RE: Back and a Question

  • From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • To: <ryan_gaffuri@xxxxxxxxxxx>, <dbvision@xxxxxxxxxxxx>, "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 16 Aug 2006 09:24:28 -0600

You should speak with your auditors to get clarification on the subject
of developers having access to production.  My guess is there are no
formal change control procedures in place.

rr

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of
ryan_gaffuri@xxxxxxxxxxx
Sent: Wednesday, August 16, 2006 7:52 AM
To: dbvision@xxxxxxxxxxxx; oracle-l
Cc: Nuno Souto
Subject: Re: Back and a Question

If it doesn't state in SOX that developers can't have access to
production data, how do the auditors determine what is a violation?

Not having access to PROD data is a real problem for ETL systems that
receive external data feeds. You can have a lot of validation checks when
you get the file, but you will never catch everything and sometimes you
get bad data. You need people to check it.

I guess the other option is to 'promote' a developer to systems
administrator and put him on the production team so he can look at the
data? 

        -------------- Original message -------------- 
        From: Nuno Souto <dbvision@xxxxxxxxxxxx> 
        
        > From where I stand, it's exactly like Ryan described: 
        > we got SOx-audited last year and again this year and in both 
        > occasions access to production by developers came up as an 
        > absolute no-no and something we simply cannot allow. 
        > Which I tend to agree with, BTW. ;-) 
        > 
        > 
        > -- 
        > Cheers 
        > Nuno Souto 
        > from sunny Sydney 
        > 
        > 
        > 
        > Quoting David Aldridge : 
        > 
        > > Tsh, is there any lie that those operations people won't tell in order 
        > > to keep us out of their sandbox? 
        > > 
        > > Seriously though, I don't think that SOX is that detailed, and I don't 
        > > believe any STIG is either. It sounds like that rule is more along the 
        > > lines of an _interpretation_ of the regulations, or a quoting of the 
        > > regulations to justify a rule (depending on your degree of cynicism). 
        > > 
        > > ryan_gaffuri@xxxxxxxxxxx wrote: 
        > > > 
        > > > I did DOD before this. I am doing financial now. The federal government 
        > > > actually passed security laws for financial companies as part of 
        > > > Sarbanes-Oxley (SOX). I was told by operations that one of the rules is 
        > > > that development cannot have access to production data. That is a 
        > > > problem for production support when you get data issues. 
        > -- 
        > //www.freelists.org/webpage/oracle-l 
        > 
        > 
