No DBAs allowed access to Production DB Servers...

  • OMFG. Wow am I ever glad I am located and do business in Canada. SOX sounds like a nightmare!

    I agree with the earlier poster, with so much division of duties who is going to know enough to see the signs and catch the cheaters.

    Dave

    Trainmark.com IT Training B2B Marketplace
    (Jobs for IT Instructors)

  • We did this at a dot.com.  I was the lead DBA with two full-time and two part-time DBAs under me.  I also coordinated with one admin/DBA for production.  With one exception, no "development" DBAs were allowed on production machines.  I installed the clusters in the cage at the co-host facility, and beyond that, I never saw them again.  All code, all data uploads, and all patches were scripted and delivered in self-installing packages.  It was back to that general management philosophy that "SQL Server is so easy that monkeys can do it!"

    Okay, so maybe monkeys CAN do it if the developers (including developer DBAs) do their jobs right.

    The one exception to the rule was when a link was discovered, created by a user, to no longer point from our site to its original site, but now pointing to a porn site.  It seemed pretty funny at first that people were buying up URLs and making them porn sites, but it wasn't a laughing matter since our audience was K-8.

    It was inconvenient, but not unworkable.  And for all the reasons I see people saying they have done it too... maybe the right way to go.


    Cheers,

    david russell

  • I suggest, no congress member and no SOX-auditor should be allowed in their jobs without a degree in physics. This will give you some basic clue: http://www.newscientist.com/channel/fundamentals/quantum-world/mg18925405.700

    >Even for the crazy world of quantum mechanics, this one is twisted. A quantum computer program has produced an answer without actually running.<

    A quantum dba has maintained his servers, without actually having access to them. - or - A quantum dba has committed fraud, without actually having access to the money.

    That's what we're all looking for. Sincerely.


    _/_/_/ paramind _/_/_/

  • Common and big misunderstanding.  NO SOX auditors will make you do that.  IF THEY DO, make them give you names of others that have implemented it.  They won't and can't enforce it.  Happened here and quickly went away.  We are in our 3rd year of full compliance.

    joe

  • I have been in a situation like this before. It was not for any SOX or HIPAA reasons. It was just so my boss had full control over everything, even the stuff he did not know about. (BTW, my boss was not a bad guy either - he was a control freak (maybe due to his cultural background)).

    After a little over a year, I decided to get out of that place because I had to request access for everything and explain everything. As a DBA, I must have a feel for my server, which I did not have in that place. My boss felt giving more money would solve everything. Money can go only so far.

    One day, I decided to walk out even without any job in hand. I was able to find another job within a week and before my last day. I still help them out occasionally (as an outside consultant).

    Give me a fish, you feed me for a day! Teach me to fish, you feed me for a lifetime.

  • Bond a DBA or whatever is necessary, but no matter what the circumstance, the DBA must be a trusted individual in order to protect the very security required by SOX... and THAT DBA must have SA privs in order to do that job.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Isn't that the basic understanding: If you can't trust your DBA with your data who can you trust?

    -------------------------------------------------------------------------
    Normal chaos will be resumed as soon as possible. :crazy:

  • Gosh, you would think so... I guess I understand why some folks don't, though... some DBAs don't practice what I consider to be the cardinal rule of being a DBA, and it's kind of like being a doctor... "Above all else, cause no harm to the data"... not even if you leave or are asked to leave the company.  You shouldn't even be tempted if you're truly a good DBA.

    --Jeff Moden


  • Lots of good stuff here. Basically I agree that SOX is a pain and those who know the least make the most mess procedurally for us DBAs. But now I am going to put a bullseye on my back - or for those that are more medieval out there, my head on the chopping block.

    I say if you have:

    • good standards - hardware and software
    • a solid infrastructure - SAN, network, backup and architecture
    • automated monitoring - MSX Server, MOM and custom scripts
    • somewhat stable applications - need I add to this ?

    At present I support 20+ instances and 40+ applications. I only access production servers for upgrades. As a matter of fact I now am making changes to system maintenance switching from SAN to NAS drives for database backup storage. This is the first production change that I have made this year !!!

    OK now that I've made my peace I am ready ...

    Regards,
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • Bombard them with requests and then you'll see how fast they'll change it and give you rights again.

  • Then there's THAT... Works almost every time...

    --Jeff Moden


  • The auditors should research the concept of "arm's length transactions". This is a standard method for dealing with people having multiple roles in financial transactions, i.e. the corporation I own all of the stock in wants to give me a check for personal expenses. The way this is handled is simple. First, do everything like it is separate people. Second, document everything. Third, do everything by the book.

    So log everything done on a production server, and don't do any development work when you're working on the production facilities. If you want to be completely covered, log all of your development work as well. Dev work logs can be looser, but this will give a documentable trail of the two separate activities.

    --C

  • We recently moved our datacenter and went through this whole discussion.  The Finance/Sr Mgmt/Auditors all pulled that same argument that I couldn't have the SA password nor be a local admin on the box. 

    I agreed, but only on the condition that they (the trustworthy ones -- their words) were to be the "key masters".  When our folks at overseas offices started calling me at 3 in the morning, I gave them the phone numbers of these trustworthy ones, and a meeting was called very quickly to resolve this issue.   (I actually got some decent sleep those three nights!)

    The end result of the meeting was:

    1. I am back where I am able to do my job (SA and local admin).  We implemented many standardized procedures that can be documented and followed, which is the real meaning of SOX and ultimately what the auditors are looking for.

    2.  I did use it to get most of the developers off the production boxes and for them to create more of an admin interface to do their jobs.

    3.  They now have a much bigger appreciation/understanding for the number of hours that we work and our job skills. 

    4.  We had a serious and meaningful discussion about data security, job roles and responsibilities. 

    I hate politics as much as anyone but sometimes it has to be played when they won't come in with an open mind.   

    Good luck!

    SJ

  • That's usually the case, where someone takes your tools to be able to do your job away, then they figure out that they made you handicapped.  But that is really not enough; it has to hurt their bottom line and disrupt the business in order for them to realize they made a decision without really thinking of the consequences.  They have to come to the realization that you are not the enemy and that you are there to help them do exactly what they are trying to accomplish.  But this is true... we have to play politics.... I have learned that the better you are with dealing with politics in your company, the more you are able to get done.  There's no way around the politics.

  • Wow!

    Guys, honestly, instead of cursing politics and auditors you should pay more attention to the quality of your applications.

    Can you imagine: some people deploy their projects on the client's site, totally isolated from the external world! And no one except local sysadmins can access the servers. And of course, those sysadmins don't know anything about data processing in your bloody application and won't mess with the data under any circumstances.

    The only thing they can do is give you the most recent database backup for investigation if something went wrong.

    But you must do your investigation in their environment, on a separate test server, because some kinds of data (like hospital patients' history) should not be taken outside of the organisation.

    And you may apply any change to Production by sending scripts to those sysadmins for validation and deployment.

    And you know - it works!

    One of my recent projects is running for a year without any intrusion at all.

    The only time I get news about it is when a new customer is assigned to use the application.

    Small companies should not host their production databases at all. It's just impossible for them to provide comprehensive service. If they do everything, they are not good at anything.

    Sorry, guys, but if SOX is a problem for you - your development quality sucks.

    _____________
    Code for TallyGenerator
