Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes Oxley & The Gramm Leach Bliley Act GLB

List Price: $59.95
Your Price: $37.77

Rating: 5 stars
Summary: Excellent and comprehensive read for DBAs and CIOs alike
Review: Agreeing with other reviewers on the astounding attention to the details, the depth of coverage, and extremely useful examples, I would like to add another perspective: this book is also an excellent read for those IT Management types who want to get familiar with the concepts but not get buried in the details. The book introduces the topics gradually, making it available for CIOs, Security Officers, IT Managers (who can stop reading before the detailed examples) and to Senior DBAs (who can but won't skip the introductory chapters because the text is so well written and so engaging). Excellent and comprehensive read for the entire spectrum of IT professionals! A must read for those in Healthcare or for any public corporation.

Rating: 1 stars
Summary: Misleading and worthless
Review: I bought this book for understanding how to handle compliance in Oracle. Nowhere in the book can you find details about HIPAA, SOX or GLBA compliance!!!! It was totally, completely, worthless for me!

Rating: 5 stars
Summary: Simply Superb!
Review: I bought this book to learn more about Virtual Private Database which I am implementing now - and it was a pleasant surprise to see that not only that but all other areas are detailed as well. The chapter on VPD goes much beyond the Oracle common references and explains concepts like application contexts, in such clarity and relative to real life examples that the chapter alone may be worth the price of the book.

Other things that make the book a must read - the material on listener security, simple firewall settings, fine grained auditing, and the 10g features. SQL Injection and Application User models described in the book were exactly what we were missing and we got it in this.

Hmmm..why the large fonts?!!

Rating: 5 stars
Summary: So Well Written!
Review: I haven't finished reading my copy yet, but I had to chime in to concur with the previous reviews: this book is terribly well laid out. The writing is clear and descriptive, but almost as important, it's rather engaging. That helps when trying to dig to the bottom of these often daunting security concepts.

Another reviewer covered this, but I have to say that my favorite parts are also the chapter summaries. They do a great job of recapping the details that were covered. Having all that information covered in such depth is great, but I'd probably have forgotten each chapter's contents had there not been that nice, succinct conclusion at each one's end.

Rating: 1 stars
Summary: Major Problems with this Book
Review: The title of this book is quite misleading. The title should stop with HIPAA. HIPAA is the sole focus; there is no mention of SO or GLB. True, the overall goals of SO and GLB are similar to those of HIPAA (control, accountability, confidentiality) but I would expect a book that has SO and GLB in the title to mention those laws and perhaps (as I was hoping) provide some specific insights. If you want to learn something about HIPAA, this is the book. If you want to learn something about SO or GLB, you have to learn it elsewhere and then apply the legalistic knowledge into this book on Oracle.

The second gripe is with the index. Personally, I don't have the time to read a book cover-to-cover. I need a competent index to be able to look up specifics. This index is woefully short (4 large type pages). Further, I sincerely believe the index is for some other version of the book or other book entirely. The page references do not match the pages. Hence the index is useless.

I was in the process of returning this book (first time I would have done so) when I came over to the reviews and started reading them. My gripes are legitimate but I have decided to keep the book for its security aspects rather than its integration of HIPAA, SO or GLB requirements into Oracle security. After all, the Oracle Security Handbook (Theriault and Newman) is out of date.


Rating: 5 stars
Summary: Landmark book for Oracle shops
Review: This remarkable book covers how to use Oracle 9i security and auditing facilities to achieve compliance with three major laws. While the book emphasizes HIPAA, it also addresses, either directly or indirectly, privacy security and auditing with respect to the Gramm-Leach-Bliley Act (Subtitle A: Disclosure of Nonpublic Personal Information 15 U.S.C. 6801-6810 and Subtitle B: Fraudulent Access to Financial Information 15 U.S.C. 6821-6827), HIPAA requirements for protecting data and enforcing security and privacy, and Sarbanes-Oxley Act Section 404 requirements related to integration of transactional systems, logs and auditing trails, and data security.

Structure of this book is in three sections:

Section I gives an introduction to HIPAA, Oracle security and Oracle auditing. Among the topics covered are grant, role-based, and profile based security, as well as virtual private databases (row-level security, fine-grained access control), and application server security.

Section II goes deeper into general Oracle security, covering relational grant security as it relates specifically to HIPAA (but can be also used for Gramm-Leach-Bliley and Sarbanes-Oxley compliance because the requirements are similar regarding these mechanisms and techniques). Also covered are encryption and network security.

Section III deals with auditing using Oracle facilities, tables, DDL and DML, and covers the spectrum from grants auditing to fine-grained audits. Again, the focus is on HIPAA requirements (Chapter 11, for example, contains the following topics: Auditing select access as per the HIPAA mandated auditing of Patient Health Information, and Combining FGA and Flashback queries to answer the most important question in addition to who saw the data, what they saw.) This section ends with HIPAA security and auditing checklists, which can be also applied to Sarbanes-Oxley and Gramm-Leach-Bliley security and auditing.

This book is an outstanding addition to bodies of knowledge spanning three disciplines - internal auditing, DBA, and IT security & privacy. A copy should be provided to managers and subject matter experts in each of those domains.

Rating: 5 stars
Summary: Great Content and Organization; Must have for Security Folks
Review: What makes a good book? Topic and coverage count less than half of it; the key is the presentation. In this book the contents have been presented in a very logical manner - you would go from simple security concepts to larger and more complex issues. The best parts are perhaps the neat summaries at the end of the chapters, a bulleted list of points covered.

The most valuable part of the book, in my opinion, is the practical advice it imparts in building an Oracle database with security in mind. Take for example the section on building a virtual private database where the database users are not relevant, such as in a web interface. The chapter explains not only how to do it, but comes complete with the code to implement in action! Just loved it!

Little snippets of information such as alter session privilege is not required for any session altering commands like sort area size, etc., are pure gems. Debunking these fallacies is nothing new in books of similar kind; but this book has more of these and also in a categorical manner which makes it easy to comprehend. Other non- or little-documented tidbits like the way a listener password is set, are also very useful.

The chapter on Oracle 10g is good; but not useful at this time. Most likely the authors wanted to bullet-proof the book for the new version of Oracle. I had downloaded the chapter from OTN earlier.

My only complaint - the book is too thick to lie flat, required for a book of this nature, i.e. reference.


© 2004, ReviewFocus or its affiliates