| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.misc -> Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.
Stefaan A Eeckels wrote:
> On Sat, 02 Sep 2006 00:35:13 GMT
> Ningi <ningi_at_EGGSANDSPAMblueyonder.co.uk> wrote:
>
>> Frank Cusack wrote: >> <snip> >> >> m UNTRUSTED employees, not eliminating trust from the system. >>> No auditor will balk at not having immutable files as long as only >>> trusted employees are in the position to undetectably alter data. >> Yes they will. You stand no chance of meeting SEC 17a-4 if ANYBODY >> can alter the data.
I should have been clearer. The point I was trying to make is that SEC rules assume untrusted employees. You have to demonstrate to the satisfaction of the SEC that your data is stored on WORM media that can't be tampered with by employees - for example on the order of the CFO.
>
> But wait - how do you(*) know that the program that writes the data to
> the write-once medium doesn't alter it whilst writing?
By auditing the software. That will have to include the whole software stack from application to OS to storage. This is one of the reasons there's such a big consultancy industry around SOX compliance.
>
> As usual, the law is an ass.
>
> (*) you = an auditor who cannot read program source code and compile it
> himself, and execute on a system he has built from the ground up so
> that he knows it's trusted. And even if the auditor could do all this,
> why trust the auditor?
>
The SEC don't approve & test technology. It is up to the financial institution to demonstrate that they've made reasonable endeavours to comply.
The real motivation is the massive fines the SEC will levy if you can't retrieve data quickly and demonstrate it hasn't been tampered with in the event of an investigation. This has happened a number of times.
Pete Received on Sat Sep 02 2006 - 06:51:01 CDT
 |
 |