Who Watches the Watchers?

  • In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

    The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

Brandie Tarvin, MCITP Database Administrator. LiveJournal Blog: http://brandietarvin.livejournal.com/ On LinkedIn!, Google+, and Twitter. Freelance Writer: Shadowrun. Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • What I've observed is that the compliance folks typically don't want access to anything. Otherwise they are performing GONZO auditing because they've added themselves into the mix. They want the technical folks to deliver copies of logs, documentation, access logs, audit logs/reports, etc. But here again, this does imply trust and an assumption that the dear old DBA doesn't have time or access to doctor everything prior to delivering the requested documentation.

    M

  • Ethics and integrity are a necessary basis for a fully-functional civilization. Those civilizations that don't play by those rules tend to tumble down.

Tell that to the folks at .gov and on Wall Street. Us little people can be as ethical and honest as possible, but it does absolutely no good in the long run if the problems at the C-level aren't corrected. I've seen more companies destroyed by management than data breaches or actions of the workers.

  • chrisn-585491 (12/3/2009)


    ...it does absolutely no good in the long run if the problems at the C-level aren't corrected. I've seen more companies destroyed by management than data breaches or actions of the workers.

    I worked at a company and the Director of SE had a meeting to inform us that "... they wanted to institute an annual mandatory drug screen for employees." A bunch of us agreed with him on the condition that it starts with senior management.

    It went no farther.

    Honor Super Omnia-
    Jason Miller

  • Brandie Tarvin (12/3/2009)


    In my experience, the Compliance team (or whatever name the watchdogs have) are not tech people. If a DBA wanted to get away with something, it would be easy to obfuscate the issue simply by throwing code and technical terms at them. And even if the DBA is trustworthy, if it's the sales guy who's taking the data for instance, the Compliance team has a whole other job to do. They can't sit at everyone's shoulder making sure that nothing is done without permission.

    The whole situation makes me think of David Weber's "Honor Harrington" series where the People's Republic literally assigned a citizen commissioner to each military commander. That commissioner's job was to watch, report on, and interfere with (as needed) the commander's job. How close will RL get to this before people realize no one can do their jobs?

We had that particular question come up recently (not because of an incident, because of an independent audit.) So - our Audit and compliance team contracted an external entity to hook up and store a remote, encrypted version of SQL Compliance manager, which not only tracks any changes made to the data when it's not tracking changes.

    So - the tracking company can't read what they're storing, unless internal compliance unlocks the data, and we can't get to the logging data.

    I'm sure there's a way to get around it, but at this point, it's like a car alarm: if it's enough of a pain, you will discourage meddling with the system.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
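The two worries raised in this thread, that the DBA who produces the log export could doctor it before handing it to compliance, and the split-control setup above where the custodian stores what it cannot read and the DBA cannot reach the stored logs, both come down to the same property: the people who generate the audit records must not be able to alter them undetectably. The example below, added here and not code from SQL Compliance Manager or anyone in the thread, shows the basic technique for that in Python: each exported event is chained to the previous one under an HMAC key that only the compliance side holds (the key, the sample events and the field names are all constructed for the example). It also covers the edge case a plain hash chain misses, silent truncation, by having compliance keep the last tag as an out-of-band checkpoint.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit events, standing in for rows exported from an
# audit tool. Logins, objects and counts are made up for this example.
SAMPLE_EVENTS = [
    {"seq": 1, "login": "dba01", "action": "SELECT", "object": "dbo.Customers", "rows": 25000},
    {"seq": 2, "login": "dba01", "action": "UPDATE", "object": "dbo.Customers", "rows": 1},
    {"seq": 3, "login": "app_svc", "action": "SELECT", "object": "dbo.Orders", "rows": 12},
]

# Hypothetical key held by the compliance side (or the external custodian),
# never by the DBA who produces the export. Constructed for the example.
COMPLIANCE_KEY = b"compliance-side-secret-key-example"

GENESIS = b"\x00" * 32  # the "previous tag" for the first record of a chain


def canonical(event):
    """Serialize an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_chain(events, key):
    """Append each event to a chain in which every record's tag covers the previous tag.

    Editing, deleting or reordering any earlier record changes every later tag,
    so a doctored export no longer verifies under the compliance key.
    """
    prev = GENESIS
    chain = []
    for ev in events:
        tag = hmac.new(key, prev + canonical(ev), hashlib.sha256).digest()
        chain.append({"event": ev, "prev": prev.hex(), "tag": tag.hex()})
        prev = tag
    return chain


def head(chain):
    """Tag of the last record; compliance stores this out of band as a checkpoint."""
    return chain[-1]["tag"] if chain else GENESIS.hex()


def verify_chain(chain, key, expected_head=None):
    """Return (ok, first_bad_index); first_bad_index is None when the chain is intact.

    Every tag is recomputed. The checkpoint is what catches silent truncation:
    a chain with its last records dropped is still internally consistent.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if bytes.fromhex(rec["prev"]) != prev:
            return False, i  # link to the previous record is broken (deleted/reordered)
        expected = hmac.new(key, prev + canonical(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return False, i  # the event content no longer matches its tag (edited)
        prev = expected
    if expected_head is not None and prev.hex() != expected_head:
        return False, len(chain)  # chain ends before the recorded checkpoint (truncated)
    return True, None


def doctored_copy(chain, index, field, value):
    """Simulate an export altered after the fact, e.g. a row count shrunk before delivery."""
    altered = copy.deepcopy(chain)
    altered[index]["event"][field] = value
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, COMPLIANCE_KEY)
    checkpoint = head(chain)
    print("clean export:", verify_chain(chain, COMPLIANCE_KEY, checkpoint))
    print("edited rows :", verify_chain(doctored_copy(chain, 0, "rows", 5), COMPLIANCE_KEY, checkpoint))
    print("truncated   :", verify_chain(chain[:2], COMPLIANCE_KEY, checkpoint))
```

The design point is the key placement, not the hashing: if the DBA held `COMPLIANCE_KEY`, they could simply rebuild the chain after editing it, which is exactly the "doctor everything prior to delivering" problem. Keeping the key and the checkpoint with the auditing side is the software equivalent of the locked, externally stored copy described in the post above.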

I keep losing the battle to have the proper security measures in place due to the cost of fixing applications, and demands of execs who want data now and don't respect the cost of data theft\destruction. All I can do is really document my recommendations and wait for the disaster to happen (and hope we pick up on it).

We have our auditors in atm, and while they grill our Finance department, as always they ask me vague questions indicative of their non-tech backgrounds that would never uncover any misdoings on my behalf.

I think the only real protection a company has is careful hiring. If a DBA can't be accountable or responsible for their actions, there will be other consequences that will occur outside of data trust issues. I know as part of being hired in my current position I was subject to a police background check and behavioural examination.

There were two different crimes here. The stealing of the data is the one that is receiving the most attention. But what about the companies that received and made use of what was clearly stolen data; it's improbable that someone could purchase data with renewal dates for customers any other way. Do DBAs have a responsibility for the second crime also?

    Julie

  • Julie Breutzmann (12/4/2009)


There were two different crimes here. The stealing of the data is the one that is receiving the most attention. But what about the companies that received and made use of what was clearly stolen data; it's improbable that someone could purchase data with renewal dates for customers any other way. Do DBAs have a responsibility for the second crime also?

    Julie

    Knowingly aiding a criminal activity is prosecutable. "Aiding and abetting" laws are pretty standard.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • If you know the data was stolen, you need to treat it like other stolen property. Report it, document your knowledge, don't misuse it.

    As GSquared mentioned, knowledge is punishable.

  • Steve Jones - Editor (12/4/2009)


    Report it, document your knowledge, don't misuse it.

    There are quite a few here...

    Aiding and abetting.

    How about receiving stolen property?

    Obstruction of justice.

    fraud

    (depending on how things were compensated) wire fraud

    mail fraud

    I'm sure there's a host of interstate commerce laws as well.

    Steve Jones - Editor (12/4/2009)


    As GSquared mentioned, knowledge is punishable.

    THAT is going into my file...

    KNOWLEDGE IS PUNISHABLE !

    I imagine some ashen gray face on a large but poorly constructed TV screen droning on about "KNOWLEDGE IS PUNISHABLE"... (yes, similar to Apple's famous Mac commercial.) :smooooth:

    Honor Super Omnia-
    Jason Miller

  • Oh, yeah. Steve's line gives me an idea for a whole 'nother story. @=)

Brandie Tarvin, MCITP Database Administrator. LiveJournal Blog: http://brandietarvin.livejournal.com/ On LinkedIn!, Google+, and Twitter. Freelance Writer: Shadowrun. Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Julie Breutzmann (12/4/2009)


But what about the companies that received and made use of what was clearly stolen data; it's improbable that someone could purchase data with renewal dates for customers any other way. Do DBAs have a responsibility for the second crime also?

As others have said, the answer is yes. However, given the proliferation of companies that sell data for "a living," many of them being legit, it's harder to prove that the recipient (or the DBA) knew that it was stolen than it is to prove that the thief took the data.

    There are ways, of course, to prove that side of the crime. But if a legit data-selling company has expanded their business without telling their end customers, then the end customers could get off the hook for most of the crimes listed. At most, they'd probably get fined for accepting stolen goods or not double-checking their sources. Accessory would definitely stand up in a court of law if 1) they could look at the data and reasonably assume that there is private info that the seller shouldn't be handing out and 2) didn't report their suspicions.

Brandie Tarvin, MCITP Database Administrator. LiveJournal Blog: http://brandietarvin.livejournal.com/ On LinkedIn!, Google+, and Twitter. Freelance Writer: Shadowrun. Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Most likely, the DBA wouldn't/couldn't be held accountable in this situation. But that's counting on a sane, reasonable legal system. Definitely not the case in any country I'm aware of.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • It would appear likely that quite a few people in the companies that purchased stolen information would have known or had reason to know that this information was stolen. Have any of them been prosecuted yet?

    The US has whistle-blower laws, which may or may not protect an employee who reports it. As GSquared said, one can't be sure how things will turn out. Does the UK offer protection to whistle-blowers?

Particularly in an economy where jobs are scarce, it could be a tough situation for some. I hope I never have to choose whether my integrity or my livelihood is more important.

    Julie

  • Julie Breutzmann (12/7/2009)


    It would appear likely that quite a few people in the companies that purchased stolen information would have known or had reason to know that this information was stolen. Have any of them been prosecuted yet?

    The US has whistle-blower laws, which may or may not protect an employee who reports it. As GSquared said, one can't be sure how things will turn out. Does the UK offer protection to whistle-blowers?

Particularly in an economy where jobs are scarce, it could be a tough situation for some. I hope I never have to choose whether my integrity or my livelihood is more important.

    Julie

    I've been in that position. I chose integrity.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

Viewing 15 posts - 16 through 30 (of 46 total)