From: Jared Still <jkstill@gmail.com>
Date: Fri, 14 Jan 2005 11:30:04 -0800
To: hkchital@singnet.com.sg
Cc: bdbafh@gmail.com, Michael.Kline@suntrust.com, oracle-l@freelists.org
Subject: Re: Sarbanes Oxley for dummies? -- more questions
List: oracle-l (archive position 14815)

Comments inline

On Fri, 14 Jan 2005 22:49:20 +0800, Hemant K Chitale wrote:
>
> 1. How do you handle Password Controls for "root" and "oracle" accounts?
> If you have 200 servers and 80 databases, how do you ensure that you do NOT
> write down the passwords somewhere [other than on the sheet of paper
> in the IT Security department's safe] and yet remember the passwords?
> Some [un-named] persons I know use the *same* password on all the 20 or 50
> odd servers.
> Would that be acceptable?

The same password on all databases was never a good idea, even without SOX.

You really need some type of password safe that allows you to track the
passwords for each account on each database.

A good free one can be found at http://passwordsafe.sourceforge.net/

I use this personally for both work and home accounts.

There are others (you will need to search, don't recall the names) that are
more enterprise and security oriented. At least one I checked works from the
web and audits password usage, sending an email to the password admin each
time a password is checked out.

> 2. How do you Audit actions by DBAs? Create separate DBA accounts in the
> Database?
> If you have 3 alternate DBAs supporting multiple databases, should
> each DBA have a named account in each database?

Using generic accounts is strictly forbidden under SOX.

Sure you could consider that as open to interpretation, but there is no way
that auditors will sign off on DBAs doing their work as SYS or SYSTEM, unless
it is an operation that is required by that account.

Auditors require personal accountability, which requires personal accounts.

> 3. Should all your SOX controls implemented as part of IT General Controls
> [COBIT Framework]
> apply to *all* your Servers and Databases, even those that are not Critical
> or Key systems
> [ie those with no financial impact] {assuming that a SOX Compliance Team
> identifies
> only a certain set of 8 or 10 systems as Key Systems}?
> Can you selectively apply controls to non-Key Systems?
>

This may depend on your auditors.

Ours identified critical systems, and those are the systems that are audited.

We apply most of our security controls unilaterally, but do not test them, or
remediate them.

YMMV

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
http://www.freelists.org/webpage/oracle-l
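The following is an added example, not part of the oracle-l thread above, showing what "personal accounts plus an audit trail" looks like in Oracle SQL of the 9i/10g era the thread is discussing. It uses traditional (pre-Unified) auditing, which requires the AUDIT_TRAIL init parameter to be set to DB for the audit rows to land in the database. The profile name, the user jsmith, the password placeholder and the chosen audit options are constructed for illustration; it also adds a password-lifetime profile, which goes slightly beyond the post's answer to question 2 and speaks to question 1.

```sql
-- Added example (not from the oracle-l post): one named account per DBA,
-- a password profile, and auditing so each DBA's work is attributable.
-- Names (dba_profile, jsmith) and the password placeholder are constructed.

-- 1. Password controls auditors typically look for, applied via a profile.
CREATE PROFILE dba_profile LIMIT
  FAILED_LOGIN_ATTEMPTS   5
  PASSWORD_LIFE_TIME      90
  PASSWORD_REUSE_MAX      10
  PASSWORD_REUSE_TIME     365
  PASSWORD_LOCK_TIME      1
  PASSWORD_GRACE_TIME     7;

-- 2. A named account for the DBA instead of a shared SYS/SYSTEM login.
--    PASSWORD EXPIRE forces the person to set their own password at first login.
CREATE USER jsmith IDENTIFIED BY "PLACEHOLDER-change-at-first-login"
  PROFILE dba_profile
  PASSWORD EXPIRE;
GRANT CREATE SESSION, DBA TO jsmith;

-- 3. Record what the named account does. BY ACCESS writes one audit row
--    per statement; these rows appear in DBA_AUDIT_TRAIL when AUDIT_TRAIL=DB.
AUDIT SESSION BY jsmith;
AUDIT ALTER SYSTEM, ALTER DATABASE,
      CREATE USER, ALTER USER, DROP USER,
      GRANT ANY PRIVILEGE, GRANT ANY ROLE,
      DROP ANY TABLE, ALTER ANY TABLE
  BY jsmith BY ACCESS;

-- Work done as SYS is not captured by standard auditing. For the cases where
-- SYS really is required, AUDIT_SYS_OPERATIONS sends SYS activity to the OS
-- audit trail (static parameter: SPFILE scope, takes effect after restart).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 4. The per-person trail an auditor asks to see.
SELECT username, os_username, userhost, action_name, obj_name,
       returncode, timestamp
  FROM dba_audit_trail
 WHERE username = 'JSMITH'
 ORDER BY timestamp DESC;
```

The statements in steps 1 through 3 are run once per database by a privileged account; step 4 is the review query. Because the account is personal, the USERNAME and OS_USERNAME columns together answer "who did this", which is the accountability the post says auditors require.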