Database Schema Changes & SOX
Darren Fuller, SSC Rookie (31 reputation), General Forum Members

Having an audit trail & controls over changes to data within a database is a requirement of the SOX Act. But does this also include providing an audit trail of changes to the database schema, reference tables & stored procedure code?

Thanks,

Darren


Mike Dominick, SSC-Enthusiastic (175 reputation), General Forum Members

Yes, everything needs to be tracked and no changes can be implemented by the developer per our SOX auditor. The developer makes the changes and documents them, then sets it up in a test environment for the users to test. Once testing passes the change must be handed off to a "migration specialist" who will be responsible for making the change to the production servers. Changes in security, adding new users, etc. all need to be tracked and audited. We are a small shop and still figuring out how to create all the new hats since we are not allowed to wear hats in both the production and developer worlds.

Mike
Kerris Wright, Forum Newbie (3 reputation), General Forum Members

I agree with your SOX separation of duties setup and monitoring interpretations. What have you done to monitor the activities of your individuals who have the capability to alter the production schema (such as your 'migration specialists')? Do you have a process built to report any 'DBA' type activities in the Production environment?
Derrick Leggett, SSC-Enthusiastic (184 reputation), General Forum Members

We have the same requirements here. We're doing a few things to ensure we're compliant:

1. Separation of duties. Developers can't change ANYTHING in production.

2. Set up a trace to monitor all metadata changes and permissions changes.

3. Set up a trace to monitor all connections outside of app and web server pairs.

4. Lock down security on applications to only permit needed access per application context.



Derrick Leggett
Mean Old DBA
When life gives you a lemon, fire the DBA.
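Step 2 above (a trace on metadata and permission changes) and Kerris's question about reporting DBA-type activity in production can both be met with a database-scoped DDL trigger that writes every schema change and every GRANT/DENY/REVOKE, user or role change to an audit table, together with the login, host and the exact statement. This is an added example in T-SQL, not code from the thread or from any poster; it uses a DDL trigger rather than the SQL Trace that Derrick describes, and the table name, trigger name and the deployment login name are assumptions.

```sql
-- Added example (not from the thread): a database-scoped DDL trigger that writes
-- every schema change and every permission/user/role change in this database to
-- an audit table. dbo.SchemaChangeLog and trg_AuditSchemaChanges are assumed names.
CREATE TABLE dbo.SchemaChangeLog (
    LogId       INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    EventTime   DATETIME      NOT NULL,
    EventType   NVARCHAR(128) NOT NULL,   -- e.g. CREATE_TABLE, ALTER_PROCEDURE, GRANT_DATABASE
    LoginName   NVARCHAR(128) NOT NULL,   -- server login that issued the statement
    UserName    NVARCHAR(128) NOT NULL,   -- database user the login mapped to
    HostName    NVARCHAR(128) NULL,       -- client machine name reported by the connection
    SchemaName  NVARCHAR(128) NULL,
    ObjectName  NVARCHAR(128) NULL,
    ObjectType  NVARCHAR(128) NULL,
    CommandText NVARCHAR(MAX) NOT NULL,   -- the exact statement, so a reviewer sees what changed
    EventXml    XML           NOT NULL    -- full EVENTDATA() payload for anything not extracted
);
GO

CREATE TRIGGER trg_AuditSchemaChanges
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS   -- object DDL plus database security events (GRANT/DENY/REVOKE, users, roles)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e XML = EVENTDATA();   -- only valid inside the DDL trigger

    INSERT INTO dbo.SchemaChangeLog
        (EventTime, EventType, LoginName, UserName, HostName,
         SchemaName, ObjectName, ObjectType, CommandText, EventXml)
    SELECT
        @e.value('(/EVENT_INSTANCE/PostTime)[1]',   'DATETIME'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/UserName)[1]',   'NVARCHAR(128)'),
        HOST_NAME(),
        @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectType)[1]', 'NVARCHAR(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'NVARCHAR(MAX)'),
        @e;
END;
GO

-- Exercise the trigger with a schema change and a permission change (constructed sample objects).
CREATE TABLE dbo.DemoOrders (OrderId INT NOT NULL PRIMARY KEY, Amount MONEY NOT NULL);
GO
GRANT SELECT ON dbo.DemoOrders TO public;
GO

-- Review query for the control owner: every change in production that was NOT
-- issued by the approved deployment login ('MigrationSpecialist' is a placeholder).
SELECT EventTime, EventType, LoginName, UserName, HostName,
       SchemaName, ObjectName, CommandText
FROM dbo.SchemaChangeLog
WHERE LoginName <> N'MigrationSpecialist'
ORDER BY EventTime;
GO
```

After the two sample statements the log holds a CREATE_TABLE row and a GRANT_DATABASE row, each with the issuing login, host and statement text, which is the evidence an auditor asks for when checking that only the migration role touches production. Altering or dropping the trigger is itself a DDL event in the DDL_DATABASE_LEVEL_EVENTS group, so that action is recorded too; the log table still needs protecting (INSERT only for ordinary users, periodic copy to a store the DBAs cannot edit), and server-level changes such as new logins need a separate trigger created ON ALL SERVER for DDL_SERVER_LEVEL_EVENTS.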
devereauxj, SSC Veteran (249 reputation), General Forum Members

We have separation of duties. All promotions (data/schema) come through the DBAs. We have an audit trail of paper. The developers fill out a form for the promotion. Their manager must also sign off on it. We do the promotion, sign it and put it in a 3-ring binder. We do this for all databases (SQL, Oracle, DB2, Adabas).

I don't know about others, but the auditors we got seem very green. We got told to "audit all transactions on all platforms" basically. We told management that it would require 2 to 4 times the hardware for CPU, memory, etc. Management went back to the auditors and said that was not realistic. No word yet on where this will go.

Our department's philosophy up to this point has been, if there are actions and processes that need to be scrutinized, the application should be auditing those. Actions that need to be tracked (who updated what row, what purchasing amount) should be tracked in the application.

Has anyone been hit with "List of those approved to change the list of those approved to be on the list of those who can request promotions?" Our security people are dealing with that.

Joseph
mark baekdal-145375, SSC-Enthusiastic (108 reputation), General Forum Members

Check out www.dbghost.com for a process to follow that can go a long way to satisfy any auditing requirements.