We are currently putting processes in place to comply with the Deloitte & Touche interpretation of Sarbanes-Oxley for our internal audit department, and for certification of compliance with Deloitte & Touche. As a DBA, I normally don't complain about processes and have introduced many at my company; however, today I read the proposed functions the DBA would have in my organization if they pass the version currently being considered.
Database Administrator: The DBA will insure the integrity and performance of the database environment. The DBA will not have access to security functions. The DBA will not have access to the physical servers. The DBA will not be able to view production data.
?????? Do these people have any clue about reality? I can't view production data. My developers can't view production data, neither can anyone who is considered a developer. So we have nobody able to view the data, who can fix a bug should it occur. I can't have access to the physical server. Now this is a problem since I currently manage ALL the 27 SQL Servers we have including patches and critical updates. I can't have access to security either, so every time I set up a new user, or need to add a user to an existing NT Group I need to forward the change control to the NT Security group. I can then do my job. That's fine with me... less work.
In addition, all fixes need to go through a full SDLC including emergency bug fixes. Think about this before you say it sounds reasonable. This means I not only have to provide a dev/test/staging/prod environment for releases. I need to have the ability to clone production quickly to produce test/staging environments for the bug fixes as well. This will mean buying space for an entire new environment that can be quickly cloned with SnapView for testing of fixes separately from the normal process. While this environment is being built, and everyone on earth is taking time to test the bug fix, the users are just screwed. I understand we need controls, but this is going WAAAAAAAAAY overboard.
The thing that bothers me the most about this is the incredibly stupid and inept people dictating these processes. We have non-technical people giving us their interpretation of the law as it regards technical matters. Notice it's an interpretation that will benefit ONLY THEM!!!!! That is where the real conflict of interest resides, not in the off chance that some developer could copy someone's phone number down and call them on the phone at night. The head of our internal audit department said that we must "think like criminals" and think that our developers are. I believe the criminal is the one who slantingly interprets the law solely for the purpose of creating jobs for themselves to the point it erodes shareholder value by limiting the service levels provided by IT/IS departments. That is criminal.
Favorite words used: 8 (complain, reality, WAAAAAAAAAY, overboard, stupid, inept, screwed, Touche) --I just love that word.
Mean level (1-10): 4 (If you are an idiotic auditor completely out of touch with reality, I'm sure you'll find this somewhat mean.)
Education level (1-10): -2 (You really can't learn anything from these people. You are dumber after you sit in their presence.)
Entertainment level (1-10): 5 (Don't worry. Your turn is coming.)