Re: Oracle NULL vs '' revisited

From: hpuxrac <johnbhurley_at_sbcglobal.net>
Date: Wed, 22 Aug 2007 14:02:49 -0700
Message-ID: <1187816569.319573.223060@j4g2000prf.googlegroups.com>


On Aug 22, 12:06 pm, DA Morgan <damor..._at_psoug.org> wrote:
> euan.gar..._at_gmail.com wrote:
> >> And I posted the link to Microsoft's own docs where they say that this
> >> isn't true. So who's correct? You or Microsoft?
>
> > Hmmm, you posted 2 links, one was a write up by an MVP (from 6 years
> > ago) which documented that C2 in SQL Server 2000 would tell you who
> > made a change (update) but not what the change was. The second link you
> > sent was to the C2 summary, in that doc it lists the following;
>
> > "...End User Activity (for example, all SQL commands, logins, and
> > logouts).."
>
> > Which I think is the bucket that selects are going to come under, I
> > agree we could have made this clearer but the doc was not written with
> > HIPAA's more exacting/different requirements in mind. Given that C2 has
> > been superseded as a std and SQL Server is currently undergoing common
> > criteria certification I don't think there is much chance of getting
> > the page updated.
>
> > Now trace was not that well documented in SQL 6.5/7/2000 so I am going
> > to reference SQL2005 docs, most of what I reference also applies on
> > older versions. Here is the list of events that can be audited by
> > trace in 2005;
>
> >http://msdn2.microsoft.com/en-us/library/ms175481.aspx
>
> > To save time, here is the category of events that include all sql
> > statements, hence would include select statements;
>
> >http://msdn2.microsoft.com/en-us/library/ms177488.aspx
>
> >> Perhaps the problem here is that you don't understand what HIPAA means
> >> with respect to auditing SELECT statements. It isn't who issued it. That
> >> is not the issue. It is which records, with which specific values, were
> >> returned to which users?
>
> > Ah ok now that makes sense, as I said I am no HIPAA expert so I was
> > not aware of that requirement.
>
> >> If you believe otherwise then please provide a link to the doc that
> >> demonstrates that this capability exists in any database product other
> >> than Oracle.
>
> > I'm not aware of it existing in SQL Server at this time, I'm not going
> > to comment on other DBs as I don't know them.
>
> > However I have another question about HIPAA at this point, I thought
> > that HIPAA was an end to end requirement, which means while Oracle
> > makes this possible on the back end through built in features (I
> > presume this is done through versioning somehow? How long is the audit
> > trail kept btw) if the app tier does something that's not auditable
> > then from a compliance perspective it's a bust?
>
> > -Euan
>
> That is the statement ... but not what was returned. The statement,
> itself, in the context of HIPAA is meaningless because the data changes.
> A month later, during an audit, it is impossible to tell if 0, 1, or
> 1000 records were returned and which ones.
>
> It may make a marketer happy to claim it as auditing but it does not
> comply with the law being discussed.
> --
> Daniel A. Morgan
> University of Washington
> damor..._at_x.washington.edu (replace x with u to respond)
> Puget Sound Oracle Users Group www.psoug.org

Funny how items like the original posting in this thread get coerced and turned into flame wars. At least the most popular url in cdos gets posted a few hundred more times.

If you people want to continue this at least start a new thread and leave this one.

Received on Wed Aug 22 2007 - 16:02:49 CDT
