• jim.drewe (12/4/2013)


    The problem for most (if not all) bigger shops is offshore outsourcing. I had talks with my management (CTO level) concerning the risk of having non-employees, non-citizen offshore residents (meaning they come under a different legal system) having administrator rights to the database. So it really doesn't have anything to do with who **we** hire, but who the outsourcing company hires. Yes, there are legally binding contracts and there are company policies, but the risk of a rogue DBA running amok is a real possibility.

    Let me give you an example. I was on a conference call one day discussing a database problem. I could tell from the telephone connection that one of the persons was not local -- also because I detected a southern Asian accent. After we wrapped up the call, I asked where he was from. I was familiar with most of the outsourcing centers in India. He responded "Lahore". Now I am not trying to broad-brush all Pakistanis, but Pakistan is not the model of political stability. I asked my CTO if there was any vetting of the individuals. He believed there was. But I am not talking about technical screening. What I am concerned about is terrorist screening. The CTO said he would take the matter up with the Chief IT Security Officer -- but nothing changed.

    Think of all the mission-critical databases your enterprise has to maintain. Even with the best DR policies, there could be the prospect of a catastrophic event caused by a DBA that might threaten the existence of the company. What would happen if it took two weeks to recover? Most businesses would tell you they would have to shut their doors if they were honest.

    Returning to our original discussion, audit is very important as the size of the enterprise grows. Sure, I would like to be trusted (and I am). But it is foolish to ignore the separation of duties.

    Any organization with an IT department large and funded enough to have a designated CTO and Chief Security Officer should also keep their database and network administrators in-house, well compensated, and on a short leash. You can out-source your web developers, your marketing team, payroll, help desk support, and even members of your executive management... but don't out-source (much less off-shore) the guys who hold the keys to your data. I'd much rather deal with the aftermath of a rogue graphic artist or accountant than I would a rogue database administrator.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho