Re: Back and a Question

  • From: Nuno Souto <dbvision@xxxxxxxxxxxx>
  • Date: Thu, 17 Aug 2006 20:50:58 +1000

ryan_gaffuri@xxxxxxxxxxx wrote, on my timestamp of 16/08/2006 11:51 PM:

if it doesn't state in SOX that developers can't have access to production data, how do the auditors determine what is a violation?

Exactly.


Not having access to PROD data is a real problem for ETL systems that receive external data feeds. You can have a lot of validation checks when you get the file, but you will never catch everything and sometimes you get bad data. You need people to check it.
I guess the other option is to 'promote' a developer to systems administrator and put him on the production team so he can look at the data?


Narh.  Knock-up a coupla screens in htmldb or other similar RAD tool,
let them access data through an application interface, using a
given uid and "canned" sql.  Audit every last breath of that id.

Last thing you want is a developer loose in a production system
with sqlplus or worse: sqlnavigator or some such development tool.

Or worse: an "educated" user with a tool like Toad or sqlnavigator:
what stops that user from taking the entire schema, sql and pl/sql
code and everything else easily available to their next job at
one of your competitors?  Ah yes: ethics?  Sure!...

--
Cheers
Nuno Souto
in sunny Sydney, Australia
dbvision@xxxxxxxxxxxx
--
//www.freelists.org/webpage/oracle-l
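The pattern Nuno describes (a dedicated account, "canned" SQL behind an application screen, and auditing of that one id) is easy to sketch in Oracle DDL. The block below is an added example for this thread, not code from the post or from any named product; the schema `etl_owner`, the table `feed_inbound`, the view, the procedure and the user `data_checker` are all hypothetical, and the syntax is Oracle's traditional auditing, which requires `AUDIT_TRAIL` to be set (for example `AUDIT_TRAIL=DB`) before the `AUDIT` statements produce records. An HTML DB / RAD screen would then connect as `data_checker` and only ever run the view and the procedure.

```sql
-- Added example (not from the thread): a locked-down account for checking
-- inbound ETL data, plus auditing of everything that account does.
-- Schema, table, view, procedure and user names are hypothetical.
-- Oracle traditional auditing: AUDIT_TRAIL must be enabled (e.g. AUDIT_TRAIL=DB
-- in the init parameters, then a restart) for the AUDIT statements to record.

-- 1. A dedicated account with no privilege beyond logging in and no quota,
--    so it cannot create objects of its own.
CREATE USER data_checker IDENTIFIED BY "<replace-with-strong-password>"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;
GRANT CREATE SESSION TO data_checker;

-- 2. The "canned" SQL lives in a view owned by the ETL schema and exposes
--    only the columns a checker needs to judge a rejected feed record.
CREATE OR REPLACE VIEW etl_owner.v_feed_rejects AS
  SELECT feed_id, received_at, line_no, reject_reason, raw_line
    FROM etl_owner.feed_inbound
   WHERE status = 'REJECTED';

GRANT SELECT ON etl_owner.v_feed_rejects TO data_checker;

-- 3. Any correction goes through a definer's-rights procedure, so the checker
--    never holds UPDATE on the base table; the procedure fixes what may change
--    and records who changed it.
CREATE OR REPLACE PROCEDURE etl_owner.mark_reject_reviewed (
  p_feed_id  IN etl_owner.feed_inbound.feed_id%TYPE,
  p_line_no  IN etl_owner.feed_inbound.line_no%TYPE,
  p_note     IN VARCHAR2)
AUTHID DEFINER
AS
BEGIN
  UPDATE etl_owner.feed_inbound
     SET status      = 'REVIEWED',
         review_note = SUBSTR(p_note, 1, 200),
         reviewed_by = SYS_CONTEXT('USERENV', 'SESSION_USER'),
         reviewed_at = SYSTIMESTAMP
   WHERE feed_id = p_feed_id
     AND line_no = p_line_no
     AND status  = 'REJECTED';
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'No rejected row matched');
  END IF;
END;
/
GRANT EXECUTE ON etl_owner.mark_reject_reviewed TO data_checker;

-- 4. Audit every statement the account issues, one record per statement
--    (BY ACCESS), including logons and failed logon attempts.
AUDIT SESSION BY data_checker;
AUDIT SELECT TABLE, EXECUTE PROCEDURE BY data_checker BY ACCESS;
AUDIT ALL BY data_checker BY ACCESS;   -- anything else the account tries

-- 5. What the reviewer reads: the trail for that one account, including
--    RETURNCODE so denied attempts (non-zero) stand out.
SELECT timestamp, username, os_username, userhost, action_name,
       obj_name, returncode
  FROM dba_audit_trail
 WHERE username = 'DATA_CHECKER'
 ORDER BY timestamp;
```

The point of the split between the view and the procedure is that the account's privileges describe exactly what the screen can do: read rejected rows, mark one as reviewed, nothing else. Because the grants are on the view and the procedure rather than on `feed_inbound`, a developer who borrows the account with sqlplus or Toad still cannot dump the base table or the rest of the schema, and the audit trail shows the attempt.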