• Brandie Tarvin (12/3/2009)


    In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

    The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

    We had that particular question come up recently (not because of an incident, but because of an independent audit). So - our Audit and Compliance team contracted an external entity to hook up and store a remote, encrypted version of SQL Compliance Manager, which not only tracks any changes made to the data when it's not tracking changes.

    So - the tracking company can't read what they're storing, unless internal compliance unlocks the data, and we can't get to the logging data.

    I'm sure there's a way to get around it, but at this point, it's like a car alarm: if it's enough of a pain, you will discourage meddling with the system.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part... unless you're my manager... or a director and above... or a really loud-spoken end-user... All right - what was my emergency again?