Best Practices SOX/HIPAA [Part 1]
Written by RD   
Monday, 03 December 2007

Does a company or organization need to undergo a SOX/HIPAA audit even if it is not a public company? That is for higher management to decide. As a PSADMIN, what we have to do and must not do is all I am going to cover here.

Section 404 is the most important one for DBAs, and I suggest that everyone working as an administrator go through this section; if not in detail, since it is a large document, then at least glance through it.

As you know, noncompliance with SOX at public companies can put the responsible officers behind bars. The SOX documents place the responsibility mainly on the CFO and CEO, but what we can do as PSADMINs is ensure that we follow the procedures meticulously, so that the blame does not trickle down to you internally.

These are the main areas that we miss out on as administrators:

  • Documentation
  • Approvals
  • Auditing
  • Separation of duties
  • Testing

Documentation:
Always keep documentation on what you do, why you do it and who authorized you [very important] to do it in any production system. Document the approval procedures and the time limits.

Approvals:
Get your written approvals [email/document/bugzilla, as long as it is not verbal] before you change anything in production or UAT [User Acceptance Test; yes, it is what is going to production after the QA approval, so it is the same as production]. Some managers will be smart enough to give verbal approvals rather than written ones, but you can send an email confirming your action upon the verbal instruction, to cover your bases.

Auditing:
If you feel there is an area that needs to be audited, don't hesitate to do it. Try to automate it so that you need not spend time on it again, and also ensure you get the report periodically, through cron or a job or a process. And don't forget to save the reports and back them up. Unless the audit reports are saved, they are of no use, especially when some issue comes up at a later date.

Separation of duties:
If you have the authority to enforce separation of duties, do it. If not, report any violation you see, noting that leaving it uncorrected gives more chance for bugs.

Testing:
I realized that in many shops, many things go to production with little or no testing, mostly because it is urgent or is fixing another bug. Notify the person/team responsible for testing that it is going in without testing; at least they can test it, even after it has gone to production, and find any issues with it. Also make sure that the same changes are made in all other environments in the production path cycle.

[SOX/HIPAA is one hell of a hippo, as it is huge. I will try to put it together in parts, as it is going to take a lot of time to cover all of it. Keep checking…]

Last Updated ( Sunday, 17 February 2008 )
© 2009 PSADMIN.org
PSAdmin.org is for & by the PeopleSoft Administrators to share their Experience.