RE: Auditing Oracle business processes? - slightly OT

        "just something that came out of the mouth of a clueless auditor", heh heh!

        Sorry to drag it slightly off track, but I once had an auditor ask a manager of mine, with a serious face, a) why the DBAs needed the DBA or equivalent roles b) why they needed access to login the database at all? After explaining exactly what a DBA does that an application admin doesn't, we eventually had to create another role, identical to DBA, called something_DBA, then grant that to the DBA team members. Then we needed to audit all actions any user did on the server at command prompt and certain accounts in the DB.

        Auditor's don't always understand the many products they have to deal with and quite often they need guidance in showing them the boundaries the software has and how much of what they require is feasible. It's not a crime to question an auditor, they are not almighty beings from on high, they are usually more than willing to compromise if they are satisfied and understand that no harm can be done by what is agreed.

        It can be good fun, as they ask you questions that can get you thinking about the way you do things, especially if you have been doing things the same way for years, but never questioned it.

        I guess, you don't just accept they want this "process auditing" from you, ask why they feel they need it? What does it prove in terms of security and accountability?

        Rgds

-----Original Message-----
From: David Wendelken [mailto:davewendelken_at_earthlink.net] Sent: 10 Aug 2005 14:17
To: oracle-l_at_freelists.org
Subject: RE: Auditing Oracle business processes?

I was going to guess that this had something to do with the Sarbanes-Oxley law in the USA, but then I noticed the country code on your email address.

Your management has to have a reason why they are asking this. What is it?

Fear of the technology?

Some external auditing "requirement"? ("Requirement" is in quotes, as it's probably not a real requirement, just something that came out of the mouth of a clueless auditor.)

Is this for a home-grown system or a third-party system? Both?

>I have had an unusual request (at least it is for me).
>I have been asked if there is some way to audit the Oracle
>Processes within the Database. Some thing along the line of,
>how can I prove that when the user enters data into the
>database that all the relevant triggers kick off and all the
>relevant procedures/packages etc are accessed, also the
>application is operating correctly at db level.

The answer is, "Yes, if you spend enough money and wait long enough for it to be implemented. How much is this knowledge worth to the business? That is because I suspect it will be way less than it will cost to prove it."

--
http://www.freelists.org/webpage/oracle-l


****************************************************************************
This message contains confidential information and is intended only 
for the individual or entity named.  If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.  
Please notify the sender immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of this 
message which arise as a result of e-mail transmission.  
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as required.
****************************************************************************

--
http://www.freelists.org/webpage/oracle-l