Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Sarbanes Oxley reporting

From: rjamya <rjamya_at_gmail.com>
Date: Tue, 13 Feb 2007 20:05:50 -0500
Message-ID: <9177895d0702131705g3debf256k9b9b9d40e1d5e9ba@mail.gmail.com>


Having received the first email for the quarterly review today, this is what we normally monitor.

  1. Annual list of authorized database users. These entries are _diff'ed_ from the previous year's list and at random they pull 25 accounts. Then we have to prove that those were legit accounts requested through our internal workflow and appropriately approved by VPs etc. Everything is in Oracle, so it is easy to generate those reports.
  2. List of DB roles and, for a critical role list, they require a list of valid users. This is also validated by the user's job roles etc.
  3. All code that got moved to production databases. Since the buck stops with the DBAs, we provide a list of service request numbers for a specified date range. Then they audit random entries. The audit information then includes the original request, development of code (from PVCS they cross-check modules and request number and version numbers), user sign-off emails, sanity check emails from DBAs and emails that prove that code was released and modules were appropriately promoted to production status in PVCS.
  4. Our developers do not get production access. Sometimes though they need to take a look at something, so managers approve access for a time slice (usually 2 hours). This happens through an app that I wrote, so they need logs for that. Sometimes they request an audit (list of SQLs) run by developers during that timeframe. We run a tkprof on the session trace file and provide it. Any developer's access is enabled for 10046^12 through a logon trigger.
  5. Our application support has full-time read-only DB access to assist end users. Their activity is tracked and a report is made available to auditors.
  6. A weekly PVCS activity report is captured. This is to prove that one person cannot develop, test and push code to production.
  7. My manager submits a signed document which contains a list of DBAs and the accounts they use as a reference.

Other than this, there are some sundry reports, but these are the critical ones as far as the Oracle DB is concerned. We have automated most of these, so the most annoying thing is the "find" feature of Outlook. Searching through 30000+ e-mails practically sucks.

Oh well ....
rjamya

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Feb 13 2007 - 19:05:50 CST
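The time-sliced developer access in item 4 (a manager-approved window, enforced at logon, with event 10046 at level 12 switched on for the session so the SQL can later be pulled out with tkprof) is the one technical mechanism in the post. The block below is an added example of how such a logon trigger can be built; it is not rjamya's app or trigger, and the table, role and trigger names (SEC_DEV_ACCESS_WINDOW, DEVELOPER_ROLE, SEC_DEV_LOGON_TRG) are assumptions. It assumes the objects are created in a dedicated security schema that holds ALTER SESSION, ADMINISTER DATABASE TRIGGER and a direct SELECT grant on DBA_ROLE_PRIVS.

```sql
-- Added example, not code from the original post. Object names are assumptions.
-- One row per approved access window, written by the (hypothetical) request/approval app.
CREATE TABLE sec_dev_access_window (
    username     VARCHAR2(128) NOT NULL,
    approved_by  VARCHAR2(128) NOT NULL,
    request_id   VARCHAR2(30)  NOT NULL,   -- service request / ticket number for the auditors
    start_ts     TIMESTAMP     NOT NULL,
    end_ts       TIMESTAMP     NOT NULL,
    CONSTRAINT sec_dev_access_window_ck CHECK (end_ts > start_ts)
);

-- Developer accounts are identified by a role, so the trigger needs no hard-coded user list.
CREATE ROLE developer_role;

CREATE OR REPLACE TRIGGER sec_dev_logon_trg
AFTER LOGON ON DATABASE
DECLARE
    l_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    l_is_dev NUMBER;
    l_window NUMBER;
BEGIN
    -- Only act on accounts that hold the developer role; DBAs and app users are untouched.
    -- (Trigger owner needs SELECT on DBA_ROLE_PRIVS granted directly, not via a role.)
    SELECT COUNT(*) INTO l_is_dev
      FROM dba_role_privs
     WHERE grantee = l_user
       AND granted_role = 'DEVELOPER_ROLE';
    IF l_is_dev = 0 THEN
        RETURN;
    END IF;

    -- Is there an approved window that covers this moment?
    SELECT COUNT(*) INTO l_window
      FROM sec_dev_access_window
     WHERE username = l_user
       AND SYSTIMESTAMP BETWEEN start_ts AND end_ts;

    IF l_window = 0 THEN
        -- No approval: the raised error aborts the logon for ordinary users.
        -- Caveat: accounts holding ADMINISTER DATABASE TRIGGER are not blocked by a
        -- failing logon trigger (the error is only logged), so this cannot gate DBAs.
        RAISE_APPLICATION_ERROR(-20001,
            'No approved production access window for ' || l_user);
    END IF;

    -- Approved: tag the trace file with the user name so it can be located afterwards.
    -- DBMS_ASSERT.ENQUOTE_LITERAL keeps the dynamic ALTER SESSION free of injection.
    EXECUTE IMMEDIATE
        'ALTER SESSION SET tracefile_identifier = ' || DBMS_ASSERT.ENQUOTE_LITERAL(l_user);

    -- Event 10046 level 12 = SQL text + wait events + bind values.
    -- Equivalent on 10g and later: DBMS_MONITOR.SESSION_TRACE_ENABLE(waits => TRUE, binds => TRUE).
    EXECUTE IMMEDIATE
        'ALTER SESSION SET EVENTS ''10046 trace name context forever, level 12''';
END;
/

-- Evidence query for the quarterly review: which developers were in production,
-- who approved it and under which request, for a given date range (bind values assumed).
SELECT username, approved_by, request_id, start_ts, end_ts
  FROM sec_dev_access_window
 WHERE start_ts >= :period_start
   AND end_ts   <  :period_end
 ORDER BY start_ts, username;
```

The trace file lands in the diagnostic destination with the user name embedded in its filename (for example `<SID>_ora_<pid>_RJAMYA.trc`), so `tkprof <that file> report.txt sys=no sort=exeela` produces the list of SQL statements the auditors ask for. Two caveats a practitioner should keep in mind: level 12 writes bind values, so the trace files contain production data and the diagnostic directory must be locked down as tightly as the database itself; and a developer who also holds ADMINISTER DATABASE TRIGGER (or who logs in as a shared application account) bypasses the whole control, so the role grant and the approval table are the things to review, not just the trigger.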

