Hidden or Unknown Job Perks

  • Jeff Moden (10/27/2010)


    I have to say that the perks I enjoy are a whole lot less obvious. I'm really starting to dislike working for "publicly owned" companies because of all the unnecessary stuff that some people think SOX Section 404 implies for IT. I can't really go into it because of an NDA, but... oh my! I understand the need for safeguards but privately owned companies are so much easier to work for.

    even private companies with publicly owned debt have to go through SOX. not really that bad after the first one or two audits. there were a few things i should have done years ago that i only did after we started SOX. things like creating processes to track security and things like backups and email daily reports.

  • I'll certainly Google it but we know how that sometimes goes... so let me ask... for those of you who have gone through a SOX audit on SQL Server (or any RDBMS for that matter), can any of you provide some advice as to what they specifically look for? Section 404 is pretty much nondescript.

    I've been with a couple of companies through audits but I never got any feedback as to what the auditors were looking for when it came to source controls on code and what levels of accountability they may be looking for. One company that I worked for insisted that the Dev database should match the QA database for a release candidate. My take is that just shouldn't matter. Now... QA matching production at the time of release? Yeah... I'll definitely agree with that. But Dev being an exact match of QA? Not so much, and that's mostly why I'm asking for what other folks have experienced with SOX auditors for SQL code.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • I've been through four, but only managed to find *one* auditor who would actually talk to me. They tend to be incredibly tight lipped, but we smoked together a bit and he didn't realize who I was. Ethics on that aside...

    It seems they primarily cared about 3 things, or at least this one did, I never could get the other 3 to talk to me.

    1) Business has a chance to signoff on ALL modifications before deployment to production. Be it a QA-Prod match server, or a UAT server, they want a 'business expert' to signoff in some way on 'computing changes'.

    2) Data security. They don't really care WHO has access to the data, but they want a nearly immediately producible list of who CAN access it, and at what degrees. The primary purpose of this is so no one can claim un-accountability.

    3) Documentation on financial and/or accounting components that spell out where the money's going when. This is to make sure that business has a 'business understandable' design that they can sign off on *in entirety* before it's transferred to technical staffing for conversion to code. The idea here is that a technical mistake is simply a mistake, but if it acts like the document that legal/accounting signed off on, heads roll if it's breaking laws.

    In short, it seems that the auditors are making sure that executives who should know better aren't burying their tech staff with bad decisions, because the tech staff isn't supposed to know better.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

    For better assistance in answering your questions | Forum Netiquette
    For index/tuning help, follow these directions. | Tally Tables

    Twitter: @AnyWayDBA
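    Craig's second point (a list of who CAN access the data, and at what degree, producible on demand) is the one a DBA can answer directly from the catalog views. The T-SQL below is an added example, not code from the thread; it assumes a table named dbo.Payroll (substitute your own sensitive object) and shows both explicit object-level grants and the fixed database roles that reach everything regardless of grants:

```sql
-- Added example (not from the thread): who can reach a given table, and how.
-- dbo.Payroll is an assumed name; point @Object at your own sensitive table.
DECLARE @Object sysname = N'dbo.Payroll';

-- 1) Permissions granted or denied directly on the object
SELECT  dp.name       AS principal_name,
        dp.type_desc  AS principal_type,     -- SQL_USER, WINDOWS_USER, WINDOWS_GROUP, ...
        pe.permission_name,
        pe.state_desc AS grant_state         -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE   pe.class    = 1                      -- OBJECT_OR_COLUMN
AND     pe.major_id = OBJECT_ID(@Object)

UNION ALL

-- 2) Members of fixed roles that can read or write every table without an explicit grant
SELECT  m.name,
        m.type_desc,
        CASE r.name WHEN 'db_owner'      THEN 'CONTROL'
                    WHEN 'db_datawriter' THEN 'INSERT/UPDATE/DELETE'
                    WHEN 'db_datareader' THEN 'SELECT' END,
        'ROLE: ' + r.name
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('db_owner', 'db_datareader', 'db_datawriter')
ORDER BY principal_name;
```

    Two caveats when handing this to an auditor: a row whose principal_type is WINDOWS_GROUP names a group, not a person, so the group still has to be expanded against Active Directory to answer "who"; and server-level sysadmin members do not appear here at all, so the server principals need to be listed alongside the database result.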

  • Craig Farrell (10/29/2010)


    I've been through four, but only managed to find *one* auditor who would actually talk to me. They tend to be incredibly tight lipped, but we smoked together a bit and he didn't realize who I was. Ethics on that aside...

    It seems they primarily cared about 3 things, or at least this one did, I never could get the other 3 to talk to me.

    1) Business has a chance to signoff on ALL modifications before deployment to production. Be it a QA-Prod match server, or a UAT server, they want a 'business expert' to signoff in some way on 'computing changes'.

    2) Data security. They don't really care WHO has access to the data, but they want a nearly immediately producible list of who CAN access it, and at what degrees. The primary purpose of this is so no one can claim un-accountability.

    3) Documentation on financial and/or accounting components that spell out where the money's going when. This is to make sure that business has a 'business understandable' design that they can sign off on *in entirety* before it's transferred to technical staffing for conversion to code. The idea here is that a technical mistake is simply a mistake, but if it acts like the document that legal/accounting signed off on, heads roll if it's breaking laws.

    In short, it seems that the auditors are making sure that executives who should know better aren't burying their tech staff with bad decisions, because the tech staff isn't supposed to know better.

    Well that explains why I was never given any feedback... Tight-lipped auditors.

    I really appreciate the 3 points you offered as feedback. Oddly enough, I practice all 3 points in my day to day activities except I DO care who has access. 😉 It all boils down to common sense that you just happen to have written down. Thanks, Craig.

    --Jeff Moden


  • i've been through a few and here is my experience

    1. separation of duties. no devs can access production. IT can't access the development environment.

    when I took CIS 101 in 1992 the teacher told us a story of a few developers at a bank who realized there is a fraction of a cent left over every day per customer account after the interest is compounded. they updated their apps to transfer that money to their own personal accounts. they got caught after an internal audit.

    2. security. only the people who need access to the data should have it. especially with anything that produces revenue.

    a few years ago we got dinged because someone was in a Windows Security group that had write access to a very important table. problem was that we couldn't produce something in writing why she had access. and we found a generic service account in it with nothing in writing why it was there. the auditors don't care who has access, just that management knows they have access. especially if your job description is peon and not director of something.

    3. backups - after we send the screen shots of our backup policies the auditors ask to see proof of tape pickups and they randomly pick a few days out of the year and tell us to produce proof that backups took place those days. and they ask to see proof of test restores

    4. written policies - they want to see procedures in writing and that they are being followed

    the first 2 audits were rough. earlier this year i started dumping data into a DBA warehouse and wrote some reports that get emailed daily via SSRS to a bunch of people. i have 3-4 daily backup reports that show the latest backups for servers and databases and any failures. a bunch of security reports including one that shows changes in Active Directory groups. few months ago i caught someone added to a group in #2 that shouldn't have been. turned out the person who created the account copied the manager's AD account and just changed the name.

    it's also pretty good in making sure you ask people to open trouble tickets for everything, since everyone works with annoying people that are looking for best friends where they can email you or call you and ask for something "off the record". and that you look at any issues right away instead of maybe putting it off. a few reports i wrote are written especially for that.

    It's mostly BS; since Enron and MCI everyone was following the internal procedures. only thing is that it requires CEOs to sign the financial reports and this is mostly to prove to the CEO that procedures are being followed and that he's signing legit info. it's kind of like the army where the commander was responsible for everything in the unit and there were tons of procedures to cover his a$$.

    we used to have similar audits in the Army. forgot the name but they called it a Tiger Team or something like that for the auditors that came over. they would pick a few vehicles at random and tell you to do a user check on it that you're supposed to do weekly. then the auditor looks at it and tries to find problems that you missed. the goal is to make sure that during the year you note any problems on the maintenance form and turn it in and that the mechanics fix them. otherwise you have to explain yourself. then they make sure you have all your manuals and records are organized according to the rules. places like the arms room get special attention.

    my wife has worked in HIPAA environments for years and it's the same thing. especially patient privacy. a lot of big hospitals have electronic records and they track who's seen specific charts. especially with VIPs. if they catch you looking at a chart you don't have business looking at then you are fired.
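    The daily report alen describes (dump group membership into a DBA warehouse, then flag changes in Active Directory groups) is a snapshot diff. The T-SQL below is an added example, not alen's code; the warehouse table dbo.AdGroupMembership, its nightly loader and the sample rows are all assumptions constructed for the example. It finds members added to or removed from each group between two snapshot dates, which is exactly the case where a new account was cloned from a manager's account and landed in a sensitive group:

```sql
-- Added example (not from the thread): diff two daily snapshots of AD group membership.
-- The table and its loader are assumed; a nightly job would populate one row per
-- (snapshot_date, group, member).
CREATE TABLE dbo.AdGroupMembership
(
    snapshot_date date    NOT NULL,
    group_name    sysname NOT NULL,
    member_sam    sysname NOT NULL,
    CONSTRAINT PK_AdGroupMembership PRIMARY KEY (snapshot_date, group_name, member_sam)
);

-- Constructed sample rows: two snapshots of one sensitive group
INSERT INTO dbo.AdGroupMembership (snapshot_date, group_name, member_sam) VALUES
('2010-11-01', 'GL_Finance_Write', 'jdoe'),
('2010-11-01', 'GL_Finance_Write', 'svc_reporting'),
('2010-11-02', 'GL_Finance_Write', 'jdoe'),
('2010-11-02', 'GL_Finance_Write', 'svc_reporting'),
('2010-11-02', 'GL_Finance_Write', 'newhire');      -- appeared overnight

DECLARE @Today     date = '2010-11-02';
DECLARE @Yesterday date = DATEADD(day, -1, @Today);

-- Set difference in each direction: in today's snapshot but not yesterday's = ADDED,
-- in yesterday's but not today's = REMOVED. EXCEPT keeps the whole thing set based.
SELECT group_name, member_sam, 'ADDED' AS change_type
FROM (
    SELECT group_name, member_sam FROM dbo.AdGroupMembership WHERE snapshot_date = @Today
    EXCEPT
    SELECT group_name, member_sam FROM dbo.AdGroupMembership WHERE snapshot_date = @Yesterday
) AS added
UNION ALL
SELECT group_name, member_sam, 'REMOVED'
FROM (
    SELECT group_name, member_sam FROM dbo.AdGroupMembership WHERE snapshot_date = @Yesterday
    EXCEPT
    SELECT group_name, member_sam FROM dbo.AdGroupMembership WHERE snapshot_date = @Today
) AS removed
ORDER BY change_type, group_name, member_sam;
```

    The result is the row set an SSRS subscription would mail out each morning; an empty result is the normal case, and any row on a group that guards a revenue-producing table is the one to open a ticket for, so that the "something in writing" the auditors ask about exists before they ask.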

  • alen teplitsky (11/1/2010)


    i've been through a few and here is my experience

    1. separation of duties. no devs can access production. IT can't access the development environment.

    when I took CIS 101 in 1992 the teacher told us a story of a few developers at a bank who realized there is a fraction of a cent left over every day per customer account after the interest is compounded. they updated their apps to transfer that money to their own personal accounts. they got caught after an internal audit.

    Hmm.. I'd take this with a grain of salt. It was what Richard Pryor's character did in Superman III..

  • shaun.stuart (11/1/2010)


    alen teplitsky (11/1/2010)


    i've been through a few and here is my experience

    1. separation of duties. no devs can access production. IT can't access the development environment.

    when I took CIS 101 in 1992 the teacher told us a story of a few developers at a bank who realized there is a fraction of a cent left over every day per customer account after the interest is compounded. they updated their apps to transfer that money to their own personal accounts. they got caught after an internal audit.

    Hmm.. I'd take this with a grain of salt. It was what Richard Pryor's character did in Superman III..

    the teacher was working in bank IT as a day job. i took college accounting in my senior year of high school and they let us take a real college class at Pace University for free. i took CIS 101 at night.

  • I heard the same story in 1987 - in a class named "Automated Accounting Information Systems". It was also done in the movie Office Space.

    Probably was attempted once in like 1970 something and has been on the radar ever since.

  • alen teplitsky (11/1/2010)


    shaun.stuart (11/1/2010)


    alen teplitsky (11/1/2010)


    i've been through a few and here is my experience

    1. separation of duties. no devs can access production. IT can't access the development environment.

    when I took CIS 101 in 1992 the teacher told us a story of a few developers at a bank who realized there is a fraction of a cent left over every day per customer account after the interest is compounded. they updated their apps to transfer that money to their own personal accounts. they got caught after an internal audit.

    Hmm.. I'd take this with a grain of salt. It was what Richard Pryor's character did in Superman III..

    the teacher was working in bank IT as a day job. i took college accounting in my senior year of high school and they let us take a real college class at Pace University for free. i took CIS 101 at night.

    This was also the plot of Office Space. I also heard about this back in the early 90's when I was in college. It probably really did happen but as far as I know it is more of an urban legend now.

    ---------------------------------------------------------------------
    Use Full Links:
    KB Article from Microsoft on how to ask a question on a Forum

  • Now THAT would make an interesting discrimination court case. 😉 I can see the judge now... "Didn't you know you weren't supposed to walk into the den of Lions with a pork chop tied around your neck?"

    3.....2......1...... Bing!! First pork chop of the day from Jeff!

    errr.... that's tofu chop

    Rich

  • I work for the state, so hidden perks? Fuhgeddaboutit!

    However, I do get free flu shots, and I have a good project manager :-).

    I once worked for a place that provided food and soda. I gained lots of weight.:sick:

  • The company I work for gives you a small birthday and christmas present each year, plus some choccies at easter.

    Hope this helps,
    Rich


  • Jeff,

    The SOX reviews that I've been through are pretty closed unless something was wrong and then you had to get it fixed.

    Some issues I know they look for.

    1. who has access to Social Security Numbers, Credit Card numbers, payroll information?

    2. this goes with #1, do you audit and keep an audit trail of who accesses personal data. This includes who makes changes/deletions and what the change/deletion was. They wanted a record of what the data looked like before and after.

    3. How does data get changed in Production? Is there a change approval process? Is there a test process?

    4. Who can change production data/objects? We had a production server where a business unit could create their own SSIS packages and jobs for business reports. SOX shot that down REAL quick. They weren't happy with that at all.

    5. this is a biggie...outside vendors should not have access to production servers.

    With #1 & 2, they want to know that personal information such as SSNs, Credit Card numbers do not exist on development servers. You are even better off if they don't exist on QA/Test servers. They want to see encrypted numbers on production and 'cover' numbers on all other servers.

    With #4 they want to see a progression of testing before something is put in production. If you allow developers full access to create their own stuff on a server, before anything gets moved to production it needs to be tested on a server that is 'locked down' like the production server.

    Finally, remember not all 'rules' will apply everywhere. Under SOX we are really strict because we work with medical information, which also has to follow HIPAA.

    -SQLBill
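    SQLBill's point #2, an audit trail of who changed personal data and what the row looked like before and after, is usually met on SQL Server with an audit table fed by a trigger. The T-SQL below is an added example, not SQLBill's code; dbo.Payroll, dbo.Payroll_Audit and the sample rows are assumptions constructed for it. One set-based trigger covers insert, update and delete, and records the login, the timestamp and the old and new values:

```sql
-- Added example (not from the thread): before/after audit trail for a sensitive table.
-- Table and trigger names are assumed for the example.
CREATE TABLE dbo.Payroll
(
    employee_id int           NOT NULL PRIMARY KEY,
    salary      decimal(12,2) NOT NULL
);

CREATE TABLE dbo.Payroll_Audit
(
    audit_id    int IDENTITY(1,1) PRIMARY KEY,
    changed_at  datetime2(0)  NOT NULL CONSTRAINT DF_Payroll_Audit_When DEFAULT SYSUTCDATETIME(),
    changed_by  sysname       NOT NULL CONSTRAINT DF_Payroll_Audit_Who  DEFAULT ORIGINAL_LOGIN(),
    action      char(1)       NOT NULL,   -- I, U or D
    employee_id int           NOT NULL,
    old_salary  decimal(12,2) NULL,       -- NULL on insert
    new_salary  decimal(12,2) NULL        -- NULL on delete
);
GO
CREATE TRIGGER dbo.trg_Payroll_Audit ON dbo.Payroll
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- A FULL OUTER JOIN of the deleted (before) and inserted (after) pseudo-tables handles
    -- all three actions in one statement: only in inserted = insert, only in deleted =
    -- delete, in both = update. Multi-row statements are audited row by row.
    INSERT INTO dbo.Payroll_Audit (action, employee_id, old_salary, new_salary)
    SELECT  CASE WHEN d.employee_id IS NULL THEN 'I'
                 WHEN i.employee_id IS NULL THEN 'D'
                 ELSE 'U' END,
            COALESCE(i.employee_id, d.employee_id),
            d.salary,          -- before
            i.salary           -- after
    FROM    inserted AS i
    FULL OUTER JOIN deleted AS d ON d.employee_id = i.employee_id;
END;
GO
-- Constructed sample activity: one insert, one update, one delete -> three audit rows
INSERT INTO dbo.Payroll (employee_id, salary) VALUES (1001, 50000.00);
UPDATE dbo.Payroll SET salary = 52000.00 WHERE employee_id = 1001;
DELETE FROM dbo.Payroll WHERE employee_id = 1001;

SELECT audit_id, action, employee_id, old_salary, new_salary, changed_by, changed_at
FROM   dbo.Payroll_Audit
ORDER BY audit_id;
```

    Two things make or break this as audit evidence. ORIGINAL_LOGIN() records the login that connected, so a shared or generic service account (the kind alen found sitting in a security group with nothing in writing) leaves the "who" unanswered; the application has to carry a real identity through. And the audit table is only as good as its permissions: the principals who can write dbo.Payroll must not be able to alter or delete from dbo.Payroll_Audit, which is the separation-of-duties point from earlier in the thread applied to the trail itself.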

  • I once worked for a company that paid for you and your spouse to spend the weekend at Lake Tahoe @ the Embassy Suites. He then hosted a huge party for everyone at his house on the Tahoe shoreline.

    I've also had the following -

    Phone

    Computer

    Free Sodas/Snacks

    Lunch every Friday

    Oh and when I used to work for Sun Micro.. they had 'Beer Busts' the first Friday of every month. (until someone got busted for a DUI and then that was over!!)

  • Susan-322874 (3/9/2011)


    I once worked for a company that paid for you and your spouse to spend the weekend at Lake Tahoe @ the Embassy Suites. He then hosted a huge party for everyone at his house on the Tahoe shoreline.

    I've also had the following -

    Phone

    Computer

    Free Sodas/Snacks

    Lunch every Friday

    Oh and when I used to work for Sun Micro.. they had 'Beer Busts' the first Friday of every month. (until someone got busted for a DUI and then that was over!!)

    I once worked at a place that had beer parties in the parking lot. After a while they got nervous and started limiting everyone to two beer tickets. However, I was on the organizing committee and always managed to work the beer booth, so ........
