Re: Back and a Question
- From: ryan_gaffuri@xxxxxxxxxxx
- To: "Jared Still" <jkstill@xxxxxxxxx>
- Date: Tue, 15 Aug 2006 23:12:58 +0000
What do people think about having a security analyst on a team with sensitive
data? This is not a technical person. Someone who is in charge of policy and
reviews designs to make sure they meet security policy. We had one on my last
project. I only had one interaction with her. She interjected herself into
something that she thought might be insecure and we swapped a few emails and
worked out a compromise. It was not much of a hassle at all. It was kind of
nice to know you have someone making sure you don't make a stupid security
mistake.
-------------- Original message --------------
From: "Jared Still" <jkstill@xxxxxxxxx>
On 8/15/06, ryan_gaffuri@xxxxxxxxxxx <ryan_gaffuri@xxxxxxxxxxx> wrote:
I was told by management that SOX states developers can't have access to
production. Might be a misinterpretation of some agreement with auditors. Even
with read-only access you open the door to people downloading data and putting
it up for sale on eBay, which is where this comes from.
While possible, I think most IT folks are at least smart enough
to know that selling proprietary information on eBay would be
easily traceable.
Though there are other ways to dispose of the data.
I think the greater concern is that someone could form a shell company,
redirect money to the company, and then leave.
If done well, it could take a while to discover the problem.
--
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist