Re: Auditing DBA activities

From: stephen booth <stephenbooth.uk_at_gmail.com>
Date: Wed, 23 Mar 2005 21:25:25 +0000
Message-ID: <687bf9c405032313254df96f63@mail.gmail.com>

On Wed, 23 Mar 2005 12:48:41 -0800, Crawford, Margareth (HQP) <Margareth.Crawford_at_rhi.com> wrote:
>
> We are interested in industry practices concerning auditing Oracle DBA
> activities in production environments. We are aware that there are
> ever-increasing internal and external security regulations governing
> access to corporate financial data. This may result in companies that
> require audits of Oracle DBA and SYS/SYSTEM accounts.

Search the archives of the list for "SarBox paranoia prevention".

There are ways to audit Oracle databases which the DBA cannot change (or at least not change in an undetectable manner) but that still leaves you at the mercy of your system admins. Something that auditors seem to have a real problem understanding is that to run your systems you have to have people who, if they went bad, could do serious damage to your company and even place it in a legally difficult situation.

There is, however, a really simple yet effective solution. It's so simple and effective that it's been in use for about 550-600 years at least (i.e. since the Tudor monarchy in England).

Be very selective in your selection and actually do background checks (it amazes me how many companies simply don't bother to do something as simple as a criminal records check).
Pay them a lot and give them nice workplace faccilities. The more they have to lose, the more profitable any wrong doing has to be before they'll get tempted.
Put them fairly high up in the political structure and make sure that the board back them to the hilt. If they can, figuratively speaking, 'flip the bird' to anyone who tries to put them under pressure to do something unethical and have no fear of being sacked if they blow the whistle then they will be less likely to fall prey to political machinations in the organisations. Sometime make a list of all the companies, in say the last 35 years, that have gone under, suffered a major loss or been prosecuted due to some wrongdoing, then divide the list according to whether the person responsible was a business/finance person or a technical person. It'll be a very much one-sided list.
Make it clear from the get go that anyone found acting unethically will be publicly sacked and their wrong doing will be publicised so they'll be lucky if McDonalds hires them to clean the grease traps. Then actully do it. I believe that in the first use of this system the punishment was public beheading (it was in the 1500s) but you don't need to go that far.

Stephen

-- 
It's better to ask a silly question than to make a silly assumption.
--
http://www.freelists.org/webpage/oracle-l

Received on Wed Mar 23 2005 - 16:29:03 CST