RE: Dormant database user accounts

From: Leroy Kemnitz <lkemnitz_at_uwsa.edu>
Date: Mon, 16 Mar 2015 16:56:32 +0000
Message-ID: <BN3PR0701MB1637B19936413F65F803098BB6020_at_BN3PR0701MB1637.namprd07.prod.outlook.com>

Mark and Niall,

Currently, we have no policy concerning this issue. I am attempting to ‘create’ or ‘suggest’ a policy that works from the database security viewpoint. We currently have a need for a lot of various kinds of policies concerning the databases. This is a starting point.

LeRoy

From: MARK BRINSMEAD [mailto:mark.brinsmead_at_gmail.com]
Sent: Monday, March 16, 2015 11:48 AM
To: Niall Litchfield; oracle-l_at_freelists.org
Cc: Leroy Kemnitz; jithinsarath_at_gmail.com; mcolmenares_at_newtechsistemas.com.ve; mark.powell2_at_hp.com
Subject: Re: Dormant database user accounts

Indeed.
Checking your "infosec" policies first would be an excellent idea. An excellent (and not entirely uncommon) policy is that "user accounts may never be deleted" -- or, perhaps more properly "userids may never be reused". They're not the same thing, but in Oracle, probably not too far off.

Lots of sites do AUDITING. Those who do feel a perverse need to attribute audited actions to specific individuals. When accounts get deleted, or worse, userids are reused, the attributions in the audit data will probably stop working properly -- you either lose track of to whom to attribute an action, or you attribute it to the wrong person.

There's a fair-to-middling chance that your security officer would prefer that you keep dormant accounts locked and expired (and keep them that way indefinitely), rather than deleting them. Even if there aren't already policies like this in place, perhaps there should be. You might be doing people a favour by suggesting it before you start deleting old accounts.

On Mon, Mar 16, 2015 at 10:08 AM, Niall Litchfield <niall.litchfield_at_gmail.com> wrote: You might well already have policies on this, and I'd definitely want to match your infosec requirements rather than present them with a fait accompli. I'd add a couple of things that haven't been touched on so far.

  1. You need to make arrangements to catch the replies to the emails so you'll need to make sure any mail sent to the reply-to address gets to the right people and doesn't, for example, end up in the same place as all your EM notifications.
  2. No-one seems to have remarked that it is really not at all unusual for people to be validly away from work for more than 3 months and that you probably don't want to delete such accounts, though you may well wish to lock them early.

...

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Mar 16 2015 - 17:56:32 CET
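The approach the thread converges on (lock and expire dormant accounts rather than drop them, so audit records stay attributable, and carve out people who are legitimately away for a long stretch) can be expressed as a small Oracle SQL/PL*SQL job. The following is an added example and not code from any of the posters; it assumes Oracle 12c or later (it relies on the LAST_LOGIN and ORACLE_MAINTAINED columns of DBA_USERS, which do not exist in 11g), a 90-day dormancy threshold, and a hypothetical exception table named DORMANCY_EXCEPTIONS that the DBA maintains for staff on extended leave.

```sql
-- Added example, not from the original thread.
-- Assumes Oracle 12c+ (DBA_USERS.LAST_LOGIN, DBA_USERS.ORACLE_MAINTAINED).

-- Hypothetical exception list: accounts that are dormant for a known,
-- approved reason (long-term leave, sabbatical) and must not be touched.
CREATE TABLE dormancy_exceptions (
    username      VARCHAR2(128) PRIMARY KEY,
    approved_by   VARCHAR2(128) NOT NULL,
    review_date   DATE          NOT NULL
);

-- Step 1: report the candidates before doing anything to them.
-- "Dormant" here means an OPEN, non-Oracle-maintained account that either
-- has not logged in for 90 days or has never logged in and is older than
-- 90 days, and is not on the exception list.
SELECT u.username,
       u.account_status,
       u.created,
       u.last_login,
       CASE WHEN u.last_login IS NULL THEN 'never logged in'
            ELSE TO_CHAR(TRUNC(SYSDATE - CAST(u.last_login AS DATE))) || ' days idle'
       END AS dormancy
FROM   dba_users u
WHERE  u.oracle_maintained = 'N'
AND    u.account_status = 'OPEN'
AND    NVL(CAST(u.last_login AS DATE), u.created) < SYSDATE - 90
AND    NOT EXISTS (SELECT 1 FROM dormancy_exceptions e
                   WHERE e.username = u.username)
ORDER  BY u.last_login NULLS FIRST;

-- Step 2: lock and expire (never DROP) each candidate. Locking blocks new
-- logins immediately; expiring forces a password change if the account is
-- ever reopened. The schema and its audit attribution survive intact.
BEGIN
    FOR r IN (
        SELECT u.username
        FROM   dba_users u
        WHERE  u.oracle_maintained = 'N'
        AND    u.account_status = 'OPEN'
        AND    NVL(CAST(u.last_login AS DATE), u.created) < SYSDATE - 90
        AND    NOT EXISTS (SELECT 1 FROM dormancy_exceptions e
                           WHERE e.username = u.username)
    ) LOOP
        EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                          '" ACCOUNT LOCK PASSWORD EXPIRE';
    END LOOP;
END;
/

-- Step 3: confirm the state. Locked-and-expired accounts show a combined
-- status and keep their LOCK_DATE, which is itself useful evidence later.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  account_status LIKE '%LOCKED%'
AND    oracle_maintained = 'N'
ORDER  BY lock_date DESC;
```

Run the report in step 1 and circulate it (with the reply-to handling Niall describes) before executing step 2; the lock is reversible with ALTER USER ... ACCOUNT UNLOCK, whereas a DROP USER ... CASCADE is not, and it is the drop that breaks the link between audit rows and the person behind them.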