
Re: OT - SarBox paranoia prevention ?

From: stephen booth <stephenbooth.uk_at_gmail.com>
Date: Sat, 19 Feb 2005 21:36:24 +0000
Message-ID: <687bf9c405021913365af35a87@mail.gmail.com>


On Sat, 19 Feb 2005 13:21:03 -0700, Chip Briggs <chip.briggs_at_gmail.com> wrote:
> Any ideas how to prevent execution of non-production code
> against production data, whether the data resides in a
> database or operating system files (unix and windows) ?

None that I'm aware of. Even if you could, the sysadmins could still do block-level edits on the datafiles.

Perhaps the auditors need an education with a clue-by-four that, by the nature of how IT (and indeed paper) systems work, there have to be people who have top-level access. If you are hiring people to those positions who you don't trust then you have a much more serious problem than people possibly, maybe, perhaps changing procedures in the database.

If they need a sop to make them feel more comfortable then turn on auditing to the OS audit trail, only let your most senior DBAs have the 'oracle' user account password but give all DBAs accounts that can access the database as SYSDBA (allow application DBAs to run SQL*Plus but not as SYSDBA) and make the auditors read the audit trail to check for wrongdoing. Their brains will most likely melt within a month.

Whilst they're at it, given that Enron-style problems more usually result from business types rather than techie types, they can get HR to write a 'whistle blowing' clause into all the DBAs' contracts of employment that guarantees them indemnity if they spot any shady dealings and report it to the authorities.

I remember reading somewhere a statement to the effect of: "The only truly secure system is one disconnected from all power and network, encased in several feet of concrete then dropped into the deepest ocean waters. The utility of such a system, however, is low."

Stephen

-- 
It's better to ask a silly question than to make a silly assumption.
--
http://www.freelists.org/webpage/oracle-l
Received on Sat Feb 19 2005 - 16:39:20 CST
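
The audit-trail review suggested in the message above, sketched as an added example that is not part of the original post: it parses OS audit records, counts SYSDBA/SYSOPER activity per OS user, and flags entries made under the shared 'oracle' account or with a non-zero status. The record layout, the sample entries and the user names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, abridged sample; field layout assumed from 10g-style OS audit files.
SAMPLE_AUDIT = """\
Tue Feb 22 10:15:01 2005
ACTION : 'CONNECT'
PRIVILEGE : SYSDBA
CLIENT USER: jsmith
STATUS: 0

Tue Feb 22 10:16:40 2005
ACTION : 'alter system switch logfile'
PRIVILEGE : SYSDBA
CLIENT USER: oracle
STATUS: 0

Tue Feb 22 10:20:12 2005
ACTION : 'CONNECT'
PRIVILEGE : SYSDBA
CLIENT USER: akhan
STATUS: 1017
"""

FIELD = re.compile(r"^([A-Z ]+?)\s*:\s*(.*)$")

def parse_records(text):
    """One dict per blank-line-separated record; first line is the timestamp."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        rec = {"TIMESTAMP": first.strip()}
        rec.update((m[1].strip(), m[2].strip().strip("'"))
                   for m in map(FIELD.match, rest) if m)
        records.append(rec)
    return records

def review(records, shared_accounts=("oracle",)):
    """Count privileged records per OS user and list items for the auditor."""
    per_user, findings = defaultdict(int), []
    for r in records:
        if r.get("PRIVILEGE") not in ("SYSDBA", "SYSOPER"):
            continue
        user, when = r.get("CLIENT USER", "?"), r["TIMESTAMP"]
        per_user[user] += 1
        if user in shared_accounts:
            findings.append((when, user, "shared OS account, not attributable"))
        if r.get("STATUS", "0") != "0":
            findings.append((when, user, "failed, status " + r["STATUS"]))
    return dict(per_user), findings
```

Calling `review(parse_records(SAMPLE_AUDIT))` returns the per-user counts and the list of flagged entries; real audit files carry more fields per record, which the parser keeps in each record's dict.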
