Re: Minimizing downtime for 9i to 10g upgrade

From: DA Morgan <>
Date: Sat, 13 Sep 2008 08:40:07 -0700
Message-ID: <>

Fernando Nunes wrote:

> DA Morgan wrote:

>> Fernando Nunes wrote:
>>> Michael Austin wrote:
>>>> And if your data contains SOX or PCI (credit-card) information, you
>>>> are probably in violation of their security update rules and when
>>>> next audited, you will be fined very heavily for not being in
>>>> compliance. They require security patches (OS, Application, Network
>>>> and Database) to be applied within 30-60 days after it is released.
>>> Don't take me wrong, this is an honest question.
>>> Do you have any resource publicly available where I can check your
>>> statement?
>> Sarbanes-Oxley is federal law in the US. You can find a complete copy
>> by visiting the US Securities and Exchange Commission website.
>> PCI is Payment Card Industry compliance regulations enforced by American
>> Express, Visa, Mastercard, etc. and you should be able to find it on the
>> web but your CFO had to have signed an agreement containing it when you
>> agreed to accept credit cards.
>> But it is far worse than just these two.
>> Do medical in the US and you are subject to HIPAA
>> Handle brokerage records and you are subject to additional compliance
>> regulations from the SEC.
>> Collect any information related to consumer credit reports and you
>> are subject to the US Federal Trade Commission's FACTA regs.
>> Also need to make sure you comply with the US law known as
>> Gramm-Leach-Bliley (GLB) administered by the FTC.
>> Do business in Oregon state and you'd best have your eye on the law
>> known as Senate Bill 579. And just about every other regulatory
>> authority in the US, Canada, Europe, and Asia has regulatory
>> requirements too so one must be knowledgeable about many rules and
>> regs such as: FDA CFR 21 Part 11, OMB Circular A-123, USA Patriot Act,
>> J-SOX, CLERP 9, Basel II, ....
>> Thus what most do is comply with what is called the COSO Cube. You
>> can find it with google.
> Thank you, but for example SOX doesn't mention what was stated.
> And IIRC PCI (which is also publicly available) also doesn't... I may
> be wrong...
> Thanks anyway.
> Regards.

The relevant SOX sections are:

Section 302

Requires the Management to:
Disclose all controls
Certify that the controls are designed and implemented in management’s supervision
Disclose all changes to controls in quarterly statements
Disclose the purpose of change – if the change was due to a material weakness

Section 404

Requires the Management to annually:
State the framework used to conduct assessment of the effectiveness of the company’s internal controls
Conduct an assessment of the effectiveness of the company’s internal controls and procedures for financial reporting

Requires the independent external Auditor to provide two opinions:
An assessment of management’s evaluation of the company’s internal control over financial reporting
Its own independent evaluation based on its review and testing of the company’s internal control over financial reporting

What matters is not the specific wording of the law, but rather the two opinions by the independent auditors. You must do as they ask no matter your opinion of their recommendations. The law is generally interpreted as "what is reasonable", and "reasonable" is defined by two factors: one is what the industry is doing; the other is the latest court decisions at the federal level.

The relevant PCI sections are:

Requirement 2.2.4 - Remove all unnecessary functionality
Requirement 2.3 - Encrypt all non-console administrative access
Requirement 4 - Encrypt transmission of cardholder data across open, public networks
Requirement 6 - Develop and maintain secure systems and applications

Requirement 6.5.1 - Unvalidated Input
Requirement 6.5.2 - Broken Access Control
Requirement 6.5.3 - Broken Authentication and Session Management
Requirement 6.5.4 - Cross Site Scripting (XSS) Flaws
Requirement 6.5.5 - Buffer Overflows
Requirement 6.5.6 - Injection Flaws
Requirement 6.5.7 - Improper Error Handling
Requirement 6.5.8 - Insecure Storage
Requirement 6.5.9 - Denial of Service
Requirement 6.5.10 - Insecure Configuration Management

Again, what matters is not your interpretation but rather the industry standard interpretation. Thus COSO.

Daniel A. Morgan
Oracle Ace Director & Instructor
University of Washington (replace x with u to respond)
Puget Sound Oracle Users Group
Received on Sat Sep 13 2008 - 10:40:07 CDT