Acing an Audit
I’ve been through relatively few audits in my database career. I’ve worked in a few industries that didn’t require them, and avoided the stringent requirements of PCI and HIPAA. ISO 9000 was the first audit I encountered and I had been preparing for Sarbanes-Oxley (recently passed) when I left that company to come work for SQLServerCentral.
The preparation for an audit required a lot of work, meetings, and organization. The first time I suffered through an ISO audit, I was amazed at how much of our daily work was interrupted and the time spent ensuring we would pass the audit. The second time wasn’t much better, though I’d instituted some processes and controls for the DBA group that did reduce the amount of preparation needed for our portion of the audit.
I wish that more companies I’d worked for had actually built the controls, security, and documentation into their processes. Maybe then they’d only need a 30-minute window to prepare for the audit. That’s what an insurance company needed to do recently, according to this piece. I found many of the rules and regulations required in the ISO and SOX documents to be ones I’d want to implement for my database systems. The hard part was getting management to agree and implement the rules as part of our daily work.
I did find it interesting that the company had built their own software to match their processes and allow employees to work efficiently. Lots of companies have struggled with the idea of becoming their own software company, but if software is truly going to be an important part of most businesses, perhaps it’s a good investment for most of them.