Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Oracle Auditing Recommendations

Re: Oracle Auditing Recommendations

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Tue, 8 Aug 2006 17:28:59 +0100
Message-ID: <7765c8970608080928n19c3468mfa4f6f6512ece9db@mail.gmail.com> 





my reaction depends on at least 3 things. was it a problem or risk?
its certainly a risk. how many people know the password?is use of the
privilege recorded?



On 8/8/06, Rodd Holman <Rodd.Holman_at_gmail.com> wrote:


> I'll agree with you for the most part.  However,

> when an auditor comes in and reports a discrepancy in that

> the DBA's have the SYS password as a problem, I

> have to say that's "putting a stamp".  How else do

> you create the database if you don't know and give it

> the sys password.

>

> Yes, this was a real life audit example.

> The auditor who was clueless about what a DBA was

> or did, had this checklist of items and just lumped

> DBA's in as users and since we knew how to get

> at the base level of the DB we were considered an

> audit risk.  We all volunteered to give up the

> password and go home.  Our boss wasn't impressed.

>

> Niall Litchfield wrote:

> > On 8/7/06, Rodd Holman <Rodd.Holman_at_gmail.com> wrote:

> >>

> >> Also remember, auditors are hired to find things wrong.  If everything

> >> they find comes up good, then their supervisors question their diligence

> >> in their jobs.  So every auditor needs to find something they can report

> >> just to show that they were doing their job.  No auditor wants to be

> >> found eligible for the Enron audit team.

> >

> >

> > Not true. Auditors are hired to verify and evidence that things are as

> > people say they are. This is different from being hired to find things

> > wrong. Or to use another analogy, this statement is equivalent to saying

> > that DBAs are hired to prevent people from accessing data or code from

> > being

> > put into production. If a DBA allows people access or puts code into

> > production without finding it lacking then their supervisors question

> their

> > diligence.

> >

> > For sure Auditors are picky, beauracratic and irritating. This is a good

> > thing given their role. They aren't out to find mistakes though. They are

> > out to verify and evidence.

> >

>




-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
--
http://www.freelists.org/webpage/oracle-l


Received on Tue Aug 08 2006 - 11:28:59 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US