my reaction depends on at least 3 things. was it a problem or risk? its certainly a risk. how many people know the password?is use of the privilege recorded?
I'll agree with you for the most part. However, when an auditor comes in and reports a discrepancy in that the DBA's have the SYS password as a problem, I have to say that's "putting a stamp". How else do you create the database if you don't know and give it the sys password.
Yes, this was a real life audit example. The auditor who was clueless about what a DBA was or did, had this checklist of items and just lumped DBA's in as users and since we knew how to get at the base level of the DB we were considered an audit risk. We all volunteered to give up the password and go home. Our boss wasn't impressed.
Niall Litchfield wrote: > On 8/7/06, Rodd Holman <Rodd.Holman@xxxxxxxxx> wrote: >> >> Also remember, auditors are hired to find things wrong. If everything >> they find comes up good, then their supervisors question their diligence >> in their jobs. So every auditor needs to find something they can report >> just to show that they were doing their job. No auditor wants to be >> found eligible for the Enron audit team. > > > Not true. Auditors are hired to verify and evidence that things are as > people say they are. This is different from being hired to find things > wrong. Or to use another analogy, this statement is equivalent to saying > that DBAs are hired to prevent people from accessing data or code from > being > put into production. If a DBA allows people access or puts code into > production without finding it lacking then their supervisors question their > diligence. > > For sure Auditors are picky, beauracratic and irritating. This is a good > thing given their role. They aren't out to find mistakes though. They are > out to verify and evidence. >
-- Niall Litchfield Oracle DBA http://www.orawin.info -- http://www.freelists.org/webpage/oracle-l