Fundamental Segregation of Duties 320



  • Denis, you have stated:
    Now going back to the original question of 'Where did someone turn that into "Developers cannot access production, production cannot access development"?'

    That developers cannot access production is a FUNDAMENTAL segregation of duties. The risk/issue is that developers make changes in production without testing/authorization/a fall-back plan and you have an uncontrolled system that you cannot rely on.
    I have been in IT for over 15 years and have never seen code put into prod without testing. I have worked for more than 10 mid-to-large companies in Europe and the USA as Business Analyst, Project Manager, Developer, DBA, Data Architect and more, in teams of 5 to 400 members per project. All environments I have worked on have had at least 2 to 6 test environments. I do not know what untested systems you are talking about.
    Usually you get all CRs tested in QA and UAT, peer reviewed, logged and approved by a Manager or Change Management Board. You can also have all your actions on prod audited. Audit logs can be secured. You can also be monitored in different ways during production access.
    We did it all already in last century.
    I have worked on enterprise database-driven systems including financial reporting. You can have as many systems as you wish; you will still get issues in prod, because the test environment never matches the real system. When you have an emergency, you have no time to clone prod. So a developer has to access prod. When money is not flowing into the company because EDI or Order Entry is down, or a nightly job during the quarterly code freeze fails, or whatever, the manager will come to your office, give you the password and beg you to fix it ASAP regardless of any Congressional regulation.
    I have always supported good security and good documentation of the systems. That was the case also 15 years before SOX. SOX is now forcing more benevolent environments to improve. That is good. I see more effort in this area now. Good. Even if I do not believe that developers caused the ENRON fall or that they are a risk for investors. I think top managers including CFOs relied more on me than on the systems I have built.

    Tell me, Denis: where did you get the idea of 'FUNDAMENTAL segregation of duties'? I am asking because my boss argued today with just the same words. He got it from the auditors. Where did you get it? Can you provide more arguments? How come we are now denied access to production?

    Just this week I implemented a data fix in a financial system. It was tested in DEV and QA and approved by users, and logged in the change tracking system. If I were allowed to put it into UAT and PROD, it would already be fixed in prod. Now we have to go through all this SOX circus and write an installation doc for the DBAs, write a more robust setup script for an uninformed DBA, explain to them what we are doing, and the list goes on. I am not sure how they will act if something goes wrong in prod, or how they will judge the situation or improvise. QA is one week out of sync with prod, so I cannot guarantee anything 100%. I estimate it will be done next month and it will cost us many more person hours.
    Can somebody give some supportive arguments against our auditors pushing for this bullshit?
    J.
