A reader, July 25, 2016 - 5:23 pm UTC
Response to Q1.
Thanks, It is for sure the process was broken. We do have process of sharing implementation plan (like change management plan!) but the contract DBA failed to follow that protocol.
setting up DDL trigger will help any accidental deletion of tables or packages. In future, we can plan to consider setting up DDL trigger.
However, my question is about the process adopted to create controlled environment for investigation. Could there be any better way to set up controlled environment especially when the process is broken?
Response to Q2.
My question is even if we change the password of SYS, one can still connected as sysdba on the server. Changing password could create complete blockage to access the system remotely. If the password is not changed, it still leaves the door open to connect to the database remotely via sqlplus or toad etc.
July 25, 2016 - 7:06 pm UTC
Depends on what extremes you want to go to. You could set the database to read only :-)
It is also possible to disable table locks, which means DML is allowed by DDL is not, but obviously if you are still allowing DBA access, they can simply re-enable it.
Another point
J. Laurindo Chiappa, July 25, 2016 - 7:27 pm UTC
Another line of thought, complementing the info already received : first thing if you really want/need a "controlled environment" is to protect the environment (in the possible ways) against non-conforming DBA activities - depending on how serious the need is, it can range from implementating the Database Vault (the most secure but the most complex and costly alternative) until simply separating the DBA and sysadmin roles, starting Auditing on DBA actions (on OS files, external to database) and putting a contractual rule (complete with fines and higher penalties) for the DBA againts non-conforming activities....
After that the DBA position is "secure", you will walk toward for end-users and application control : without all of this, you will Never have a "controlled" environment...
Regards,
J. Laurindo Chiappa
July 27, 2016 - 1:33 pm UTC
nice input