Re: Back and a Question

  • From: ryan_gaffuri@xxxxxxxxxxx
  • To: "Jared Still" <jkstill@xxxxxxxxx>
  • Date: Tue, 15 Aug 2006 23:12:58 +0000

What do people think about having a security analyst on a team with sensitive 
data? This is not a technical person. Someone who is in charge of policy and 
reviews designs to make sure they meet security policy. We had one on my last 
project. I only had one interaction with her. She interjected herself into 
something that she thought might be insecure and we swapped a few emails and 
worked out a compromise. It was not much of a hassle at all. It was kind of 
nice to know you have someone making sure you don't make a stupid security 
mistake. 


-------------- Original message -------------- 
From: "Jared Still" <jkstill@xxxxxxxxx> 
On 8/15/06, ryan_gaffuri@xxxxxxxxxxx <ryan_gaffuri@xxxxxxxxxxx> wrote:
I was told by management that SOX states developers can't have access to 
production. Might be a misinterpretation of some agreement with auditors. Even 
with read-only access you open the door to people downloading data and putting 
it up for sale on eBay which is where this comes from. 

While possible, I think most IT folks are at least smart enough
to know that selling proprietary information on eBay would be
easily traceable.

Though there are other ways to dispose of the data. 

I think the greater concern is that someone could form a shell company,
redirect money to the company, and then leave.

If done well, it could take a while to discover the problem.

-- 
Jared Still 
Certifiable Oracle DBA and Part Time Perl Evangelist
