RE: Auditing Oracle business processes? - slightly OT

  • From: "Johnson, George" <GJohnson@xxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Wed, 10 Aug 2005 14:29:15 +0100

        "just something that came out of the mouth of a clueless auditor",
heh heh!

        Sorry to drag it slightly off track, but I once had an auditor ask a
manager of mine, with a serious face, a) why the DBAs needed the DBA or
equivalent roles b) why they needed access to log in to the database at all?
After explaining exactly what a DBA does that an application admin doesn't,
we eventually had to create another role, identical to DBA, called
something_DBA, then grant that to the DBA team members. Then we needed to
audit all actions any user did on the server at command prompt and certain
accounts in the DB.

        Auditors don't always understand the many products they have to
deal with and quite often they need guidance in showing them the boundaries
the software has and how much of what they require is feasible. It's not a
crime to question an auditor, they are not almighty beings from on high,
they are usually more than willing to compromise if they are satisfied and
understand that no harm can be done by what is agreed.

        It can be good fun, as they ask you questions that can get you
thinking about the way you do things, especially if you have been doing
things the same way for years, but never questioned it.

        I guess, you don't just accept they want this "process auditing"
from you, ask why they feel they need it?  What does it prove in terms of
security and accountability?

        Rgds

-----Original Message-----
From: David Wendelken [mailto:davewendelken@xxxxxxxxxxxxx] 
Sent: 10 Aug 2005 14:17
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Auditing Oracle business processes?



I was going to guess that this had something to do with the Sarbanes-Oxley
law in the USA, but then I noticed the country code on your email address.

Your management has to have a reason why they are asking this.  What is it?

Fear of the technology?  

Some external auditing "requirement"?  ("Requirement" is in quotes, as it's
probably not a real requirement, just something that came out of the mouth
of a clueless auditor.)

Is this for a home-grown system or a third-party system?  Both?

>I have had an unusual request (at least it is for me).
>I have been asked if there is some way to audit the Oracle
>Processes within the Database. Something along the line of, 
>how can I prove that when the user enters data into the 
>database that all the relevant triggers kick off and all the 
>relevant procedures/packages etc are accessed, also the 
>application is operating correctly at db level. 

The answer is, "Yes, if you spend enough money and wait long enough for it
to be implemented.  How much is this knowledge worth to the business?  That
is  because I suspect it will be way less than it will cost to prove it."


--
//www.freelists.org/webpage/oracle-l

