Database Reference
In-Depth Information
A problem can arise in which the DBA will want to deny everything and basically keep the auditor out. The key
to avoiding this situation is long, gradual run-ups to the audit process so that the expectations are signposted well in
advance and preparations can be made.
Potential pitfalls can occur when the internal audit team is incentivized more to find problems than to solve
them. Additionally, understanding the architectural dependencies is important when interpreting audit results.
For instance, non-compliant application accounts on the DB are probably not the DBA's fault. It will most probably
be the application owner who has the power to change that password.
The key tool that compliance auditors need to use in order to secure both large estates and all layers of the
architecture is EM12c. If you are auditing an Oracle estate and they won't give you EM access for visibility then
consider failing the audit on that basis. EM12c access is specifically designed to be customizable to a compliance
auditor's requirements, so let's have a tour of EM12c in the next chapter.
