Excellent book for general security information with Oracle (VPDs, Roles, Encryption and the rest)
As an another review pointed out, the book is very light on SOX material and focuses instead on the HealthCare sector.
If that's what you want..by all means, buy the book...A.Nanda is one of the very best DBAs out there and knows his material inside and out...
If you need SOX and/or GLB, look elsewhere...

I primarily purchased this book for help on Virtual Private Database (VPD) and Row Level Security (RLS). We use these features at work and need to expand on them. Something I did like about this book is that it is well written and covers many subject areas that are spread out over many different books in Oracle's documentation. The examples are not much more helpful than Oracle's and that is an area that could be improved on the second edition.

The book is 672 pages and if it was formatted a little differently it would probably be closer to 300. The font is large and the pages are narrow.

I bought this book for understanding how to handle compliance in Oracle. No where in the book can you find details about HIPAA, SOX or GLBA complaince!!!! It was totally, completely, worthless for me!

The title of this book is quite misleading. The title should stop with HIPAA. HIPAA is the sole focus; there is no mention of SO or GLB. True, the overall goals of SO and GLB are similar to those of HIPAA (control, accountability, confidentiality) but I would expect a book that has SO and GLB in the title to mention those laws and perhaps (as I was hoping) provide some specific insights. If you want to learn something about HIPAA, this is the book. If you want to learn something about SO or GLB, you have to learn it elsewhere and then apply the legalistic knowledge into this book on Oracle.

The second gripe is with the index. Personally, I don't have the time to read a book cover-to-cover. I need a competent index to be able to look up specifics. This index is woefully short (4 large type pages). Further, I sincerely believe the index is for some other version of the book or other book entirely. The page references do not match the pages. Hence index is useless.

I was in the process of returning this book (first time I would have done so) when I came over to the reviews and started reading them. My gripes are legitimate but I have decided to keep the book for its security aspects rather than its integration of HIPAA, SO or GLB requirements into Oracle security. After all, the Oracle Security Handbook (Theriault and Newman) is out of date.

This remarkable book covers how to use Oracle 9i security and auditing facilities to achieve compliance with three major laws. While the book emphasizes HIPAA, it also addresses, either directly or indirectly, privacy security and auditing with respect to the Gramm-Leach-Bliley Act (Subtitle A: Disclosure of Nonpublic Personal Information 15 U.S.C. 6801-6810 and Subtitle B: Fraudulent Access to Financial Information 15 U.S.C. 6821-6827), HIPAA requirements for protecting data and enforcing security and privacy, and Sarbanes-Oxley Act Section 404 requirements related to integration of transactional systems, logs and auditing trails, and data security.

Structure of this book is in three sections:

Section I gives an introductions to HIPAA, Oracle security and Oracle auditing. Among the topics covered are grant, role-based, and profile based security, as well as virtual private databases (row-level security, fine-grained access control), and application server security.

Section II goes deeper into general Oracle security, covering relational grant security as it relates specifically to HIPAA (but can be also used for Gramm-Leach-Bliley and Sarbanes-Oxley compliance because the requirements are similar regarding these mechanisms and techniques). Also covered are encryption and network security.

Section III deals with auditing using Oracle facilities, tables, DDL and DML, and covers the spectrum from grants auditing to fine-grained audits. Again, the focus is on HIPAA requirements (Chapter 11, for example, contains the following topics: Auditing select access as per the HIPAA mandated auditing of Patient Health Information, and Combining FGA and Flashback queries to answer the most important question in addition to who saw the data, what they saw.) This section ends with HIPAA security and auditing checklists, which can be also applied to Sarbanes-Oxley and Gramm-Leach-Bliley security and auditing.

This book is an outstanding addition to bodies of knowledge spanning three disciplines - internal auditing, DBA, and IT security & privacy. A copy should be provided to managers and subject matter experts in each of those domains.