Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Sorbanes Oxley for dummies? -- more questions

Re: Sorbanes Oxley for dummies? -- more questions

From: Jared Still <>
Date: Fri, 14 Jan 2005 11:30:04 -0800
Message-ID: <>

Comments inline

On Fri, 14 Jan 2005 22:49:20 +0800, Hemant K Chitale <> wrote:
> 1. How do you handle Password Controls for "root" and "oracle" accounts ?
> If you have 200 servers and 80 databases, how do you ensure that you do NOT
> write down the passwords somewhere [other than the on the sheet of paper
> in the IT Security department's safe] and yet remember the passwords ?
> Some [un-named] persons I know use the *same* password on all the 20 or 50
> odd servers.
> Would that be acceptable ?

The same password on all databases was never a good idea, even without SOX.

You really need some type of password safe that allows you to track the passwords
for each account on each database.

A good free one can be found at

I use this personnally for both work and home accounts.

There are others ( you will need to search, don't recall the names ) that are more
enterprise and security oriented. At least one I checked works from the web and audits password usage, sending an email to the password admin each time a password is checked out.

> 2. How do you Audit actions by DBAs ? Create seperate DBA accounts in the
> Database ? If you have 3 alternate DBAs supporting multiple databases, should
> each DBA have a named account in each database ?

Using generic accounts is strictly forbidden under SOX. Sure you could consider that as open to interpretation, but there is no way that auditors will sign off on
DBA's doing there work as SYS or SYSTEM, unless it is an operation that is required by that account.

Auditors require personal accountability, which requires personal accounts.  

> 3. Should all your SOX controls implemented as part of IT General Controls
> [COBIT Framework]
> apply to *all* your Servers and Databases, even those that are not Critical
> or Key systems
> [ie those with no financial impact] {assuming that a SOX Compliance Team
> identifies
> only a certain set of 8 or 10 systems as Key Systems} ?
> Can you selectively apply controls to non-Key Systems ?

This may depend on your auditors. Ours identified critical systems, and those are the systems that are audited. We apply most of our security controls unilaterally, but do not test them, or remediate them.


Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Received on Fri Jan 14 2005 - 13:29:31 CST

Original text of this message