SOX是否限制对QA环境或只是生产的访问? [英] Does SOX restrict access to QA environments or just production?
问题描述
我们的开发团队有4个环境:
开发人员,测试,质量检查和生产,并在整个环境中改变顺序。
Our dev team has 4 environments: Dev, Test, QA and Production and changes progress in that order across the environments.
SOX作为拒绝团队领导的原因,开发人员和测试人员在测试,QA和生产环境中更新只读访问数据库对象。因此,我们无法验证部署是否正确执行。
Our DBA has given "SOX" as the reason for denying team leads, developers and testers update READ ONLY access to database objects on the Test, QA, and Production environments. As a result, we cannot verify that deployments were correctly performed.
我可以看到限制对生产数据的访问。数据可能是敏感的。但是,我们拥有对数据的完全读取访问权限。但我想能够看到生产中的代码,以验证它是应该在生产中的代码,并且没有不正确地部署或忽略部署。即使我们的部署过程是自动化的,仍然需要验证自动化过程是否按预期工作。
I can see limiting access to production data. The data may be sensitive. However.we have full read access to the data. But I want to be able to see the code in production to verify that it is the code that SHOULD be in production and that something was not incorrectly deployed or left out of the deployment. Even if our deployment process were automated, there would still be a need to verify that the automated process worked as expected.
Dos SOX法律要求真的限制了对非生产环境的访问? SOX真的有什么要说是否应该拒绝开发人员只读访问生产数据库对象(代码/模式)还是这个限制真的自我强加?
Dos SOX legal requirements really limit access to non production environments? Does SOX really have anything to say on whether developers should be denied READ ONLY access to Production database objects (code/schema) or is this restriction really self imposed?
推荐答案
根据我的理解,在我的经验中,SOX合规性导致我没有对生产数据库的任何读取访问。这可能是因为在那里的信用卡号码,因为在我们的开发环境,实际的数字被改变和加密,所以我们看不到任何东西。
From what I understand, and in my experience, SOX compliance led to me not having any read access to the production database. This could be because of things like credit card numbers being in there, as, in our development environment, the real numbers were changed and encrypted, so we couldn't see anything anyway.
此外,在正确的部署文档中,您应该在QA上模拟在生产环境中会发生什么,因此您不应该在QA上执行任何操作,因为如果您必须执行某些操作,则会出现问题您的部署文档。您应该修复您的文档,以便系统管理员可以在没有开发人员的任何帮助的情况下进行部署。
Also, in a proper deployment document you should simulate on QA what will happen when going to production, so you shouldn't be able to do anything on QA, as, if you have to do something then there is a problem with your deployment docs. You should fix your docs so that the sysadmins can do the deployment without any help from the developers.
在一家公司,他们实际上在不同的网络上有QA,
At one company they actually had QA on a different network that the developers basically couldn't get to, in order to comply with SOX regulations.
此文档可能会帮助您:
http://hosteddocs.ittoolbox.com/new9.8.06.pdf
This document may help you out: http://hosteddocs.ittoolbox.com/new9.8.06.pdf
这篇关于SOX是否限制对QA环境或只是生产的访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
