SQLServerCentral is supported by Red Gate Software Ltd.
Database Schema Changes & SOX
Posted Sunday, May 23, 2004 4:02 AM
SSC Rookie

Having an audit trail & controls over changes to data within a database is a requirement of the SOX Act.  But does this also include providing an audit trail of changes to the database schema, reference tables & stored procedure code?

Thanks,

Darren

Post #117197
Posted Monday, May 24, 2004 7:37 AM
SSC-Enthusiastic

Yes, everything needs to be tracked and no changes can be implemented by the developer per our SOX auditor. The developer makes the changes and documents them, then sets it up in a test environment for the users to test. Once testing passes the change must be handed off to a "migration specialist" who will be responsible for making the change to the production servers. Changes in security, adding new users, etc. all need to be tracked and audited. We are a small shop and still figuring out how to create all the new hats since we are not allowed to wear hats in both the production and developer worlds.

Mike

Post #117296
Posted Tuesday, July 27, 2004 6:50 AM
Forum Newbie

I agree with your SOX separation of duties setup and monitoring interpretations. What have you done to monitor the activities of your individuals who have the capability to alter the production schema (such as your 'migration specialists')? Do you have a process built to report any 'DBA' type activities in the Production environment?

Post #128422
Posted Tuesday, July 27, 2004 7:09 AM
SSC-Enthusiastic

We have the same requirements here.  We're doing a few things to ensure we're compliant:

1.  Separation of duties.  Developers can't change ANYTHING in production.

2.  Set up a trace to monitor all metadata changes and permissions changes.

3.  Set up a trace to monitor all connections outside of app and web server pairs.

4.  Lock down security on applications to only permit needed access per application context.

Derrick Leggett
Mean Old DBA
When life gives you a lemon, fire the DBA.
Post #128434
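Item 2 of the list above (a trace on metadata and permission changes) as an added example, not any poster's code: a database-level DDL trigger that writes every schema change and every GRANT/DENY/REVOKE in the database to an audit table. It assumes SQL Server 2005 or later, since DDL triggers and EVENTDATA() do not exist in SQL Server 2000 (where SQL Trace, as Derrick describes, was the tool); the table and trigger names are my own.

```sql
-- Added example, not from the thread: audit table plus a database-scoped DDL trigger
-- that records schema changes and GRANT/DENY/REVOKE events in one database.
-- Assumes SQL Server 2005 or later (DDL triggers and EVENTDATA() did not exist in
-- SQL Server 2000, where SQL Trace was the only option).
CREATE TABLE dbo.SchemaChangeAudit
(
    AuditId     INT IDENTITY(1,1) PRIMARY KEY,
    EventTime   DATETIME      NOT NULL,
    EventType   NVARCHAR(100) NOT NULL,   -- e.g. ALTER_TABLE, CREATE_PROCEDURE, GRANT_DATABASE
    LoginName   NVARCHAR(128) NOT NULL,   -- server login that issued the statement
    UserName    NVARCHAR(128) NOT NULL,   -- database user it mapped to
    HostName    NVARCHAR(128) NULL,       -- client machine, for the "outside app server" check
    ObjectName  NVARCHAR(256) NULL,
    ObjectType  NVARCHAR(60)  NULL,
    CommandText NVARCHAR(MAX) NULL,       -- the exact DDL that ran
    EventXml    XML           NOT NULL    -- full EVENTDATA() payload, kept for the auditor
);
GO

CREATE TRIGGER trg_AuditSchemaAndPermissionChanges
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS   -- CREATE/ALTER/DROP of any object plus GRANT/DENY/REVOKE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e XML;
    SET @e = EVENTDATA();   -- XML describing the statement that fired the trigger

    INSERT INTO dbo.SchemaChangeAudit
        (EventTime, EventType, LoginName, UserName, HostName,
         ObjectName, ObjectType, CommandText, EventXml)
    SELECT
        GETDATE(),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'NVARCHAR(100)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/UserName)[1]',   'NVARCHAR(128)'),
        HOST_NAME(),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(256)'),
        @e.value('(/EVENT_INSTANCE/ObjectType)[1]', 'NVARCHAR(60)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'NVARCHAR(MAX)'),
        @e;
END;
GO

-- What the auditor asks for: who changed what in production in the last 30 days.
SELECT EventTime, LoginName, HostName, EventType, ObjectName, CommandText
FROM dbo.SchemaChangeAudit
WHERE EventTime >= DATEADD(DAY, -30, GETDATE())
ORDER BY EventTime DESC;
```

Anyone with ALTER ANY DATABASE DDL TRIGGER can disable this trigger, and that disabling is itself a DDL event; copying the audit table to a server the migration specialists cannot write to keeps the trail independent of the people it monitors.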
Posted Wednesday, August 18, 2004 8:48 AM
SSC Veteran

We have separation of duties.  All promotions (data/schema) come through the DBAs.  We have an audit trail of paper.  The developers fill out a form for the promotion.  Their manager must also sign off on it.  We do the promotion, sign it and put it in a 3 ring binder.  We do this for all databases (SQL, Oracle, DB2, Adabas).

I don't know about others, but the auditors we got seem very green.  We got told to "audit all transactions on all platforms" basically.  We told management that it would require 2 to 4 times the hardware for CPU, memory, etc.  Management went back to the auditors and said that was not realistic.  No word yet on where this will go.

Our department's philosophy up to this point has been, if there are actions and processes that need to be scrutinized, the application should be auditing those.  Actions that need to be tracked (who updated what row, what purchasing amount) should be tracked in the application.

Has anyone been hit with "List of those approved to change the list of those approved to be on the list of those who can request promotions?"  Our security people are dealing with that.

Joseph

Post #132590
Posted Monday, December 20, 2004 11:09 AM
SSC-Enthusiastic

Check out www.dbghost.com for a process to follow that can go a long way to satisfy any auditing requirements.
Post #151856