
RE: Back and a Question

From: Reidy, Ron <Ron.Reidy_at_arraybiopharma.com>
Date: Tue, 15 Aug 2006 18:24:16 -0600
Message-ID: <7209E76DACFED9469D4F5169F9880C7A283158@mail01bldr.arraybp.com>


Ryan,  

Section 404 does not specify this at all. It does specify:  

A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company

A statement identifying the framework used by management to evaluate the effectiveness of internal control

Management's assessment of the effectiveness of internal control as of the end of the company's most recent fiscal year

Disclosure of material weaknesses (A material weakness is a significant deficiency or combination of significant deficiencies that result in more than a remote likelihood that a material misstatement will not be prevented or detected.)

A statement that its auditor has issued an attestation report on management's assessment

There is nothing about access restrictions in section 404. SOX is about accountability (and full employment for the Big 4/5 accounting firms) and controls. The controls are evaluated and assessed by both the internal auditors (if any) and external auditing firm. When they are satisfied you have defined controls to ensure SOX compliance and that you are monitoring actions to ensure these controls are followed, then you are in compliance.

My company uses the COBIT Guidelines and the COSO Guidelines as the blueprints for our controls. I personally use COBIT for my internal auditing assessments (yes, I do these annually; yes, it is like the fox watching the hen house).  

I also spend great amounts of time applying the CPU patches and keeping my DB instances as up to date as possible. I do this because, in my opinion, if your DB is not as secure as possible, there is no way you can be in compliance. This is because if you are hacked, you cannot meet the 404 requirements cited above. Again, this is just my opinion and not intended to start a flame war.

It is a valid point to try and restrict access to prevent IP theft, but you might find this an even harder task to implement than the 404 remediations. I have implemented resource limits on the developers at my company to try and prevent this, but the risk still exists. Management knows this and also knows that completely eliminating the risk is almost impossible from this standpoint. So, we use other methods to secure our IP (digital signatures etc.).  

--
Ron Reidy
Lead DBA
Array BioPharma, Inc.


From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of ryan_gaffuri_at_comcast.net
Sent: Tuesday, August 15, 2006 4:51 PM
To: jkstill_at_gmail.com; david_at_david-aldridge.com
Cc: Jared Still; oracle-l
Subject: Re: Back and a Question

I was told by management that SOX states developers can't have access to production. Might be a misinterpretation of some agreement with auditors. Even with read only access you open the door to people downloading data and putting it up for sale on ebay which is where this comes from. The only way I know to mitigate that is limit who has access, audit the access, and tell people with access how many ways they will be raped in prison if they break the law.    

        On 15 Aug 2006 13:03:01 -0700, David Aldridge <david_at_david-aldridge.com> wrote:

        Tsh, is there any lie that those operations people won't tell in order to keep us out of their sandbox?

        Seriously though, I don't think that SOX is that detailed, and I don't believe any STIG is either. It sounds like that rule is more along the lines of an _interpretation_ of the regulations, or a quoting of the regulations to justify a rule (depending on your degree of cynicism).

        SOX is not that detailed.

        The details are agreed upon by your company and your auditing company of choice.

        There are no rules that state "developers cannot have access to production data".

        It is highly unlikely that a developer, or anyone else for that matter, will get an account that is anything other than read only.

        DBAs are an exception to that. There should be safeguards to ensure that DBAs cannot muck around with that data. I believe Oracle Data Vault will do that.

        Jared Still
        Certifiable Oracle DBA and Part Time Perl Evangelist



--
http://www.freelists.org/webpage/oracle-l

Received on Tue Aug 15 2006 - 19:24:16 CDT