How about how many companies have a clue when some auditor tells them XXX is not secure and you need to do XXX to secure it. I just lost a client becaust they are getting PCI certified and they decided that as a third party working on their system I must be certified also or not touch it. A quick review of the PCI standards I found out on the web had no such restriction... I've won several usability battles with the nice auditors, for some reason they won't take the oncall pager along with the sys, system and oracle passwords... So they hand the whole thing back and go away. John former security team member... Paul Drake <bdbafh@xxxxxxxxx> wrote: A little piece of email today told me the following: "... a full 60 percent of DBAs do not know how to implement database security measures, according to Forrester Research". Does that figure seem to be: - too high - too low - just about right - Cowboy Neil Inquring minds want to know. Personally, I think that the phrase lacks the term "properly", as in "properly implement database security measures". "shutdown abort" or "lsnrctl stop" would be examples of "improperly implement database security measures". Paul --------------------------------- Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min.