Here's what you need to do. Be warned, it is TEDIOUS and work intensive.
First, list out every account you have in SQL Server with that account's permissions and db access. (this includes roles attached to each account and both Windows & SQL Only accounts).
Secondly, list out every person who has the password to the SQL Only accounts.
Thirdly, get a solid business reason why all these people have the pwds to the SQL Only accounts.
Fourthly, get together with the people who make the security decisions and write down a solid policy of how these passwords are passed out, by whom, the acceptable reasons for giving people access to these accounts, the reasons for account access "rejection", how you are tracking who has account access and how you deal with the account access when someone changes jobs / teams or leaves the company.
Lastly, make sure the document is accessible (in both electronic and paper format) to everyone who makes the security decisions and that they have all read it and are aware of the policies.

CONGRATULATIONS! You are now SOX compliant!
Yes, it really is that easy. @=) You don't have to change a thing unless you have holes in your security and cannot prove these people have a solid business reason for having access.
Now, as a DBA, your situation makes me majorly paranoid, waiting to change the SA password and revoke access to everyone's accounts. But from a SOX Compliant POV, really all you have to do is plug the holes and document the process.
Brandie Tarvin, MCITP Database Administrator
LiveJournal Blog, and Twitter.
Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
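The first step above (inventory every login with its server roles, database users and database role membership, for both Windows and SQL-authenticated accounts) can be pulled straight from the catalog views rather than by hand. The T-SQL below is an added example and is not part of the original post; it assumes SQL Server 2005 or later and a login with permission to read every database (sysadmin or equivalent). The temp table name `#db_access` is an arbitrary choice.

```sql
-- Added example (not from the original post): inventory of SQL Server logins,
-- their server roles, and every database user with its roles and explicit
-- permissions. Assumes SQL Server 2005+ catalog views and a sysadmin-level login.
SET NOCOUNT ON;

-- 1. Server-level principals: SQL logins, Windows logins and Windows groups,
--    with a comma-separated list of the fixed/custom server roles each holds.
SELECT
    sp.name        AS login_name,
    sp.type_desc   AS login_type,     -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
    sp.is_disabled,
    ISNULL(STUFF((SELECT ', ' + r.name
                  FROM sys.server_role_members rm
                  JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
                  WHERE rm.member_principal_id = sp.principal_id
                  FOR XML PATH('')), 1, 2, ''), '') AS server_roles
FROM sys.server_principals sp
WHERE sp.type IN ('S', 'U', 'G')      -- skip server roles and certificate/key principals
  AND sp.name NOT LIKE '##%'          -- skip SQL Server's internal ##MS_...## logins
ORDER BY sp.name;

-- 2. Per-database access: every user, the login it maps to (NULL for orphaned or
--    contained users), its database roles, and any explicit GRANT/DENY entries.
IF OBJECT_ID('tempdb..#db_access') IS NOT NULL DROP TABLE #db_access;
CREATE TABLE #db_access (
    database_name        sysname,
    user_name            sysname,
    login_name           sysname NULL,
    user_type            nvarchar(60),
    db_roles             nvarchar(max),
    explicit_permissions nvarchar(max)
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch switches context for the INSERT that follows it.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    INSERT INTO #db_access
    SELECT DB_NAME(), dp.name, sp.name, dp.type_desc,
        ISNULL(STUFF((SELECT '', '' + r.name
                      FROM sys.database_role_members drm
                      JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
                      WHERE drm.member_principal_id = dp.principal_id
                      FOR XML PATH('''')), 1, 2, ''''), ''''),
        ISNULL(STUFF((SELECT '', '' + perm.state_desc + '' '' + perm.permission_name
                      FROM sys.database_permissions perm
                      WHERE perm.grantee_principal_id = dp.principal_id
                      FOR XML PATH('''')), 1, 2, ''''), '''')
    FROM sys.database_principals dp
    LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
    WHERE dp.type IN (''S'', ''U'', ''G'')
      AND dp.name NOT IN (''guest'', ''INFORMATION_SCHEMA'', ''sys'');';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT * FROM #db_access ORDER BY database_name, user_name;
```

The second result set is the one to keep as the audit record: a row per database user with a NULL `login_name` points at an orphaned user (a login that was dropped but whose database user was not) that the access policy should account for, and any row whose `server_roles` or `db_roles` contains `sysadmin` or `db_owner` is where the "solid business reason" question in steps three and four has to be answered first. Who knows the password of each SQL login is not recorded anywhere in the instance, so that part of the inventory still has to be collected from people.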