RE: Back and a Question

From: Reidy, Ron <>
Date: Wed, 16 Aug 2006 09:24:28 -0600

You should speak with your auditors to get clarification on the subject of developers having access to production. My guess is there are no formal change control procedures in place.


[] On Behalf Of
Sent: Wednesday, August 16, 2006 7:52 AM
To:; oracle-l
Cc: Nuno Souto
Subject: Re: Back and a Question

If it doesn't state in SOX that developers can't have access to production data, how do the auditors determine what is a violation?

Not having access to PROD data is a real problem for ETL systems that receive external data feeds. You can have a lot of validation checks when you get the file, but you will never catch everything and sometimes you get bad data. You need people to check it.

I guess the other option is to 'promote' a developer to systems administrator and put him on the production team so he can look at the data?  

> From where I stand, it's exactly like Ryan described:
> we got SOx-audited last year and again this year and in both
> occasions access to production by developers came up as an
> absolute no-no and something we simply cannot allow.
> Which I tend to agree with, BTW. ;-)
> --
> Cheers
> Nuno Souto
> from sunny Sydney
> Quoting David Aldridge :
> > Tsh, is there any lie that those operations people won't tell in order
> > to keep us out of their sandbox?
> >
> > Seriously though, I don't think that SOX is that detailed, and I don't
> > believe any STIG is either. It sounds like that rule is more along the
> > lines of an _interpretation_ of the regulations, or a quoting of the
> > regulations to justify a rule (depending on your degree of
> >
> > wrote:
> > >
> > > I did DOD before this. I am doing financial now. The federal government
> > > actually passed security laws for financial companies as part of
> > > Sarbanes-Oxley (SOX). I was told by operations that one of the rules is
> > > that development cannot have access to production data. That is a
> > > problem for production support when you get data issues.
> --

Received on Wed Aug 16 2006 - 10:24:28 CDT