ryan_gaffuri@xxxxxxxxxxx wrote, on my timestamp of 16/08/2006 11:51 PM:
if it doesn't state in SOX that developers can't have access to production data, how do the auditors determine what is a violation?
Exactly.
Not having access to PROD data is a real problem for ETL systems that receive external data feeds. You can have a lot of validation checks when you get the file, but you will never catch everything and sometimes you get bad data. You need people to check it.
I guess the other option is to 'promote' a developer to systems administrator and put him on the production team so he can look at the data?
Narh. Knock up a coupla screens in htmldb or other similar RAD tool, let them access data through an application interface, using a given uid and "canned" sql. Audit every last breath of that id.
Last thing you want is a developer loose in a production system with sqlplus or, worse, sqlnavigator or some such development tool.
Or worse: an "educated" user with a tool like Toad or sqlnavigator: what stops that user from taking the entire schema, sql and pl/sql code and everything else easily available to their next job at one of your competitors? Ah yes: ethics? Sure!...
--
Cheers
Nuno Souto
in sunny Sydney, Australia
dbvision@xxxxxxxxxxxx
--
//www.freelists.org/webpage/oracle-l
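The "given uid plus canned sql, audited" pattern from the post above, written out as an added Oracle example (not code from the original thread or from either poster). All names are assumptions for illustration: a schema owner ETL_OWNER holding a table FEED_REJECTS of rows that failed feed validation, a review account FEED_CHECK for the developer, and a package FEED_REVIEW that exposes the only query that account can run. The point is that FEED_CHECK gets CREATE SESSION and EXECUTE on the package, nothing else: no SELECT on base tables, no dynamic SQL inside the package, and the parameter is bound, so there is nothing for a sqlplus or Toad user to turn into an arbitrary query.

```sql
-- Added example (hypothetical names): canned-SQL access to production data
-- through a definer's-rights package, with traditional auditing turned on.

-- 1. The review account: can log in, and that is all.
CREATE USER feed_check IDENTIFIED BY "ChangeMe-Before-Use-1";
GRANT CREATE SESSION TO feed_check;
-- Deliberately NO grant on etl_owner.feed_rejects or any other table.

-- 2. The canned query, owned by the schema owner and run with its rights.
--    Returns a ref cursor so htmldb / sqlplus can render it as a report.
CREATE OR REPLACE PACKAGE etl_owner.feed_review AUTHID DEFINER AS
  TYPE feed_rc IS REF CURSOR;
  FUNCTION rejected_rows(p_feed_id IN NUMBER) RETURN feed_rc;
END feed_review;
/
CREATE OR REPLACE PACKAGE BODY etl_owner.feed_review AS
  FUNCTION rejected_rows(p_feed_id IN NUMBER) RETURN feed_rc IS
    c feed_rc;
  BEGIN
    -- Static SQL with a bound parameter: the caller picks a feed id,
    -- never a table, column or predicate.
    OPEN c FOR
      SELECT row_no, reject_reason, raw_line
        FROM etl_owner.feed_rejects
       WHERE feed_id = p_feed_id
       ORDER BY row_no;
    RETURN c;
  END rejected_rows;
END feed_review;
/

-- 3. The only object privilege the review account ever receives.
GRANT EXECUTE ON etl_owner.feed_review TO feed_check;

-- 4. Audit every breath of that id (needs AUDIT_TRAIL=DB or DB,EXTENDED).
AUDIT SESSION BY feed_check;                      -- every logon/logoff
AUDIT EXECUTE ON etl_owner.feed_review BY ACCESS; -- every canned query call
AUDIT SELECT TABLE BY feed_check BY ACCESS;       -- any direct SELECT attempt,
                                                  -- which should fail anyway

-- 5. How the developer uses it from sqlplus (or behind an htmldb screen):
--    VARIABLE rc REFCURSOR
--    EXEC :rc := etl_owner.feed_review.rejected_rows(42);
--    PRINT rc

-- 6. Checks a reviewer (or auditor) can run afterwards:
--    a) the account holds exactly one object grant
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'FEED_CHECK';
--    b) what it actually did, with the feed id it asked for when
--       AUDIT_TRAIL=DB,EXTENDED captures the statement text
SELECT timestamp, action_name, obj_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE username = 'FEED_CHECK'
 ORDER BY timestamp;
```

A non-zero RETURNCODE on a SELECT TABLE audit row is exactly the "developer tried sqlplus against the base table" event the post warns about, and the DBA_TAB_PRIVS check is the one-liner that proves to an auditor the account never had more than EXECUTE on the package. Extending the same package with more canned functions keeps the access surface enumerable, which a direct SELECT grant never is.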