Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Sorbanes Oxley for dummies? -- more questions

Re: Sorbanes Oxley for dummies? -- more questions

From: Hemant K Chitale <>
Date: Fri, 14 Jan 2005 22:49:20 +0800
Message-Id: <>

Not having read the book , but I, too, have a number of questions. My current employer, being NASDAQ listed, is also undergoing preparation for a SOX Audit in 2005.

  1. How do you handle Password Controls for "root" and "oracle" accounts ? If you have 200 servers and 80 databases, how do you ensure that you do NOT write down the passwords somewhere [other than the on the sheet of paper in the IT Security department's safe] and yet remember the passwords ? Some [un-named] persons I know use the *same* password on all the 20 or 50 odd servers. Would that be acceptable ?
  2. How do you Audit actions by DBAs ? Create seperate DBA accounts in the Database ? If you have 3 alternate DBAs supporting multiple databases, should each DBA have a named account in each database ?
  3. Should all your SOX controls implemented as part of IT General Controls [COBIT Framework] apply to *all* your Servers and Databases, even those that are not Critical or Key systems [ie those with no financial impact] {assuming that a SOX Compliance Team identifies only a certain set of 8 or 10 systems as Key Systems} ? Can you selectively apply controls to non-Key Systems ?

At 01:27 AM Friday, Paul Drake wrote:
>Arup Nanda wrote a book covering HIPAA, covering auditing, FGA, VPD.
>Arup wrote a series of papers for OTN, here's one:
>Sarb-Ox is so open to interpretation and implementation, that its best
>to check with your auditors as far as what policies they see as
>appropriate and how to implement them.
>audit_trail=true and "audit session" would be a great start, but
>sometimes you're better off doing nothing than a piecemeal and
>incomplete effort.

Hemant K Chitale                

Received on Fri Jan 14 2005 - 08:48:20 CST

Original text of this message