Re: Minimizing downtime for 9i to 10g upgrade
Date: Sat, 13 Sep 2008 08:40:07 -0700
Fernando Nunes wrote:
> DA Morgan wrote:
>> Fernando Nunes wrote:
>>> Michael Austin wrote:
>>>> And if your data contains SOX or PCI (credit-card) information, you
>>>> are probably in violation of their security update rules and when
>>>> next audited, you will be fined very heavily for not being in
>>>> compliance. They require security patches (OS, Application, Network
>>>> and Database) to be applied within 30-60 days after it is released.
>>> Don't take me wrong, this is an honest question.
>>> Do you have any resource publicly available where I can check your
>> Sarbanes-Oxley is federal law in the US. You can find a complete copy
>> by visiting the US Securities and Exchange Commission website.
>> PCI is Payment Card Industry compliance regulations enforced by American
>> Express, Visa, Mastercard, etc. and you should be able to find it on the
>> web but your CFO had to have signed an agreement containing it when you
>> agreed to accept credit cards.
>> But it is far worse than just these two.
>> Do medical in the US and you are subject to HIPAA
>> Handle brokerage records and you are subject to additional compliance
>> regulations from the SEC.
>> Collect any information related to consumer credit reports and you
>> are subject to the US Federal Trade Commissions FACTA regs.
>> Also need to make sure you comply with the US law known as
>> Gramm-Leach-Bliley (GLB) administered by the FTC.
>> Do business in Oregon state and you'd best have your eye on the law
>> known as Senate Bill 579. And just about every other regulatory
>> authority in the US, Canada, Europe, and Asia has regulatory
>> requirements too so one must be knowledgeable about many rules and
>> regs such as: FDA CFR 21 Part 11, OMB Circular A-123, USA Patriot Act,
>> J-SOX, CLERP 9, Basel II, ....
>> Thus what most do is comply with what is called the COSO Cube. You
>> can find it with google.
> Thank you, but for example SOX doesn't mention what was stated.
> And IIRC PCI (which is also publicly available) also doesn't... I may
> be wrong...
>
> Thanks anyway.
> Regards.
The relevant SOX sections are:
Requires the Management to:
Disclose all controls
Certify that the controls are designed and implemented in management’s supervision
Disclose all changes to controls in quarterly statements
Disclose the purpose of change – if the change was due to a material weakness
Requires the Management to annually:
State the framework used to conduct assessment of the effectiveness of the company’s internal controls
Conduct an assessment of the effectiveness of the company’s internal controls and procedures for financial reporting
Requires the independent external Auditor to provide two opinions:
An assessment of management’s evaluation of the company’s internal
control over financial reporting
Its own independent evaluation based on its review and testing of the company’s internal control over financial reporting
What matters is not the specific wording of the law. But rather the two opinions by the independent auditors. You must do as they ask no matter your opinion of their recommendations. The law is generally interpreted as "what is reasonable" and "reasonable" is defined by two factors. One being what the industry is doing. The other being the latest court decisions at the federal level.
The relevant PCI sections are:
Requirement 2.2.4 - Remove all unnecessary functionality
Requirement 2.3 - Encrypt all non-console administrative access
Requirement 4 - Encrypt transmission of cardholder data across open,
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.5.1 - Unvalidated Input
Requirement 6.5.2 - Broken Access Control
Requirement 6.5.3 - Broken Authentication and Session Management
Requirement 6.5.4 - Cross Site Scripting (XSS) Flaws
Requirement 6.5.5 - Buffer Overflows
Requirement 6.5.6 - Injection Flaws
Requirement 6.5.7 - Improper Error Handling
Requirement 6.5.8 - Insecure Storage
Requirement 6.5.9 - Denial of Service
Requirement 6.5.10 - Insecure Configuration Management
Again what matters is not your interpretation but rather the industry standard interpretation. Thus COSO.
--
Daniel A. Morgan
Oracle Ace Director & Instructor
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Sat Sep 13 2008 - 10:40:07 CDT