Looking at SOX
Posted Thursday, March 17, 2011 9:21 PM


SSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 5:59 PM
Points: 31,082, Visits: 15,529
Comments posted to this topic are about the item Looking at SOX
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1080136
Posted Thursday, March 17, 2011 9:44 PM


SSC-Addicted

Group: General Forum Members
Last Login: Wednesday, May 7, 2014 7:16 AM
Points: 489, Visits: 1,265
Only one of my current clients adheres to SOX and HIPAA. Yes, it has impacted work. I agree with you, that it is really for the better in that the separation of duties, although often raising the administration work, is really our job anyway.

As for the extra paperwork, ya, I'm not going to jump for joy about that. But at the same time, it makes everyone up the food chain aware that cowboy-coding is a no-fly zone. Ok, I just had to mix something from Austin, TX with a current event in the same sentence.

I actually think it made the management of my client become aware of the risks of them ordering a bad practice, or sneaking in some code/data changes 'like before'. So although there is a longer change management process between the SQL coder and the production db, with lots of testing and approval in between, shouldn't that be needed anyway for non-trivial systems?

Really, the pressure is off my back because everyone is now used to changes taking a few days to implement - at least, and it will simply no longer be done 'this afternoon'. I'm talking about 95% of the time as a general procedure, not when there is an emergency.

So I don't mind it so much. In fact, it has helped my own DBA staff be similarly cognizant of why this is in place, so we can follow similar processes with our smaller clients - but with less paperwork.

Jim
Jim Murphy
http://www.sqlwatchmen.com
@SQLMurph
Post #1080138
Posted Friday, March 18, 2011 2:19 AM
Forum Newbie

Group: General Forum Members
Last Login: Monday, September 22, 2014 9:32 AM
Points: 5, Visits: 66
I agree that SOX overall has been a force for good. I see tighter controls over who has access to data now and a better understanding from non-technical management on the relevance of that.
An interesting effect of SOX I've witnessed is that development of access control & tracing systems, bug fixes & upgrades to in-scope systems are funded & championed more readily. Where SOX is concerned the decision on whether or not to spend money on development is often made simpler for management.

Keith
Post #1080181
Posted Friday, March 18, 2011 4:13 AM


SSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 1:46 PM
Points: 5,384, Visits: 7,458
HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.

HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.

- Craig Farrell

Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. |Tally Tables

Twitter: @AnyWayDBA
Post #1080225
Posted Friday, March 18, 2011 6:23 AM
SSC-Enthusiastic

Group: General Forum Members
Last Login: Wednesday, July 17, 2013 12:22 PM
Points: 107, Visits: 290
I think SOX has had a negative effect on business in the US, mostly because it has become a scapegoat or excuse in many instances.

IT empires with a 1960's mainframe mentality have been built in the name of SOX.

It has been used as an excuse to take away users' ability to create and execute custom queries against a reporting database on the fly.

The most bizarre extension I've seen of this came when a DBA told me that "We need to take Excel away from all the users because they can manipulate data in it and that violates SOX."

I've researched SOX quite a bit and to me its concept is very similar to ISO. (1) Do you have set procedures in place to run your organization? (2) Do you follow those procedures?

I don't remember any SOX requirement that ensures that it will be easy to identify violations when the procedures are violated.

In short, it's resulted in a lot of extra work in our organization with no value to the stockholders or public.
Post #1080297
Posted Friday, March 18, 2011 6:41 AM


Ten Centuries

Group: General Forum Members
Last Login: Monday, September 29, 2014 8:08 PM
Points: 1,328, Visits: 19,288
Craig Farrell (3/18/2011)
HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.

HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.
Well said


---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table:What it is and how it replaces a loop

"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
Post #1080316
Posted Friday, March 18, 2011 6:44 AM
SSCrazy

Group: General Forum Members
Last Login: Yesterday @ 12:53 PM
Points: 2,581, Visits: 3,883
I don't have to deal with SOX but I do have to deal with HIPAA. Both of these are laws that were passed to make people feel better about something. SOX was to make people feel better about business in the wake of Enron and HIPAA was supposed to make people feel secure about their personal information in medical records in an effort to make health care portable.

Have either had their intended effects?
Post #1080317
Posted Friday, March 18, 2011 7:00 AM
SSC Rookie

Group: General Forum Members
Last Login: Friday, April 25, 2014 6:31 AM
Points: 29, Visits: 1,018
While I see benefits in security and controls inspired by SOX, it doesn't stop fraud instigated by upper management. All that is needed is a little collusion and it's done.

I also dread the auditor visits and the long drawn out discussions of why a particular system has requirements that don't fall into their cookie cutter world. We just had this conversation last year. Didn't you take notes or document anything? Let me help, I'll forward you the email I sent last year (and probably the year before) explaining this.

I've got no problem with the additional work, separation of duties analysis for new processes, etc. I just dread those six words... "The auditors are coming next week."

M
Post #1080337
Posted Friday, March 18, 2011 7:29 AM


Ten Centuries

Group: General Forum Members
Last Login: Tuesday, September 16, 2014 2:03 PM
Points: 1,334, Visits: 3,069
The "Separation of duties" is the big thing I see in SOX. No more "Jack of all trades" job descriptions. I see too many smaller companies not currently under SOX get away with this like posting a single job that includes: Application Developer, Project Manager, Database Administrator, Web Developer, and Network Admin duties all in one job requirement. Simply because they are too cheap to hire separate people for each job description. SOX takes care of this, and that is a good thing IMHO.

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
Post #1080356
Posted Friday, March 18, 2011 7:45 AM
SSC Journeyman

Group: General Forum Members
Last Login: 2 days ago @ 6:58 AM
Points: 94, Visits: 580
Overall, the law has been a good thing, as many expressed above, allowing DBAs to tighten down production while using SOX as the vehicle to get it done. This has improved our production environments' stability considerably.

The annual audit is a good thing, although the auditors don't really know what they are asking for or how to decipher the information generally. Thankfully PowerShell helps make these audits quicker than doing tons of screenshots. I have documented some of the scripts I use to make the audit faster on my blog.

A significant portion of my work from time to time is the audit, and while it can be painful, it does help us find nagging things and force us to review our environments more frequently.
Cheers
http://twitter.com/widba
http://widba.blogspot.com/
Post #1080365