IT Data Updates and Auditors

260 pts.
Tags:
AS/400
Auditors
DFU
FILMNT
iSeries
SQL
I would like to hear how other shops deal with auditors regarding data updates made by IT staff.  

We use DFU/FILMNT/SQL for occasional data fixes. We print and file a log with who and why the change was made. Then to appease the auditors, we journal pretty much everything. A report is generated twice a day that shows any of these update methods and the object updated. The idea being - the auditor pulls a report out of a pile and should be able to find the documentation for that update in our paper files.

This is a big waste of system resources in my opinion. Recently we have started using an offsite vaulting scheme for all of our backups - we would like to get off the journalling merry-go-round for good.

So I'm hoping some of you will share with me how this works in your shop.  

Discuss This Question: 3  Replies

 
  • Lovemyi
    This is pretty much how we do it except we use Authority Broker and EZVIEW to gather the information for the auditors. Authority Broker gives the IT staff the needed authority and tracks the commands they issue during the use of the extended authority, and EZVIEW records in a log the changes made to a database. There are other packages as well on the market that do the same thing, but you need to have at least audit journaling active to collect some of their transactions. Hope this helps. Lovemyi
  • Sunsetrider
    I'm assuming you are making changes to 'production' data. Who is responsible for maintaining the data (I suspect it's not the IT staff)? This should not be any different than your process for changing production applications. I would expect the following info to be available whenever changes to production data were made by 'non regular' means:
    - who made the changes
    - date/time of changes
    - identify the changes (before/after views, delta view, etc.)
    - why the changes were made this way (may help eliminate this process)
    - who approved/authorized the changes (owner/steward of data base)
    - backout facility (how to remove the last set of changes easily)

    If this is going to be an ongoing procedure, then you might want to formalize this process and make it legitimate. You may want to define a regular 'client' process so that the owner/steward can make these changes. Just my 2 cents worth. Regards
  • LetItBe
    Lovemyi - I am looking into the software and audit journalling you mentioned to manage this auditing information. Thanks!

    Sunsetrider - Yes, I am talking about "production" data. We use change management software for new or updated applications. The auditors can see if anything is in production that was not put there by the change management tool. We do review our Update logs a few times each year to see which kinds of updates occur more than once, to determine if a system needs a fix or a new process for the user community to maintain "legitimately" using a program with security and validity edits. I understand and agree that the things you mention should be available for 'non regular' updates. Besides the auditors, our files have been helpful for our programmers to go back and review incidents from previous months, etc. Our shop is very small, so I am looking for less cumbersome ways to appease the auditors. Thank you for your response.
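
The reconciliation this thread describes, where every update on the twice-daily report should trace to a filed, approved fix record, sketched here as an added example that is not code from any poster. The record layouts, key names, the 30-minute matching window and the approver rule are assumptions, and all sample rows are constructed.

```python
from datetime import datetime, timedelta

# Items Sunsetrider lists for each out-of-band change; key names are assumptions.
REQUIRED = ("who", "when", "what_changed", "why", "approved_by", "backout")
WINDOW = timedelta(minutes=30)  # assumed tolerance between paperwork and update

def reconcile(report_rows, fix_log):
    """Return [(report_row, reason)] for updates an auditor could not trace."""
    findings, used = [], set()
    for row in report_rows:
        idx = next((i for i, doc in enumerate(fix_log)
                    if i not in used and doc["who"] == row["user"]
                    and doc["object"] == row["object"]
                    and abs(doc["when"] - row["time"]) <= WINDOW), None)
        if idx is None:
            findings.append((row, "no documentation on file"))
            continue
        used.add(idx)  # one log entry documents one reported update
        doc = fix_log[idx]
        missing = [f for f in REQUIRED if not doc.get(f)]
        if missing:
            findings.append((row, "incomplete: " + ", ".join(missing)))
        elif doc["approved_by"] == doc["who"]:
            # Assumed rule: the approver is the data owner, not the person making the fix.
            findings.append((row, "approved by the person who made the change"))
    return findings

def t(hhmm):
    return datetime.strptime("2024-03-05 " + hhmm, "%Y-%m-%d %H:%M")  # constructed date

# Constructed sample of the twice-daily report: update method, user, object, time.
REPORT = [
    {"method": "DFU", "user": "JSMITH", "object": "PRODLIB/ORDERS", "time": t("09:12")},
    {"method": "SQL", "user": "JSMITH", "object": "PRODLIB/CUSTMAST", "time": t("10:40")},
    {"method": "FILMNT", "user": "MJONES", "object": "PRODLIB/INVBAL", "time": t("11:05")},
    {"method": "SQL", "user": "MJONES", "object": "PRODLIB/ORDERS", "time": t("14:30")},
]
# Constructed sample of the filed fix log (the "paper files" keyed in).
FIX_LOG = [
    {"who": "JSMITH", "object": "PRODLIB/ORDERS", "when": t("09:05"), "why": "stuck order",
     "what_changed": "status H to O", "approved_by": "KLEE", "backout": "reset status to H"},
    {"who": "JSMITH", "object": "PRODLIB/CUSTMAST", "when": t("10:35"), "why": "bad zip code",
     "what_changed": "zip corrected", "approved_by": "", "backout": ""},
    {"who": "MJONES", "object": "PRODLIB/INVBAL", "when": t("11:00"), "why": "count variance",
     "what_changed": "on-hand qty", "approved_by": "MJONES", "backout": "restore prior qty"},
]

if __name__ == "__main__":
    for row, reason in reconcile(REPORT, FIX_LOG):
        print(row["time"], row["method"], row["user"], row["object"], "->", reason)
```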
