Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Sarbanes-Oxley for dummies? -- more questions

From: Hemant K Chitale <hkchital_at_singnet.com.sg>
Date: Fri, 14 Jan 2005 22:49:20 +0800
Message-Id: <6.2.0.14.0.20050114224328.027d2048@pop.singnet.com.sg>

Not having read the book, I, too, have a number of questions. My current employer, being NASDAQ listed, is also undergoing preparation for a SOX audit in 2005.

  1. How do you handle password controls for "root" and "oracle" accounts? If you have 200 servers and 80 databases, how do you ensure that you do NOT write down the passwords somewhere [other than on the sheet of paper in the IT Security department's safe] and yet remember the passwords? Some [un-named] persons I know use the *same* password on all the 20 or 50 odd servers. Would that be acceptable?
  2. How do you audit actions by DBAs? Create separate DBA accounts in the database? If you have 3 alternate DBAs supporting multiple databases, should each DBA have a named account in each database?
  3. Should all your SOX controls, implemented as part of IT General Controls [COBIT Framework], apply to *all* your servers and databases, even those that are not Critical or Key systems [i.e. those with no financial impact] {assuming that a SOX Compliance Team identifies only a certain set of 8 or 10 systems as Key Systems}? Can you selectively apply controls to non-Key Systems?

At 01:27 AM Friday, Paul Drake wrote:
>Michael,
>
>Arup Nanda wrote a book covering HIPAA, covering auditing, FGA, VPD.
>Arup wrote a series of papers for OTN, here's one:
>http://www.oracle.com/technology/oramag/webcolumns/2003/techarticles/nanda_fga.html
>
>Sarb-Ox is so open to interpretation and implementation, that it's best
>to check with your auditors as far as what policies they see as
>appropriate and how to implement them.
>
>audit_trail=true and "audit session" would be a great start, but
>sometimes you're better off doing nothing than a piecemeal and
>incomplete effort.
>
>Paul

Hemant K Chitale
http://web.singnet.com.sg/~hkchital
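An added example, not from either message in this thread, showing what the "named DBA accounts plus audit_trail and audit session" starting point Paul mentions looks like in Oracle SQL, and how the resulting trail is reviewed. The account name hchitale and the password are placeholders.

```sql
-- Added example (not from the thread): named DBA accounts plus Oracle's
-- standard audit trail. Username and password below are placeholders.

-- 1. Turn on the database audit trail (TRUE is an alias for DB).
--    Static parameter: takes effect after the instance is restarted.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- 2. Work done AS SYSDBA / AS SYSOPER bypasses the database audit trail;
--    send it to the OS audit directory instead (also needs a restart).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. One named account per DBA instead of a shared SYSTEM/"oracle" login,
--    so the trail records which person did what.
CREATE USER hchitale IDENTIFIED BY "placeholder_pw" PASSWORD EXPIRE;
GRANT CREATE SESSION, DBA TO hchitale;

-- 4. Record every logon/logoff and every statement-level audit option
--    for that account, one row per call rather than one per session.
AUDIT SESSION BY hchitale BY ACCESS;
AUDIT ALL BY hchitale BY ACCESS;

-- 5. The trail lives in SYS.AUD$, which a DBA could purge; record any
--    access to it so a deletion is itself visible.
AUDIT ALL ON sys.aud$ BY ACCESS;

-- 6. Review: who logged in under the named DBA accounts, from where, when.
--    returncode 1017 rows are failed logons (invalid username/password).
SELECT username, os_username, userhost, timestamp, logoff_time, returncode
  FROM dba_audit_session
 WHERE username = 'HCHITALE'
 ORDER BY timestamp DESC;

-- 7. Review: what the named DBA account actually ran.
SELECT username, timestamp, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE username = 'HCHITALE'
 ORDER BY timestamp;
```

The same statements are run in each database the DBA supports, which is what makes the "named account in each database" question in point 2 a per-database task rather than a one-off.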

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 14 2005 - 08:48:20 CST
