You should have a control and review process in place rather than imposing a blanket ban. You can tell your director that all logins with sysadmin privilege will be audited, DBA logins will be added only after approval from a manager, audit activities need to be reviewed, and DBAs cannot add/modify logins. In other words, securityadmin should be separated from sysadmin. All the best!
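One way to put the review-and-audit process above into practice on SQL Server, as an added example that is not part of any post in this thread; the audit name, specification name and file path are assumptions:

```sql
-- Added example (not from the thread). Names such as Audit_LoginChanges and
-- the path D:\SQLAudit\ are assumptions; adjust them for your instance.

-- 1. Review: who holds sysadmin and who holds securityadmin?
SELECT p.name      AS login_name,
       r.name      AS server_role,
       p.type_desc,
       p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY p.name, r.name;

-- Logins sitting in BOTH roles defeat the separation; this should return no rows.
SELECT p.name AS login_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
GROUP BY p.name
HAVING COUNT(DISTINCT r.name) = 2;

-- 2. Audit: log every login create/alter/drop, every server-role membership
--    change, and every successful login, so the manager can review them.
CREATE SERVER AUDIT Audit_LoginChanges
    TO FILE (FILEPATH = 'D:\SQLAudit\')           -- assumed path
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Spec_LoginChanges
    FOR SERVER AUDIT Audit_LoginChanges
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- CREATE / ALTER / DROP LOGIN
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- sysadmin / securityadmin membership edits
    ADD (SUCCESSFUL_LOGIN_GROUP)            -- who actually connected
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_LoginChanges WITH (STATE = ON);
GO

-- 3. Review: read the audit trail back for the periodic sign-off.
SELECT event_time, action_id, server_principal_name,
       target_server_principal_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```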
Really, this is a case of the road to hell being paved with good intentions. You can see the spirit of what the IT Director wanted to do; it's just that the letter of what he wanted was a right pig's ear!
I've had a similar instance where we were told to comply with the Data Protection Act (UK) in terms of not retaining data without permission or once its use-by date has expired.
The problem was it was insisted that if that data existed on a backup tape then we would be in breach of the act. So, run a destructive process on data without a backup... hey wow, what a good idea!!!!
Half-and-half solution
1) Only the DBA can change data structures, stored procs, etc.
2) Only users can access the database via the production GUI (the DBA is prevented from this via an encrypted password that the user creates).
3) Even though the DBA has access to every object in the DB, they could not enter a financial transaction without a complete understanding of the schema.
(This is for an accounting solution.)
Interesting topic:
Well, I have seen enough bashing of auditors. I am an IT auditor, and yes, CISA too, working on Sarbanes.
Recently we are auditing a client who is running Solomon on SQL Server and other Oracle Database applications.
I am working with one of the top risk consulting companies. Our interpretation of the Sarbanes-Oxley act for IT is that, in addition to all other controls, Segregation of Duties is a key control. That control requires Development and DBA functions to be carried out by 2 separate individuals.
I am not sure if the Keykeeper idea is a good one. However, from a compliance perspective, database developers cannot access the production environment. The same applies to the SDLC: developers cannot QA and certify their own work.
That is what SOX compliance mandates and how we auditors interpret it. The remediation is up to each client, and how each company is going to handle it is open.
Madhav Vedula CISA
Sr.Internal Auditor
I am curious to know what an auditors thoughts are on what a company should do when there are only 2 individuals qualified to be Database Administrators and both of these people are also responsible for internal application and development.
What is your definition of database development?
In my case our company is too small to have a dedicated database administrator, let alone a secondary support person that will cover him/her while they are on vacation.
In our company this person would be bored because it would only be an 8-hour-a-week job, on average. Now there is more than enough work for 2+ programmers.
What's better, having an experienced DBA or some secretary who just inherited a new title so that we can maintain separation of duties on paper?
Most interesting.
One would think that the best people to prevent fraud and misuse of data would be the ones who designed or maintained that system.
Although none of us are infallible, I would much prefer a professional to look after my data and its structure than handing over access rights to a potential target.
I couldn't imagine working effectively in an environment like that, but I suppose it depends on how much you paid me...
Integrity and honesty, do only lawyers and auditors have it?
... Integrity and honesty, do only lawyers and auditors have it?
Really?