SSC-Dedicated
           
Group: Administrators
Last Login: Yesterday @ 11:20 AM
Points: 31,437,
Visits: 13,752
SSChasing Mays
      
Group: General Forum Members
Last Login: Monday, May 13, 2013 12:49 PM
Points: 632,
Visits: 1,224
Only one of my current clients adheres to SOX and HIPAA. Yes, it has impacted work. I agree with you, that it is really for the better in that the separation of duties, although often raising the administration work, is really our job anyway.
As for the extra paperwork, ya, I'm not going to jump for joy about that. But at the same time, it makes everyone up the food chain aware that cowboy-coding is a no-fly zone. Ok, I just had to mix something from Austin, TX with a current event in the same sentence.
I actually think it made the management of my client become aware of the risks of them ordering a bad practice, or sneaking in some code/data changes 'like before'. So although there is a longer change management process between the SQL coder and the production db, with lots of testing and approval in between, shouldn't that be needed anyway for non-trivial systems?
Really, the pressure is off my back because everyone is now used to changes taking a few days to implement - at least, and it will simply no longer be done 'this afternoon'. I'm talking about 95% of the time as a general procedure, not when there is an emergency.
So I don't mind it so much. In fact, it has helped my own DBA staff to be similarly cognizant of why this is in place so we can follow similar processes with our smaller clients - but with less paperwork.
Jim
Jim Murphy http://www.sqlwatchmen.com @SQLMurph
Forum Newbie
      
Group: General Forum Members
Last Login: Monday, March 25, 2013 1:52 AM
Points: 3,
Visits: 35
I agree that SOX overall has been a force for good. I see tighter controls over who has access to data now and a better understanding from non-technical management on the relevance of that. An interesting effect of SOX I've witnessed is that development of access control & tracing systems, bug fixes & upgrades to in-scope systems are funded & championed more readily. Where SOX is concerned the decision on whether or not to spend money on development is often made simpler for management.
Keith
SSCertifiable
       
Group: General Forum Members
Last Login: Yesterday @ 12:05 AM
Points: 5,688,
Visits: 6,142
HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.
HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.
- Craig Farrell
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette | For index/tuning help, follow these directions. | Tally Tables | Twitter: @AnyWayDBA
SSC-Enthusiastic
      
Group: General Forum Members
Last Login: Friday, April 12, 2013 7:43 AM
Points: 107,
Visits: 287
I think SOX has had a negative effect on business in the US, mostly because it has become a scapegoat or excuse in many instances.
IT empires with a 1960s mainframe mentality have been built in the name of SOX.
It has been used as an excuse to take away users' ability to create and execute custom queries against a reporting database on the fly.
The most bizarre extension I've seen of this came when a DBA told me that "We need to take Excel away from all the users because they can manipulate data in it and that violates SOX."
I've researched SOX quite a bit and to me its concept is very similar to ISO. (1) Do you have set procedures in place to run your organization? (2) Do you follow those procedures?
I don't remember any SOX requirement that ensures that it will be easy to identify violations when the procedures are violated.
In short, it's resulted in a lot of extra work in our organization with no value to the stockholders or public.
SSCrazy
      
Group: General Forum Members
Last Login: 2 days ago @ 6:29 AM
Points: 2,551,
Visits: 18,885
Craig Farrell (3/18/2011): HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.
HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.
Well said
---------------------------------------------------------
How best to post your question | How to post performance problems | Tally Table: What it is and how it replaces a loop
"stewsterl 80804 (10/16/2009): I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
SSCrazy
      
Group: General Forum Members
Last Login: 2 days ago @ 6:52 AM
Points: 2,018,
Visits: 2,852
I don't have to deal with SOX but I do have to deal with HIPAA. Both of these are laws that were passed to make people feel better about something. SOX was to make people feel better about business in the wake of Enron and HIPAA was supposed to make people feel secure about their personal information in medical records in an effort to make health care portable.
Have either had their intended effects?
SSC Rookie
      
Group: General Forum Members
Last Login: Wednesday, April 03, 2013 7:53 AM
Points: 29,
Visits: 1,006
While I see benefits in security and controls inspired by SOX, it doesn't stop fraud instigated by upper management. All that is needed is a little collusion and it's done.
I also dread the auditor visits and the long drawn out discussions of why a particular system has requirements that don't fall into their cookie cutter world. We just had this conversation last year. Didn't you take notes or document anything? Let me help, I'll forward you the email I sent last year (and probably the year before) explaining this.
I've got no problem with the additional work, separation of duties analysis for new processes, etc. I just dread those six words... "The auditors are coming next week." 
M
Ten Centuries
      
Group: General Forum Members
Last Login: Thursday, May 09, 2013 9:23 AM
Points: 1,288,
Visits: 2,996
The "Separation of duties" is the big thing I see in SOX. No more "Jack of all trades" job descriptions. I see too many smaller companies not currently under SOX get away with this like posting a single job that includes: Application Developer, Project Manager, Database Administrator, Web Developer, and Network Admin duties all in one job requirement. Simply because they are too cheap to hire separate people for each job description. SOX takes care of this, and that is a good thing IMHO.
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ... "
SSC Journeyman
      
Group: General Forum Members
Last Login: Wednesday, May 22, 2013 9:10 AM
Points: 93,
Visits: 546
Overall, the law has been a good thing, as many expressed above. It allows DBAs to tighten down production, while using SOX as the vehicle to get it done. This has improved our production environments' stability considerably.
The annual audit is a good thing, although the auditors don't really know what they are asking for or how to decipher the information generally. Thankfully PowerShell helps make these audits quicker than doing tons of screenshots. I have documented some of the scripts on my blog that I use to make the audit faster.
A significant portion of my work from time to time is the audit, and while it can be painful, it does help us find nagging things and force us to review our environments more frequently.
Cheers http://twitter.com/widba http://widba.blogspot.com/