
RE: OT: percent of DBAs that know how to implement database security measures

From: Zelli, Brian <bzelli_at_greatbatch.com>
Date: Tue, 4 Apr 2006 20:50:32 -0400
Message-ID: <77AAF55A67467641989A7C4629317AAB07C98922@WGTMAIL.corp.wgtnet.com>

If your company is bound by Sarbanes-Oxley requirements, you find out in a big hurry where your holes are. We clamped down on all access so that only the other DBA and I have exclusive DB and Unix rights to the production environment. We have to change all passwords every 90 days, end-date all consultants by the length of their contract and report quarterly on user responsibilities, privileges and access.

We monitor for access, and in collaboration with the network guys and windows guys verify users every 3 months.

We have to document every exception for access, limit and restrict developers to only development machines and then make every correction, move and implementation to the production instances. It is a pain but a necessary evil to comply with SOX. We have had no issues with the federal auditors in the 2 years that reporting has been mandatory. And we've gotten to understand our environment from most angles. Not perfect but being forced to get there...

ciao,
Brian  

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Keith Moore
Sent: Tuesday, April 04, 2006 5:51 PM
To: Paula Stankus
Cc: kmoore_at_zephyrus.com; bdbafh_at_gmail.com; Oracle-L_at_Freelists
Subject: Re: OT: percent of DBAs that know how to implement database security measures

No. That was exactly the case in the example I gave. The application required DBA access and the username/password was known by all developers (UN/PW same on development and production).

The management did not want to take the time to make the necessary application changes. Of course, the effort required increased as time passed.

The general attitude I have seen is:
1. If there is any chance that something bad could happen, don't do it.
2. If it's inside the corporate network, it's OK.

Keith

> Guys,
>
> One thing you are not considering. The DBA may know how to implement
> security measures but let's say that they are working in a "legacy"
> environment where apps were not set up correctly to begin with. The DBA
> cannot go out and willy-nilly change passwords that might be used across
> applications. They simply need the assistance and participation of the
> apps group. That I found was the biggest issue - getting assistance
> from apps development to change code appropriately. It is not something
> that could or should be done by a DBA in a vacuum. If the organization
> has a separate security team - then - the DBA might enlist their help to
> get everyone on the same page.
>
> :)
>
> Keith Moore <kmoore_at_zephyrus.com> wrote:
> If you take out the part "know how to", as in
>
> ... a full 60 percent of DBAs do not implement database security...
>
> then I would say that based on my experience it's too low.
>
> For example, when I find a shared Oracle account on a production system
> with DBA privileges AND the username equal to the password, the response
> by management is "Yeah, we know, but it's too difficult to change it right
> now. We'll do it later".
>
> Keith
>
>> A little piece of email today told me the following:
>>
>> "... a full 60 percent of DBAs do not know how to implement database
>> security measures, according to Forrester Research".
>>
>> Does that figure seem to be:
>>
>> - too high
>> - too low
>> - just about right
>> - Cowboy Neil
>>
>> Inquiring minds want to know.
>> Personally, I think that the phrase lacks the term "properly", as in
>> "properly implement database security measures".
>> "shutdown abort" or "lsnrctl stop" would be examples of "improperly
>> implement database security measures".
>>
>> Paul
>>
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Apr 04 2006 - 19:50:32 CDT