RE: "Oracle Risk Assessment"

  • From: "Mark W. Farnham" <mwf@xxxxxxxx>
  • To: <srcdco@xxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 9 Apr 2015 21:19:49 -0400

Job informed me offline that normally the customer runs the scripts and no
requirement for outsiders to access your systems takes place.



That sounds better, but I'm still concerned about the contents of the
reports you then apparently give back to Oracle for analysis. Of course if
they too are just for your own review the only concern is what the scripts
actually do on your system.



mwf



From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Mark W. Farnham
Sent: Thursday, April 09, 2015 5:53 PM
To: srcdco@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: "Oracle Risk Assessment"



I'd say you fail the basic risk assessment if you give them access to your
production databases.



Rule 1: Don't tell people your passwords.




If you're at risk of a break-in, I'm supposing a memo that you won't
prosecute them for trying to break in as long as they don't actually damage
anything should suffice.

If you're only vulnerable if you give them assistance, then do not give them
assistance.



Now as for dealing with the presumably higher up the administrative org.
charts folks who have "informed" you an "Oracle Risk Assessment" will be
performed, I suggest you mention the above to them and insist that someone
at their level or higher be the deliverer of access rather than you.



mwf



From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Scott Canaan
Sent: Thursday, April 09, 2015 2:38 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: "Oracle Risk Assessment"



So, we were just informed that we are going to be having an "Oracle Risk
Assessment" performed on our databases. We did limit it to five databases,
not all. My questions are: Has anyone been through one of these before? If
so, what did they do?



Oracle indicated that they'd prefer to do production databases, but that
there may be a performance hit. It was hinted that we'd get to see the
scripts in advance, but I'm not convinced that Oracle will really do that.



My expectation is that the reason Oracle has offered to do this (for free)
is: 1) to make sure we are not in license violations; and 2) to try to sell
us some security applications.



Scott Canaan '88 (srcdco@xxxxxxx)

(585) 475-7886 - work (585) 339-8659 - cell

"Life is like a sewer, what you get out of it depends on what you put into
it." - Tom Lehrer


