Re: [U2] SOX question (United States only, I believe)

2006-07-19 Thread john reid

What's a 'cracker'?

On 7/18/06, Jerry Banker [EMAIL PROTECTED] wrote:

Exactly.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Walker
Sent: Tuesday, July 18, 2006 1:48 PM
To: 'u2-users@listserver.u2ug.org'
Subject: RE: [U2] SOX question (United States only, I believe)

The friendly neighborhood cracker isn't a threat. It's only the employees
that can't be trusted.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jerry Banker
Sent: Tuesday, July 18, 2006 1:51 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)


But doesn't this leave the information readily available to the friendly
neighborhood cracker?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gordon J
Glorfield
Sent: Tuesday, July 18, 2006 10:41 AM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)

Document everything!  Make no changes without a written request from the
users.  Have them test and approve the changes, in writing, after
completion.  Store your documentation in a format that is readily
accessible to the auditors.


Gordon J. Glorfield
Sr. Applications Developer
UnitedHealthcare's Mid-Atlantic Health Plans
301-360-8839

[EMAIL PROTECTED] wrote on 07/18/2006 10:18:48 AM:

 Hi,

 I have been reading this thread and others with interest, but no one has
 managed to answer how you can be SOX compliant when you have only one guy
 who programmes, administers, upgrades the software and makes the tea!

 Any suggestions anyone?

 Cheers,

 Ray Dawes
 Manufacturing Systems Manager
 CarnaudMetalbox Engineering plc, Dockfield Road, Shipley,
 BD17 7AY, UK
 Email: [EMAIL PROTECTED]
 Tel: 0 (+44) 1274 846283 Fax: 0 (+44) 1274 846201


 CONFIDENTIALITY NOTICE

 The information contained in this e-mail is intended only for the
 confidential use of the above named recipient. If you are not the intended
 recipient or person responsible for delivering it to the intended recipient,
 you have received this communication in error and must not distribute or
 copy it. Please accept the sender's apologies, notify the sender immediately
 by return e-mail and delete this communication. Thank you.
 ---
 u2-users mailing list
 u2-users@listserver.u2ug.org
 To unsubscribe please visit http://listserver.u2ug.org/


This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity to
which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.




--
john


Re: [U2] SOX question (United States only, I believe)

2006-07-19 Thread dave
From Wikipedia, the free encyclopedia

* Cracker (computing), a person who engages in illegal system cracking or
software cracking, circumventing computer security systems; also known as
a black hat hacker

--
Dave

 What's a 'cracker'?



RE: [U2] SOX question (United States only, I believe)

2006-07-19 Thread Horn, John
 On Behalf Of [EMAIL PROTECTED]
 
 From Wikipedia, the free encyclopedia
 
 * Cracker (computing), a person who engages in illegal system 
 cracking or software cracking, circumventing computer 
 security systems; also known as a black hat hacker

To distinguish from hacker who is someone who breaks into systems
for fun and the challenge of it.  A cracker does it for malicious
purposes.

  - jmh


RE: [U2] SOX question (United States only, I believe)

2006-07-19 Thread Norman Morgan
   A cracker does it for malicious purposes.

And all these years I thought a cracker was a good ol' boy from north
Georgia.


RE: [U2] SOX question (United States only, I believe)

2006-07-19 Thread Tom Dodds
Wendy, thanks for the new word, pejorative.  That's a great one.

Tom Dodds
[EMAIL PROTECTED]
513-563-2800 Cincinnati Office
708-234-9608 Chicago Office
630-235-2975 Anywhere Cell
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wendy Smoak
Sent: Wednesday, July 19, 2006 1:40 PM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] SOX question (United States only, I believe)

On 7/19/06, Horn, John [EMAIL PROTECTED] wrote:

 To distinguish from hacker who is someone who breaks into systems
 for fun and the challenge of it.  A cracker does it for malicious
 purposes.

Nope.  Hacker is not a pejorative term... it's properly applied to
people who make stuff work often for fun.

 * http://en.wikipedia.org/wiki/Hacker

See also:
   Care and Feeding of your Hacker
  http://web.demigod.org/~zak/geek/hack.shtml

0.0: Won't my hacker break into my computer and steal my trade secrets?

No. Hackers aren't, contrary to media reporting, the people who
break into computers. Those are crackers. Hackers are people who enjoy
playing with computers. Your hacker may occasionally circumvent
security measures, but this is not malicious; she just does it when
the security is in her way, or because she's curious.

   The Cathedral and the Bazaar
  http://www.catb.org/esr/writings/cathedral-bazaar/

-- 
Wendy


Re: [U2] SOX question (United States only, I believe)

2006-07-19 Thread Wendy Smoak

On 7/19/06, Tom Dodds [EMAIL PROTECTED] wrote:


Wendy, thanks for the new word, pejorative.  That's a great one.


:) I think this thread gets the prize for the most deviation from the
initial topic.  Shall we adjourn to u2-community before we get
evicted?

--
Wendy


RE: [U2] SOX question (United States only, I believe)

2006-07-18 Thread DAWES, Ray
Hi,

I have been reading this thread and others with interest, but no one has
managed to answer how you can be SOX compliant when you have only one guy
who programmes, administers, upgrades the software and makes the tea!

Any suggestions anyone?

Cheers,

Ray Dawes
Manufacturing Systems Manager
CarnaudMetalbox Engineering plc, Dockfield Road, Shipley,
BD17 7AY, UK
Email: [EMAIL PROTECTED] 
   Tel: 0 (+44) 1274 846283 Fax: 0 (+44) 1274 846201






Re: [U2] SOX question (United States only, I believe)

2006-07-18 Thread Results

Ray,
   One way to do it is to form a joint venture with other tea makers
and do business through that company, which subcontracts your company
and the others. Of course, in theory, all the subs would have to be SOX
compliant, but it should satisfy most customers.


- Chuck Or, You Could Just Assign Tasks to Each of My Multiple 
Personalities Barouch


DAWES, Ray wrote:


Hi,
I have been reading this thread and others with interest, but no one has
managed to answer how you can be SOX compliant when you have only one guy
who programmes, administers, upgrades the software and makes the tea!
Any suggestions anyone?
Cheers,
Ray Dawes



RE: [U2] SOX question (United States only, I believe)

2006-07-18 Thread Dave Walker
Short answer: you can't. (We just went thru a Sox audit)

Regards,
--
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of DAWES, Ray
Sent: Tuesday, July 18, 2006 10:19 AM
To: u2-users@listserver.u2ug.org
Cc: ALLEN, David
Subject: RE: [U2] SOX question (United States only, I believe)


Hi,

I have been reading this thread and others with interest, but no one has
managed to answer how you can be SOX compliant when you have only one guy
who programmes, administers, upgrades the software and makes the tea!

Any suggestions anyone?

Cheers,

Ray Dawes
Manufacturing Systems Manager
CarnaudMetalbox Engineering plc, Dockfield Road, Shipley,
BD17 7AY, UK
Email: [EMAIL PROTECTED] 
   Tel: 0 (+44) 1274 846283 Fax: 0 (+44) 1274 846201






RE: [U2] SOX question (United States only, I believe)

2006-07-18 Thread Gordon J Glorfield
Document everything!  Make no changes without a written request from the 
users.  Have them test and approve the changes, in writing, after 
completion.  Store your documentation in a format that is readily 
accessible to the auditors.


Gordon J. Glorfield
Sr. Applications Developer
UnitedHealthcare's Mid-Atlantic Health Plans
301-360-8839

[EMAIL PROTECTED] wrote on 07/18/2006 10:18:48 AM:

 Hi,

 I have been reading this thread and others with interest, but no one has
 managed to answer how you can be SOX compliant when you have only one guy
 who programmes, administers, upgrades the software and makes the tea!

 Any suggestions anyone?

 Cheers,

 Ray Dawes
 Manufacturing Systems Manager
 CarnaudMetalbox Engineering plc, Dockfield Road, Shipley,
 BD17 7AY, UK
 Email: [EMAIL PROTECTED]
 Tel: 0 (+44) 1274 846283 Fax: 0 (+44) 1274 846201

 


RE: [U2] SOX question (United States only, I believe)

2006-07-18 Thread Jerry Banker
But doesn't this leave the information readily available to the friendly
neighborhood cracker?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gordon J
Glorfield
Sent: Tuesday, July 18, 2006 10:41 AM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)

Document everything!  Make no changes without a written request from the
users.  Have them test and approve the changes, in writing, after
completion.  Store your documentation in a format that is readily
accessible to the auditors.


Gordon J. Glorfield
Sr. Applications Developer
UnitedHealthcare's Mid-Atlantic Health Plans
301-360-8839

[EMAIL PROTECTED] wrote on 07/18/2006 10:18:48 AM:

 Hi,

 I have been reading this thread and others with interest, but no one has
 managed to answer how you can be SOX compliant when you have only one guy
 who programmes, administers, upgrades the software and makes the tea!

 Any suggestions anyone?

 Cheers,

 Ray Dawes
 Manufacturing Systems Manager
 CarnaudMetalbox Engineering plc, Dockfield Road, Shipley,
 BD17 7AY, UK
 Email: [EMAIL PROTECTED]
 Tel: 0 (+44) 1274 846283 Fax: 0 (+44) 1274 846201

 


RE: [U2] SOX question (United States only, I believe)

2006-07-18 Thread Jerry Banker
Exactly.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Walker
Sent: Tuesday, July 18, 2006 1:48 PM
To: 'u2-users@listserver.u2ug.org'
Subject: RE: [U2] SOX question (United States only, I believe)

The friendly neighborhood cracker isn't a threat. It's only the employees
that can't be trusted.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jerry Banker
Sent: Tuesday, July 18, 2006 1:51 PM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)


But doesn't this leave the information readily available to the friendly
neighborhood cracker?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gordon J
Glorfield
Sent: Tuesday, July 18, 2006 10:41 AM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)

Document everything!  Make no changes without a written request from the
users.  Have them test and approve the changes, in writing, after
completion.  Store your documentation in a format that is readily
accessible to the auditors.


Gordon J. Glorfield
Sr. Applications Developer
UnitedHealthcare's Mid-Atlantic Health Plans
301-360-8839

[EMAIL PROTECTED] wrote on 07/18/2006 10:18:48 AM:

 Hi,

 I have been reading this thread and others with interest, but no one has
 managed to answer how you can be SOX compliant when you have only one guy
 who programmes, administers, upgrades the software and makes the tea!

 Any suggestions anyone?

 Cheers,

 Ray Dawes
 Manufacturing Systems Manager
 CarnaudMetalbox Engineering plc, Dockfield Road, Shipley,
 BD17 7AY, UK
 Email: [EMAIL PROTECTED]
 Tel: 0 (+44) 1274 846283 Fax: 0 (+44) 1274 846201

 


Re: [U2] SOX question (United States only, I believe)

2005-12-12 Thread Ray Wurlod
Why not separate DBA from programmer role?  

It's none of their bleeping concern.

You have procedures, you have documented those procedures, and in an audit you 
can prove that you follow those documented procedures.

End of story.  You are compliant.

You do NOT have to justify your procedures - no-one can tell you how to run 
your business.

IMHO, of course.


Re: [U2] SOX question (United States only, I believe)

2005-12-12 Thread Ray Wurlod
Two salaries!  Yay!

- Original Message -
From: Lance Jahnke [EMAIL PROTECTED]
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] SOX question (United States only, I believe)
Date: Fri, 9 Dec 2005 07:35:39 -0600

 
 What happens when the programmer is the dba? One person developing and 
 managing universe...


RE: [U2] SOX question (United States only, I believe)

2005-12-12 Thread Kevin King
 You do NOT have to justify your procedures - 
 no-one can tell you how to run your business.

But this is the USA. Everyone tells you how to run your business, from
the IRS to the state, to the lawyers, to the insurance companies, to
the... You name it.  All SOX does is amplify prison as an option for
doing it incorrectly as best described by people who make rules
instead of follow them.

-Kevin
[EMAIL PROTECTED]
http://www.PrecisOnline.com


Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Marc Hilbert

Good Morning Charlie,
Not only a US issue, but also an issue for multinationals with US home 
offices. We are in Argentina and have clients that must comply and frankly 
we DO separate the DBA role from the programmer role and I am in favor of 
this although it is an administrative pain at times. Programmers on these 
sites do not get access to the production data-base and only get read-only 
to the user testing environment.

Regards,
Marc Hilbert
Pick Professional Center
Buenos Aires,
Argentina.

- Original Message - 
From: Charlie Rubeor [EMAIL PROTECTED]

To: u2-users@listserver.u2ug.org
Sent: Thursday, December 08, 2005 6:28 PM
Subject: [U2] SOX question (United States only, I believe)



When we started implementing Sarbanes-Oxley, I knew the question of why we
don't separate the Database Admin role from the Programmer role would come
up.  Has anyone on this list been able to provide a satisfactory answer to
the auditors, without spending a lot of time explaining the benefits of an
MV database?

Charlie Rubeor
Unix/Database Administrator
Wiremold/Legrand
60 Woodlawn Street
West Hartford, CT 06110
Tel: 860.233.6251 x3498
Fax: 860.523.3690
Email: [EMAIL PROTECTED]
Internet: www.wiremold.com



Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Steven M Wagner

Marc

How do the programmers do customer support if they cannot look at the data 
in the production data-base?  It would be hard to research problems if you 
cannot look at live data.


Steve

At 08:49 AM 12/9/05 -0300, you wrote:

Good Morning Charlie,
Not only a US issue, but also an issue for multinationals with US home 
offices. We are in Argentina and have clients that must comply and frankly 
we DO separate the DBA role from the programmer role and I am in favor of 
this although it is an administrative pain at times. Programmers on these 
sites do not get access to the production data-base and only get read-only 
to the user testing environment.

Regards,
Marc Hilbert
Pick Professional Center
Buenos Aires,
Argentina.

- Original Message - From: Charlie Rubeor 
[EMAIL PROTECTED]

To: u2-users@listserver.u2ug.org
Sent: Thursday, December 08, 2005 6:28 PM
Subject: [U2] SOX question (United States only, I believe)



When we started implementing Sarbanes-Oxley, I knew the question of why we
don't separate the Database Admin role from the Programmer role would come
up.  Has anyone on this list been able to provide a satisfactory answer to
the auditors, without spending a lot of time explaining the benefits of an
MV database?

Charlie Rubeor
Unix/Database Administrator
Wiremold/Legrand
60 Woodlawn Street
West Hartford, CT 06110
Tel: 860.233.6251 x3498
Fax: 860.523.3690
Email: [EMAIL PROTECTED]
Internet: www.wiremold.com



--
Steven M Wagner
[EMAIL PROTECTED]
Cary, North Carolina, United States of America


Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Lance Jahnke
What happens when the programmer is the dba? One person developing and managing 
universe...

-Original Message-
From: [EMAIL PROTECTED]
To: u2-users@listserver.u2ug.org
Sent: Fri Dec 09 05:49:55 2005
Subject: Re: [U2] SOX question (United States only, I believe)

Good Morning Charlie,
Not only a US issue, but also an issue for multinationals with US home 
offices. We are in Argentina and have clients that must comply and frankly 
we DO separate the DBA role from the programmer role and I am in favor of 
this although it is an administrative pain at times. Programmers on these 
sites do not get access to the production data-base and only get read-only 
to the user testing environment.
Regards,
Marc Hilbert
Pick Professional Center
Buenos Aires,
Argentina.

- Original Message - 
From: Charlie Rubeor [EMAIL PROTECTED]
To: u2-users@listserver.u2ug.org
Sent: Thursday, December 08, 2005 6:28 PM
Subject: [U2] SOX question (United States only, I believe)


 When we started implementing Sarbanes-Oxley, I knew the question of why we
 don't separate the Database Admin role from the Programmer role would come
 up.  Has anyone on this list been able to provide a satisfactory answer to
 the auditors, without spending a lot of time explaining the benefits of an
 MV database?

 Charlie Rubeor
 Unix/Database Administrator
 Wiremold/Legrand
 60 Woodlawn Street
 West Hartford, CT 06110
 Tel: 860.233.6251 x3498
 Fax: 860.523.3690
 Email: [EMAIL PROTECTED]
 Internet: www.wiremold.com



RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Peter Gonzalez
SOX SUCKS! (we have tee shirts with 'SOX SUCKS' on the front)

Our productivity has gone way down. If there is a problem here is what we have 
to do now. And there are plenty of internal and external auditors to make sure 
we do the following.

1. Create a request to modify.
2. Copy the records from LIVE to DEVEL.
3. Debug the process.
4. Mod the program and correct the data records.
5. Create a user approval form.
6. Have the user sign off.
7. Have the IT manager sign off.
8. Notify the manager of programmers of the change
9. The manager of programmers notifies the system admin.
10. The system admin then moves the programs and (or) the corrected data 
records.
11. The system admin then notifies the IT staff of the move.
12. The programmer then notifies the user.

Documentation includes screen shots of all changes, programs, DICT, screens 
and records.  The average doc package is about 8 pages.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven M Wagner
Sent: Friday, December 09, 2005 8:27 AM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] SOX question (United States only, I believe)

Marc

How do the programmers do customer support if they cannot look at the data 
in the production data-base?  It would be hard to research problems if you 
cannot look at live data.

Steve

At 08:49 AM 12/9/05 -0300, you wrote:
Good Morning Charlie,
Not only a US issue, but also an issue for multinationals with US home 
offices. We are in Argentina and have clients that must comply and frankly 
we DO separate the DBA role from the programmer role and I am in favor of 
this although it is an administrative pain at times. Programmers on these 
sites do not get access to the production data-base and only get read-only 
to the user testing environment.
Regards,
Marc Hilbert
Pick Professional Center
Buenos Aires,
Argentina.

- Original Message - From: Charlie Rubeor 
[EMAIL PROTECTED]
To: u2-users@listserver.u2ug.org
Sent: Thursday, December 08, 2005 6:28 PM
Subject: [U2] SOX question (United States only, I believe)


When we started implementing Sarbanes-Oxley, I knew the question of why we
don't separate the Database Admin role from the Programmer role would come
up.  Has anyone on this list been able to provide a satisfactory answer to
the auditors, without spending a lot of time explaining the benefits of an
MV database?

Charlie Rubeor
Unix/Database Administrator
Wiremold/Legrand
60 Woodlawn Street
West Hartford, CT 06110
Tel: 860.233.6251 x3498
Fax: 860.523.3690
Email: [EMAIL PROTECTED]
Internet: www.wiremold.com


--
Steven M Wagner
[EMAIL PROTECTED]
Cary, North Carolina, United States of America


Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Gordon J Glorfield
You mean you don't separate them?  Absolutely there needs to be a division 
of labor here.  As a developer I have no time to keep up with mundane 
tasks as password verification, file resizing and maintenance, upgrades, 
etc...  That doesn't even touch on the security and accountability issues.

In a small shop ( 50 users) you might be able to get away with combining 
the two roles.  But in any shop larger than that, I don't see how you 
could effectively do both jobs.


Gordon J. Glorfield
Sr. Applications Developer
MAMSI (A UnitedHealth Company)
301-360-8839

[EMAIL PROTECTED] wrote on 12/08/2005 04:28:09 PM:

 When we started implementing Sarbanes-Oxley, I knew the question of why we
 don't separate the Database Admin role from the Programmer role would come
 up.  Has anyone on this list been able to provide a satisfactory answer to
 the auditors, without spending a lot of time explaining the benefits of an
 MV database?

 Charlie Rubeor
 Unix/Database Administrator
 Wiremold/Legrand
[snip]




RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread David Wolverton
The difference is that you have access to LOOK, but not in any way CHANGE...



How do the programmers do customer support if they cannot look at the data
in the production data-base?  It would be hard to research problems if you
cannot look at live data.

Steve


RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Brian Leach
Is it sufficient to formally separate the roles and procedures, even if they
are carried out by the same person?

and just think, you could put in for two pay rises :)

Brian SOX-Free here

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Lance Jahnke
 Sent: 09 December 2005 13:36
 To: u2-users@listserver.u2ug.org
 Subject: Re: [U2] SOX question (United States only, I believe)
 
 What happens when the programmer is the dba? One person 
 developing and managing universe...


Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Andy Pflueger
On 12/9/05, Peter Gonzalez [EMAIL PROTECTED] wrote:
 SOX SUCKS! (we have tee shirts with 'SOX SUCKS' on the front)

 Our productivity has gone way down. If there is a problem here is what we 
 have to do now. And there are plenty of internal and external auditors to 
 make sure we do the following.

 1. Create a request to modify.
 2. Copy the records from LIVE to DEVEL.
 3. Debug the process.
 4. Mod the program and correct the data records.
 5. Create a user approval form.
 6. Have the user sign off.
 7. Have the IT manager sign off.
 8. Notify the manager of programmers of the change
 9. The manager of programmers notifies the system admin.
 10. The system admin then moves the programs and (or) the corrected data 
 records.
 11. The system admin then notifies the IT staff of the move.
 12. The programmer then notifies the user.

 Documentation includes screen shots of all changes, programs, DICT, screens 
 and records.  The average doc package is about 8 pages.

snip

Goodness! How long does it take to get something accomplished with
these steps? Our problem is that our sysadmin doesn't understand how
our Unidata environment works so getting him to move programs from DEV
to PROD would be next to impossible, IMHO. :)

Although, these seem like very nice steps to satisfy most if not all
of SOX requirements.

--
The Linux philosophy is 'Laugh in the face of danger'.
Oops. Wrong One. 'Do it yourself'. Yes, that's it.
Linus Torvalds


RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Les Hewkin
Is that all there is to it

We have to do all that now...

We also produce diff items of the programs. This details all the changes
made.

But I do have access to the live machine as well.  


Les

-Original Message-
From: Peter Gonzalez [mailto:[EMAIL PROTECTED] 
Sent: 09 December 2005 14:13
To: 'u2-users@listserver.u2ug.org'
Subject: RE: [U2] SOX question (United States only, I believe)

SOX SUCKS! (we have tee shirts with 'SOX SUCKS' on the front)

Our productivity has gone way down. If there is a problem here is what
we have to do now. And there are plenty of internal and external
auditors to make sure we do the following.

1. Create a request to modify.
2. Copy the records from LIVE to DEVEL.
3. Debug the process.
4. Mod the program and correct the data records.
5. Create a user approval form.
6. Have the user sign off.
7. Have the IT manager sign off.
8. Notify the manager of programmers of the change
9. The manager of programmers notifies the system admin.
10. The system admin then moves the programs and (or) the corrected data
records.
11. The system admin then notifies the IT staff of the move.
12. The programmer then notifies the user.

Documentation includes screen shots of all changes, programs, DICT,
screens and records.  The average doc package is about 8 pages.




RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Gordon J Glorfield
I am surprised by all the differing methodologies for being SOX compliant. 
For data fixes we have an audit approved process as below.

1.  All changes must be requested from the user.  Artifact: User Request 
(Can be a hard copy of an email.)
2.  LIST.ITEM hard copy of the data before the change.
3.  Change data item using a self-documenting change utility.  Must be 
assigned to User Request and associated with a Root Cause Form that's on 
file.
4.  LIST.ITEM hard copy of the data after the change.
5.  Notify user of data fix and how the user can verify the change is 
correct. (Mini Test Plan.  Can be hard copy of an email.)
6.  User approval.  (Can be hard copy of an email.)
7.  IT Manager approval.

Program changes (unless deemed an emergency) are much more artifact 
intensive.  (Formal Specs, Spec Change Requests, Test Plans, Cross 
Testing, Management Approvals of all, etc...)

Yes, productivity has gone down but accountability is way up.  It also 
makes the users think about requests rather than just asking for 
shoot-from-the-hip development.  (I don't know exactly what I want but, 
I'll know it when I see it.)


Gordon J. Glorfield
Sr. Applications Developer
MAMSI (A UnitedHealth Company)
301-360-8839

[EMAIL PROTECTED] wrote on 12/09/2005 09:13:00 AM:

 SOX SUCKS! (we have tee shirts with 'SOX SUCKS' on the front)

 Our productivity has gone way down. If there is a problem here is 
 what we have to do now. And there are plenty of internal and 
 external auditors to make sure we do the following.

 1. Create a request to modify.
 2. Copy the records from LIVE to DEVEL.
 3. Debug the process.
 4. Mod the program and correct the data records.
 5. Create a user approval form.
 6. Have the user sign off.
 7. Have the IT manager sign off.
 8. Notify the manager of programmers of the change
 9. The manager of programmers notifies the system admin.
 10. The system admin then moves the programs and (or) the corrected 
 data records.
 11. The system admin then notifies the IT staff of the move.
 12. The programmer then notifies the user.

 Documentation includes screen shots of all changes, programs, 
 DICT, screens and records.  The average doc package is about 8 pages.

[snip]




Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Results

Gordon,
I used to work for a $500M company (multi-national, multiple 
office) where I was the Unix Admin, the secondary DBA, the Hiring 
Manager, an Area Manager, Head of Computer Security and QC, and a hands 
on programmer simultaneously. The primary DBA also ran the operations 
department, worked as an Area Manager, and was a hands on coder as well.
   When I worked for a $72M company (multi-national, multiple office), 
I was at one point the AIX Admin, the Sun Admin, the Webmaster, Sr. 
Programmer, and managed all the consultants - while assisting in Mac, 
PC, and network support.
   You'd be amazed at what sort of workloads you can adapt to when need 
impels you.


   - Chuck Renaissance Man Barouch

Gordon J Glorfield wrote:

In a small shop ( 50 users) you might be able to get away with combining 
the two roles.  But in any shop larger than that, I don't see how you 
could effectively do both jobs.



RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Peter Gonzalez
Les,
I didn't include the MMDIFF program that we run. It too, prints the difference, 
if any, on LIVE and DEVEL.

Our understanding of SOX is not to have one or two people involved in software 
administration and conspiring to hard the system. The more people that are 
involved, the less chances of company fraud. 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Les Hewkin
Sent: Friday, December 09, 2005 10:34 AM
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)

Is that all there is to it

We have to do all that now...

We also produce diff items of the programs. This details all the changes
made.

But I do have access to the live machine as well.  


Les


RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Bob Witney
I know that SOX is a US thing but the change management process you describe is 
very close to that used by government departments in the UK

So it's all over, not just you yanks that have to put up with it :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter Gonzalez
Sent: 09 December 2005 14:13
To: 'u2-users@listserver.u2ug.org'
Subject: RE: [U2] SOX question (United States only, I believe)


SOX SUCKS! (we have tee shirts with 'SOX SUCKS' on the front)

Our productivity has gone way down. If there is a problem here is what we have 
to do now. And there are plenty of internal and external auditors to make sure 
we do the following.

1. Create a request to modify.
2. Copy the records from LIVE to DEVEL.
3. Debug the process.
4. Mod the program and correct the data records.
5. Create a user approval form.
6. Have the user sign off.
7. Have the IT manager sign off.
8. Notify the manager of programmers of the change
9. The manager of programmers notifies the system admin.
10. The system admin then moves the programs and (or) the corrected data 
records.
11. The system admin then notifies the IT staff of the move.
12. The programmer then notifies the user.

Documentation includes screen shots of all changes, programs, DICT, screens 
and records.  The average doc package is about 8 pages.




RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Allen E. Elwood
Marc

How do the programmers do customer support if they cannot look at the data
in the production data-base?  It would be hard to research problems if you
cannot look at live data.

Steve

The thing that always cracks me up is that all one has to do in a U2/PICK
environment is to create q pointers to the main account from the test
account.  You can look and even modify without having access to that account
unless it is locked down by logon at the OS level, which I have yet to find
and as a consultant I have worked on several 'sox compliant' boxes.

You can even compile a program in the test account, and then copy that to
the main account via q pointers as long as you copy the voc pointer as well.
You have to be sure you get the right path for the object code, but that's a
piece of cake, and then the sox auditors would have absolutely no way of
finding out who did what if you just delete the q pointers when you're done.

Not that I would do such a thing (because I get paid by the hour and the
more complicated the procedure the longer it takes), but it is possible.

fwiw,

Allen E. Elwood www.tortillafc.com


RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread David A. Green
I wrote a package for MANAGE-2000 clients that addressed these issues.  I
call it DTS (Development Tracking System).  It does a great job separating
Programmer from Live Data.

To use it one would create a Development Account and an end-user testing
account.  My software would run on the Development Account and would pull
objects from the Live Account into the Development Account and then lock
them so that other programmers won't be changing the same items.  The system
would create a backup copy of the original, creating an undo capability.  

When all the modifications have been completed and tested by the programmer,
in the Development Account, it prompted the programmer to Move the
modifications into the Test Account.  The Move takes only a few
seconds and no recompiling is needed.  It could then send an email to the
person listed as the contact of the enhancement so that they would know it
was ready for them to test.

After the end-user has tested it in the Test Account someone fills in the
Approved By and it would trigger the Move into the Live Account and
release the lock.

David A. Green
DAG Consulting
(480) 813-1725
www.dagconsulting.com
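
The check-out, test and approve flow described in the message above, as an added Python example that is not part of the original post and is not DTS code. The class and method names, the item name and the user names are hypothetical, and the rule that the approver must be someone other than the programmer is an assumption, not something the post states.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


class WorkflowError(Exception):
    """A step that would break the promotion rules."""


@dataclass
class Change:
    item: str
    programmer: str
    backup: str                      # LIVE copy taken at check-out (undo)
    state: str = "DEV"               # DEV -> TEST -> LIVE
    approved_by: Optional[str] = None


@dataclass
class Tracker:
    live: dict                                    # item name -> source text
    dev: dict = field(default_factory=dict)
    test: dict = field(default_factory=dict)
    locks: dict = field(default_factory=dict)     # item name -> open Change
    audit: list = field(default_factory=list)     # append-only trail

    def _log(self, who, action, item, text):
        digest = hashlib.sha256(text.encode()).hexdigest()[:12]
        self.audit.append((who, action, item, digest))

    def check_out(self, item, programmer):
        """Pull an item from LIVE into DEV and lock it."""
        if item in self.locks:
            raise WorkflowError(f"{item} locked by {self.locks[item].programmer}")
        original = self.live[item]
        change = Change(item, programmer, backup=original)
        self.dev[item] = original
        self.locks[item] = change
        self._log(programmer, "check_out", item, original)
        return change

    def edit(self, change, who, new_text):
        """Only the lock holder may change the DEV copy, and only before TEST."""
        if who != change.programmer or change.state != "DEV":
            raise WorkflowError("edit refused")
        self.dev[change.item] = new_text
        self._log(who, "edit", change.item, new_text)

    def move_to_test(self, change, who):
        """Copy the DEV version into the end-user testing account."""
        if who != change.programmer or change.state != "DEV":
            raise WorkflowError("move to TEST refused")
        self.test[change.item] = self.dev[change.item]
        change.state = "TEST"
        self._log(who, "move_to_test", change.item, self.test[change.item])

    def approve(self, change, approver):
        """Filling in Approved By triggers the move to LIVE and frees the lock."""
        if change.state != "TEST":
            raise WorkflowError("nothing in TEST to approve")
        if approver == change.programmer:        # assumed separation-of-duties rule
            raise WorkflowError("programmer cannot approve own change")
        change.approved_by = approver
        self.live[change.item] = self.test[change.item]
        change.state = "LIVE"
        del self.locks[change.item]
        self._log(approver, "approve_and_promote", change.item, self.live[change.item])

    def undo(self, change, who):
        """Restore the backup copy taken at check-out."""
        if change.state != "LIVE":
            raise WorkflowError("only a promoted change can be undone")
        self.live[change.item] = change.backup
        change.state = "UNDONE"
        self._log(who, "undo", change.item, change.backup)


def demo():
    """Run the workflow over constructed sample data; return what happened."""
    t = Tracker(live={"INVOICE.POST": "v1 source"})   # constructed item name
    refused = []
    c = t.check_out("INVOICE.POST", "alice")
    try:
        t.check_out("INVOICE.POST", "bob")            # second programmer, same item
    except WorkflowError as e:
        refused.append(str(e))
    t.edit(c, "alice", "v2 source")
    t.move_to_test(c, "alice")
    try:
        t.approve(c, "alice")                         # self-approval attempt
    except WorkflowError as e:
        refused.append(str(e))
    live_before_approval = t.live["INVOICE.POST"]
    t.approve(c, "carol")
    return t, c, refused, live_before_approval


if __name__ == "__main__":
    tracker, change, refused, _ = demo()
    for entry in tracker.audit:
        print(entry)
    print("refused:", refused)
```

The audit trail records who performed each step and a digest of the item at that step, which is the kind of evidence the before/after listings elsewhere in this thread provide on paper.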


Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Marc Hilbert

Steve,
If you have a good set of test data the user can frequently replicate the 
problem in a test environment. You must regularly update your test data. As 
a last resort, there is an emergency password for a programmer to have 
access, in read-only mode to the production data. Sounds tedious, and it is. 
But after a period of adaptation the need to access production data goes 
sharply down as the users and programmers begin to (forcibly) understand the 
need for thorough testing. In this scenario rarely does a faulty 
implementation make its way into production.
I must emphasize that this is not for every user site, total development 
times probably are at least double, but the end result is more than twice as 
solid. But you probably can't sell this to a small or medium size company.

Regards,
Marc

- Original Message - 
From: Steven M Wagner [EMAIL PROTECTED]

To: u2-users@listserver.u2ug.org
Sent: Friday, December 09, 2005 10:27 AM
Subject: Re: [U2] SOX question (United States only, I believe)



Marc

How do the programmers do customer support if they cannot look at the data 
in the production data-base?  It would be hard to research problems if you 
cannot look at live data.


Steve



Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Marc Hilbert

Peter,
I am frequently frustrated at having to spend 2 to 3 times as much time to 
fix something thanks to SOX or SOX-like norms. However if you put yourself 
in the place of a director of a large company who doesn't know the IT staff 
personally, you must bear in mind that your department (IT) holds the key to 
daily operations and any slight mistake - be it intentional (remember that 
the director does not know you, so he doesn't know that you and your entire 
staff are above reproach) or accidental could potentially be much more 
costly than paying for twice as much staff. The other way to look at it is 
that somebody is paying you to be VERY thorough with your work. 
Productivity goes way down, as you say, and so do bugs.

Regards,
Marc


- Original Message - 
From: Peter Gonzalez [EMAIL PROTECTED]

To: u2-users@listserver.u2ug.org
Sent: Friday, December 09, 2005 11:13 AM
Subject: RE: [U2] SOX question (United States only, I believe)



SOX SUCKS! (we have tee shirts with 'SOX SUCKS' on the front)

Our productivity has gone way down. If there is a problem here is what we 
have to do now. And there are plenty of internal and external auditors to 
make sure we do the following.


1. Create a request to modify.
2. Copy the records from LIVE to DEVEL.
3. Debug the process.
4. Mod the program and correct the data records.
5. Create a user approval form.
6. Have the user sign off.
7. Have the IT manager sign off.
8. Notify the manager of programmers of the change
9. The manager of programmers notifies the system admin.
10. The system admin then moves the programs and (or) the corrected data 
records.

11. The system admin then notifies the IT staff of the move.
12. The programmer then notifies the user.

Documentation includes screen shots of all changes, programs, DICT, 
screens and records.  The average doc package is about 8 pages.



-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Steven M Wagner

Sent: Friday, December 09, 2005 8:27 AM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] SOX question (United States only, I believe)

Marc

How do the programmers to customer support if they cannot look at the data
in the production data-base?  It would be hard to research problems if you
cannot look at live data.

Steve

At 08:49 AM 12/9/05 -0300, you wrote:

Good Morning Charlie,
No only a US issue, but also an issue for multinationals with US home
offices. We are in Argentina and have clients that must comply and frankly
we DO separate the DBA role from the programmer role and I am in favor of
this although it is an administrative pain at times. Programmers on these
sites do not get access to the production data-base and only get read-only
to the user testing environment.
Regards,
Marc Hilbert
Pick Professional Center
Buenos Aires,
Argentina.

- Original Message - From: Charlie Rubeor
[EMAIL PROTECTED]
To: u2-users@listserver.u2ug.org
Sent: Thursday, December 08, 2005 6:28 PM
Subject: [U2] SOX question (United States only, I believe)


When we started implementing Sarbanes-Oxley, I knew the question of why we
don't separate the Database Admin role from the Programmer role would come
up.  Has anyone on this list been able to provide a satisfactory answer to
the auditors, without spending a lot of time explaining the benefits of an
MV database?

Charlie Rubeor
Unix/Database Administrator
Wiremold/Legrand
60 Woodlawn Street
West Hartford, CT 06110
Tel: 860.233.6251 x3498
Fax: 860.523.3690
Email: [EMAIL PROTECTED]
Internet: www.wiremold.com

---
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/


--
Steven M Wagner
[EMAIL PROTECTED]
Cary, North Carolina, United States of America


Re: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Richard Brown
 The thing that always cracks me up is that all one has to do in a U2/PICK
 environment is to create q pointers to the main account from the test
 account.  You can look and even modify without having access to that account
 unless it is locked down by logon at the OS level, which I have yet to find
 and as a consultant I have worked on several 'sox compliant' boxes.

 You can even compile a program in the test account, and then copy that to
 the main account via q pointers as long as you copy the voc pointer as well.
 You have to be sure you get the right path for the object code, but that's a
 piece of cake, and then the sox auditors would have absolutely no way of
 finding out who did what if you just delete the q pointers when you're done.

 Not that I would do such a thing (because I get paid by the hour and the
 more complicated the procedure the longer it takes), but it is possible.

 fwiw,

 Allen E. Elwood www.tortillafc.com


Well, there goes any new U2 installs in a SOX company.  No decent auditor
is going to stand for anything like that.

Richard


RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Gordon J Glorfield
That's why we have triggers on our basic program files and on the voc.  If
you do copy something from dev to live, it will show up in the logs.  Then
your supervisor comes to you not in a very genial mood.  You then have to
end up doing the paperwork anyway.


Gordon J. Glorfield
Sr. Applications Developer
MAMSI (A UnitedHealth Company)
301-360-8839

[EMAIL PROTECTED] wrote on 12/09/2005 02:38:04 PM:

[snip]
 The thing that always cracks me up is that all one has to do in a U2/PICK
 environment is to create q pointers to the main account from the test
 account.  You can look and even modify without having access to that account
 unless it is locked down by logon at the OS level, which I have yet to find
 and as a consultant I have worked on several 'sox compliant' boxes.

 You can even compile a program in the test account, and then copy that to
 the main account via q pointers as long as you copy the voc pointer as well.
 You have to be sure you get the right path for the object code, but that's a
 piece of cake, and then the sox auditors would have absolutely no way of
 finding out who did what if you just delete the q pointers when you're done.

 Not that I would do such a thing (because I get paid by the hour and the
 more complicated the procedure the longer it takes), but it is possible.

 fwiw,

 Allen E. Elwood www.tortillafc.com
[snip]




RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Allen E. Elwood
Ahh, but if one were to copy just the object code to the same path as the
voc that already existed in the main account, no trigger would be activated.
Doing this, someone could potentially 'cry war and wreak havoc'.

Or, someone could quickly disable the trigger, do the dirty work and
re-enable, unless that is locked down somehow.

Also, I believe someone told me that triggers didn't work on directories in
UV so it wouldn't work there (unless that someone was wrong).

Just playing the devil's advocate on this - TGIF.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gordon J
Glorfield
Sent: Friday, December 09, 2005 13:55
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] SOX question (United States only, I believe)


That's why we have triggers on our basic program files and on the voc.  If
you do copy something from dev to live, it will show up in the logs.  Then
your supervisor comes to you not in a very genial mood.  You then have to
end up doing the paperwork anyway.


Gordon J. Glorfield
Sr. Applications Developer
MAMSI (A UnitedHealth Company)
301-360-8839

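Added example, not part of the original thread: the messages above point out that database triggers can miss object code copied straight into place at the OS level, so this sketch shows a check that does not depend on triggers, comparing file hashes of a live account against a baseline and a list of signed-off changes. The `BP.O` directory name, the program names and the file contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def unapproved_changes(baseline, current, approved):
    """List (path, kind) for every difference no approved change explains."""
    # approved: path -> digest the signed-off change should produce
    # (None means the removal itself was signed off).
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        if path in approved and approved[path] == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        findings.append((path, kind))
    return findings


def demo():
    """Constructed live account: one approved release, one silent overwrite."""
    with tempfile.TemporaryDirectory() as live:
        objdir = os.path.join(live, "BP.O")  # assumed object-code directory
        os.makedirs(objdir)

        def put(name, body):
            with open(os.path.join(objdir, name), "wb") as fh:
                fh.write(body)

        put("INVOICE", b"object v1")
        put("PAYROLL", b"object v1")
        baseline = snapshot(live)
        put("INVOICE", b"object v2")       # released through change control
        put("PAYROLL", b"object patched")  # overwritten in place, no paperwork
        approved = {"BP.O/INVOICE": hashlib.sha256(b"object v2").hexdigest()}
        return unapproved_changes(baseline, snapshot(live), approved)
```

The baseline and the approved-change list need to live where developer accounts cannot write, otherwise the check has the same weakness as a trigger that can be switched off.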


RE: [ ] - RE: [U2] SOX question (United States only, I believe) - Found word(s) list error in the Text body

2005-12-09 Thread Bob Woodward
So if you're used to working with triggers, you know how to take the
trigger off the file, do the dirty deed, then put the trigger back on.

The bottom line of SOX is that someone in authority is ultimately
responsible for the accuracy of the financial reports that get
published, thereby giving stockholders/analysts/purchasers some kind
of assurance that the numbers they use to base their financial decisions
on are accurate.  All of this is to provide a CYA shield for those
that rely on others to provide them accurate information.

SOX is a good thing, in spite of the complexity it causes, but a bottom
line understanding needs to be propagated up the chain of command that
any programmer worth his/her salt can get into the system, probably
without being detected, to change data or programs regardless of their
title or job duties.  SOX is a lock and locks are only there to keep the
honest people honest.

I was once given a task to change a selection of data so that it
includes two weeks instead of one week.  It took me three days to jump
through all the hoops to document changing a number from 7 to 14 in a
procedure record.

Guess we all have to decide how we react to more government
requirements.

BobW
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gordon J
Glorfield
Sent: Friday, December 09, 2005 1:55 PM
To: u2-users@listserver.u2ug.org
Subject: [ ] - RE: [U2] SOX question (United States only, I believe) -
Found word(s) list error in the Text body

That's why we have triggers on our basic program files and on the voc.  If
you do copy something from dev to live, it will show up in the logs.  Then
your supervisor comes to you not in a very genial mood.  You then have to
end up doing the paperwork anyway.


Gordon J. Glorfield
Sr. Applications Developer
MAMSI (A UnitedHealth Company)
301-360-8839



RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Bill_H
Allen:

Which makes one wonder why in the world security was pulled out of the dbms.
There's something illogical about an O/S administrator knowing better how to
set up security in the application than the application vendor.

Bill 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Allen E. Elwood
 Sent: Friday, December 09, 2005 11:38 AM
 To: u2-users@listserver.u2ug.org
 Subject: RE: [U2] SOX question (United States only, I believe)
 
 The thing that always cracks me up is that all one has to do 
 in a U2/PICK environment is to create q pointers to the main 
 account from the test account.  You can look and even modify 
 without having access to that account unless it is locked 
 down by logon at the OS level, which I have yet to find and 
 as a consultant I have worked on several 'sox compliant' boxes.

[snipped]


RE: [U2] SOX question (United States only, I believe)

2005-12-09 Thread Bruce Nichol

At 17:04 09/12/05 -0800, you wrote:


Allen:

Which makes one wonder why in the world security was pulled out of the dbms.
There's something illogical about an O/S administrator knowing better how to
set up security in the application than the application vendor.

Bill


Might it have something to do with Them that can, do.  Them that can't, 
consult.  Them that can't consult, teach.  Them that are left over from 
that frame legislation against it?







Regards,

Bruce Nichol
Talon Computer Services
ALBURY NSW 2640
Australia

http://www.taloncs.com.au

Tel: +61 (0)411149636
Fax: +61 (0)260232119

If it ain't broke, fix it till it is! 


