This is one of the things I loathe about SOx and all the other audits I've had to deal with. I've never been given a document saying "this is what you have to comply with": instead it seems they invent things to whinge about each time a new audit rolls around. I'm Australian, so we don't have to stick to things like HIPAA and PCI DSS (we deregistered ourselves from the NYSE because of SOx, which I believe is becoming quite common for non-US companies), although we do use them as guidelines: it's all the additional "best practices" that crop up each new audit that peeve me.
Anyway, what we do for the systems that qualify as SOx systems (even though we don't try explicitly to stick to SOx et al) is:
- Support staff have read access to prod and prod-copy (unscrambled) support systems
- Developers have dbo rights to scrambled dev and system test systems
- Developers and business analysts have read-only access to "higher" test systems (e.g. UAT, Int Test, OAT), which are also scrambled
- Regression Test, P&V and QA systems require business sign-off to refresh, and the users who are to have (read-only) access to those systems are defined by the business before each round of testing.
It's the last group of systems that causes the greatest effort as the users need to be set up each time.
NB. Data scrambling is included as part of our automated test system refresh routines. The refresh needs to be done manually by specific people if the data is not to be scrambled. We have full segregation of duties, so people who are identified as support staff do not have access to dev/test systems and, most importantly, dev/test users do not have access to prod/prod-copy systems (although there is a process for them getting elevated rights in the event of a production incident).
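As an added illustration (not part of the poster's actual setup), the scheme described in this post can be written down as a policy and checked mechanically: an access matrix per role and environment group, read-only sign-off systems that need a named business approver, a segregation-of-duties check that nobody holds both a support role and a dev/test role, and a rule that unscrambled refreshes are only done by hand by specific people. Environment names, role names, the `dba-lead` approver and the sample grants are constructed for the example.

```python
"""Toy policy checker for the environment/role access scheme in the post above.

Constructed example: environment names, role names, the approver list and the
sample grants are assumptions for illustration, not the poster's configuration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Environment groups as the post describes them (names are assumptions).
PROD_SIDE = {"prod", "prod-copy"}          # unscrambled; support staff read-only
DEV_SIDE = {"dev", "system-test"}          # scrambled; developers get dbo
HIGHER_TEST = {"uat", "int-test", "oat"}   # scrambled; read-only for dev / BA
SIGNOFF_TEST = {"regression", "pv", "qa"}  # read-only; users named by the business per round

# Static access matrix: role -> {environment: highest permitted level}
MATRIX = {
    "support": {env: "read" for env in PROD_SIDE},
    "developer": {**{env: "dbo" for env in DEV_SIDE}, **{env: "read" for env in HIGHER_TEST}},
    "analyst": {env: "read" for env in HIGHER_TEST},
}

# People allowed to perform a manual, unscrambled refresh (constructed value).
UNSCRAMBLED_REFRESHERS = {"dba-lead"}


@dataclass
class Grant:
    user: str
    role: str
    env: str
    level: str                        # "read" or "dbo"
    approved_by: Optional[str] = None  # business sign-off, required on SIGNOFF_TEST systems


def allowed_level(role: str, env: str) -> Optional[str]:
    """Highest level the matrix permits for this role on this environment, or None."""
    return MATRIX.get(role, {}).get(env)


def check_grants(grants: List[Grant]) -> List[Tuple[str, str]]:
    """Return (user, problem) pairs for every grant that breaks the scheme."""
    problems: List[Tuple[str, str]] = []
    roles_by_user = {}
    for g in grants:
        roles_by_user.setdefault(g.user, set()).add(g.role)
        if g.env in SIGNOFF_TEST:
            # Sign-off systems: read-only, and each user must be named by the business.
            if g.level != "read":
                problems.append((g.user, f"{g.env}: only read access is granted"))
            if not g.approved_by:
                problems.append((g.user, f"{g.env}: no business sign-off recorded"))
            continue
        permitted = allowed_level(g.role, g.env)
        if permitted is None:
            problems.append((g.user, f"{g.env}: role '{g.role}' has no access"))
        elif permitted == "read" and g.level != "read":
            problems.append((g.user, f"{g.env}: role '{g.role}' is read-only, got '{g.level}'"))
    # Segregation of duties: support staff never also hold a dev/test role.
    for user, roles in roles_by_user.items():
        if "support" in roles and roles & {"developer", "analyst"}:
            problems.append((user, "segregation of duties: support plus dev/test role"))
    return problems


def validate_refresh(env: str, scrambled: bool, operator: str) -> Optional[str]:
    """Scrambled refreshes (the automated default) are always fine; an unscrambled
    refresh must be run by hand by one of the named people."""
    if scrambled:
        return None
    if operator not in UNSCRAMBLED_REFRESHERS:
        return f"{env}: unscrambled refresh by '{operator}' is not permitted"
    return None


# Constructed sample grants exercising each rule.
SAMPLE_GRANTS = [
    Grant("alice", "support", "prod", "read"),
    Grant("bob", "developer", "dev", "dbo"),
    Grant("bob", "developer", "uat", "read"),
    Grant("carol", "analyst", "uat", "dbo"),          # analysts are read-only on UAT
    Grant("dave", "developer", "prod-copy", "read"),  # dev/test user reaching prod-copy
    Grant("alice", "developer", "dev", "dbo"),        # support staff holding a dev role
    Grant("erin", "business", "regression", "read", approved_by="test-manager"),
    Grant("frank", "business", "qa", "read"),         # no sign-off recorded
]


if __name__ == "__main__":
    for user, problem in check_grants(SAMPLE_GRANTS):
        print(f"{user}: {problem}")
    print(validate_refresh("uat", scrambled=False, operator="nightly-job"))
```

Running it lists four findings (carol's dbo on UAT, dave's prod-copy access, frank's missing sign-off, alice's combined support and developer roles) and rejects the unscrambled automated refresh; a grant list exported from the real systems could be fed through the same check before each audit.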