Are you compliant with Sarbanes-Oxley security requirements for OD

Guest

I have just been told by someone in my IT department that soon we will no
longer be able to use Microsoft Access to access data on our servers via ODBC
connections!

We log in to ODBC-linked tables now using a username and password prompted
to be entered when we click on an ODBC-linked table, but they say when they
make the servers Sarbanes-Oxley compliant, that we will be unable to use MS
Access to get the data. That we will have to use "other tools" to get the
data.

This is rather alarming since my group has numerous extensive MS Access
databases written against existing ODBC-linked tables that are used daily to
report and manage the business.

Can this be true? Will we have to re-write our tools into "other tools"?
Say it's not so!
 
Lynn Trapp

I'm not an attorney nor an expert on Sarbanes-Oxley, but I don't see any
reason why an Access frontend can't be made SOX compliant. As long as you
take care to protect the integrity of the data and put some really tight
constraints on your users, you should be able to do it in Access, especially
if you keep all the data in your server side database.

--
Lynn Trapp
MS Access MVP
www.ltcomputerdesigns.com
Access Security: www.ltcomputerdesigns.com/Security.htm
Jeff Conrad's Access Junkie List:
http://home.bendbroadband.com/conradsystems/accessjunkie.html
 
Guest

Yes, all data resides on the server side. My group merely logs in via an
ODBC connection to the server and takes the data that we were granted
userid/login access to and massages it to categorize/group & derive info the
way we need to see it in our reports.

So, I don't see any reason why as long as they make the data and access to
the servers compliant with Sarbanes-Oxley, that we should have any problems
continuing to access those servers via ODBC connections using MS Access (a
software we know and use every day).

Thanks Lynn for your 2 cents! Anyone else have any other info to add??
 
Lynn Trapp

> Yes, all data resides on the server side. My group merely logs in via an
> ODBC connection to the server and takes the data that we were granted
> userid/login access to and massages it to categorize/group & derive info
> the way we need to see it in our reports.

I have the feeling that it's the massaging of the data in Access that your
IT person is concerned about. You may need to demonstrate to that person
that what you are doing is compliant and that you have implemented
sufficient controls in your Access frontend to prevent someone from
destroying the integrity of the data.
 
Immanuel Sibero

Hi Worksfire1,

This seems absurd. Did you ask exactly what makes Access "non-compliant"
with SOX? And what makes other tools "compliant"?
I imagine "other tools" that they mention can pretty much do what Access can
do in terms of accessing, manipulating data, etc.

Compared to "other tools", Access simplifies the process of accessing,
manipulating data. It also provides rapid application development. It does
not / can not compromise data store (server) security any more than any
other tools can.

As Lynn pointed out, maybe the security scheme implemented at the server
level is not compliant.


Immanuel
 
david epsom dot com dot au

Compliance is something that is determined by management
and auditors - it does not have a technical definition.

It is likely that your IT people have a fairly poor
understanding of data security.

You can connect to SQL Server data using ODBC, OLEDB,
ADO, Telnet, etc and lots of variations within, between
and in addition to those technologies.

But they might mean that you will only be allowed a Web
interface. That is, no network connections at all. So
you would have to re-write all your apps as ASP -- or
organise for daily file downloads and run your own
parallel database.

You need to work out what they mean, and then if you are
going to co-operate or try to do an end run.

The good news is that when you request extra funding
to do the new work for inter-operability with the
new system, you can say that is required for S-O
compliance - which is what your IT people said to
management to get funding for their pet project...

(david)
 
TC

One question is whether your Access databases have been developed with
the support (or at least, knowledge) of your IT department, or whether
you have done them "under the radar", as it were.

If the former, then, you should object to your and/or IT's management,
that there needs to be a project plan in which the impact of this
change, on your databases, is properly addressed, and there is a
documented method & timeframe for addressing it.

If the latter, ie. you did the databases under the radar, then, you
probably won't get much sympathy from the IT folks and/or their
management!

HTH,
TC
 
