Who Watches the Watchers?
Posted Thursday, December 3, 2009 6:24 AM
SSC Rookie
Another name for Compliance is Internal Controls. Where I work, it is all day, every day.

In today's world, now with SOX / HIPAA, it is just part of doing business. At the places I've worked over the last 10 years or so, the mantra is acknowledge and move on...

M
Post #828103
Posted Thursday, December 3, 2009 6:39 AM
SSC-Enthusiastic
I work in a highly regulated industry. We have three external auditors that I'm familiar with. One for IT-specific issues, another for business process flow, and yet another for something that I'm not entirely familiar with... (Can you say SAS70?)
That's not to mention the standard accounting audits and such.
Then there's group internal audit...

All this is well and good, but as someone mentioned previously, "Locks keep honest people out." (paraphrased)

Again, this concept of watching the watchers was touched on before, and will be again. It comes down to having to trust SOMEONE at some point.

Courage is not simply one of the virtues but the form of every virtue at the testing point, which means at the point of highest reality. - C. S. Lewis

Perfect courage is to do without witnesses what one would be capable of doing with the world looking on. - François, Duc de La Rochefoucauld


I guess it comes to a point where what matters is the character of the individual. To quote one of my favorite movies, "Ethics..."
-Jon Polito as Johnny Caspar. I'll save you the whole line, but if interested check out "Miller's Crossing" (And the name has nothing to do with it.)
Honor Super Omnia-
Jason Miller
Post #828110
Posted Thursday, December 3, 2009 7:52 AM
SSCertifiable
Jason Miller-476791 (12/3/2009)
... It comes down to having to trust SOMEONE at some point...

Aren't these the people that you get insurance bonding for? So it really comes down to paying someone else to ensure the trust.


Wayne
Microsoft Certified Master: SQL Server 2008
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
Post #828173
Posted Thursday, December 3, 2009 7:58 AM
SSC-Enthusiastic
WayneS (12/3/2009)
Aren't these the people that you get insurance bonding for? So it really comes down to paying someone else to ensure the trust.

At some point, there is a requirement for trust. Peel back a layer on the onion enough times, eventually you get to the core...

Honor Super Omnia-
Jason Miller
Post #828178
Posted Thursday, December 3, 2009 8:03 AM
SSCertifiable
A recent poster mentioned having to trust somebody sometime, and I largely agree, but the compliance (internal controls, whatever) group doesn't need high-level access. They need to be able to check logs and to see if internal controls are being followed, but that doesn't translate into high-level access; maybe for the tools, but not necessarily for the people themselves.

In many cases I wouldn't trust the compliance people with high-level access. The reason? They often don't have strong knowledge of the software; they are usually "process" people who know more about security and process than SQL Server or Windows. But then again, that is my experience; mileage may vary.

CEWII
Post #828183
Posted Thursday, December 3, 2009 8:51 AM
SSCertifiable
In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

Brandie Tarvin, MCITP Database Administrator
Post #828263
Posted Thursday, December 3, 2009 9:02 AM
SSC Rookie
What I've observed is that the compliance folks typically don't want access to anything. Otherwise they are performing GONZO auditing because they've added themselves into the mix. They want the technical folks to deliver copies of logs, documentation, access logs, audit logs/reports, etc. But here again, this does imply trust and an assumption that the dear old DBA doesn't have time or access to doctor everything prior to delivering the requested documentation.

M
Post #828275
Posted Thursday, December 3, 2009 9:56 AM
Say Hey Kid
Ethics and integrity are a necessary basis for a fully-functional civilization. Those civilizations that don't play by those rules tend to tumble down.

Tell that to the folks at .gov and on Wall Street. Us little people can be as ethical and honest as possible, but it does absolutely no good in the long run if the problems at the C-level aren't corrected. I've seen more companies destroyed by management than by data breaches or actions of the workers.

Post #828326
Posted Thursday, December 3, 2009 10:06 AM
SSC-Enthusiastic
chrisn-585491 (12/3/2009)
...it does absolutely no good in the long run if the problems at the C-level aren't corrected. I've seen more companies destroyed by management than data breaches or actions of the workers.

I worked at a company and the Director of SE had a meeting to inform us that "... they wanted to institute an annual mandatory drug screen for employees." A bunch of us agreed with him on the condition that it starts with senior management.

It went no farther.

Honor Super Omnia-
Jason Miller
Post #828342
Posted Thursday, December 3, 2009 10:09 AM
SSCertifiable
Brandie Tarvin (12/3/2009)
In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

We had that particular question come up recently (not because of an incident, but because of an independent audit). So our Audit and Compliance team contracted an external entity to hook up and store a remote, encrypted version of SQL Compliance Manager, which not only tracks any changes made to the data but also when it's not tracking changes.

So the tracking company can't read what they're storing unless internal compliance unlocks the data, and we can't get to the logging data.

I'm sure there's a way to get around it, but at this point, it's like a car alarm: if it's enough of a pain, you will discourage meddling with the system.

Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
Post #828345
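The arrangement in the post above (an off-site copy of the audit trail that the DBAs cannot reach, unlocked only by internal compliance) and the earlier worry that a DBA could doctor logs before delivering them can both be addressed by making the trail tamper-evident: a hash chain over the records, with the chain head sealed under a key only compliance holds. The Python below is an added example, not code from this thread or from SQL Compliance Manager; its audit records and compliance key are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain starts from a fixed, public value


def record_hash(prev_hash: str, record: dict) -> str:
    """Each entry commits to the previous hash and to its own canonical JSON."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_chain(records):
    """Audited-system side: returns (record, chain_hash) pairs in delivery order."""
    chain, prev = [], GENESIS
    for rec in records:
        prev = record_hash(prev, rec)
        chain.append((rec, prev))
    return chain


def seal_head(chain, compliance_key: bytes) -> str:
    """Off-site step: compliance seals the current chain head with a key the DBA never holds."""
    head = chain[-1][1] if chain else GENESIS
    return hmac.new(compliance_key, head.encode(), hashlib.sha256).hexdigest()


def verify_delivery(delivered_records, seal: str, compliance_key: bytes) -> bool:
    """Auditor side: rebuild the chain from the delivered copy and compare with the seal.
    Any edited, dropped or reordered record changes the head and fails the check."""
    expected = seal_head(build_chain(delivered_records), compliance_key)
    return hmac.compare_digest(expected, seal)


# Constructed sample audit records; not real data.
SAMPLE_RECORDS = [
    {"ts": "2009-12-03T06:24:00", "login": "dba1", "event": "ALTER TABLE Payroll ADD Bonus money"},
    {"ts": "2009-12-03T06:31:00", "login": "dba1", "event": "UPDATE Payroll SET Bonus = 5000 WHERE EmpID = 42"},
    {"ts": "2009-12-03T06:40:00", "login": "appsvc", "event": "SELECT * FROM Customers"},
]
COMPLIANCE_KEY = b"constructed-key-held-only-by-compliance"  # constructed, never on the DB server


def demo():
    """Seal the genuine trail, then check an honest copy and one with the UPDATE removed."""
    seal = seal_head(build_chain(SAMPLE_RECORDS), COMPLIANCE_KEY)
    doctored = [r for r in SAMPLE_RECORDS if "UPDATE Payroll" not in r["event"]]
    return (verify_delivery(SAMPLE_RECORDS, seal, COMPLIANCE_KEY),
            verify_delivery(doctored, seal, COMPLIANCE_KEY))  # (True, False)
```

The seal itself reveals nothing about the records, so the party storing it cannot read the trail, while the DBA cannot forge a new seal without the compliance key.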