RE: Back and a Question

  • From: "Reidy, Ron" <Ron.Reidy@xxxxxxxxxxxxxxxxxx>
  • To: <ryan_gaffuri@xxxxxxxxxxx>, <jkstill@xxxxxxxxx>, <david@xxxxxxxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 18:24:16 -0600

Ryan,

 

Section 404 does not specify this at all.  It does specify:

 

A statement of management's responsibility for establishing and
maintaining adequate internal control over financial reporting for the
company  

A statement identifying the framework used by management to evaluate the
effectiveness of internal control  

Management's assessment of the effectiveness of internal control as of
the end of the company's most recent fiscal year 

Disclosure of material weaknesses (A material weakness is a significant
deficiency or combination of significant deficiencies that result in
more than a remote likelihood that a material misstatement will not be
prevented or detected.) 

A statement that its auditor has issued an attestation report on
management's assessment

There is nothing about access restrictions in section 404.  SOX is about
accountability (and full employment for the Big 4/5 accounting firms)
and controls.  The controls are evaluated and assessed by both the
internal auditors (if any) and external auditing firm.  When they are
satisfied you have defined controls to ensure SOX compliance and that
you are monitoring actions to ensure these controls are followed, then
you are in compliance.  

 

My company uses the COBIT Guidelines and the COSO Guidelines as the
blueprints for our controls.  I personally use COBIT for my internal
auditing assessments (yes, I do these annually; yes, it is like the fox
watching the hen house).  

 

I also spend great amounts of time applying the CPU patches and keeping
my DB instances as up to date as possible.  I do this because, in my
opinion, if your DB is not as secure as possible, there is no way you
can be in compliance.  This is because if you are hacked, you cannot
meet the 404 requirements cited above.  Again, this is just my opinion
and not intended to start a flame war.

 

It is a valid point to try and restrict access to prevent IP theft, but
you might find this an even harder task to implement than the 404
remediations.  I have implemented resource limits on the developers at
my company to try and prevent this, but the risk still exists.
Management knows this and also knows that completely eliminating the
risk is almost impossible from this standpoint.  So, we use other
methods to secure our IP (digital signatures etc.).

 

--

Ron Reidy

Lead DBA

Array BioPharma, Inc.

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of
ryan_gaffuri@xxxxxxxxxxx
Sent: Tuesday, August 15, 2006 4:51 PM
To: jkstill@xxxxxxxxx; david@xxxxxxxxxxxxxxxxxx
Cc: Jared Still; oracle-l
Subject: Re: Back and a Question

 

I was told by management that SOX states developers can't have access to
production. Might be a misinterpretation of some agreement with
auditors.  Even with read only access you open the door to people
downloading data and putting it up for sale on ebay which is where this
comes from. The only way I know to mitigate that is limit who has
access, audit the access, and tell people with access how many ways they
will be raped in prison if they break the law. 

 

 

        -------------- Original message -------------- 
        From: "Jared Still" <jkstill@xxxxxxxxx> 

        On 15 Aug 2006 13:03:01 -0700, David Aldridge
        <david@xxxxxxxxxxxxxxxxxx> wrote: 

        Tsh, is there any lie that those operations people won't tell in
        order to keep us out of their sandbox?

        Seriously though, I don't think that SOX is that detailed, and I
        don't believe any STIG is either. It sounds like that rule is more
        along the lines of an _interpretation_ of the regulations, or a
        quoting of the regulations to justify a rule (depending on your
        degree of cynicism).

        SOX is not that detailed.

        The details are agreed upon by your company and your auditing
        company of choice. 

        There are no rules that state "developers cannot have access to
        production data"

        It is highly unlikely that a developer, or anyone else for that
        matter, will get an account that is anything other than read only. 

        DBAs are an exception to that.   There should be safeguards to
        ensure that DBAs cannot muck around with that data.  I believe
        Oracle Data Vault will do that.

        
        Jared Still
        Certifiable Oracle DBA and Part Time Perl Evangelist 

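The controls the thread keeps returning to (Jared's read-only account, Ryan's "limit who has access, audit the access", Ron's resource limits on developers) are ordinary Oracle DDL. The following is an added illustration written for this page, not code posted by anyone in the thread. It is Oracle SQL; the FIN schema, its two tables, the DEV_RO user, the profile and role names, and the placeholder password are all hypothetical.

```sql
-- Added example, not from the thread.  Oracle SQL; FIN, GL_JOURNAL,
-- AP_INVOICE, DEV_RO and the profile/role names are hypothetical.

-- 1. Resource limits on developer sessions (Ron's point).  CONNECT_TIME,
--    IDLE_TIME and the read caps are only enforced when RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE dev_readonly_profile LIMIT
  SESSIONS_PER_USER       2
  CONNECT_TIME            480       -- minutes
  IDLE_TIME               30        -- minutes
  LOGICAL_READS_PER_CALL  100000    -- blocks per statement; caps "select everything" pulls
  FAILED_LOGIN_ATTEMPTS   5
  PASSWORD_LIFE_TIME      90;       -- days

-- 2. A read-only role: SELECT on named objects only, no ANY privileges,
--    no quota, so the account cannot stage copies inside the database.
CREATE ROLE fin_reader;
GRANT SELECT ON fin.gl_journal TO fin_reader;
GRANT SELECT ON fin.ap_invoice TO fin_reader;

CREATE USER dev_ro IDENTIFIED BY "placeholder_password_change_me"   -- hypothetical
  PROFILE dev_readonly_profile
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;
GRANT CREATE SESSION TO dev_ro;
GRANT fin_reader TO dev_ro;

-- 3. Audit the access (Ryan's point).  Standard auditing needs AUDIT_TRAIL
--    set in the spfile and a restart; DB,EXTENDED also records the SQL text.
-- ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
AUDIT SELECT ON fin.gl_journal BY ACCESS;
AUDIT SELECT ON fin.ap_invoice BY ACCESS;
AUDIT SESSION BY dev_ro;

-- 4. Evidence for the auditor: who read the financial tables, from which
--    host, and what they ran, over the last day.
SELECT username,
       os_username,
       userhost,
       obj_name,
       action_name,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS read_at,
       sql_text
FROM   dba_audit_trail
WHERE  owner = 'FIN'
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp;
```

Two caveats a practitioner would want alongside this. First, LOGICAL_READS_PER_CALL bounds a single statement, not a session; someone determined to copy a table can still page through it in small queries, which is exactly why the audit trail, not the limit, is the control that matters for Ryan's "put it up for sale" scenario. Second, a read-only grant plus auditing gives you detection and accountability, not prevention; nothing in standard auditing stops the SELECT from succeeding, and the DBA who owns the audit trail is still outside these controls, which is the gap Jared points at Oracle Data Vault to close.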
