Security Basics mailing list archives

Re: Conflict of interests


From: aaa.bbb () ccc com
Date: 4 May 2009 20:02:28 -0000

Actually, if you have the situation properly documented and LOGGED (audit trail), there shouldn't be an issue with the auditors. Naturally, logging implies that each person has a UNIQUE ID that is logged: no more shared "God Access" IDs. Although it may take a discussion with them to explain why it is unavoidable. So why not be proactive: if you suspect that auditors will be concerned, arrange to meet with them before the audit to find out what their concerns would be and how they would like those concerns to be addressed. As a Security person you have to change your perception of auditors. They are not the enemy; they should be your allies. They can provide an independent set of eyes with a different perspective to review your work, identifying potential vulnerability(ies) that you may have missed.

Don't forget, many DB applications now have admin-level access that allows access to metadata but not directly to specific data stored in the DB. I don't know specifically if the newest versions of Windows Active Directory or Nix provide that type of separation-of-duties access.
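The post's point is that an audit trail only satisfies an auditor if every privileged action can be tied to one named person, which a shared "God Access" ID defeats. The following is an added example, not code from the original post or its author: a small Python check that parses a constructed, line-oriented audit log and flags privileged actions performed under generic shared accounts. The log format, the list of shared account names, and the set of actions treated as privileged are all assumptions made for the example.

```python
"""Audit-trail check for privileged actions run under shared account IDs.

Assumed log format (one event per line, constructed for this example):
    <timestamp> user=<id> action=<verb> target=<object>
"""
import re
from collections import Counter

# Constructed sample log lines; not real data.
SAMPLE_LOG = """\
2009-05-04T20:01:02Z user=jsmith action=ALTER_TABLE target=hr.salaries
2009-05-04T20:01:15Z user=root action=READ target=hr.salaries
2009-05-04T20:02:40Z user=sa action=DROP_TABLE target=finance.ledger
2009-05-04T20:03:01Z user=mchen action=READ_SCHEMA target=hr.salaries
2009-05-04T20:04:11Z user=admin action=GRANT target=finance.ledger
"""

# Generic account names that cannot be tied to one person (assumed list).
SHARED_IDS = {"root", "sa", "admin", "administrator", "dba"}

# Actions considered privileged for this check (assumed list); note that
# READ_SCHEMA (metadata only) is deliberately left out, mirroring the
# metadata-but-not-data admin role the post mentions.
PRIVILEGED_ACTIONS = {"ALTER_TABLE", "DROP_TABLE", "GRANT", "READ"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+target=(?P<target>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_shared_account_use(events, shared_ids=SHARED_IDS, privileged=PRIVILEGED_ACTIONS):
    """Return the events where a privileged action ran under a shared ID."""
    return [e for e in events if e["user"] in shared_ids and e["action"] in privileged]


def accountability_summary(text):
    """Summarise how many privileged events are not attributable to a unique ID."""
    events = parse_log(text)
    privileged = [e for e in events if e["action"] in PRIVILEGED_ACTIONS]
    flagged = find_shared_account_use(events)
    per_user = Counter(e["user"] for e in flagged)
    return {
        "total_events": len(events),
        "privileged_events": len(privileged),
        "unattributable": len(flagged),
        "shared_ids_used": dict(per_user),
    }


if __name__ == "__main__":
    for e in find_shared_account_use(parse_log(SAMPLE_LOG)):
        print(f"{e['ts']} shared account {e['user']!r} did {e['action']} on {e['target']}")
    print(accountability_summary(SAMPLE_LOG))
```

Run against the constructed sample, three of the four privileged events are flagged as unattributable because they ran as root, sa and admin; the metadata-only READ_SCHEMA by a named user is not counted as privileged. In practice the shared-ID list and the privileged-action set would come from the organisation's own account inventory and policy.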

