SQLServerCentral is supported by Redgate
First time CoBIT audit experience....
Barkingdog
SSChampion (13K reputation)
Group: General Forum Members
Points: 13542 Visits: 930
We had our first CoBIT audit. From the SQL side I can only say the auditors want us to have policies, e.g. password expiration and complexity, and also prove that the policies were actually implemented. They also wanted to know all SQL users created or deleted in the last year, the actual create/delete request, and what proof we have that we did the tasks. BTW: For us, they did not provide any examples showing exactly what they are looking for.

My problem is not so much meeting their requests (which I think are often reasonable) but other than Excel, maybe SharePoint, or a database table as an IT person I have no way to capture the flood of new documentation that will be required to document these tasks. And capturing is not the full story. I need to be able to retrieve answers to their questions from the data at least twice a year when they revisit us.

How do you manage all the CoBIT (HIPAA, etc.) information you are now required to keep for audits?

TIA,
edm2
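Added example, not part of the thread or anyone's post in it: T-SQL that produces the two pieces of SQL-side evidence the original question describes, a report of which SQL logins do not have password policy and expiration enforced, and a durable record of logins created, altered or dropped that can be queried a year later. The audit database name DBAAudit, the table LoginDDLHistory and the trigger name are assumptions; the principal running login DDL needs INSERT rights on that table (login DDL already requires high privilege, so this is usually the DBA's own sysadmin login). The trigger deliberately records only who, what and when, not the statement text, so that password material from CREATE/ALTER LOGIN ... WITH PASSWORD statements never lands in the history table; the ticket number that authorised the change is what proves the request, and that lives in the ticketing system.

```sql
-- Added example (not from the forum thread). Assumes a database named
-- DBAAudit exists for audit evidence; table and trigger names are made up.

-- (1) Password policy evidence. CHECK_POLICY / CHECK_EXPIRATION show up as
-- is_policy_checked / is_expiration_checked. Windows logins are not listed
-- in sys.sql_logins: their policy comes from the domain, so show the
-- domain policy as separate evidence for those.
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       l.is_disabled,
       l.create_date,
       l.modify_date,
       LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR l.is_expiration_checked = 0
ORDER BY l.name;

-- (2) Durable record of login create/alter/drop events.
CREATE TABLE DBAAudit.dbo.LoginDDLHistory (
    event_id    int IDENTITY(1,1) PRIMARY KEY,
    event_time  datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    event_type  nvarchar(128) NOT NULL,   -- CREATE_LOGIN / ALTER_LOGIN / DROP_LOGIN
    login_name  nvarchar(128) NULL,       -- the login being changed
    executed_by nvarchar(128) NOT NULL,   -- who ran the statement
    host_name   nvarchar(128) NULL,
    app_name    nvarchar(128) NULL
);
GO

-- Server-scoped DDL trigger; fires for every login DDL statement on the
-- instance. The statement text is intentionally not stored (it can carry
-- passwords); the authorising ticket is the record of the request.
CREATE TRIGGER trg_LoginDDLHistory
ON ALL SERVER
FOR CREATE_LOGIN, ALTER_LOGIN, DROP_LOGIN
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    INSERT INTO DBAAudit.dbo.LoginDDLHistory
        (event_type, login_name, executed_by, host_name, app_name)
    VALUES (
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        ORIGINAL_LOGIN(),
        HOST_NAME(),
        APP_NAME()
    );
END;
GO

-- (3) The question the auditors will ask next time around:
-- which logins were created or dropped in the last year, and by whom?
SELECT event_time, event_type, login_name, executed_by, host_name, app_name
FROM DBAAudit.dbo.LoginDDLHistory
WHERE event_type IN ('CREATE_LOGIN', 'DROP_LOGIN')
  AND event_time >= DATEADD(year, -1, SYSUTCDATETIME())
ORDER BY event_time;
```

Run (1) on a schedule and keep the output with the policy document; it is the "prove it was implemented" half of the request. A login created by someone other than the DBA team, or without a matching ticket, is the row to explain before the auditors find it. If you would rather not maintain a trigger, SQL Server Audit with the SERVER_PRINCIPAL_CHANGE_GROUP action group records the same events to a file or the Security log.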



Sue_H
SSC Guru (62K reputation)
Group: General Forum Members
Points: 62739 Visits: 13325
Barkingdog - Wednesday, October 18, 2017 8:42 PM
We had our first CoBIT audit. From the SQL side I can only say the auditors want us to have policies, e.g. password expiration and complexity, and also prove that the policies were actually implemented. They also wanted to know all SQL users created or deleted in the last year, the actual create/delete request, and what proof we have that we did the tasks. BTW: For us, they did not provide any examples showing exactly what they are looking for.

My problem is not so much meeting their requests (which I think are often reasonable) but other than Excel, maybe SharePoint, or a database table as an IT person I have no way to capture the flood of new documentation that will be required to document these tasks. And capturing is not the full story. I need to be able to retrieve answers to their questions from the data at least twice a year when they revisit us.

How do you manage all the CoBIT (HIPAA, etc.) information you are now required to keep for audits?

TIA,
edm2


It's going to be different for everyone depending on the company, available resources, etc.
Most places I've been at use some type of change control processes and some kind of ticketing software and we would rely on those for a lot of the auditing documentation.
We never made any changes in production without the tickets and having everything go through change control. That can be the documentation. If the DBA implementing the changes has to sign off on the ticket indicating what work was done, when it was completed, etc., then that can be the proof of this getting done. If SQL Server users needed to be added or deleted, it went through the change control process, ticketing system. Password changes for the service accounts went through the same thing. If someone needed access to some more secure database for some business reason, that was all done through that process - when the elevation was enabled, how it was monitored and when it was disabled. You can get a pretty good set of documentation for audits by using those types of programs, processes.

Sue



Barkingdog
SSChampion (13K reputation)
Group: General Forum Members
Points: 13542 Visits: 930
Insane --

That seems like a practical approach! A ticketing system.

We just need the courage and persistence to tell everyone we need a ticket for stuff that used to be done by an email or as part of a project.

edm2



Sue_H
SSC Guru (62K reputation)
Group: General Forum Members
Points: 62739 Visits: 13325
Barkingdog - Thursday, October 19, 2017 4:19 PM
Insane --

That seems like a practical approach! A ticketing system.

We just need the courage and persistence to tell everyone we need a ticket for stuff that used to be done by an email or as part of a project.

edm2


Yup...but they get used to it. Just don't do anything without a ticket. The positive that comes with that is when you say "Sure I'll take care of that when I have a ticket" or "Please open a ticket so I can do that for you"...sometimes no ticket ever comes and they no longer "need" whatever it was. So another task off your plate :)

Sue


