Re: Sarbanes-Oxley for dummies? -- more questions

  • From: Hemant K Chitale <hkchital@xxxxxxxxxxxxxx>
  • To: bdbafh@xxxxxxxxx, Michael.Kline@xxxxxxxxxxxx, oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 14 Jan 2005 22:49:20 +0800

I have not read the book, but I, too, have a number of questions.  My current
employer, being NASDAQ listed, is also undergoing preparation for a SOX
Audit in 2005.

1.  How do you handle Password Controls for "root" and "oracle" accounts?
If you have 200 servers and 80 databases, how do you ensure that you do NOT
write down the passwords somewhere [other than on the sheet of paper
in the IT Security department's safe] and yet remember the passwords?
Some [un-named] persons I know use the *same* password on all the 20 or 50
odd servers.
Would that be acceptable?

2.  How do you Audit actions by DBAs? Create separate DBA accounts in the
Database?  If you have 3 alternate DBAs supporting multiple databases, should
each DBA have a named account in each database?

3.  Should all your SOX controls implemented as part of IT General Controls
[COBIT Framework] apply to *all* your Servers and Databases, even those that
are not Critical or Key systems [i.e. those with no financial impact]
{assuming that a SOX Compliance Team identifies only a certain set of 8 or 10
systems as Key Systems}?
Can you selectively apply controls to non-Key Systems?

At 01:27 AM Friday, Paul Drake wrote:
>Michael,
>
>Arup Nanda wrote a book covering HIPAA, covering auditing, FGA, VPD.
>Arup wrote a series of papers for OTN, here's one:
>http://www.oracle.com/technology/oramag/webcolumns/2003/techarticles/nanda_fga.html
>
>Sarb-Ox is so open to interpretation and implementation, that it's best
>to check with your auditors as far as what policies they see as
>appropriate and how to implement them.
>
>audit_trail=true and "audit session" would be a great start, but
>sometimes you're better off doing nothing than a piecemeal and
>incomplete effort.
>
>Paul


Hemant K Chitale
http://web.singnet.com.sg/~hkchital
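Putting question 2 and Paul's "audit_trail=true and audit session" together, here is an added example (not from either poster) of what a named-DBA-account audit setup looks like in Oracle 9i/10g SQL; the user names, passwords and the seven-day window are placeholders.

```sql
-- Added example (not from either poster): one named, audited account per DBA
-- instead of a shared login. User names and passwords are placeholders.
-- Run as SYS or a user holding the DBA role; Oracle 9i/10g syntax (2005 era).

-- 1. Turn on the database audit trail. Paul's "audit_trail=true" is a
--    synonym for DB (rows land in SYS.AUD$). Needs an instance restart.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
-- SYSDBA/SYSOPER connections are not written to AUD$; send them to the OS
-- audit files so a DBA cannot tidy up his own trail with DELETE FROM AUD$.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Named accounts for each alternate DBA, so that the trail shows *who*
--    did something rather than a shared SYSTEM login.
CREATE USER dba_alice IDENTIFIED BY "ChangeMe-Alice-2005" PASSWORD EXPIRE;
CREATE USER dba_bob   IDENTIFIED BY "ChangeMe-Bob-2005"   PASSWORD EXPIRE;
GRANT DBA TO dba_alice, dba_bob;

-- 3. Paul's "audit session": one row per logon/logoff (and failed logon)
--    for every database user ...
AUDIT SESSION;
-- ... plus the privileged actions a SOX auditor usually asks about,
--    recorded per statement (BY ACCESS) for the named DBA accounts.
AUDIT ALTER SYSTEM, ALTER USER, CREATE USER, DROP USER,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE
   BY dba_alice, dba_bob
   BY ACCESS;

-- 4. What the auditor will want to see: who connected from where, and any
--    failed attempts (RETURNCODE 1017 = ORA-01017 invalid username/password).
SELECT username, os_username, userhost, timestamp, action_name, returncode
  FROM dba_audit_session
 WHERE timestamp >= SYSDATE - 7
 ORDER BY timestamp;

-- Privileged statements issued by the named DBAs in the same window.
SELECT username, os_username, timestamp, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE username IN ('DBA_ALICE', 'DBA_BOB')
   AND timestamp >= SYSDATE - 7
 ORDER BY timestamp;
```

The same three statements have to be repeated in every database the DBAs support, which is exactly why the "named account in each database" question matters for the audit scope.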

--
//www.freelists.org/webpage/oracle-l