Today we have a guest editorial as Steve is out of the office.
A while back I took a two year break from being a DBA to lead an effort to enhance security for a large company. When I arrived, they were still working on the task list, from small things like changing service account passwords to bigger items like replacing 80 firewalls, all based on an in-depth review by an external auditor.
After weeks of effort the list stabilized, solutions were decided on and the work was started. The work took months to accomplish and overall, seemed to go as well as it can when you drop a ton of work onto a team that is already fully tasked. Then the second auditor arrived and started his review. Second auditor? Oh yes, we had a second firm come in to make sure nothing was missed. That second go-around resulted in more work with a lot less time to get it done to meet the compliance deadline.
We got it all done, literally finishing on the last day. We scheduled some clean up and enhancements and looked forward to the next audit being a business as usual process.
You can see the train coming, right?
For the second “official” audit, we started about three months from the due date as we expected things to go smoothly. Perhaps it would have, but we now had a third auditor, and while he liked most of what he saw, there were some things he didn’t like that were deal breakers. Fix-these-or-fail kind of things. Some weren’t too bad, but one of them was huge. Not fun. But we were a better team now and we got it all done, just in time.
It was a learning moment, if a painful one. The different auditors were all interpreting the same requirements and our implementation of them, but not all in the same way or to the same degree, and so we kept having new work (and potentially previously unaddressed vulnerabilities) added to the list. We were only as good as our auditor, or perhaps the sum of our recent auditors. It was a frustrating lesson, but in hindsight an obvious one.
It’s not as easy as saying “use a different auditor each year.” Businesses like to use the same auditor (or at least the same company) year over year because it is faster and less expensive. They’ve learned the environment and have the previous year’s documentation as a base. It’s a reasonable strategy, because a new auditor every year would soak up a lot of time, and a returning auditor will often have time to dig into things they didn’t see or have time to fully vet on the first audit.
My goal isn’t to diminish the value of an audit - passing one is a good thing! Just don’t make the mistake of equating passing the test with having done enough. Keep looking for the gaps and remember that few auditors have deep experience with every bit of tech you use.
Yesterday's Question of the Day (by Steve Jones):
I want to secure my Reporting Services report server so that all of my clients can connect with SSL. In order to do this, what cryptographic object do I need?
Answer: Create a certificate and import it into the Local Computer certificate store, then select it in the Reporting Services Configuration Manager.
To secure a Reporting Services installation with SSL, you need a certificate.
DB restore gets stuck after recovery step
- Hi, trying to restore my db for testing https://www.sqlservercentral.com/Forums/1862799/checkdb-Multiple-IAM-pages-for-object
I split the restore process into 2 steps, I restore full with...
Index Size Difference
- Hi Experts,
For testing I have created a table with a clustered index selecting all columns and inserted some data. The...
This newsletter was sent to you because you signed up at SQLServerCentral.com.