Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Sorbanes Oxley for dummies? -- more questions

Re: Sorbanes Oxley for dummies? -- more questions

From: Jared Still <jkstill_at_gmail.com>
Date: Fri, 14 Jan 2005 11:30:04 -0800
Message-ID: <bf463805011411302818168@mail.gmail.com> 





Comments inline



On Fri, 14 Jan 2005 22:49:20 +0800, Hemant K Chitale
<hkchital_at_singnet.com.sg> wrote:


> 

> 1.  How do you handle Password Controls for "root" and "oracle" accounts ?

> If you have 200 servers and 80 databases, how do you ensure that you do NOT

> write down the passwords somewhere [other than the on the sheet of paper

> in the IT Security department's safe] and yet remember the passwords ?

> Some [un-named] persons I know use the *same* password on all the 20 or 50

> odd servers.

> Would that be acceptable ?




The same password on all databases was never a good idea, even
without SOX.



You really need some type of password safe that allows you to track
the passwords


for each account on each database.



A good free one can be found at http://passwordsafe.sourceforge.net/



I use this personnally for both work and home accounts.



There are others ( you will need to search, don't recall the names )
that are more


enterprise and security oriented.  At least one I checked works from the web and
audits password usage, sending an email to the password admin each time a 
password is checked out. 




> 2.  How do you Audit actions by DBAs ? Create seperate DBA accounts in the

> Database ?  If you have 3 alternate DBAs supporting multiple databases, should

> each DBA have a named account in each database ?




Using generic accounts is strictly forbidden under SOX.  Sure you could consider
that as open to interpretation,  but there is no way that auditors
will sign off on


DBA's doing there work as SYS or SYSTEM, unless it is an operation that is
required by that account.



Auditors require personal accountability, which requires personal accounts.
 


> 3.  Should all your SOX controls implemented as part of IT General Controls

> [COBIT Framework]

> apply to *all* your Servers and Databases, even those that are not Critical

> or Key systems

> [ie those with no financial impact]   {assuming that a SOX Compliance Team

> identifies

> only a certain set of 8 or 10 systems as Key Systems} ?

> Can you selectively apply controls to non-Key Systems ?

>




This may depend on your auditors.  Ours identified critical systems, and those
are the systems that are audited.  We apply most of our security controls
unilaterally, but do not test them, or remediate them.




YMMV



-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
--
http://www.freelists.org/webpage/oracle-l


Received on Fri Jan 14 2005 - 13:29:31 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US