What if Developers need temporary access to production? 1620

  • What solutions are you finding concerning giving Developers temporary access to production?
    #1: Can an authorized ticket from senior management meet SOX criteria, as long as this access is accounted for?
    #2: Is monitoring software required on the production servers to detect changes for these situations or is #1 enough.
    #3: Seen some implement a 2 man rule, where someone physically watches them over their sholder when making changes.
    What is everyone’s thoughts, is just #1 enough. Would the frequency of these requests be an issue as well?

  • Personally, I like #1 and #2 but not #3 … No one likes to be watched and you may use #3 only on an ultra-sensitive application like payroll, check processing, credit card applications, etc.%0AFor #1, you could use the term ‘written management approval’ rather than ‘senior management’ as it’s actually better to have a knowledgeable front-line manager approve this when needed.%0ASome best practices and ideas include:%0A1. Use of special emergency IDs (we call them FireIDs) which allows production access with a 24 hour long account. If more time is needed, the developer needs to check out a new FireID. In other words, the developer can’t use their own accounts%0A2. Log all access with FireIDs (both read/write) and have the security team actually check it the next day. 99% of the time folks are doing their job, but it’s always good to monitor.%0A3. Document this via Change Management notifications (and as part of the SOX e-Library if it’s a financial application) %0A Some additional discusion can be found here also: %0Ahttp://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1596

Log in to reply