Re: Sarbanes Oxley reporting

  • From: rjamya <rjamya@xxxxxxxxx>
  • To: jkstill@xxxxxxxxx
  • Date: Tue, 13 Feb 2007 20:05:50 -0500

Having received first email for the quarterly review today, this is normally
what we monitor.

1. Annual list of authorized database users. These entries are _diff'ed_
from the previous year's list and at random they pull 25 accounts. Then we have
to prove that those were legit accounts requested through our internal
workflow and appropriately approved by VPs etc. Everything is in Oracle, so it
is easy to generate those reports.

2. List of DB Roles and for a critical role list, they require a list of
valid users. This is also validated by the user's job roles etc.

3. All code that got moved to production databases. Since the buck stops
with the DBAs, we provide a list of service request numbers for a specified
date range. Then they audit random entries. The audit information then
includes the original request, development of code (from PVCS they cross-check
modules and request number and version numbers), user sign-off emails,
sanity check emails from DBAs and emails that prove that code was released
and modules were appropriately promoted to production status in PVCS.

4. Our developers do not get production access. Sometimes though they need
to take a look at something, so managers approve access for a time slice
(usually 2 hours). This happens through an app that I wrote, so they need
logs for that. Sometimes they request an audit (list of SQLs) run by
developers during that timeframe. We run a tkprof on the session trace file
and provide it. Any developer's access is enabled for 10046^12 through a
logon trigger.

5. Our application support has full time read-only db access to assist end
users. Their activity is tracked and a report is made available to auditors.

6. A weekly PVCS activity report is captured. This is to prove that
one person cannot develop, test and push code to production.

7. My manager submits a signed document which contains a list of DBAs and
the accounts they use as a reference.

Other than this, there are some sundry reports, but these are the critical
ones as far as the Oracle DB is concerned. We have automated most of these, so
the most annoying thing is the "find" feature of Outlook. Searching through
30000+ e-mails practically sucks.

Oh well ....
rjamya
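The logon trigger mentioned in item 4, written out as an added example (this is not rjamya's code): it checks whether the connecting user currently has an approved time slice and, if so, turns on a 10046 level 12 trace for that session so tkprof has a file to work from. The DEV_ACCESS_WINDOW table, its columns and the trace-file identifier prefix are assumptions standing in for whatever the approval app actually records.

```sql
-- Added example, not from the original post. Assumes a table populated by the
-- approval app (hypothetical name and columns):
--   CREATE TABLE dev_access_window (
--     username   VARCHAR2(30),
--     start_ts   TIMESTAMP,
--     end_ts     TIMESTAMP,
--     request_id VARCHAR2(40));   -- service request / ticket number
CREATE OR REPLACE TRIGGER trg_trace_dev_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user    VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_request dev_access_window.request_id%TYPE;
BEGIN
  -- Only sessions inside an approved window get traced; everyone else
  -- falls through untouched.
  SELECT request_id
    INTO v_request
    FROM dev_access_window
   WHERE username = v_user
     AND SYSTIMESTAMP BETWEEN start_ts AND end_ts
     AND ROWNUM = 1;

  -- Tag the trace file with user and request so the DBA can locate it
  -- later when auditors ask for the SQL run during that time slice.
  EXECUTE IMMEDIATE 'ALTER SESSION SET tracefile_identifier = ''DEV_'
                    || v_user || '_' || v_request || '''';

  -- 10046 level 12: SQL text plus bind values plus wait events.
  EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 trace name context forever, level 12''';
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    NULL;   -- no approved window for this user right now: nothing to trace
  WHEN OTHERS THEN
    NULL;   -- never block a logon because tracing could not be enabled;
            -- consider recording this in an audit table instead of ignoring it
END;
/
```

The trace files land in the directory given by the user_dump_dest (or diagnostic_dest) parameter and can be formatted with tkprof as the post describes; the tracefile_identifier setting is what makes a given developer's file easy to find among the others.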
