DBA Segregation of Duties
One of the clients that I'm currently working with (a dot com survivor) has a four-person DBA group that manages over 30 instances of SQL Server databases supporting multiple web sites and internal applications. Most of these systems were developed in-house and support custom business processes. While the default administrator accounts are not used nor shared, the DBAs have SA-level access for operational reasons.
The external auditors have recommended that DBAs not be assigned SA-level access, and that such access be made available via a "firecall" id that is owned outside the DBA group. The risk pointed out by the auditors is that DBAs with SA-level access can bypass all manual and application controls, make modifications to data or perform other unauthorized activities, and wipe the access logs clean to remove evidence. The client feels that this requirement is excessive and onerous.
Could anyone point us to any relevant research or similar experiences at other clients or other industry practices?
Thanks