RE: Pre-Approved database changes

  • From: Michael Thomas <mhthomas@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Thu, 17 Jun 2004 20:36:35 -0700 (PDT)

Hi,

Does anyone have a web reference to a Sarbanes-Oxley law
requiring change control of pre-approved database
changes?

--- Fuad Arshad <fuadar@xxxxxxxxx> wrote:
> Sarbanes-Oxley is a law which pretty much every
> unit in an organization
> has to deal with.
> This includes DBAs as this law makes it tough for
> every company without
> a proper change control can be audited and fined.
> Most of US companies are
> dealing with this.

Thanks, I was hoping for more specifics, even
generally. ;-) 

Change control sounds a lot like Capability Maturity
Model (CMM) software engineering. Change control does
not include an 'operational task-oriented' DBA admin
process, nor does change control imply 'pre-approved
database changes' as we are heading in this thread.
The service support agreement describes DBA admin
processes. Change control might specify a process for
code and data changes post development. The subject
term is confusing.

FYI: My 'legislated' change control process experience
is solely 21 CFR Part 11 working with Oracle databases
doing clinical trials at a large international pharma
company for about 5 years. But, not the HIPAA part of
clinical, and Sarbanes-Oxley is too new for me. I also
got some CMM process experience as an Oracle software
developer in a US government organization when we got
CMM level three certification back around 1996. 

<off topic> Has anyone here ever heard of the CMM
impedance mismatch? I have the magazine article, but
may be able to find an internet reference if desired.
Basically, it's about wasting money on outsourcing to
CMM level 5 when an organization only
needs/uses/capable of a lower level. </off topic>

I'm sure the same lawyers that wrote every known
operating system license agreement (e.g. not suitable
for any implied purpose...yada, yada) are the same
Sarbanes-Oxley lawyers auditing and fining US
companies. Is it a trial-lawyer conspiracy? ;-) Has
anyone been fined for Sarbanes Oxley yet, or is it
still a FUD exercise in big US government? 

It's easier to deal with any business process if we
*prioritize*, like the bottleneck performance
theories. What is important w.r.t. this thread's
subject of 'pre-approved database changes'? Obviously,
the priority is the data, and/or processes that might
change the data. Stop. Other priority suggestions? 

If the operations of the DBA, excluding the data are
important, then I'm still confused. "All database
changes" is meaningless to me. Further, if the
operations of the DBA on the database do not change
the business data then why is legislated pre-approval
required? (I'd like more understanding of
Sarbanes-Oxley). And, what is business data? 

My primitive attempt to contrast data: Meta-data data
is part of the Oracle database and not business data. 
Content-data data is DML'd by any user and owned by
business. Therefore, prioritize what content-data data
may/may not change by everyone, but do not include
DBA's meta-data, nor make an 'operational task-list'
for the DBA and call it change control for
'pre-approved database changes'. 

I'm all for having a prioritized process for things
that change the business' content-data data, including
what the DBA, user, and everyone changes. But, after
the DBA operational task-list for database changes is
generated, I can show you why this type of
'task-specific' list is worthless for change control
of data content. (Okay, I said worthless. Where is my
tact thesaurus? Sorry). 

Prioritize the content-data changes. Okay. Prioritize
the code effecting content-data changes. Okay.
Prioritize any user's process DML'ing content-data
changes. Okay. Any database changes that are not on
those three lists are not relevant for change control
as 'pre-approved database changes'.

Again, these opinions are solely mine and not suitable
for any implied purpose... yada, yada. :-)

HTH

Regards,

Mike Thomas



                