Re: Sarbanes Oxley for dummies? -- more questions

  • From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
  • To: bdbafh@xxxxxxxxx, Michael.Kline@xxxxxxxxxxxx, oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 14 Jan 2005 22:49:20 +0800

Not having read the book, I, too, have a number of questions.  My current
employer, being NASDAQ listed, is also undergoing preparation for a SOX
Audit in 2005.

1.  How do you handle Password Controls for "root" and "oracle" accounts?
If you have 200 servers and 80 databases, how do you ensure that you do NOT
write down the passwords somewhere [other than on the sheet of paper
in the IT Security department's safe] and yet remember the passwords?
Some [un-named] persons I know use the *same* password on all the 20 or 50
odd servers.
Would that be acceptable?

2.  How do you Audit actions by DBAs? Create separate DBA accounts in the
Database?  If you have 3 alternate DBAs supporting multiple databases, should
each DBA have a named account in each database?

3.  Should all your SOX controls, implemented as part of IT General Controls
[COBIT Framework], apply to *all* your Servers and Databases, even those that
are not Critical or Key systems [ie those with no financial impact]
{assuming that a SOX Compliance Team only a certain set of 8 or 10 systems
as Key Systems}?
Can you selectively apply controls to non-Key Systems?

At 01:27 AM Friday, Paul Drake wrote:
>Arup Nanda wrote a book covering HIPAA, covering auditing, FGA, VPD.
>Arup wrote a series of papers for OTN, here's one:
>Sarb-Ox is so open to interpretation and implementation, that its best
>to check with your auditors as far as what policies they see as
>appropriate and how to implement them.
>audit_trail=true and "audit session" would be a great start, but
>sometimes you're better off doing nothing than a piecemeal and
>incomplete effort.

Hemant K Chitale
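As an added illustration of the approach touched on in question 2 and in the quoted reply (one named account per DBA plus "audit session"), and not code from either post: Oracle SQL that creates named DBA accounts, turns on session and privileged-statement auditing, and reviews the resulting trail. The account names and passwords are placeholders, and it assumes the instance was started with audit_trail=db (the reply's audit_trail=true is an accepted synonym for db).

```sql
-- Added example, not from the thread: named DBA accounts plus auditing.
-- Assumes audit_trail = db is in the parameter file (audit_trail = true is
-- accepted as a synonym) and the instance has been restarted.

-- 1. One named account per DBA instead of everyone sharing SYS/SYSTEM,
--    so the audit trail can attribute actions to a person.
--    Names and passwords are placeholders.
CREATE USER dba_alice IDENTIFIED BY "ChangeMe_1" PASSWORD EXPIRE;
CREATE USER dba_bob   IDENTIFIED BY "ChangeMe_2" PASSWORD EXPIRE;
GRANT DBA TO dba_alice, dba_bob;

-- 2. Record every logon/logoff (the "audit session" from the reply) and the
--    statements a DBA would use to change accounts, privileges or the instance.
AUDIT SESSION;
AUDIT CREATE USER, ALTER USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;
AUDIT ALTER SYSTEM, ALTER DATABASE;
AUDIT SYSTEM AUDIT;   -- switching auditing off (AUDIT/NOAUDIT) is itself recorded

-- 3. Confirm what is being audited (statement options and privilege options).
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT user_name, privilege,    success, failure FROM dba_priv_audit_opts;

-- 4. Review: who connected as a DBA, from where, and whether it succeeded.
SELECT username, os_username, userhost, timestamp, logoff_time, returncode
  FROM dba_audit_session
 WHERE username IN ('DBA_ALICE', 'DBA_BOB')
 ORDER BY timestamp;

-- 5. Review: what those accounts did once connected (non-zero RETURNCODE
--    means the statement failed, which is worth reading as well).
SELECT username, action_name, obj_name, timestamp, returncode
  FROM dba_audit_trail
 WHERE username IN ('DBA_ALICE', 'DBA_BOB')
   AND action_name <> 'LOGON'
 ORDER BY timestamp;
```

Connections made AS SYSDBA from the shared "oracle" OS account of question 1 do not appear in this trail unless audit_sys_operations is also set (available from 9i), so that parameter belongs in the same control.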

