SQLServerCentral is supported by Redgate
No DBAs allowed access to Production DB Servers...
marris (Grasshopper)
You should have a control and review process in place rather than imposing a blanket ban. You can tell your director that all logins with sysadmin privilege will be audited, DBA logins will be added only after approval from a manager, audit activities need to be reviewed, and DBAs cannot add/modify logins. In other words, securityadmin should be separated from sysadmin. All the best!
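The controls marris lists (an audited sysadmin population, DBAs who cannot create or modify logins, securityadmin held by someone other than the DBA, and a periodic review of the audit trail) can be expressed directly in T-SQL. The following is an added example, not code from this thread or from any of its posters. It assumes SQL Server 2012 or later (SQL Server Audit and the ALTER SERVER ROLE syntax are newer than the 2000/2005 versions current when the thread was written), and the login names, audit name and file path are invented for illustration.

```sql
-- Added example (not from the original post). Assumes SQL Server 2012+.
-- Login names, audit name and file path are hypothetical.

-- 1. Inventory: who currently holds sysadmin? Review this list with the
--    approving manager and keep the output as audit evidence.
SELECT  m.name        AS member_name,
        m.type_desc   AS member_type,
        m.is_disabled,
        m.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Separation: the DBA login keeps the operational rights it needs but is
--    NOT a member of sysadmin and gets no securityadmin either. Login
--    management is reserved for a separate security-administration login.
CREATE LOGIN [CORP\dba_jsmith] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]    ADD MEMBER [CORP\dba_jsmith];
ALTER SERVER ROLE [processadmin] ADD MEMBER [CORP\dba_jsmith];
ALTER SERVER ROLE [diskadmin]    ADD MEMBER [CORP\dba_jsmith];
GRANT VIEW SERVER STATE, VIEW ANY DEFINITION TO [CORP\dba_jsmith];
-- An explicit DENY survives later GRANTs from other role memberships.
-- (DENY is ignored for sysadmin members, which is why step 2 keeps the
-- DBA out of sysadmin in the first place.)
DENY ALTER ANY LOGIN TO [CORP\dba_jsmith];

CREATE LOGIN [CORP\secadmin_rlee] FROM WINDOWS;
ALTER SERVER ROLE [securityadmin] ADD MEMBER [CORP\secadmin_rlee];

-- 3. Audit: record every change to logins, server-role membership and
--    server-level permissions, every change to the audit itself, and every
--    login event, so the "review audit activity" step has something to read.
CREATE SERVER AUDIT [Audit_PrivilegedAccess]
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);   -- fail closed

CREATE SERVER AUDIT SPECIFICATION [AuditSpec_PrivilegedAccess]
FOR SERVER AUDIT [Audit_PrivilegedAccess]
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),     -- CREATE/ALTER/DROP LOGIN
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- sysadmin/securityadmin membership
    ADD (SERVER_PERMISSION_CHANGE_GROUP),    -- GRANT/DENY/REVOKE at server level
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (AUDIT_CHANGE_GROUP),                -- tampering with the audit itself
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);

ALTER SERVER AUDIT [Audit_PrivilegedAccess] WITH (STATE = ON);

-- 4. Review query for the periodic sign-off: every login, role-membership
--    or server-permission change in the last 30 days, with who did it.
--    action_id codes are listed in sys.dm_audit_actions (CR/AL/DR = create,
--    alter, drop; APRL/DPRL = add/drop server-role member; G/D/R = grant,
--    deny, revoke).
SELECT  event_time,
        action_id,
        server_principal_name        AS performed_by,
        target_server_principal_name AS affected_login,
        statement
FROM    sys.fn_get_audit_file(N'D:\SQLAudit\Audit_PrivilegedAccess*.sqlaudit', DEFAULT, DEFAULT)
WHERE   action_id IN ('CR', 'AL', 'DR', 'APRL', 'DPRL', 'G', 'D', 'R')
  AND   event_time >= DATEADD(DAY, -30, SYSUTCDATETIME())
ORDER BY event_time;
```

Two caveats a reviewer would want on record. First, Microsoft's own documentation says securityadmin should be treated as equivalent to sysadmin, because its members can grant most server-level permissions (including to themselves); the holder of that role is therefore part of the privileged population under audit, not a neutral party outside it. Second, any remaining sysadmin member can stop or alter the audit, so AUDIT_CHANGE_GROUP is included above and the audit files should be copied off the host (or the audit written TO SECURITY_LOG) to a location the audited accounts cannot modify.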





David.Poole (Hall of Fame)
Really, this is a case of the road to hell being paved with good intentions. You can see the spirit of what the IT Director wanted to do; it's just that the letter of what he wanted was a right pig's ear!

I've had a similar instance where we were told to comply with the Data Protection Act (UK) in terms of not retaining data without permission or once its use-by date had expired.

The problem was that it was insisted that if that data existed on a backup tape then we would be in breach of the act. So, run a destructive process on data without a backup... hey wow, what a good idea!!!!



Slavek Rotkiewicz (Forum Newbie)
Half-and-half solution

1) Only the DBA can change data structures, stored procs etc.
2) Only users can access the database via the production GUI (the DBA is prevented from this via an encrypted password that the user creates).
3) Even though the DBA has access to every object in the DB, he could not enter a financial transaction without a complete understanding of the schema.

(This is for an accounting solution.)


Madhav Vedula (Forum Newbie)
Interesting topic:

Well, I have seen enough bashing of auditors. I am an IT auditor, and yes, CISA too, working on Sarbanes

Recently we are auditing a client who is running Solomon on SQL Server and other Oracle database applications.

I am working with one of the top risk consulting companies. Our interpretation of the Sarbanes-Oxley act for IT is that, in addition to all other controls, Segregation of Duties is a key control. That control requires that Development and DBA functions be carried out by two separate individuals.

I am not sure if the keykeeper idea is a good one. However, from a compliance perspective, database developers cannot access the production environment. The same applies to the SDLC: developers cannot QA and certify their own work.

That is how SOX compliance mandates it and how we auditors interpret it. The remediation is up to each client, and how each company is going to handle it is open.

Madhav Vedula CISA
Sr. Internal Auditor


stonemw (Valued Member)
This is what happens when people who are clueless make laws. Many shops have developer and DBA as one and the same. Why should smaller shops be required to hire a DBA and a developer, especially if they cannot afford both nor need both? What SOX is doing is having accountants dictate the way IT does business. Now you have those responsible for the making of SOX telling us how to do our job. There are already those in Washington who realize that this law is way off base and are trying to change and/or repeal it.



Mike Dominick (SSC-Enthusiastic)
I am curious to know what an auditor's thoughts are on what a company should do when there are only two individuals qualified to be database administrators and both of these people are also responsible for internal application development.

What is your definition of database development?

In my case our company is too small to have a dedicated database administrator, let alone a secondary support person who will cover him/her while they are on vacation.

In our company this person would be bored because it would only be an 8-hour-a-week job, on average. Now, there is more than enough work for 2+ programmers.

What's better, having an experienced DBA or some secretary who just inherited a new title so that we can maintain separation of duties on paper?





ndeangelo (Grasshopper)
We're just about through the Sarbanes prep. It has been a nightmare. DBAs no longer have the 'sa' password - we're not supposed to have access to the production system (financial apps, Solomon on one server, Epicor on another) - when we do need access, we have to call someone with a special user and password, do our thing, then call them back so they can change the password. The first day, we changed the password 4 times! There has to be a better way. The thing I disliked most about the audit is how the auditors make you feel. I got the impression that it was dangerous for me to know my databases inside and out, and that they would have been happier had I been some clueless accountant fixing things through MS Access. What Sarbanes does is make life harder for honest companies. For those who want to cheat, they are still going to find a way. I guess the upside is that it gave a temporary respite to all the auditors who lost their jobs because of Enron, Adelphia, etc... thanks for letting me vent!



Max-146500 (SSC Veteran)
Most interesting.

One would think that the best people to prevent fraud and misuse of data would be the ones who designed or maintained that system.

Although none of us are infallible, I would much prefer a professional to look after my data and its structure than handing over access rights to a potential target.

I couldn't imagine working effectively in an environment like that, but I suppose it depends on how much you paid me...

Integrity and honesty, do only lawyers and auditors have it?



Max
Gary Andrade (SSC-Enthusiastic)
This whole thing seems like a big money-making racket for a select industry. Companies like Price Waterhouse Cooper are making money hand over fist charging companies to do audits. This whole undertaking is supposed to give investors the confidence to back companies that have been certified and passed the SOX audits. The government has not enacted any audit passing requirements. In fact the government has no SOX auditors. This whole thing is suspect at best! If you saw the cost and resources companies are throwing at SOX, you might think twice about investing in these companies.
noeld (SSCertifiable)

"... Integrity and honesty, do only lawyers and auditors have it?"

Really?




* Noel