Re: OT: Oracle Critical Patch Article

From: Robyn <robyn.sands_at_gmail.com>
Date: Tue, 15 Jan 2008 14:54:54 -0500
Message-ID: <ece8554c0801151154l2ffdcd7agc48e32ae755b68f7@mail.gmail.com>


Our approach was to evaluate each CPU release, determine the specific vulnerability of our systems to the patches included and decide if the patch was necessary. After the first few rounds of really scary looking issues, CPUs ended up being applied about twice a year at most. If a patch was applied, it was applied across all databases unless testing showed a conflict with the app.

The review of the CPU release occurred within the first week of the release and the go/no go decision was documented with an explanation. That satisfied the auditors - we got very high scores on security and patching.

As for SarbOx, not every database in a publicly held company is subject to the requirements, just the ones that contain the financial data (which admittedly is a lot of them).

Robyn

On Jan 15, 2008 12:59 PM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:
> Yes, that would be the 'real good reason why we are not'.
>
>
>
> On Jan 15, 2008 11:58 AM, Jared Still <jkstill_at_gmail.com> wrote:
> >
> > On Jan 15, 2008 8:47 AM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:
> >
> >
> > > I have seen something along those lines before. Having spent more time than I like to think about patching, and then unpatching when the errors show up, I can sympathize with those who have not done it. On the other hand, with Sox compliance being such a big issue these days, I feel like we either need to be up to the current CPU set, or have a real good reason why we are not.
> > >
> > >
> > >
> > >
> >
> > The application can affect the patch level.
> >
> > We are on SAP 4.6, and just patched to April 2007 CPU, as that was all that was certified by SAP at the time.
> >
> >
> > --
> > Jared Still
> > Certifiable Oracle DBA and Part Time Perl Evangelist
> >
>
>
>
>
> --
> Andrew W. Kerber
>
> 'If at first you don't succeed, don't take up skydiving.'

-- 
I may not have gone where I intended to go, but I think I have ended
up where I needed to be.
Douglas Adams
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 15 2008 - 13:54:54 CST