Who Watches the Watchers?
mike.styers
SSC Rookie

Group: General Forum Members
Points: 29 Visits: 1145
Another name for Compliance is Internal Controls. Where I work, it is all day, every day.

In today's world, now with SOX / HIPAA, it is just part of doing business. At the places I've worked over the last 10 years or so, the mantra is acknowledge and move on...

M
Jason Miller-476791
SSC-Enthusiastic

Group: General Forum Members
Points: 162 Visits: 694
I work in a highly regulated industry. We have three external auditors that I'm familiar with. One for IT-specific issues, another for business process flow, and yet another for something that I'm not entirely familiar with... (Can you say SAS70?)
That's not to mention the standard accounting audits and such.
Then there's group internal audit...

All this is well and good, but as someone mentioned previously, "Locks keep honest people out." (paraphrased)

Again, this concept of watching the watchers was touched before, and will again. It comes down to having to trust SOMEONE at some point.


Courage is not simply one of the virtues but the form of every virtue at the testing point, which means at the point of highest reality. - C. S. Lewis

Perfect courage is to do without witnesses what one would be capable of doing with the world looking on. - François, Duc de La Rochefoucauld


I guess it comes to a point where what matters is the character of the individual. To quote one of my favorite movies, "Ethics..."
-Jon Polito as Johnny Caspar. I'll save you the whole line, but if interested check out "Miller's Crossing" (And the name has nothing to do with it.)

Honor Super Omnia-
Jason Miller
WayneS
SSCertifiable

Group: General Forum Members
Points: 6243 Visits: 10403
Jason Miller-476791 (12/3/2009)
... It comes down to having to trust SOMEONE at some point...

Aren't these the people that you get insurance bonding for? So it really comes down to paying someone else to ensure the trust.

Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
Links: For better assistance in answering your questions, How to ask a question, Performance Problems, Common date/time routines,
CROSS-TABS and PIVOT tables Part 1 & Part 2, Using APPLY Part 1 & Part 2, Splitting Delimited Strings

Jason Miller-476791
SSC-Enthusiastic

Group: General Forum Members
Points: 162 Visits: 694
WayneS (12/3/2009)
Aren't these the people that you get insurance bonding for? So it really comes down to paying someone else to ensure the trust.

At some point, there is a requirement for trust. Peel back a layer on the onion enough times, eventually you get to the core...

Honor Super Omnia-
Jason Miller
Elliott Whitlow
SSCertifiable

Group: General Forum Members
Points: 6208 Visits: 5314
A recent poster mentioned having to trust somebody sometime, and I largely agree, but the compliance (internal controls, whatever) group doesn't need high-level access. They need to be able to check logs and to see if internal controls are being followed, but that doesn't translate into high-level access; maybe for the tools, but not necessarily for the people themselves.

In many cases I wouldn't trust the compliance people with high-level access. The reason? They often don't have strong knowledge of the software; they are usually "process" people who know more about security and process than SQL Server or Windows. But then again, that is my experience; mileage may vary.

CEWII
Brandie Tarvin
SSCertifiable

Group: General Forum Members
Points: 7804 Visits: 8745
In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

Brandie Tarvin, MCITP Database Administrator
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.
Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
mike.styers
SSC Rookie

Group: General Forum Members
Points: 29 Visits: 1145
What I've observed is that the compliance folks typically don't want access to anything. Otherwise they are performing GONZO auditing because they've added themselves into the mix. They want the technical folks to deliver copies of logs, documentation, access logs, audit logs/reports, etc. But here again, this does imply trust and an assumption that the dear old DBA doesn't have time or access to doctor everything prior to delivering the requested documentation.

M
chrisn-585491
SSC Eights!

Group: General Forum Members
Points: 964 Visits: 2321
Ethics and integrity are a necessary basis for a fully-functional civilization. Those civilizations that don't play by those rules tend to tumble down.


Tell that to the folks at .gov and on Wall Street. We little people can be as ethical and honest as possible, but it does absolutely no good in the long run if the problems at the C-level aren't corrected. I've seen more companies destroyed by management than by data breaches or actions of the workers.
Jason Miller-476791
SSC-Enthusiastic

Group: General Forum Members
Points: 162 Visits: 694
chrisn-585491 (12/3/2009)
...it does absolutely no good in the long run if the problems at the C-level aren't corrected. I've seen more companies destroyed by management than data breaches or actions of the workers.

I worked at a company and the Director of SE had a meeting to inform us that "... they wanted to institute an annual mandatory drug screen for employees." A bunch of us agreed with him on the condition that it starts with senior management.

It went no farther.

Honor Super Omnia-
Jason Miller
Matt Miller (#4)
SSCertifiable

Group: General Forum Members
Points: 7643 Visits: 18084
Brandie Tarvin (12/3/2009)
In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

We had that particular question come up recently (not because of an incident, because of an independent audit). So - our Audit and Compliance team contracted an external entity to hook up and store a remote, encrypted version of SQL Compliance Manager, which not only tracks any changes made to the data but also when it's not tracking changes.

So - the tracking company can't read what they're storing, unless internal compliance unlocks the data, and we can't get to the logging data.

I'm sure there's a way to get around it, but at this point, it's like a car alarm: if it's enough of a pain, you will discourage meddling with the system.

----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
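Added illustration (not the poster's setup and not SQL Compliance Manager code) of why an externally held copy of the audit trail addresses the "doctor the logs before delivering them" worry raised earlier in the thread. It swaps the encrypted remote copy described above for a simpler arrangement: each audit entry is hash-chained to the one before it, and only the chain hash leaves the building at write time, so the third party learns nothing about the content and the local side cannot later edit, delete or reorder entries without the verifier noticing. The logins, object names and events are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def canonical(entry):
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, entry):
    # Each link commits to the previous link, so editing, removing or reordering
    # any earlier entry changes every hash after it.
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(entry)).hexdigest()


class ExternalArchive:
    """Write-once store run by a third party. It receives only chain hashes, so it
    cannot read the events, and the DBA has no write access to it (assumed)."""

    def __init__(self):
        self.hashes = []

    def receive(self, h):
        self.hashes.append(h)


class AuditLog:
    """DBA-side log. Every append ships the new chain hash to the archive at once,
    before anyone on the local side has a chance to edit the entry."""

    def __init__(self, archive):
        self.entries = []
        self.archive = archive

    def append(self, entry):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, entry)
        self.entries.append({"entry": entry, "hash": h})
        self.archive.receive(h)
        return h


def verify(entries, archive):
    """Compliance-side check: recompute the chain from the delivered entries and
    compare with the externally held hashes. Returns (ok, index_of_first_problem)."""
    if len(entries) != len(archive.hashes):
        return False, min(len(entries), len(archive.hashes))
    prev = GENESIS
    for i, rec in enumerate(entries):
        h = entry_hash(prev, rec["entry"])
        if h != rec["hash"] or h != archive.hashes[i]:
            return False, i
        prev = h
    return True, None


def rehash(entries):
    # Recompute the local chain so a doctored file looks self-consistent on its own;
    # the verifier still catches it because the archive holds the original hashes.
    prev = GENESIS
    for rec in entries:
        rec["hash"] = entry_hash(prev, rec["entry"])
        prev = rec["hash"]
    return entries


# Constructed sample events (hypothetical logins and objects).
SAMPLE_EVENTS = [
    {"ts": "2009-12-03T10:15:00Z", "login": "CORP\\dba1", "action": "ALTER LOGIN", "object": "app_svc"},
    {"ts": "2009-12-03T10:16:30Z", "login": "CORP\\sales7", "action": "SELECT", "object": "dbo.Customers", "rows": 48213},
    {"ts": "2009-12-03T10:20:05Z", "login": "CORP\\dba1", "action": "DELETE", "object": "dbo.AuditTrail"},
]


def build_sample_log():
    archive = ExternalArchive()
    log = AuditLog(archive)
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log, archive


def scenarios():
    """Run the verifier over an honest delivery and four doctored ones."""
    log, archive = build_sample_log()
    results = {"honest": verify(log.entries, archive)}

    edited = copy.deepcopy(log.entries)
    edited[1]["entry"]["rows"] = 12          # shrink the export before handing it over
    results["edited"] = verify(edited, archive)

    results["edited_and_rehashed"] = verify(rehash(copy.deepcopy(edited)), archive)

    deleted = copy.deepcopy(log.entries)[:-1]  # drop the DELETE on the audit table
    results["deleted"] = verify(deleted, archive)

    reordered = copy.deepcopy(log.entries)
    reordered[0], reordered[1] = reordered[1], reordered[0]
    results["reordered"] = verify(rehash(reordered), archive)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in scenarios().items():
        print(f"{name:20s} ok={ok} first_problem={idx}")
```

The design point is the one the post makes: neither side alone can both read and rewrite the record. The archive sees only digests, and the local side can rewrite its own file but not the digests the archive already holds, so the honest log verifies and every doctored variant fails at the first altered position.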