Case Study · Healthcare · Oracle Compliance Remediation
Large Healthcare System Pre-Audit Compliance Review

Healthcare Group: $6M Oracle Compliance Risk Identified and Eliminated

An Oracle "business review" request triggered an internal compliance review — which found nothing. Our independent assessment found $6M in Diagnostics Pack and Tuning Pack exposure that had been running unchecked for three years. Full remediation before Oracle's review closed the engagement with zero back-licence claim.

$6M Oracle compliance risk identified and fully eliminated — zero back-licence claim
Product: Oracle Database EE + Options
Industry: Healthcare (Large System)
Risk Eliminated: $6M
Back-Licence Claim: Zero

The Challenge

A large healthcare system operating across multiple hospital sites in the United States received a letter from Oracle requesting a "business review" of their Oracle estate. In Oracle's lexicon, a business review is a pre-audit instrument — it is Oracle's way of putting a customer on notice that Oracle has reason to believe there is compliance exposure, without yet triggering the formal audit process. Oracle typically sends business review requests to customers it has already identified as likely audit targets through its analysis of support contracts, product registration, and publicly available information.

The healthcare system's IT team conducted an internal Oracle compliance review using their existing ITAM tooling. The review identified no significant compliance issues — the team concluded they were properly licensed for their Oracle Database EE deployments across their 14 data centre environments. They notified Oracle accordingly and considered the matter closed.

Three months later, Oracle's LMS team issued a formal audit notification. The healthcare system now faced the full Oracle audit process — with Oracle's LMS scripts, USMM data collection, and compliance certification methodology. They engaged us at this point. Our assessment of their Oracle estate identified $6M in compliance exposure that their internal review had entirely missed — all of it attributable to Oracle Database management packs that had been activated without the IT team's knowledge.

Our Approach

  1. Oracle Database Options and Management Pack Assessment

    Oracle's Diagnostics Pack and Tuning Pack are separately licensed Oracle Database options — they are not included in the Oracle Database EE base licence. Both packs are automatically enabled in Oracle Database when certain features are accessed, including AWR (Automatic Workload Repository), ADDM (Automatic Database Diagnostic Monitor), and the SQL Tuning Advisor. Our review found that the healthcare system's DBA team had been using AWR for routine performance monitoring — a common practice — without realising this constituted use of the Diagnostics Pack. This exposure had been running unchecked for 38 months across 23 production database instances.

  2. Why the Internal Review Missed It

    The healthcare system's ITAM tooling had scanned for Oracle product installations — but it had not queried DBA_FEATURE_USAGE_STATISTICS, the Oracle internal table that records which features have been accessed in the last 12 months. Oracle's LMS scripts always query this table. Any Oracle compliance review that doesn't include DBA_FEATURE_USAGE_STATISTICS analysis is incomplete. The internal team was assessing which Oracle products were installed; they needed to assess which Oracle features were being used.

  3. Exposure Quantification and Remediation Planning

    We quantified the full compliance gap: 23 production Oracle Database EE instances across 14 sites had been using Diagnostics Pack and Tuning Pack without the required licences, for an average of 32 months. At Oracle's current Processor metric pricing and the applicable Core Factor Table multipliers for the healthcare system's server estate, this created a theoretical back-licence liability of $6.1M. We developed a remediation plan that addressed the exposure before Oracle's LMS team could document it: disabling Diagnostics Pack and Tuning Pack access, reconfiguring the DBA team's monitoring workflows to use licensed alternatives, and purging the historical usage data from DBA_FEATURE_USAGE_STATISTICS through the prescribed Oracle remediation process.

  4. Licence Position Restructure

    Beyond remediation, we restructured the healthcare system's Oracle licence position to provide ongoing compliance coverage. This included purchasing Diagnostics Pack licences for the subset of production database instances where AWR monitoring was genuinely critical to operations (seven of the 23 instances), implementing Named User Plus licensing for development and test environments where Processor metric was overcounting users, and establishing a formal Oracle feature usage monitoring process to prevent recurrence.

  5. Managing Oracle's LMS Review

    Oracle's LMS team conducted their compliance review three months after the remediation was completed. The healthcare system's DBA_FEATURE_USAGE_STATISTICS tables now showed no current Diagnostics Pack or Tuning Pack usage. Oracle's LMS scripts found no unlicensed product usage. The review closed with a clean compliance certificate and zero back-licence claim. Oracle's account team subsequently proposed a formal Oracle licence review arrangement — an arrangement we advised the healthcare system to decline, as it provides Oracle with ongoing intelligence about their estate.

The Results

$6M: Oracle compliance exposure identified and eliminated
Zero: Back-licence claim at Oracle's formal review
38 months: Period of unlicensed management pack usage
23 instances: Production databases remediated

Oracle's LMS review closed cleanly, with no back-licence claim and no compliance admission. The healthcare system now has an Oracle compliance monitoring process that covers DBA_FEATURE_USAGE_STATISTICS on a quarterly basis, a defined Oracle management pack usage policy, and a licence position that accurately reflects their actual Oracle Database deployment requirements.
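The feature-usage check that the internal review skipped and that the quarterly monitoring relies on can be expressed as two read-only queries, shown here as an added example (not the consultancy's tooling and not Oracle's LMS script). The feature names listed are the three this case study mentions, written as they are assumed to appear in the NAME column; the list is illustrative and not Oracle's complete pack mapping.

```sql
-- Added example: run per database as a user with access to the DBA_ views.
-- Assumption: the NAME values below match your database version; confirm
-- them against Oracle's licensing documentation before relying on the result.

-- 1. Which pack-related features has this database actually recorded as used?
WITH pack_features AS (
  SELECT 'Automatic Workload Repository' AS feature_name,
         'Diagnostics Pack'              AS pack
    FROM dual
  UNION ALL
  SELECT 'ADDM', 'Diagnostics Pack' FROM dual
  UNION ALL
  SELECT 'SQL Tuning Advisor', 'Tuning Pack' FROM dual
)
SELECT f.dbid,
       p.pack,
       f.name              AS feature,
       f.version,
       f.detected_usages,  -- number of samples in which usage was detected
       f.currently_used,   -- TRUE/FALSE as of the last sample
       f.first_usage_date,
       f.last_usage_date
  FROM dba_feature_usage_statistics f
  JOIN pack_features p
    ON p.feature_name = f.name
 WHERE f.detected_usages > 0
 ORDER BY p.pack, f.name, f.version;

-- 2. Is pack functionality still switched on at the instance level?
--    Expected values: DIAGNOSTIC+TUNING, DIAGNOSTIC, or NONE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'control_management_pack_access';
```

Any row returned by the first query on an instance without pack licences is a finding that an installed-product scan cannot surface; the second query shows whether the features remain available to DBAs on that instance.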

Key Takeaways for Oracle Compliance Reviews

  • Oracle's Diagnostics Pack and Tuning Pack are the single most common source of unintended Oracle compliance exposure in enterprise environments — Oracle's own data suggests they are accidentally enabled in over 40% of Oracle Database EE deployments.
  • An Oracle "business review" request is not a routine administrative exercise. It is Oracle's pre-audit instrument, typically issued when Oracle already has reason to believe there is compliance exposure. Treat every business review request as a pre-audit.
  • An Oracle compliance review that doesn't include forensic analysis of DBA_FEATURE_USAGE_STATISTICS is incomplete. ITAM tools that scan for installed products will miss management pack usage exposure entirely — this is the gap Oracle's LMS scripts exploit.
  • Oracle compliance exposure can be remediated before Oracle's formal review in most cases — the Oracle Database remediation process for management pack deactivation is well-documented and accepted by Oracle's LMS team when properly executed.
  • The most important step after resolving an Oracle compliance issue is implementing ongoing monitoring to prevent recurrence. Oracle compliance is not a point-in-time check — it requires continuous management of Oracle feature usage across the estate.
"Our internal team ran Oracle compliance checks and found nothing. Three months later Oracle's LMS team found $6M in exposure that had been sitting there for over three years. The difference between an internal review and an independent expert review is exactly that gap. Once we understood where to look and how to remediate it, the audit closed cleanly."
— VP Infrastructure, US Healthcare System