Auditor Knowledge of Database Environment
Posted Friday, September 1, 2006 5:13 AM
Grasshopper
Group: General Forum Members
Last Login: Wednesday, July 10, 2013 6:21 AM
Points: 18, Visits: 33

Now that most companies have gone through at least one round of SOX, I'm wondering what everyone's assessment of the auditor's understanding of the database environment is.

I've found them to concentrate on the compiled executables of the client applications, but not think much about the unencrypted business logic that resides in stored procedures and triggers in the database environment.  In our case, they seem to think of databases as only data storage, and don't consider how powerful and immediate the environment really is.

There's probably a mosaic of response depending on what auditor companies have had, but I'm curious what everyone's experience has been.

Thanks.

Post #305599
Posted Monday, September 4, 2006 8:00 AM
SSChampion
Group: General Forum Members
Last Login: Friday, May 18, 2007 3:36 PM
Points: 10,039, Visits: 1
No one has responded to this topic yet. Even if you don't have a complete answer, the original poster will appreciate any thoughts you have!
Post #306034
Posted Tuesday, September 12, 2006 10:32 AM
Forum Newbie
Group: General Forum Members
Last Login: Friday, December 27, 2013 2:58 PM
Points: 1, Visits: 28
Seems pretty obvious to me that the auditors we got really have no understanding of what they are asking for. Most of the things they ask for or find are being read from a list of common best practices in the industry.
Post #307973
Posted Tuesday, September 12, 2006 10:48 AM
Grasshopper
Group: General Forum Members
Last Login: Wednesday, July 10, 2013 6:21 AM
Points: 18, Visits: 33
The last thing I want to do is push an auditor into doing a deeper audit, but they don't seem to understand tiered architecture.  I would agree with you that they're working with a checklist, and don't know when they should look deeper.
Post #307977
Posted Friday, June 20, 2008 1:29 AM
Mr or Mrs. 500
Group: General Forum Members
Last Login: Tuesday, October 15, 2013 4:05 AM
Points: 554, Visits: 114
I've experienced some audits, and my conclusion is that in many cases auditors don't have a deep knowledge of whatever they are auditing and are following a checklist.

Regards Ramon
Post #520402
Posted Monday, September 13, 2010 1:13 PM
Say Hey Kid
Group: General Forum Members
Last Login: Friday, September 19, 2014 8:20 AM
Points: 663, Visits: 1,675
Most auditors are clueless, IMHO. Many times I think they focus on paperwork instead of actually examining the environment.
Post #985043
Posted Monday, September 13, 2010 1:27 PM
SSC-Dedicated
Group: General Forum Members
Last Login: Today @ 2:43 AM
Points: 39,890, Visits: 36,236
Please note: 4 year old thread.


Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #985047
Posted Monday, September 13, 2010 1:32 PM
SSC-Insane
Group: General Forum Members
Last Login: Yesterday @ 6:13 AM
Points: 20,572, Visits: 9,618
GilaMonster (9/13/2010)
Please note: 4 year old thread.

Are they any less clueless now?

Not from what I've seen here.
Post #985051
Posted Monday, September 13, 2010 1:52 PM
SSC-Dedicated
Group: General Forum Members
Last Login: Today @ 2:43 AM
Points: 39,890, Visits: 36,236
Ninja's_RGR'us (9/13/2010)
GilaMonster (9/13/2010)
Please note: 4 year old thread.

Are they any less clueless now?

Not from what I've seen here.


Doubt it. That would violate the law of conservation of cluelessness.
Post #985069
Posted Tuesday, September 14, 2010 7:46 AM
SSCommitted
Group: General Forum Members
Last Login: Yesterday @ 10:28 AM
Points: 1,660, Visits: 4,750
JunkMail Victim (9/1/2006)

I've found them to concentrate on the compiled executables of the client applications, but not think much about the unencrypted business logic that resides in stored procedures and triggers in the database environment. In our case, they seem to think of databases as only data storage, and don't consider how powerful and immediate the environment really is.

The fact that stored procedures, triggers, views and other database objects containing SQL are not encrypted (or at best weakly encrypted) is really not an issue. By default, a user account that is not a member of the DBO or sysadmin role doesn't have VIEW SCHEMA, ALTER TRACE, VIEW SERVER STATE, etc. permission unless you explicitly grant it to them, so they shouldn't be able to see the SQL. A user account for use by the application should be a member of a role that grants them only exec permission on specific stored procedures and maybe access to some tables. That's what the auditor should be looking for.
Post #985504
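The least-privilege setup the post above describes, as an added example that is not part of the thread: an application account placed in a role that holds only EXECUTE on named procedures, followed by the checks an auditor could run to confirm the account cannot read procedure text. Principal, role and procedure names are hypothetical.

```sql
-- Added example, not from the thread. Assumes dbo.usp_GetOrder and
-- dbo.usp_PlaceOrder exist; app_user and app_exec_role are hypothetical names.

-- 1. Application principal and a role that carries only EXECUTE on specific procs.
--    (ALTER ROLE ... ADD MEMBER is SQL Server 2012+; use sp_addrolemember before that.)
CREATE USER app_user WITHOUT LOGIN;
CREATE ROLE app_exec_role;
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder   TO app_exec_role;
GRANT EXECUTE ON OBJECT::dbo.usp_PlaceOrder TO app_exec_role;
ALTER ROLE app_exec_role ADD MEMBER app_user;

-- 2. Impersonate the account and see what it can actually read.
--    OBJECT_DEFINITION returns NULL when the caller lacks VIEW DEFINITION,
--    so a correctly scoped account yields proc_text = NULL, has_view_def = 0,
--    has_execute = 1.
EXECUTE AS USER = 'app_user';
SELECT OBJECT_DEFINITION(OBJECT_ID('dbo.usp_GetOrder'))                    AS proc_text,
       HAS_PERMS_BY_NAME('dbo.usp_GetOrder', 'OBJECT', 'VIEW DEFINITION') AS has_view_def,
       HAS_PERMS_BY_NAME('dbo.usp_GetOrder', 'OBJECT', 'EXECUTE')         AS has_execute;
REVERT;

-- 3. Auditor's review without impersonation: which roles the account sits in
--    (db_owner or db_datareader here is a finding) ...
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
WHERE u.name = 'app_user';

--    ... and every explicit permission granted to the account or to its roles.
--    Anything beyond EXECUTE on the intended procedures (VIEW DEFINITION,
--    SELECT on base tables, CONTROL) should be questioned.
WITH grantees AS (
    SELECT principal_id FROM sys.database_principals WHERE name = 'app_user'
    UNION
    SELECT rm.role_principal_id
    FROM sys.database_role_members rm
    JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
    WHERE u.name = 'app_user'
)
SELECT pr.name AS grantee, dp.state_desc, dp.permission_name, dp.class_desc,
       OBJECT_SCHEMA_NAME(dp.major_id) + '.' + OBJECT_NAME(dp.major_id) AS securable
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.grantee_principal_id IN (SELECT principal_id FROM grantees);
```

Server-level rights the post also names (ALTER TRACE, VIEW SERVER STATE) live in sys.server_permissions and are checked the same way against the login rather than the database user.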