Thursday, December 8, 2016

Auditing JDE: Correcting Production Data and Being SOX Compliant

To err is human. To update the wrong data in the wrong field at the wrong time is a hallmark of every business analyst's career. More often than not the responsibility to correct this data lands on the IT team, and for that they need UPDATE ACCESS TO PRODUCTION!

This brings us to the nightmare scenario of a developer who needs update access in production to make corrections as and when needed. Even though the need is legitimate and the data really does have to be fixed, a SOX auditor will not accept a developer holding standing update access on production data. To keep the auditor happy and maintain their faith in the integrity of your financial data, you need to design a process that not only gets the job done but also keeps you SOX compliant.

Let's examine one such process:

  1. For this to work you need three teams: the help-desk team, the DBA team and the application support team.
  2. The DBA team designs a functional (non-personal) account on the database with update access and a self-expiring password. Once generated, the password should expire in 4 hours.
  3. Put every support team member who may update data in production on a list that records each member's answers to a few secret questions, personalised per member.
  4. Share this list with the help-desk team. Train them to challenge the caller with a secret question and verify the answer against the list before forwarding the password request to the DBA team.
  5. Once a data issue is identified, the Business Analyst raises a high-priority Incident in the Incident Management System.
  6. The Incident is assigned to the app support team, who raise an Emergency Preventive Change Order to update the data, citing the Incident just created by the Business Analyst.
  7. Once the CO is raised, the app support team member calls the help-desk to request the password for the functional account.
  8. The help-desk team coordinates with the DBA team to have the password generated and then passes it on to the app support team member.
  9. With the password in hand, the app support team member updates the data requested in the INC, closes the INC and closes the CO, and lets the password expire.
  10. This maintains a chain of control over the account used to make the update and also records that the account was used only for its intended purpose.

This 10-step plan not only maintains data integrity but also documents each update, commonly referred to as a back-end update to the database.
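Steps 2, 9 and 10 are the technical core of the process: a break-glass account whose password dies on its own, and evidence of what it touched. The following is an added example of how a DBA team might build that account; it is not from the original post. It assumes an Oracle database behind JDE (the post does not name the RDBMS) and Oracle 11g-style traditional auditing; the profile name BREAK_GLASS, the account JDE_FIX and the target table PRODDTA.F0101 are illustrative and should be replaced with whatever the change order actually names.

```sql
-- Added example, not from the original post.
-- Assumed: Oracle Database behind JDE, run as a DBA.
-- Names (BREAK_GLASS, JDE_FIX, PRODDTA.F0101) are illustrative.

-- 1. Profile: password lives 4 hours after it is set, with no grace period.
--    Oracle expresses PASSWORD_LIFE_TIME in days, so 4 hours is 4/24.
CREATE PROFILE break_glass LIMIT
  PASSWORD_LIFE_TIME    4/24
  PASSWORD_GRACE_TIME   0
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME    UNLIMITED
  SESSIONS_PER_USER     1;

-- 2. Functional account, created locked and already expired,
--    so nobody holds a standing password for it.
CREATE USER jde_fix IDENTIFIED BY "initial-placeholder-never-used"
  PROFILE break_glass
  PASSWORD EXPIRE
  ACCOUNT LOCK;
GRANT CREATE SESSION TO jde_fix;
-- Scope grants to the tables the change order names, never UPDATE ANY TABLE.
GRANT SELECT, UPDATE ON proddta.f0101 TO jde_fix;

-- 3. Audit every UPDATE the account issues (traditional auditing;
--    audit_trail must be DB,EXTENDED for SQL_TEXT to be captured).
AUDIT UPDATE TABLE BY jde_fix BY ACCESS;

-- === Per request, after help-desk verification and an open change order ===
-- The DBA sets a fresh, out-of-band generated password (this restarts the
-- 4-hour PASSWORD_LIFE_TIME clock) and unlocks the account.
ALTER USER jde_fix IDENTIFIED BY "<fresh-random-password>" ACCOUNT UNLOCK;

-- Expiry alone is not enough: an EXPIRED account can still log in and is
-- merely forced to choose a new password. Schedule a hard lock at the
-- 4-hour mark. The job owner needs ALTER USER granted directly, not via a role.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name   => 'LOCK_JDE_FIX_' || TO_CHAR(SYSDATE, 'YYYYMMDDHH24MI'),
    job_type   => 'PLSQL_BLOCK',
    job_action => 'BEGIN EXECUTE IMMEDIATE ''ALTER USER jde_fix ACCOUNT LOCK''; END;',
    start_date => SYSTIMESTAMP + INTERVAL '4' HOUR,
    enabled    => TRUE,
    auto_drop  => TRUE);
END;
/

-- === Evidence for the auditor, attached to each INC/CO ===
-- Account state: expect LOCKED (or EXPIRED & LOCKED) once the window is over.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'JDE_FIX';

-- What the account actually changed during the window.
SELECT timestamp, os_username, userhost, obj_name, action_name, sql_text
  FROM dba_audit_trail
 WHERE username = 'JDE_FIX'
   AND timestamp >= SYSDATE - 1
 ORDER BY timestamp;
```

Two caveats worth keeping in the runbook: ACCOUNT LOCK does not terminate a session that is already connected, so SESSIONS_PER_USER 1 plus a DBA check (and kill) of any open JDE_FIX session at close of the change order completes the lock-out; and the grants on the account should be revoked, not just left in place, once the ticket that justified them is closed.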
