Sql stored procedures 2721



  • Hi,
    I am helping a client of mine to prepare for an IT SOX audit. In their last IT audit, made by PWC, they checked the SQL Server, which is where PeopleSoft stores the database. In the audit they found that many stored procedures are used; here is the list:
    – sp_replcmds
    – sp_replcounters
    – sp_repldone
    – sp_replflush
    – sp_repltrans
    – xp_cmdshell
    – xp_deletemail
    – xp_dirtree
    – xp_eventlog
    – xp_findnextmsg
    – xp_fixeddrives
    – xp_getfiledetails
    – xp_getnetname
    – xp_loginconfig
    – xp_readmail
    – xp_regaddmultistrin
    – xp_regdeletekey
    – xp_regdeletevalue
    – xp_regread
    – xp_regremovemultistring
    – xp_regwrite
    – xp_sendmail
    – xp_servicecontrol
    My question is: is this bad from the SOX point of view? What can be done to fix this issue?
    I have asked the IT manager and he said that if removing those stored procedures won't cause any problem to PeopleSoft he can remove them, but is it necessary?
    Another issue related to the SQL database: the permissions on the database procedures are as follows:
    Procedure Name:
    sp_add_job
    sp_add_jobschedule
    sp_add_jobserver
    sp_add_jobstep
    sp_enum_dtspackages
    sp_get_dtspackage
    sp_get_sqlagent_properties
    sp_start_job
    All those procedures have EXECUTE permission, and the user who can execute them is the user public.
    Is it bad? OK? What can I do to fix it?
    Thanks a lot …
    Juan



  • Hi - While SOX 404 is silent on detailed items like this, in principle the theme is to ensure sound controls are in place to prevent fraud or other risks from financial transactions that don’t contain proper checks-and-balances. SOX 404 requires us to assess and rank material risks and place controls/testing on the most critically deemed items.
    I don’t have specific knowledge of the PSoft apps, but in theory the key points of evaluation are:
    – What can the user do with these?
    – Are there any possibilities to create fraudulent transactions?
    – Are there proper approval and autonomy levels?
    – Could some of these actually be needed to better calculate valuations in real time (going by the SP names above)?
    Suggestions
    – Might be worth talking to PSoft vendor support on what these functions do?
    – Ask the vendor about any possible SOX 404 ramifications or ITGC type concerns?
    – Vendor may have SOX 404 guidelines
    – SOX auditor may have concerns/recommendations
    Not certain if this search may help … Good luck 🙂
    http://www.google.com/search?hl=en&q=peoplesoft sox compliance
    Also, COBIT 4.x is used by many SOX auditors to assess SOX 404 controls … Free copy here:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920



  • Another issue related to the SQL database: the permissions on the database procedures are as follows:
    Procedure Name:
    sp_add_job
    sp_add_jobschedule
    sp_add_jobserver
    sp_add_jobstep
    sp_enum_dtspackages
    sp_get_dtspackage
    sp_get_sqlagent_properties
    sp_start_job
    All those procedures have EXECUTE permission, and the user who can execute them is the user public.
    Hi Juan - on the 2nd issue, you might want to set up specific user groups with security levels based on job roles, rather than carte blanche allowing this to all authenticated users. You still might be okay, as most likely PSoft has internal tables to control. Again not being knowledgeable, this is more of a vendor question, but if it is an issue make sure only those who need these capabilities have it.
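    One way to act on this advice in T-SQL, added here as an example (it is not code from the thread, from PeopleSoft or from Microsoft): first list which of the msdb procedures Juan named the public role can execute, then take EXECUTE away from public and grant it to a role that only the people or service accounts who really schedule jobs belong to. It assumes SQL Server 2005 or later (the sys.* catalog views) and the role name JobScheduler_Role is made up for the example.

```sql
-- Added example, not from the thread. Run as a sysadmin against msdb,
-- where the SQL Agent job and legacy DTS procedures live.
USE msdb;
GO

-- The procedures from Juan's list (constructed table variable).
DECLARE @procs TABLE (name sysname);
INSERT INTO @procs (name)
SELECT 'sp_add_job'       UNION ALL SELECT 'sp_add_jobschedule'
UNION ALL SELECT 'sp_add_jobserver' UNION ALL SELECT 'sp_add_jobstep'
UNION ALL SELECT 'sp_enum_dtspackages' UNION ALL SELECT 'sp_get_dtspackage'
UNION ALL SELECT 'sp_get_sqlagent_properties' UNION ALL SELECT 'sp_start_job';

-- 1. Audit: which of them does public currently hold EXECUTE on?
--    (This is the evidence an auditor will ask for, before and after.)
SELECT o.name AS procedure_name, p.state_desc, dp.name AS grantee
FROM sys.database_permissions AS p
JOIN sys.objects            AS o  ON o.object_id  = p.major_id
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
JOIN @procs                 AS pr ON pr.name = o.name
WHERE dp.name = 'public' AND p.permission_name = 'EXECUTE';

-- 2. Build the fix: revoke from public, grant to a dedicated role.
--    JobScheduler_Role is a hypothetical name; pick one per job role.
IF DATABASE_PRINCIPAL_ID('JobScheduler_Role') IS NULL
    CREATE ROLE JobScheduler_Role;

DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql
    + N'REVOKE EXECUTE ON dbo.' + QUOTENAME(o.name) + N' FROM public;' + CHAR(10)
    + N'GRANT EXECUTE ON dbo.'  + QUOTENAME(o.name) + N' TO JobScheduler_Role;' + CHAR(10)
FROM @procs AS pr
JOIN sys.objects AS o ON o.name = pr.name AND o.type IN ('P', 'X');

PRINT @sql;              -- review the generated statements first ...
-- EXEC sp_executesql @sql;  -- ... then uncomment to apply them.

-- 3. Add only the accounts that really need to create/start jobs, e.g. the
--    PeopleSoft process-scheduler login (name below is a placeholder):
-- EXEC sp_addrolemember 'JobScheduler_Role', '<psoft_batch_login>';
GO
```

    Before applying step 2 in production, run the PeopleSoft process scheduler against a test copy, since it may itself call sp_add_job/sp_start_job and would then need the role; from SQL Server 2005 on, the built-in msdb roles SQLAgentUserRole/SQLAgentOperatorRole are the vendor-supported way to grant these rights by job role.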



  • Hello.
    I am new to this site. I read in this forum about SQL. I want to know something more about SQL and how it can help me in my office work. I have a small firm with some 10 to 15 people. I want to have their salaries stored directly in the bank, with a record of the same on my computer. I also want to know whether there is any provision for security in SQL software? It will be a great help to me if I get proper guidance about the same thing which I mentioned, as in a short time I am going to start the firm.



  • Hi FF - As I’m uncertain which relational DB is being used, I’ll share some general ideas; this is also outside the scope of SOX controls (which could come into play for access to the specific info).

    1. Use an SQL Query Tool – If you use MS SQL Server, Access can be used as a tool as it’s built into MS Office (there are a number of other query tools as well). If you use Oracle, the Toad SQL browser is an excellent tool to extract data.
    2. Variety of Formats for Extracted Information – Data can be shown in detail or summary formats and imported into reports, spreadsheets, etc.
    3. Security – Certainly you would want ‘read-only’ access for yourself and restrict access for anyone that ‘does not need to know’. The DBA or technical staff would be able to facilitate this. Also, security access is a 2-level control: (1) rights granted in the operating system to physically access the resource, (2) rights granted in the database environment itself (e.g., certain rows with sensitive data can be restricted).
      Below are a few quick links related to security
      http://www.sqlsecurity.com/
      http://www.google.com/search?hl=en&source=hp&q=sql-server security
      http://www.google.com/search?hl=en&source=hp&q=oracle security
