Sarbanes-Oxley requirements

Mr K S

Sarbanes-Oxley requirements
Hi,

I am sure most database shops will have gone through the Sarbanes-Oxley requirements. I am trying to understand what major changes happened in your shops as part of meeting the requirements. For example, what sort of access did the DBAs lose or gain (SYSADM?)?

I look forward to hearing from your experiences, and what level of access DBAs are now expected to have to meet these requirements.

Thanks,
Kals

---------------------------------------------------------------------------------
Welcome to the IDUG DB2-L list. To unsubscribe, go to the archives and home page at http://www.idugdb2-l.org/archives/db2-l.html. From that page select "Join or Leave the list". The IDUG DB2-L FAQ is at http://www.idugdb2-l.org. The IDUG List Admins can be reached at [login to unmask email] Find out the latest on IDUG conferences at http://conferences.idug.org/index.cfm

Cathy Taddei

Re: Sarbanes-Oxley requirements
(in response to Mr K S)
Our DBAs still have SYSADM, but we had to set up monitoring to detect
updates to production data by them. Since there was no money for a log
analysis tool, we're doing random spot checks. It's kind of weird, but
at least they are hanging on to SYSADM for now.

HTH,
Cathy


Mr K S

Re: Sarbanes-Oxley requirements
(in response to Cathy Taddei)
Thanks, Cathy.

There is a proposal to get rid of SYSADM for the DBAs, and we are not sure what the impact of that would be in terms of response time. We have not yet determined what level of access the DBA needs. I saw some archive notes about SYSCTRL being a preferred option in some cases, but that still gives you load access to the table. I understand the SOX requirements are being interpreted differently in various organisations, and it may help to know what the general trend has been in restricting DBA access.

(I am all for monitoring, but restricting access may impede our support levels.)

Kals


Martin Hubel

Re: Sarbanes-Oxley requirements
(in response to Mr K S)
Hi,
I might add that while SYSCTRL limits access to data where you are not the creator, many shops lose the benefit if you 1) created the tables in question, or 2) have access to a secondary auth-id with SYSADM. Hypothetically, SYSCTRL could see the data anyway if they used utilities to read/restore the data.

Also, audit tools will not show read access. The only way to catch this access is with AUDIT ALL turned on for the tables and the audit trace turned on, or perhaps a performance tool that captures SQL going through the engine (provided it retains the auth-id who ran it).

Best wishes--Martin

===========
Martin Hubel
MHC Inc.
www.mhubel.com
+1 905-764-7498
+1 416-670-7498 Mobile
+44 7986 041838 UK Mobile
+1 905-764-8411 Fax

Check out www.db-hq.net Your Headquarters of How-To for DB2
===========
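Martin's two points (SYSCTRL is only a limit when the DBA ID does not own the tables, and read access is only visible when AUDIT ALL and the audit trace are both on) can be checked from the DB2 for z/OS catalog. The statements below are an added example, not code from Martin or anyone else in this thread; the schema PRODAPP, the table ACCOUNTS and the PROD% database naming convention are assumed for illustration.

```sql
-- Added example (not from the thread). DB2 for z/OS catalog review and DDL
-- for the SYSADM/SYSCTRL and AUDIT ALL points discussed above.
-- PRODAPP, ACCOUNTS and the 'PROD%' database prefix are assumed names.

-- 1. Who holds system-level authority right now? SYSADMAUTH and SYSCTRLAUTH
--    are 'Y' (held) or 'G' (held WITH GRANT OPTION); blank means not held.
--    Run this on a schedule and diff it against the approved list.
SELECT GRANTEE, GRANTOR, SYSADMAUTH, SYSCTRLAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH  IN ('Y', 'G')
    OR SYSCTRLAUTH IN ('Y', 'G')
 ORDER BY GRANTEE;

-- 2. Martin's caveat: SYSCTRL does not limit access to tables the ID itself
--    created. Production tables whose CREATOR is not the application owner
--    ID are the ones where downgrading SYSADM to SYSCTRL buys nothing.
SELECT CREATOR, NAME, DBNAME
  FROM SYSIBM.SYSTABLES
 WHERE TYPE = 'T'
   AND DBNAME LIKE 'PROD%'           -- assumed naming convention
   AND CREATOR <> 'PRODAPP'
 ORDER BY CREATOR, NAME;

-- 3. Which production tables are not yet flagged for full auditing?
--    AUDITING is 'A' (all access), 'C' (changes only) or blank (none).
--    Blank or 'C' means reads by a SYSADM/SYSCTRL ID leave no record.
SELECT CREATOR, NAME, AUDITING
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'PRODAPP'
   AND TYPE = 'T'
   AND AUDITING <> 'A'
 ORDER BY NAME;

-- 4. Flag a table. Reads and changes are recorded only while the audit
--    trace is also started, which is a DB2 command rather than SQL:
--      -START TRACE(AUDIT) CLASS(4,5) DEST(SMF)
--    Class 4 writes the first change and class 5 the first read of an
--    audited table in each unit of recovery, with the auth ID that ran it.
ALTER TABLE PRODAPP.ACCOUNTS AUDIT ALL;
```

Two practical notes: the trace records go to SMF (or GTF) and still need a reporting tool or a written extract job to turn into the kind of spot check Cathy describes, and changing a table's AUDIT attribute invalidates the plans and packages that depend on it, so the ALTER belongs in a change window with a rebind planned.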

Pushkar Bhogale

Re: Sarbanes-Oxley requirements
(in response to Martin Hubel)

DBAs with SYSADM are, in effect, 'Trusted Individuals' under IT General
Controls, so monitoring and auditing their activities might be an extra
strain on CPU.

But it is advisable to have all updates to production data done via
applications or through utilities run by the DBAs. Any kind of ad hoc
update to production data should be traceable back to the individual
who submitted the request and the manager who approved it. So it is
necessary to have such updates submitted via some kind of application which
will register the relevant user ids in a database table. Thus, in an ideal
situation, user ids should not have direct update access to any of the
production data.

Regards,

Pushkar Bhogale
