Re: Back and a Question

  • From: ryan_gaffuri@xxxxxxxxxxx
  • To: jkstill@xxxxxxxxx, david@xxxxxxxxxxxxxxxxxx
  • Date: Tue, 15 Aug 2006 22:50:42 +0000

I was told by management that SOX states developers can't have access to 
production. Might be a misinterpretation of some agreement with auditors. Even 
with read-only access you open the door to people downloading data and putting 
it up for sale on eBay, which is where this comes from. The only way I know to 
mitigate that is to limit who has access, audit the access, and tell people with 
access how many ways they will be raped in prison if they break the law. 


-------------- Original message -------------- 
From: "Jared Still" <jkstill@xxxxxxxxx> 


On 15 Aug 2006 13:03:01 -0700, David Aldridge <david@xxxxxxxxxxxxxxxxxx> wrote:
Tsh, is there any lie that those operations people won't tell in order
to keep us out of their sandbox?

Seriously though, I don't think that SOX is that detailed, and I don't
believe any STIG is either. It sounds like that rule is more along the 
lines of an _interpretation_ of the regulations, or a quoting of the
regulations to justify a rule (depending on your degree of cynicism).


SOX is not that detailed.

The details are agreed upon by your company and your auditing company of 
choice. 

There are no rules that state "developers cannot have access to production data".

It is highly unlikely that a developer, or anyone else for that matter, will 
get an account that is anything other than read-only. 

DBAs are an exception to that. There should be safeguards to ensure that
DBAs cannot muck around with that data. I believe Oracle Data Vault will do 
that.



Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist 
