Looking at SOX
Steve Jones
SSC Guru

Group: Administrators
Points: 65007 Visits: 19118
Comments posted to this topic are about the item Looking at SOX

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Jim Murphy
SSChasing Mays

Group: General Forum Members
Points: 651 Visits: 1265
Only one of my current clients adheres to SOX and HIPAA. Yes, it has impacted work. I agree with you, that it is really for the better in that the separation of duties, although often raising the administration work, is really our job anyway.

As for the extra paperwork, ya, I'm not going to jump for joy about that. But at the same time, it makes everyone up the food chain aware that cowboy-coding is a no-fly zone. Ok, I just had to mix something from Austin, TX with a current event in the same sentence.

I actually think it made the management of my client aware of the risks of ordering a bad practice, or sneaking in some code/data changes 'like before'. So although there is a longer change management process between the SQL coder and the production db, with lots of testing and approval in between, shouldn't that be needed anyway for non-trivial systems?

Really, the pressure is off my back because everyone is now used to changes taking a few days to implement - at least, and it will simply no longer be done 'this afternoon'. I'm talking about 95% of the time as a general procedure, not when there is an emergency.

So I don't mind it so much. In fact, it has helped my own DBA staff to be similarly cognizant of why this is in place so we can follow similar processes with our smaller clients - but with less paperwork.

Jim

Jim Murphy
http://www.sqlwatchmen.com
@SQLMurph
naas2005
Forum Newbie

Group: General Forum Members
Points: 5 Visits: 87
I agree that SOX overall has been a force for good. I see tighter controls over who has access to data now and a better understanding from non-technical management on the relevance of that.
An interesting effect of SOX I've witnessed is that development of access control & tracing systems, bug fixes & upgrades to in-scope systems are funded & championed more readily. Where SOX is concerned the decision on whether or not to spend money on development is often made simpler for management.

Keith
Evil Kraig F
SSCrazy Eights

Group: General Forum Members
Points: 8775 Visits: 7660
HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.

HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.


- Craig Farrell

Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. |Tally Tables

Twitter: @AnyWayDBA
bwillsie-842793
SSC-Enthusiastic

Group: General Forum Members
Points: 155 Visits: 290
I think SOX has had a negative effect on business in the US, mostly because it has become a scapegoat or excuse in many instances.

IT empires with a 1960's mainframe mentality have been built in the name of SOX.

It has been used as an excuse to take away users' ability to create and execute custom queries against a reporting database on the fly.

The most bizarre extension I've seen of this came when a DBA told me that "We need to take Excel away from all the users because they can manipulate data in it and that violates SOX."

I've researched SOX quite a bit and to me its concept is very similar to ISO. (1) Do you have set procedures in place to run your organization? (2) Do you follow those procedures?

I don't remember any SOX requirement that ensures that it will be easy to identify violations when the procedures are violated.

In short, it's resulted in a lot of extra work in our organization with no value to the stockholders or public.
jcrawf02
SSCrazy

Group: General Forum Members
Points: 2368 Visits: 19324
Craig Farrell (3/18/2011)
HIPAA, under most circumstances, hit me harder than SOX. SOX mostly forced change control into existence for the cowboy shops. It's been taken to ridiculous extremes on occasion, but amongst the clients I've worked for, not very often.

HIPAA has changed the way every healthcare firm I've worked for did business, never mind just the data side of things. From what I see, for the better, but it was taken MUCH more seriously than SOX was, or still is. Not enough companies care about SOX other than trying to make a best effort until the auditors are at the door, at least from my perspective. HIPAA will destroy them if they need to care; SOX still seems like a 'Nice to Have' on the list of requirements.
Well said

---------------------------------------------------------
How best to post your question
How to post performance problems
Tally Table:What it is and how it replaces a loop

"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
OCTom
Hall of Fame

Group: General Forum Members
Points: 3163 Visits: 4152
I don't have to deal with SOX but I do have to deal with HIPAA. Both of these are laws that were passed to make people feel better about something. SOX was to make people feel better about business in the wake of Enron and HIPAA was supposed to make people feel secure about their personal information in medical records in an effort to make health care portable.

Have either had their intended effects?
mike.styers
SSC Rookie

Group: General Forum Members
Points: 47 Visits: 1145
While I see benefits in security and controls inspired by SOX, it doesn't stop fraud instigated by upper management. All that is needed is a little collusion and it's done.

I also dread the auditor visits and the long drawn out discussions of why a particular system has requirements that don't fall into their cookie cutter world. We just had this conversation last year. Didn't you take notes or document anything? Let me help, I'll forward you the email I sent last year (and probably the year before) explaining this.

I've got no problem with the additional work, separation of duties analysis for new processes, etc. I just dread those six words... "The auditors are coming next week." :-P

M
TravisDBA
SSCrazy

Group: General Forum Members
Points: 2038 Visits: 3069
The "Separation of duties" is the big thing I see in SOX. No more "Jack of all trades" job descriptions. I see too many smaller companies not currently under SOX get away with this like posting a single job that includes: Application Developer, Project Manager, Database Administrator, Web Developer, and Network Admin duties all in one job requirement. Simply because they are too cheap to hire separate people for each job description. SOX takes care of this, and that is a good thing IMHO.:-D

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
WI-DBA
SSC Veteran

Group: General Forum Members
Points: 278 Visits: 605
Overall, the law has been a good thing as many expressed above. Allowing DBAs to tighten down production, while using SOX as the vehicle to get it done. This has improved our production environments stability considerably.

The annual audit is a good thing, although the auditors generally don't really know what they are asking for or how to decipher the information. Thankfully PowerShell helps make these audits quicker than doing tons of screenshots. I have documented some of the scripts on my blog that I use to make the audit faster.

A significant portion of my work from time to time is the audit, and while it can be painful, it does help us find nagging things and force us to review our environments more frequently.

Cheers
http://twitter.com/widba
http://widba.blogspot.com/