Re: Oracle Auditing Recommendations

  • From: "Niall Litchfield" <niall.litchfield@xxxxxxxxx>
  • To: Rodd.Holman@xxxxxxxxx
  • Date: Tue, 8 Aug 2006 17:28:59 +0100

my reaction depends on at least 3 things. was it a problem or risk?
its certainly a risk. how many people know the password?is use of the
privilege recorded?

On 8/8/06, Rodd Holman <Rodd.Holman@xxxxxxxxx> wrote:
I'll agree with you for the most part.  However,
when an auditor comes in and reports a discrepancy in that
the DBA's have the SYS password as a problem, I
have to say that's "putting a stamp".  How else do
you create the database if you don't know and give it
the sys password.

Yes, this was a real life audit example.
The auditor who was clueless about what a DBA was
or did, had this checklist of items and just lumped
DBA's in as users and since we knew how to get
at the base level of the DB we were considered an
audit risk.  We all volunteered to give up the
password and go home.  Our boss wasn't impressed.

Niall Litchfield wrote:
> On 8/7/06, Rodd Holman <Rodd.Holman@xxxxxxxxx> wrote:
>> Also remember, auditors are hired to find things wrong.  If everything
>> they find comes up good, then their supervisors question their diligence
>> in their jobs.  So every auditor needs to find something they can report
>> just to show that they were doing their job.  No auditor wants to be
>> found eligible for the Enron audit team.
> Not true. Auditors are hired to verify and evidence that things are as
> people say they are. This is different from being hired to find things
> wrong. Or to use another analogy, this statement is equivalent to saying
> that DBAs are hired to prevent people from accessing data or code from
> being
> put into production. If a DBA allows people access or puts code into
> production without finding it lacking then their supervisors question
> diligence.
> For sure Auditors are picky, beauracratic and irritating. This is a good
> thing given their role. They aren't out to find mistakes though. They are
> out to verify and evidence.

Niall Litchfield
Oracle DBA

Other related posts: