I received an advertisement brochure recently. Prominently displayed in a front-page section was this eye-catching question: "Is compliance taking over your life?"
I responded (out loud, even): "Not anymore."
It occurred to me how much less stressed my professional life is now that I am working for a private firm. The stress from my former Fortune 500 corporate experience was due in large part to Sarbanes-Oxley compliance - or rather the interpretation of Sarbanes-Oxley compliance.
Whether you agree with the legislation or not, most admit there was clearly a need to do something in response to the WorldCom and Enron scandals. So, something was done. Personally, I believe the legislation attacks the wrong side of the equation for this reason: there were already laws on the books to address the crimes committed at these corporations. If Congress truly wants to protect investors, educate them. And if Congress simply must pass a new law, pass legislation requiring investors become certified before being allowed to invest in publicly traded companies. (Step 1: A DVD of me pointing at the camera, screaming "YOU CAN LOSE ALL YOUR MONEY IF YOU PUT IT IN THE STOCK MARKET... ALL OF IT!!! DO YOU UNDERSTAND?!?" Step 2: Sign the document acknowledging you understand what you learned at Andy's School of Investing.)
But I digress...
While I was enduring the stresses placed upon a sole database administrator group manager by internal auditors, a colleague mused: "Those who can, do. Those who cannot, teach. And those who cannot do or teach, audit." That was mean (...apologies to all my auditing readers out there...), but I think I understand the underlying sentiment.
Given the tools on hand, we were faced with unpleasant choices:
I chose to be honest. My reward was pressure from every imaginable angle.
From business, sales, and accounting, "Why can't you just comply and end all this?"
From auditors, "We will have to report this to _____. They will open an incident. It will be filed with the SEC. It will be made public."
From executives, "Make this go away."
It was ugly. And it all stems from an open season on business data. Heck, the auditors at my former employer were reaching into the personal development databases of developer workstations. I understand some of it, but not all.
I'm interested in your thoughts on the matter. Have any of you had similar experiences with SOx compliance?
:{> Andy
In his excellent blog, my friend and co-author Haidong Ji thanks Andy, Brian, and Steve for SQLServerCentral.com. I second the sentiment! We, the SQL Server community, are indeed fortunate to count them among us. The innovation and vision offered by Andy, Brian, and Steve (listed in alphabetical order here...) in creating and maintaining the SQLServerCentral community often goes unnoticed - which is itself a testament to their hard work and diligence.
In short, thanks guys!
I will be delivering a Beginning SSIS Development presentation at the Baltimore SQL Server User Group meeting 1 Feb 2006, and at the Hampton Roads SQL Server User Group 16 Feb 2006.
Thomas Edison said "Genius is 10% inspiration and 90% perspiration." (Edison was a renowned workaholic... in competition most of his career with another type of genius, Nikola Tesla...)
Is this accurate in modern IT? If so, what motivates you to put forth that 90%?
Is it money? fame? the rush that accompanies watching your efforts execute in Production?
I've created a thread in the forums for responses.
I recently documented building a virtual server for use with the Team Foundation Server Dec 2005 CTP. It was a lot of fun / work - and it's documented at VSTeamSystemCentral.com.
An opportunity at work prompted use of another virtual server to facilitate a data-transformation-intense software migration. In order to make this particular migration work, I needed to install an old ODBC driver. I did not have access to the driver installation - apart from installing a suite of software products purchased back in the day. I needed to land the migrated data on an existing test server and I did not want to corrupt other software currently installed there.
So... I built a VPC, installed Windows and SQL Server 2k. I loaded the legacy software package, which installed the driver, then built some DTS packages to migrate the data from the source to my target server. Voila!
It's worked wonderfully. Among the many benefits is the low impact to our existing Development / Test environment.
This experience - coupled with clustering functionality built into Virtual Server 2005 R2 - has me seriously considering Production Virtual Servers. Thoughts?
Which are you? Gatekeeper or roadblock? ... or none of the above?
When it comes to database work, both stop "things" from occurring. Here's a couple/three questions I ask myself when my knee begins its pre-jerk twitch:
1. Are we in the data-protection business? Does this business in general - and my job specifically - exist solely to guard this data from everyone? I am still quoted at a manufacturing facility. I once said to a network engineer: "I understand, we're a network company. Apologies if all these ____-making efforts are getting in your way." (... for some reason, I no longer work in manufacturing...)
2. Does this request support or provide business value? Not: Is it a duplication of data? or even: Does it violate 3rd normal form?
3. Perhaps the most important question when I truly disagree with the request (which is rare, mind you): Is this battle worth fighting?
I consider myself a little of both gatekeeper and roadblock, at times. Mostly, I see my DBA role in the IT department as facilitator. When someone shows up with a request, I endeavor to help them succeed.
How about you?
Found a great article on Everyday Leadership.