Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Security ethics in vulnerability disclosure"] [Next entry: "Searching metalink from the MS search bar"]

Sarbanes Oxley and Oracle



There is an interesting thread today on the Oracle-l list about Sarbanes Oxley and Oracle and the issues and expense caused by adhering to Sarbanes Oxley in an Oracle shop. The thread is titled http://www.freelists.org/archives/oracle-l/01-2005/msg00477.html">Sorbanes Oxley for dummies? (broken link) where the poster asks if anyone has any good papers that relate to Sarbanes Oxley and what it means for the DBA. He clearly wants to understand the true position he is in relation to this complex legislation.

A great answer is posted next by Mark who makes some great observations including the fact that the actual requirements seem to be little understood and that auditors themselves are requiring things to be done that are not required as part of the legislation and that the cost of this fact will outweigh that of the true requirements. Mark also gives us a link to a Yahoo Group dedicated to Sarbanes Oxley and Oracle. The link is actually wrong in the Oracle-l thread. Mark also makes a good point about getting the DBA signed up to the "functional Team".

http://www.freelists.org/archives/oracle-l/01-2005/msg00486.html - (broken link) Paul as always makes a good contribution by giving us a link to Arups book about HIPAA and also to a paper by Arup about FGA and he makes a valuable point about SOX being so open to interpretation that its best to get advice from the auditors. Very interesting thread on this legislation.