stephenwales
MIS
We are in the process at the moment of doing a very large segregation of duties among all stuff in our IT department.
As a part of this, our auditors want to restrict the DBA’s access to production databases.
For example (quoted from our Sarbanes Oxley Compliance Officer):
==============================
The Auditors will start screaming Segregation of Duties when they look at the DBA access. Here’s the basic premise (Stolen directly from the U of U):
-----------------------------------------------------------------------------
Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1) a deliberate fraud is more difficult because it requires collusion of two or more persons, and 2) it is much more likely that innocent errors will be found. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties.
If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities they have generally been assigned or allowed access to incompatible duties or responsibilities.
--------------------------------------------------------------------------------
Because DBA’s may access the database directly, all controls implemented by applications are automatically bypassed. Other controls are required to keep the Auditors happy. Typically, that means all updates by DBA’s must be reviewed by someone else.
A system that will probably create enough control to make auditors happy would be something like this:
1. The DBA’s have Read Only access for day to day operations. This gives them the ability to run queries, copy data to a development system when necessary, and do the required research to correct issues on Production.
2. All corrections, changes, modifications, etc are created on a development copy of the database, tested by QA.
3. Changes are approved for movement to production by someone other than the DBA. Maybe a customer requesting the change (must be a data owner) and an IT manager, still needs to be determined.
4. The scripts are run by some designated person. Minimally, this cannot be the DBA that created the scripts. Preferably, the scripts are run by someone without sufficient knowledge to fix the problems (there are reasons for this, just not space here)
In case of an emergency where the DBA needs to fix stuff or install patches, etc
1. An ID with full update privileges is checked out to the DBA. This ID should have sufficient logging turned on also.
2. The DBA does whatever needs to be done.
3. The ID is checked back into whoever maintains the ID. This might need to be the manager or someone else that knows the Database. This one can be tricky to implement, but can be done.
4. The log is reviewed by another DBA and signed as appropriate. The signed logs are kept for Audit purposes.
There is room for modification, but this seems to cover the basics. Perhaps if we contacted some other Oracle Users or Oracle and asked what capabilities Oracle has to implement Segregation of Duties at the DBA level, they have a better plan. After all, we can’t be the first to group to need this.
===============================
While I can see where they are coming from, I envisage some major restructuring efforts of our infrastructure to support this. Currently we have an HP Superdome which runs 30-odd database instances, a cross between about a dozen production and the rest dev/test/training. At present, you log in to oracle to start/stop a database and you have access to pretty much everything. I’m almost positive they’ll want us to configure another server and move all the non production instances to the other server.
Then we also have the “what happens” when you are granted access to log in to oracle to attend to the needs of one problem database (where you’re also able to access all other databases on the server).
I guess what I’m wanting to find out is what other people have done or had thrown at them in order to address this segregation of duties issue and how you’re dealing with restricted access to production instances, if you are at all? What tools are you using to grant/revoke access? If you’re able to get your auditors to agree to letting you keep access via a tight control and monitoring of DBA activities, what are you using for that?
I’d very much like to be able to capture this thread and show management and the SOX Compliance officer what other companies are doing.
Thanks for your thoughts on this issue.
Steve
As a part of this, our auditors want to restrict the DBA’s access to production databases.
For example (quoted from our Sarbanes Oxley Compliance Officer):
==============================
The Auditors will start screaming Segregation of Duties when they look at the DBA access. Here’s the basic premise (Stolen directly from the U of U):
-----------------------------------------------------------------------------
Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1) a deliberate fraud is more difficult because it requires collusion of two or more persons, and 2) it is much more likely that innocent errors will be found. At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties.
If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities they have generally been assigned or allowed access to incompatible duties or responsibilities.
--------------------------------------------------------------------------------
Because DBA’s may access the database directly, all controls implemented by applications are automatically bypassed. Other controls are required to keep the Auditors happy. Typically, that means all updates by DBA’s must be reviewed by someone else.
A system that will probably create enough control to make auditors happy would be something like this:
1. The DBA’s have Read Only access for day to day operations. This gives them the ability to run queries, copy data to a development system when necessary, and do the required research to correct issues on Production.
2. All corrections, changes, modifications, etc are created on a development copy of the database, tested by QA.
3. Changes are approved for movement to production by someone other than the DBA. Maybe a customer requesting the change (must be a data owner) and an IT manager, still needs to be determined.
4. The scripts are run by some designated person. Minimally, this cannot be the DBA that created the scripts. Preferably, the scripts are run by someone without sufficient knowledge to fix the problems (there are reasons for this, just not space here)
In case of an emergency where the DBA needs to fix stuff or install patches, etc
1. An ID with full update privileges is checked out to the DBA. This ID should have sufficient logging turned on also.
2. The DBA does whatever needs to be done.
3. The ID is checked back into whoever maintains the ID. This might need to be the manager or someone else that knows the Database. This one can be tricky to implement, but can be done.
4. The log is reviewed by another DBA and signed as appropriate. The signed logs are kept for Audit purposes.
There is room for modification, but this seems to cover the basics. Perhaps if we contacted some other Oracle Users or Oracle and asked what capabilities Oracle has to implement Segregation of Duties at the DBA level, they have a better plan. After all, we can’t be the first to group to need this.
===============================
While I can see where they are coming from, I envisage some major restructuring efforts of our infrastructure to support this. Currently we have an HP Superdome which runs 30-odd database instances, a cross between about a dozen production and the rest dev/test/training. At present, you log in to oracle to start/stop a database and you have access to pretty much everything. I’m almost positive they’ll want us to configure another server and move all the non production instances to the other server.
Then we also have the “what happens” when you are granted access to log in to oracle to attend to the needs of one problem database (where you’re also able to access all other databases on the server).
I guess what I’m wanting to find out is what other people have done or had thrown at them in order to address this segregation of duties issue and how you’re dealing with restricted access to production instances, if you are at all? What tools are you using to grant/revoke access? If you’re able to get your auditors to agree to letting you keep access via a tight control and monitoring of DBA activities, what are you using for that?
I’d very much like to be able to capture this thread and show management and the SOX Compliance officer what other companies are doing.
Thanks for your thoughts on this issue.
Steve
![[soapbox]](/data/assets/smilies/soapbox.gif "[soapbox] [soapbox]")
![[3eyes]](/data/assets/smilies/3eyes.gif "[3eyes] [3eyes]")