Not having read the book, I, too, have a number of questions. My current employer, being NASDAQ listed, is also undergoing preparation for a SOX Audit in 2005.

1. How do you handle Password Controls for "root" and "oracle" accounts? If you have 200 servers and 80 databases, how do you ensure that you do NOT write down the passwords somewhere [other than on the sheet of paper in the IT Security department's safe] and yet remember the passwords? Some [un-named] persons I know use the *same* password on all the 20 or 50 odd servers. Would that be acceptable?

2. How do you Audit actions by DBAs? Create separate DBA accounts in the Database? If you have 3 alternate DBAs supporting multiple databases, should each DBA have a named account in each database?

3. Should all your SOX controls implemented as part of IT General Controls [COBIT Framework] apply to *all* your Servers and Databases, even those that are not Critical or Key systems [i.e. those with no financial impact] {assuming that a SOX Compliance Team identifies only a certain set of 8 or 10 systems as Key Systems}? Can you selectively apply controls to non-Key Systems?

At 01:27 AM Friday, Paul Drake wrote:
>Michael,
>
>Arup Nanda wrote a book covering HIPAA, covering auditing, FGA, VPD.
>Arup wrote a series of papers for OTN, here's one:
>http://www.oracle.com/technology/oramag/webcolumns/2003/techarticles/nanda_fga.html
>
>Sarb-Ox is so open to interpretation and implementation, that it's best
>to check with your auditors as far as what policies they see as
>appropriate and how to implement them.
>
>audit_trail=true and "audit session" would be a great start, but
>sometimes you're better off doing nothing than a piecemeal and
>incomplete effort.
>
>Paul

Hemant K Chitale
http://web.singnet.com.sg/~hkchital

--
//www.freelists.org/webpage/oracle-l
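As an added example, not part of either message above: a minimal Oracle 9i/10g-era sketch of the auditing side of questions 1 and 2, along the lines Paul mentions (audit_trail and AUDIT SESSION). It gives each DBA a named account under a password profile, turns on session and statement auditing, and ends with the two queries an auditor would ask to see. The account names, profile name and passwords are placeholders; this is illustration of the mechanism, not a control set agreed with any auditor.

```sql
-- Added example (not from the oracle-l thread). Assumes Oracle 9i/10g and a
-- session with DBA privileges. dba_alice, dba_bob, dba_profile and the
-- password strings are placeholders.

-- 1. Write the audit trail to the database (SYS.AUD$). audit_trail is a
--    static parameter, so SCOPE=SPFILE is required and a restart follows.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Connections AS SYSDBA (e.g. from the "oracle" OS account) do not go
-- through audit_trail; they are written to the OS audit directory, and
-- audit_sys_operations additionally records every statement they run.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Password controls for the DBA accounts. PASSWORD_LOCK_TIME is in
--    days, so 1/24 locks the account for one hour after 5 failures.
CREATE PROFILE dba_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7;

-- 3. One named account per DBA instead of a shared SYSTEM login. AUDIT
--    SESSION cannot tell you *which person* used a shared account, which
--    is why the named accounts come before the audit settings.
CREATE USER dba_alice IDENTIFIED BY "placeholder-A1!" PROFILE dba_profile;
CREATE USER dba_bob   IDENTIFIED BY "placeholder-B2!" PROFILE dba_profile;
GRANT DBA TO dba_alice, dba_bob;

-- 4. One audit row per logon/logoff for every user, successful or not.
AUDIT SESSION;

-- 5. Every statement the named DBAs issue, one row per statement, plus
--    the account and grant changes that matter regardless of who runs them.
AUDIT ALL BY dba_alice, dba_bob BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE BY ACCESS;

-- 6. What the auditor will want to see.
-- Logons by the DBAs, and every failed password attempt by anyone
-- (RETURNCODE 1017 is ORA-01017: invalid username/password).
SELECT username, os_username, userhost, timestamp, logoff_time, returncode
  FROM dba_audit_session
 WHERE username IN ('DBA_ALICE', 'DBA_BOB')
    OR returncode = 1017
 ORDER BY timestamp;

-- Privileged actions taken under the named DBA accounts.
SELECT username, os_username, timestamp, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE username IN ('DBA_ALICE', 'DBA_BOB')
   AND action_name NOT IN ('LOGON', 'LOGOFF')
 ORDER BY timestamp;
```

Two practical caveats that belong with this: AUD$ grows quickly under BY ACCESS auditing, so archiving it to another schema or host on a schedule is part of the control (an audit trail the DBA being audited can truncate is not much of a control); and none of this addresses the "root" half of question 1, which lives in the OS and its own audit facilities, not in the database.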