What do people think about having a security analyst on a team with sensitive data? This is not a technical person. Someone who is in charge of policy and reviews designs to make sure they meet security policy. We had one on my last project. I only had one interaction with her. She interjected herself into something that she thought might be insecure and we swapped a few emails and worked out a compromise. It was not much of a hassle at all. It was kind of nice to know you have someone making sure you don't make a stupid security mistake.

-------------- Original message --------------
From: "Jared Still" <jkstill@xxxxxxxxx>

On 8/15/06, ryan_gaffuri@xxxxxxxxxxx <ryan_gaffuri@xxxxxxxxxxx> wrote:

I was told by management that SOX states developers can't have access to production. Might be a misinterpretation of some agreement with auditors. Even with read-only access you open the door to people downloading data and putting it up for sale on eBay, which is where this comes from.

While possible, I think most IT folks are at least smart enough to know that selling proprietary information on eBay would be easily traceable. Though there are other ways to dispose of the data.

I think the greater concern is that someone could form a shell company, redirect money to the company, and then leave. If done well, it could take a while to discover the problem.

--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist