
SYS/SYSTEM account security - newbie Q

From: <cbeyer_at_my-dejanews.com>
Date: Fri, 08 Jan 1999 19:33:02 GMT
Message-ID: <775mhf$k42$1@nnrp1.dejanews.com>


I am an auditor -- not a techie. Based upon my research I recommended to better secure the SYS/SYSTEM accounts (e.g. turn over password to IPO and activate only when needed) in order to prevent intentional or UNintentional changes to the database. Auditee responded that:

To shut down, DBAs connect through Oracle's Server Manager (which connects as SYS.) Server Mgr is avail to all in DBA group and any DBA (through SM) can do same things as if connected as SYS/SYSTEM.

DBAs use SYS/SYSTEM to view X$ tables. CAN'T THEY ALSO DO AS DBA?

Are we correct in assuming the more secure the SYS/SYSTEM accounts, the less risk there is to the database? Are there any reasons why these accounts shouldn't be secured (e.g. give out password only when needed)? Are there other BETTER ways to reach the same end goal (e.g. accountability for actions, limit opportunities to do intentional or unintentional damage to database)?

Any assistance would be greatly appreciated!! Thanks!

Received on Fri Jan 08 1999 - 13:33:02 CST
