks for databases, operating systems, web servers and applications. For its members, CIS also offers its Benchmark Audit Tool, designed to test your compliance with the various benchmarks.
While there are several database security best practice lists out there, the following is what makes the CIS benchmarks remarkable: the best practices are not handed down in an authoritarian fashion; they’re the result of a consensus among numerous database security professionals. The benchmarks are downloaded in large numbers and many organizations use them as informal standards for database configuration. CIS benchmarks are also widely accepted in government, business, industry and academic circles. Most commercial database security and vulnerability scanners use the CIS benchmarks to assess the vulnerability of databases. You can acquire the various benchmarks from the CIS website at www.cis.org.