Funny you should mention this...
About 2 years ago, I was having a discussion with the CFO of an energy company located here in Denver. We were talking about Sarbanes-Oxley. Since the law provides for the CEO and CFO to be imprisoned and/or fined for violations, she declared, "I am *NOT* going to go to jail because of some crooked IT person." There were about 15-18 people around to hear this, mostly academic types, all looking grave.
I was a little incensed by this trash talk, and when that happens I tend to speak more quietly than normal. I asked her, "In all of the news stories about companies like Enron, MCI, Qwest, and similar, did you ever see a single IT person led out of the building in handcuffs? Did you ever read about a single IT person involved in any way in any of those scandals? Nope. Because IT people are the most trustworthy people anywhere. It's people from accounting and the financial side of the house who are being caught, indicted, convicted, and sentenced. But with all this Sarbanes-Oxley nonsense, IT is first to be forced to fix what isn't broken."
She was taken aback, and then parried, "Well, what about white-hat hackers? You can't say that they're trustworthy-- they're felons!"
I had to laugh, "They were hired for their dishonesty. They are doing exactly what they were hired to do, which still makes them far more trustworthy than any typical financial executive scheming another shell game to rip off investors."
She was pretty upset. It's interesting how people have gotten entrenched into their ideas. She remains absolutely convinced that her biggest risk of going to jail under SOX is not from the people with whom she works every day, but the "nameless, faceless" IT drones who "control everything" and "have their fingers in everything".
Having said all that, it makes good sense to tighten up file permissions on Oracle database files so that "world" has no read, write, execute permissions at all. Then, you can read papers about BBED and "dd" and write nefarious "C" programs to your heart's content, but without an account with DBA privileges, you ain't going nowhere...
Just my US$0.02...
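As an added example (not part of the original post or any Oracle tooling), here is a small POSIX shell audit that does what the last paragraph recommends: it lists every file under a datafile directory that still grants "world" (the `other` class) read, write or execute, and then strips those bits while leaving owner and group permissions alone. The directory layout, file names and modes below are constructed for the demonstration; in practice you would point `harden_dir` at the real `oradata` location and run it as the Oracle software owner.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory of Oracle
# datafiles for any "other" permission bits and remove them.
# Assumes POSIX sh with find, chmod and either GNU or BSD stat.

# Print the octal permission bits of a file (GNU stat first, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List regular files under $1 where "other" has read (004), write (002)
# or execute (001). Octal -perm tests are portable across find implementations.
world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such files; an audit job would alert when this is non-zero.
count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Remove every "other" bit from regular files under $1. Owner and group
# bits are untouched, so the oracle user and dba group keep their access.
harden_dir() {
    find "$1" -type f -exec chmod o-rwx {} +
}

# Constructed demonstration: a scratch directory standing in for the
# (hypothetical) $ORACLE_BASE/oradata tree, holding one world-readable
# datafile, one world-writable control file and one already-correct file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ORCL"
: > "$demo_dir/ORCL/system01.dbf";  chmod 0644 "$demo_dir/ORCL/system01.dbf"
: > "$demo_dir/ORCL/control01.ctl"; chmod 0666 "$demo_dir/ORCL/control01.ctl"
: > "$demo_dir/ORCL/users01.dbf";   chmod 0640 "$demo_dir/ORCL/users01.dbf"

echo "Before: $(count_world_accessible "$demo_dir") world-accessible file(s)"
world_accessible "$demo_dir"
harden_dir "$demo_dir"
echo "After:  $(count_world_accessible "$demo_dir") world-accessible file(s)"
echo "system01.dbf is now mode $(file_mode "$demo_dir/ORCL/system01.dbf")"
rm -rf "$demo_dir"
```

Run it as-is to see the constructed tree go from two flagged files to none; `world_accessible` alone is the read-only check to schedule, and `harden_dir` is the fix. Note that it deliberately leaves directories alone so that `chmod` does not strip search permission the listener or agent may need on the path; review those separately.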
Mark W. Farnham wrote: