Re: Auditing DBA activities

  • From: stephen booth <>
  • To: Margareth.Crawford@xxxxxxx
  • Date: Wed, 23 Mar 2005 21:25:25 +0000

On Wed, 23 Mar 2005 12:48:41 -0800, Crawford, Margareth (HQP)
<Margareth.Crawford@xxxxxxx> wrote:
> We are interested in industry practices concerning auditing Oracle DBA
> activities in production environments.  We are aware that there are
> ever-increasing internal and external security regulations governing
> access to corporate financial data. This may result in companies that
> require audits of Oracle DBA and SYS/SYSTEM accounts.

Search the archives of the list for "SarBox paranoia prevention".

There are ways to audit Oracle databases which the DBA cannot change
(or at least not change in an undetectable manner) but that still
leaves you at the mercy of your system admins.  Something that
auditors seem to have a real problem understanding is that to run your
systems you have to have people who, if they went bad, could do
serious damage to your company and even place it in a legally
difficult situation.

There is, however, a really simple yet effective solution.  It's so
simple and effective that it's been in use for about 550-600 years at
least (i.e. since the Tudor monarchy in England).

* Be very selective in your selection and actually do background
checks (it amazes me how many companies simply don't bother to do
something as simple as a criminal records check).

* Pay them a lot and give them nice workplace facilities.  The more
they have to lose, the more profitable any wrongdoing has to be
before they'll get tempted.

* Put them fairly high up in the political structure and make sure
that the board back them to the hilt.  If they can, figuratively
speaking, 'flip the bird' to anyone who tries to put them under
pressure to do something unethical and have no fear of being sacked if
they blow the whistle then they will be less likely to fall prey to
political machinations in the organisation.  Sometime make a list of
all the companies, in say the last 35 years, that have gone under,
suffered a major loss or been prosecuted due to some wrongdoing, then
divide the list according to whether the person responsible was a
business/finance person or a technical person.  It'll be a very much
one-sided list.

* Make it clear from the get go that anyone found acting unethically
will be publicly sacked and their wrongdoing will be publicised so
they'll be lucky if McDonalds hires them to clean the grease traps.
Then actually do it.  I believe that in the first use of this system
the punishment was public beheading (it was in the 1500s) but you
don't need to go that far.


It's better to ask a silly question than to make a silly assumption.