Need advice on SOX compliant policy for access to generic admin accounts.

Posted Thursday, July 24, 2008 7:37 AM


SSCertifiable


Group: General Forum Members
Last Login: Today @ 11:56 AM
Points: 7,073, Visits: 6,231
SOX compliance....

Here's what you need to do. Be warned, it is TEDIOUS and work intensive.

First, list out every account you have in SQL Server with that account's permissions and db access. (This includes roles attached to each account, and both Windows and SQL Only accounts.)

Secondly, list out every person who has the password to the SQL Only accounts.

Thirdly, get a solid business reason why all these people have the pwds to the SQL Only accounts.

Fourthly, get together with the people who make the security decisions and write down a solid policy of how these passwords are passed out, by whom, the acceptable reasons for giving people access to these accounts, the reasons for account access "rejection", how you are tracking who has account access, and how you deal with the account access when someone changes jobs / teams or leaves the company.

Lastly, make sure the document is accessible (in both electronic and paper format) to everyone who makes the security decisions and that they have all read it and are aware of the policies.

CONGRATULATIONS! You are now SOX compliant!

Yes, it really is that easy. @=) You don't have to change a thing unless you have holes in your security and cannot prove these people have a solid business reason for having access.

Now, as a DBA, your situation makes me majorly paranoid, waiting to change the SA password and revoke access to everyone's accounts. But from a SOX Compliant POV, really all you have to do is plug the holes and document the process.


Brandie Tarvin, MCITP Database Administrator

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
Post #540131
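The first step above (inventory every login with its roles and database access, Windows and SQL-authenticated alike) can be scripted. The following T-SQL is an added example, not code from the post; it assumes SQL Server 2005 or later catalog views and that it is run by a sysadmin so every database is readable. It does not cover explicit object-level GRANTs (sys.database_permissions), which a full review would also need.

```sql
-- Step 1 inventory: every login, its server roles, and its per-database user/role mapping.
SET NOCOUNT ON;

-- Server level: SQL logins, Windows logins and Windows groups with any server role they hold.
SELECT  sp.name                  AS login_name,
        sp.type_desc             AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        sp.is_disabled,
        ISNULL(r.name, '(none)') AS server_role   -- sysadmin etc.; '(none)' = no server role
FROM    sys.server_principals        AS sp
LEFT JOIN sys.server_role_members    AS rm ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals      AS r  ON r.principal_id = rm.role_principal_id
WHERE   sp.type IN ('S', 'U', 'G')                -- skip server roles and certificate/key logins
AND     sp.name NOT LIKE '##%'                    -- skip internal certificate-based logins
ORDER BY sp.name, r.name;

-- Database level: walk every ONLINE database and collect user -> database role membership.
CREATE TABLE #db_access (
    database_name sysname,
    login_name    sysname NULL,                   -- NULL = orphaned user with no matching login
    user_name     sysname,
    user_type     nvarchar(60),
    database_role sysname NULL);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the catalog views to that database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #db_access (database_name, login_name, user_name, user_type, database_role)
        SELECT DB_NAME(), l.name, u.name, u.type_desc, r.name
        FROM   sys.database_principals        AS u
        LEFT JOIN sys.server_principals       AS l   ON l.sid = u.sid
        LEFT JOIN sys.database_role_members   AS drm ON drm.member_principal_id = u.principal_id
        LEFT JOIN sys.database_principals     AS r   ON r.principal_id = drm.role_principal_id
        WHERE  u.type IN (''S'', ''U'', ''G'')
        AND    u.name NOT IN (''guest'', ''INFORMATION_SCHEMA'', ''sys'');';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Rows with login_name NULL are orphaned users: list them for the access-review document too.
SELECT * FROM #db_access ORDER BY database_name, user_name, database_role;
DROP TABLE #db_access;
```

Save both result sets with the date they were taken; a dated inventory is the evidence the later policy steps refer back to.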