Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Sarbaynes-Oxley and the Oracle DBA

From: Prem K Mehrotra <premmehrotra_at_hotmail.com>
Date: 27 Aug 2004 18:27:56 -0700
Message-ID: <43441e77.0408271727.1f888d1@posting.google.com>


bdbafh_at_gmail.com (Paul Drake) wrote in message news:<910046b4.0408270929.1f5b5a8d_at_posting.google.com>...
> norwoodthree_at_my-deja.com (NorwoodThree) wrote in message news:<ba03e2c.0408262027.23eed52c_at_posting.google.com>...
> > Hello all,
> >
> > My company is going through the pain (as many of you probably are) of
> > Sarbanes-Oxley compliance.
> >
> > I was curious to see if there was any information, discussion, or
> > thoughts anyone could post regarding how this applies to the database
> > administrator position. There are obvious implications to security,
> > process/data flow, and change management.
> >
> > Does anyone think that the role of database administrator (especially
> > Oracle Financials database administrators) will change or elevate as
> > Sarbanes-Oxley takes hold?
>
> one needs to know more about security in general (truism, tautology).
> An understanding of security at all levels, not just within the
> database, will gain importance.
> one might be working with auditing, fine-grained access, virtual
> private database and user-space triggers to secure audit trails.
> management and reporting of such data will be important to the
> auditors.
> one may need to set up the role of the security admin and work closely
> with that role.
> higher availability may see increased attention.
>
> In general, testing (of backup/restore/recovery), process and
> documentation will be emphasized over acts of performance tuning
> heroism (or heiroinism).
>
>
> There are several new books out there.
> One that I am currently reading is by David Knox, "Effective Oracle
> Database 10g Security by Design" (oracle press) ISBN 0-07-223130-0.
>
> Arup Nanda authored a series of articles for OTN:
> http://www.oracle.com/technology/oramag/webcolumns/2003/techarticles/nanda_fga.html
> and a book named "Oracle Privacy Security Auditing" ISBN 0972751394
> which I have not yet acquired, as I have half a dozen new oracle press
> books (most with "10g" in their title) that are not yet read.
> (the "Oracle Wait Interface" book is awesome).
>
> -bdbafh

I have been working on implementing Sarbanes-Oxley controls for my Oracle databases for the last 6 months. As pointed out by others, one has to look at all aspects of Oracle security, document everything, run periodic tests, get your test results reviewed by various auditors, etc.

I did read Arup Nanda's book; it is thorough and covers security issues for various regulations. It has given me ideas on how to implement Oracle database auditing, which my auditors definitely want. The only thing which I found missing in the book is a discussion of LogMiner: the book's introduction says LogMiner is covered, but I did not find any details further in the book.

Prem

Received on Fri Aug 27 2004 - 20:27:56 CDT