Can anyone tell me WHERE in the Sarbanes-Oxley Act of 2002 it says that programmers cannot touch production systems? I know SOX 404 speaks to an internal IT control framework, but I cannot find where it specifically requires by law that programmers not have access to production systems (db servers, etc). I do not argue the validity of this being "best practice", however I doubt it is "against the law".
Programmers being on production systems is not contrary to SOX compliance. That would be an unreasonable expectation given that programmers often need to fix production code or applications on-the-fly. Companies could potentially end up losing so much money they would fight tooth-and-nail to keep such a thing from being illegal. There is a recognized need for programmers to be in production, especially in emergency situations.
That being said, as you stated, it is not best practice to have programmers in production on a regular basis. That is what development and testing environments are for during the pre-production process. Production is not the place for programmers to test or develop their code.
May 12th, 2010 at 11:24 am