SQLServerCentral is supported by Red Gate Software Ltd.
No DBAs allowed access to Production DB Servers...
Posted Thursday, May 20, 2004 8:49 PM
Grasshopper
Group: General Forum Members
Last Login: Monday, August 13, 2007 6:10 AM
Points: 17, Visits: 1

You should have a control and review process in place rather than imposing a blanket ban. You can tell your director that all logins with sysadmin privilege will be audited, DBA logins will be added only after approval from a manager, audit activities need to be reviewed, and DBAs cannot add/modify logins. In other words, securityadmin should be separated from sysadmin. All the best!

Post #116966
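The control described in the post above (audit sysadmin use, keep login administration in securityadmin rather than handing DBAs sysadmin, and review the result) expressed in T-SQL, as an added example that is not part of the original post. It uses SQL Server Audit and ALTER SERVER ROLE, which need SQL Server 2012 or later (the thread dates from the SQL Server 2000 era, where the equivalents were sp_addsrvrolemember and a server-side trace); the login names, audit names and file path are placeholders.

```sql
-- Added example (not from the post). Assumes SQL Server 2012+;
-- login names, audit names and the file path are placeholders.

-- 1. A DBA login that is deliberately NOT a member of sysadmin.
--    Day-to-day operational duties come from narrower fixed server roles.
CREATE LOGIN [CORP\dba_jsmith] FROM WINDOWS;
ALTER SERVER ROLE dbcreator    ADD MEMBER [CORP\dba_jsmith];
ALTER SERVER ROLE processadmin ADD MEMBER [CORP\dba_jsmith];
ALTER SERVER ROLE diskadmin    ADD MEMBER [CORP\dba_jsmith];
-- No securityadmin membership here, so this DBA cannot create or alter logins.

-- 2. A separate principal for login administration, held by whoever approves
--    DBA access (the "manager approval" step in the post), not by the DBAs.
CREATE LOGIN [CORP\secadmin_approver] FROM WINDOWS;
ALTER SERVER ROLE securityadmin ADD MEMBER [CORP\secadmin_approver];

-- 3. A server audit that records every change to server-level role membership,
--    every login create/alter/drop, every server-level permission grant, and
--    every successful login, so that sysadmin use can actually be reviewed.
CREATE SERVER AUDIT PrivilegedAccessAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 64)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);  -- fail closed: no audit, no service

CREATE SERVER AUDIT SPECIFICATION PrivilegedAccessAuditSpec
    FOR SERVER AUDIT PrivilegedAccessAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- ALTER SERVER ROLE ... ADD/DROP MEMBER
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),     -- CREATE / ALTER / DROP LOGIN
    ADD (SERVER_PERMISSION_CHANGE_GROUP),    -- e.g. GRANT CONTROL SERVER
    ADD (SUCCESSFUL_LOGIN_GROUP)             -- who connected, and when
    WITH (STATE = ON);

ALTER SERVER AUDIT PrivilegedAccessAudit WITH (STATE = ON);

-- 4. Review query: who holds sysadmin or securityadmin right now?
--    Run this on a schedule and compare against the approved list.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.name;

-- 5. Review query: what privileged-access events did the audit capture in
--    the last 30 days, with human-readable action names?
SELECT f.event_time,
       aa.name            AS action_name,
       f.succeeded,
       f.server_principal_name,
       f.object_name,
       f.statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_actions AS aa ON aa.action_id = f.action_id
WHERE f.event_time >= DATEADD(DAY, -30, SYSUTCDATETIME())
ORDER BY f.event_time DESC;
```

Two caveats for anyone relying on this split. Microsoft documents that securityadmin should be treated as equivalent to sysadmin, because a member can grant CONTROL SERVER to any login; that is why the specification also records SERVER_PERMISSION_CHANGE_GROUP, and why the securityadmin holder should sit with whoever approves access rather than on the DBA team. And a sysadmin can still turn the audit off (ALTER SERVER AUDIT ... WITH (STATE = OFF)), so the audit files need to be shipped to a store the DBAs cannot write to, otherwise the review step the post asks for has nothing trustworthy to review.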
Posted Friday, May 21, 2004 1:22 AM
SSCrazy
Group: General Forum Members
Last Login: Today @ 6:53 AM
Points: 2,889, Visits: 1,779

Really, this is a case of the road to hell being paved with good intentions. You can see the spirit of what the IT Director wanted to do; it's just that the letter of what he wanted was a right pig's ear!

I've had a similar instance where we were told to comply with the Data Protection Act (UK) in terms of not retaining data without permission or once its use-by date has expired.

The problem was it was insisted that if that data existed on a backup tape then we would be in breach of the act. So, run a destructive process on data without a backup... hey wow, what a good idea!!!!
Newbie on www.simple-talk.com
Post #116990
Posted Saturday, September 4, 2004 8:50 AM
Forum Newbie
Group: General Forum Members
Last Login: Thursday, March 22, 2007 6:05 AM
Points: 2, Visits: 1

Half-and-half solution

1) Only the DBA can change data structures, stored procs, etc.

2) Only users can access the database via the production GUI (the DBA is prevented from this via an encrypted password that the user creates).

3) Even though the DBA has access to every object in the DB, he could not enter a financial transaction without a complete understanding of the schema.

(This is for an accounting solution.)

Post #135391
Posted Thursday, September 16, 2004 1:01 PM
Forum Newbie
Group: General Forum Members
Last Login: Thursday, September 16, 2004 12:39 PM
Points: 1, Visits: 1

Interesting topic:

Well, I have seen enough bashing of auditors. I am an IT auditor, and yes, a CISA too, working on Sarbanes.

Recently we are auditing a client who is running Solomon on SQL Server and other Oracle Database applications.

I am working with one of the top risk consulting companies. Our interpretation of the Sarbanes-Oxley Act for IT is that, in addition to all other controls, Segregation of Duties is a key control. That control requires that development and DBA functions be carried out by two separate individuals.

I am not sure if the Keykeeper idea is a good one. However, from a compliance perspective, database developers cannot access the production environment. The same applies to the SDLC: developers cannot QA and certify their own work.

That is what SOX compliance mandates and how we auditors interpret it. The remediation is up to each client, and how each company is going to handle it is open.

Madhav Vedula CISA

Sr.Internal Auditor
Post #137464
Posted Thursday, September 16, 2004 1:20 PM
Valued Member
Group: General Forum Members
Last Login: Monday, August 9, 2010 5:25 PM
Points: 58, Visits: 73
This is what happens when people who are clueless make laws. Many shops have developer and DBA as one and the same. Why should smaller shops be required to hire a DBA and a developer, especially if they cannot afford both nor need both? What SOX is doing is having accountants dictate the way IT does business. Now you have those responsible for the making of SOX telling us how to do our job. There are already those in Washington who realize that this law is way off base and are trying to change and/or repeal it.


Post #137468
Posted Thursday, September 16, 2004 1:22 PM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Thursday, July 12, 2012 6:43 PM
Points: 175, Visits: 32

I am curious to know what an auditor's thoughts are on what a company should do when there are only 2 individuals qualified to be Database Administrators and both of these people are also responsible for internal application and development.

What is your definition of database development? 

In my case our company is too small to have a dedicated database administrator, let alone a secondary support person that will cover him/her while they are on vacation.

In our company this person would be bored because it would only be an 8-hour-a-week job, on average. Now there is more than enough work for 2+ programmers.

What's better, having an experienced DBA or some secretary who just inherited a new title so that we can maintain separation of duties on paper?
Post #137470
Posted Tuesday, November 2, 2004 2:47 PM
Grasshopper
Group: General Forum Members
Last Login: Wednesday, May 8, 2013 5:29 AM
Points: 18, Visits: 21
We're just about through the Sarbanes prep. It has been a nightmare. DBAs no longer have the 'sa' password - we're not supposed to have access to the production system (financial apps, Solomon on one server, Epicor on another) - when we do need access, we have to call someone with a special user and password, do our thing, then call them back so they can change the password. The first day, we changed the password 4 times! There has to be a better way. The thing I disliked most about the audit is how the auditors make you feel. I got the impression that it was dangerous for me to know my databases inside and out, and that they would have been happier had I been some clueless accountant fixing things through MS Access. What Sarbanes does is make life harder for honest companies. For those who want to cheat, they are still going to find a way. I guess the upside is that it gave a temporary respite to all the auditors who lost their jobs because of Enron, Adelphia, etc... thanks for letting me vent!


Post #144396
Posted Thursday, December 9, 2004 4:16 AM
SSC Veteran
Group: General Forum Members
Last Login: Tuesday, July 15, 2014 7:07 AM
Points: 280, Visits: 356

Most interesting.

One would think that the best people to prevent fraud and misuse of data would be the ones who designed or maintained that system.

Although none of us are infallible, I would much prefer a professional to look after my data and its structure than handing over access rights to a potential target.

I couldn't imagine working effectively in an environment like that, but I suppose it depends on how much you paid me...

Integrity and honesty, do only lawyers and auditors have it?
Max
Post #150192
Posted Tuesday, December 14, 2004 8:01 PM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Wednesday, March 24, 2010 1:57 PM
Points: 140, Visits: 57
This whole thing seems like a big money-making racket for a select industry. Companies like Price Waterhouse Cooper are making money hand over fist charging companies to do audits. This whole undertaking is supposed to give investors the confidence to back companies that have been certified and passed the SOX audits. The government has not enacted any audit passing requirements. In fact the government has no SOX auditors. This whole thing is suspect at best! If you saw the cost and resources companies are throwing at SOX you might think twice about investing in these companies.
Post #151083
Posted Wednesday, December 15, 2004 3:44 PM
SSCertifiable
Group: General Forum Members
Last Login: Tuesday, May 6, 2014 5:51 AM
Points: 6,266, Visits: 2,028

... Integrity and honesty, do only lawyers and auditors have it?

really?
* Noel
Post #151293