From: Michael Thomas
Date: Thu, 17 Jun 2004 20:36:35 -0700 (PDT)


Does anyone have a web reference to a Sarbanes-Oxley law requiring change control of pre-approved database changes?

Thanks, I was hoping for more specifics, even generally. ;-)

Change control sounds a lot like Capability Maturity Model (CMM) software engineering. Change control does not include an 'operational task-oriented' DBA admin process, nor does change control imply 'pre-approved database changes' as we are heading in this thread. The service support agreement describes DBA admin processes. Change control might specify a process for code and data changes post development. The subject term is confusing.

FYI: My 'legislated' change control process experience is solely 21 CFR Part 11 working with Oracle databases doing clinical trials at a large international pharma company for about 5 years. But, not the HIPAA part of clinical, and Sarbanes-Oxley is too new for me. I also got some CMM process experience as an Oracle software developer in a US government organization when we got CMM level three certification back around 1996.

<off topic> Has anyone here ever heard of the CMM impedance mismatch? I have the magazine article, but may be able to find an internet reference if desired. Basically, it's about wasting money on outsourcing to CMM level 5 when an organization only needs/uses/capable of a lower level. </off topic>

I'm sure the same lawyers that wrote every known operating system license agreement (e.g. not suitable for any implied purpose...yada, yada) are the same Sarbanes-Oxley lawyers auditing and fining US companies. Is it a trial-lawyer conspiracy? ;-) Has anyone been fined for Sarbanes-Oxley yet, or is it still a FUD exercise in big US government?

It's easier to deal with any business process if we *prioritize*, like the bottleneck performance theories. What is important w.r.t. this thread's subject of 'pre-approved database changes'? Obviously, the priority is the data, and/or processes that might change the data. Stop. Other priority suggestions?

If the operations of the DBA, excluding the data are important, then I'm still confused. "All database changes" is meaningless to me. Further, if the operations of the DBA on the database do not change the business data then why is legislated pre-approval required? (I'd like more understanding of Sarbanes-Oxley). And, what is business data?

My primitive attempt to contrast data: Meta-data data is part of the Oracle database and not business data. Content-data data is DML'd by any user and owned by business. Therefore, prioritize what content-data data may/may not change by everyone, but do not include DBA's meta-data, nor make an 'operational task-list' for the DBA and call it change control for 'pre-approved database changes'.

I'm all for having a prioritized process for things that change the business' content-data data, including what the DBA, user, and everyone changes. But, after the DBA operational task-list for database changes is generated, I can show you why this type of 'task-specific' list is worthless for change control of data content. (Okay, I said worthless. Where is my tact thesaurus? Sorry).

Prioritize the content-data changes. Okay. Prioritize the code effecting content-data changes. Okay. Prioritize any user's process DML'ing content-data changes. Okay. Any database changes that are not on those three lists are not relevant for change control as 'pre-approved database changes'.

Again, these opinions are solely mine and not suitable for any implied purpose... yada, yada. :-)

HTH Regards,

Mike Thomas                 

