
Kevin Kline

Is it Time for a Professional Code of Ethics for DBAs?

The root of this blog post is witnessing one too many DBAs, either through direct action or indirectly by failing to act, damage or destroy the very databases they are charged with protecting.  In a sense, DBAs are the guardians of an extremely valuable corporate asset - its data.  But a large number of DBAs, while responsible for databases, have no idea how to be a proactive guardian of that data.  And, in my opinion, that is a moral and ethical breach more than it is a technical shortcoming.  This is even more important when we consider that some of these databases have a direct impact on human lives, particularly medical, security, and defense related data.  (I write more about this topic in my monthly column in Database Trends & Applications Magazine.)

When we consider other professions with a direct effect on human lives, we can see that they have all implemented professional codes of ethics.  Famously, the Hippocratic Oath of doctors is just the beginning.  "First, do no harm."  Professional Engineers (PEs), whose buildings might fall down on our heads were they only motivated by maximizing profits, must adhere to seven fundamental canons.  Among them, PEs shall hold paramount the safety, health, and welfare of the public, and PEs shall perform services only in areas of their core competency.  Even professions that affect our finances (e.g., certified public accountants) and contractual obligations (e.g., lawyers) are sworn to uphold professional codes of ethics.

The Association for Computing Machinery has a rather long code of conduct for a variety of computer-related disciplines.  But the closest it gets to a DBA-type role is one for a systems engineer.  Certainly, it has some passages which are reusable, such as those related to conflicts of interest.  Honestly, though, it's not that close.  I think we need our own - a code of ethics for DBAs, database programmers, and BI professionals.

So - what do you think?  What are some ethical standards that we should aspire to?  What are some big ethical lapses that you've witnessed, and that we should be sure to avoid as true professionals?

Published Tuesday, April 21, 2009 4:13 PM by KKline


Comments

Greg Linwood said:

DBAs will always make mistakes so the #1 rule should focus on assurance that recovery from mistakes is always possible. Having a solid DR is numero uno & any DBA that doesn't have one of these (or a DOCUMENTED reason why not) shouldn't be a DBA.

April 21, 2009 6:23 PM
 

Denis Gobo said:

I am not sure that it will help...how many lawyers, cops, doctors, CEOs, CFOs do you see in the news breaking the law?...a ton

It would probably be better if they were trained well

Adam posted something (not quite the same) here: http://sqlblog.com/blogs/adam_machanic/archive/2007/05/24/editorial-get-rid-of-the-bad-apples-in-it.aspx

He got a ton of different opinions in the comments

April 22, 2009 2:41 PM
 

Michael K. Campbell said:

Kevin,

I agree whole-heartedly about the perils of what can happen. But I've also seen entirely too many companies be way too cavalier about letting good/expensive DBAs go, and just throw this 'IT task' over the fence to someone without enough training, understanding, or sometimes even gumption to be tasked with keeping all of a company's eggs in the basket. In fact, I call these people 'reluctant DBAs'... and many of them are accidents waiting to happen. But I'm not sure how much they are at fault.

In other words, management is just as guilty in those cases of putting someone without the chops behind the wheel as the person behind the wheel. I mean... who would just decide that their CEO was overpaid and replace him/her with a fairly talented office manager?

April 22, 2009 7:08 PM
 

andyleonard said:

Hi Kevin,

  I dislike bureaucracy. I'm on record as disliking it, and that hasn't changed.

  However...

  I think you make solid points here. Perhaps it was the reference to PE's - that's a solid analogy in my opinion.

  Next, I think we have to find an organization to propose, manage, and maintain such an effort. I think PASS is an obvious choice. What do you think?

:{> Andy

April 23, 2009 1:38 PM
 

Glenn Berry said:

Part of the problem is that SQL Server is a double edged sword. It is pretty simple to get it installed and running for someone who has no clue what they are doing. They have no idea what a backup strategy is, what recovery model they are using, no DR plan, etc.

A clueless DBA can cause a lot of damage...

April 24, 2009 12:30 PM
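Greg Linwood's point (recovery from mistakes must always be possible) and Glenn Berry's (installs that run for months with no backup strategy and an unknown recovery model) come down to the same check. The T-SQL below is an added example, not code from the post or its commenters: it lists every online database on the instance with its recovery model, its last full and last log backup, and a status flag. It reads only `sys.databases` and the `msdb.dbo.backupset` history table, assumes SQL Server 2008 or later (for `DECLARE` with an initialiser), and the two age thresholds are placeholders for whatever the local policy actually says.

```sql
-- Added example, not from the original post: audit which databases on an
-- instance have no recent full backup, and which FULL / BULK_LOGGED databases
-- have no recent log backup. Reads only catalog views and msdb backup history.
-- Assumes SQL Server 2008+; the thresholds below are placeholder policy values.
SET NOCOUNT ON;

DECLARE @FullBackupMaxAgeHours  int = 24;
DECLARE @LogBackupMaxAgeMinutes int = 60;

WITH LastBackups AS
(
    SELECT
        bs.database_name,
        MAX(CASE WHEN bs.type = 'D' THEN bs.backup_finish_date END) AS last_full, -- 'D' = full database backup
        MAX(CASE WHEN bs.type = 'L' THEN bs.backup_finish_date END) AS last_log   -- 'L' = transaction log backup
    FROM msdb.dbo.backupset AS bs
    GROUP BY bs.database_name
)
SELECT
    d.name                 AS database_name,
    d.recovery_model_desc,
    lb.last_full,
    lb.last_log,
    CASE
        WHEN lb.last_full IS NULL
            THEN 'NEVER BACKED UP'
        WHEN lb.last_full < DATEADD(hour, -@FullBackupMaxAgeHours, GETDATE())
            THEN 'FULL BACKUP STALE'
        WHEN d.recovery_model_desc <> 'SIMPLE'
         AND (lb.last_log IS NULL
              OR lb.last_log < DATEADD(minute, -@LogBackupMaxAgeMinutes, GETDATE()))
            THEN 'LOG BACKUP STALE'   -- log file keeps growing; point-in-time restore at risk
        ELSE 'OK'
    END                    AS backup_status
FROM sys.databases AS d
LEFT JOIN LastBackups AS lb
       ON lb.database_name = d.name
WHERE d.name <> 'tempdb'             -- tempdb cannot be backed up
  AND d.source_database_id IS NULL   -- skip database snapshots
  AND d.state_desc = 'ONLINE'
ORDER BY
    CASE WHEN lb.last_full IS NULL THEN 0 ELSE 1 END,  -- never-backed-up databases first
    lb.last_full;
```

Two caveats go with this check. `backupset` only records that a backup command completed; it does not know whether the file still exists, was copied off the server, or restores cleanly, and the history can be emptied by `sp_delete_backuphistory`, so a clean result here is necessary but not sufficient. The assurance Greg is asking for comes from periodically restoring the backups somewhere else (at minimum `RESTORE VERIFYONLY`, preferably a full restore onto a second instance) and keeping the record of that. And a `FULL` recovery model with no log backups is the classic "reluctant DBA" symptom: the database looks protected, but the log grows until the disk fills.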
 

Rajib Bahar said:

How about a milder version of this code of ethics from the BARS [http://www.abanet.org/cpr/mrpc/mrpc_toc.html]?

April 24, 2009 3:39 PM
 

Rajib Bahar said:

This issue raises a few questions...

Will there be a tracking system for this DBA ethics database? Maybe some kind of point system... if someone goes beyond 100 pts, then it marks the end of the DBA's career? Will there be an appeal process?

What kind of disciplinary actions do you propose?

How many times did a DBA drop a database? 10 pts per offense as reported by the org

How many times did a DBA accidentally truncate the wrong table? 5 pts per offense as reported by the org

What if the above disciplinary actions are too harsh?

Shouldn't it be the org that defines the conduct and expectation?

April 24, 2009 3:51 PM
 

AJ said:

Ethics and Integrity go hand in hand with our Values and Morals that we are taught and learn as we grow up. Having some sort of Code of Conduct would be nice but almost impossible to implement and enforce. Take for example certification in the flavor of database we work with daily. I have been a DBA for more than 10 years and don't hold any certifications. That being said, my personal Ethics and Integrity are exceptional. Not just according to me either. The company I work for noticed this and has formally made note of this and rewarded me as well.

Having some sort of formal Code of Conduct would be nice but only people with Ethics already will follow the "Code". Or to use an analogy.

Locks keep honest people honest. If someone is determined to gain entry they will.

My 2 cents

Cheers!

April 27, 2009 9:57 AM
 

geekette said:

I'm with AJ - sounds great, but unenforceable.  

Also agree with earlier post that organizations often do it to themselves.  For example, a moratorium on new servers has just come out - no more for 3 years.  For the brand new servers running my apps, no problem, but for the boxes that are already 4-5 years old and have suffered through numerous power outages and server room heat spikes, that's nuts.  Hardware can only live so long, and we've been on borrowed time for a long while now as it is.  Another 3 years is courting disaster.  DR is useless when the best I can do is hope that a dead server can be brought to life, with certain death coming.  "Being brought up on charges" for something beyond my control is not something I want to experience.

No code of ethics enforced on me can change the bad decisions made far above me.  My job requires equipment and network.  If either of those are faulty, there is only so much I can do.

All that said, I tend to live by a "beyond reproach" methodology - if I don't have any business poking around in something, I don't.  If it's in my area of responsibility, I take care of it - monitor, update, troubleshoot, what have you.  Get in front of any issues before they become problems.  And when I'm too late, fix and restore.

I think people either have integrity or they don't.  

April 27, 2009 12:02 PM
 

KKline said:

Great points, everyone!

Don't forget, though, that a code of ethics isn't meant to be a contract that you can get sued for breaching.  A code of ethics is more like a public declaration of accountability.

One point of contrast to what AJ said - a lot of noobs don't know what good conduct looks like.  There's no one to mentor them within their IT shop and what little they get is from things like user groups and sites like this.  Having a code of good conduct can, at the very least, help neophytes understand what to aspire to.

April 27, 2009 12:29 PM
 

geekette said:

I do understand it wasn't about actually getting sued (why I used quotation marks), but tarnishing my good name based on the ridiculous decisions of others is actually worse.  

April 27, 2009 1:54 PM
 

Robert C said:

Not only is there the ethical issue of being the guardian of access to data, but wearing the database developer hat there is the question of design.  Far too many systems are built with a "deliver what was specified" mentality, rather than looking at what the customer really needs and giving them a system that is sustainable.  I've even seen hardcoded contact phone numbers because the spec says display xxx-xxxx.  

And of course there is the issue of managing the changing meaning of business data that is contained in the system.  As a group we tend to throw up our hands and punt on this issue, but as the business processes change the data input into the system has new (now contrary to the system documentation) data.  Consequently data input via the old process has a different meaning than the data input by the new.  Often the DBA is even unaware of a change even when it is a significant one.  How can we provide good stewardship if we don't even understand the significance of the data we are supposedly managing?  We can't.  How do we determine what is the best way to store this data if we don't see the change?  We can't.  The answer is that we need to have a role in the business change process.  How many of us are actively raising that need to our management?  Not many I'm sure.  We're too swamped pretending that by being the DBA of 200+ databases that we are providing anything more than a nice backup and recovery path in event of a disaster.

April 28, 2009 1:20 PM
 

NOTADBA said:

I stumbled upon this blog looking for some help about SQL Server and I think it is a great idea to discuss these codes of ethics. I am not a DBA. I am an analyst who needs to get the data from the databases. I don't know the ins and outs of how to administer a SQL Server database but I am trying to do it anyway.  My dilemma has to do with IT/DBA policies on central operational data systems at my organization. Direct access to the data tables is not allowed. I can usually get downloads from FTP sites, there are web services which can display predefined canned reports, etc. But I am not allowed to do a direct SQL query against any data tables or even mirror image versions (such as read only 1 day old backups).  The policy is that the database cannot be directly connected to anything outside the database (i.e., ODBC or OleDB). This should keep the data pretty secure...until someone like me comes along. I need access to these data for analysis. Canned reports don't do it. I need more flexibility than that. I have to pull the data via FTP download in many cases and then create a shadow system (SQL Server in my case) so that I can connect to the data the way I wanted to in the first place. The problem is, I am not a DBA so I am probably not managing the SQL Server database in the best way, I am making at least 2 copies of the data in order to get them to my SQL server and I'll bet there are several others besides me in the organization who are doing similar things. This seems LESS secure to me than if I just had direct OLEDB or ODBC access to a SQL Server. Being an analyst I have no desire for changing any of the data so I only need select access. I would love to hear the opinions of some database administrators on this topic of data security. In a nutshell, from my point of view, the act of making the data secure in this way is actually causing it to be less secure.

Thanks and sorry for being so wordy.

April 30, 2009 11:53 AM
 

Robert C said:

Well NOTADBA...  There are TWO reasons for locking down a database.  One is the data security, the other is for the reliability of the system.  Ad hoc queries against the database have a tendency to impact the performance of the system and the restrictive policy may well be in order to maintain SLAs of response time etc.  

Why they wouldn't give you access to a mirror is beyond me...  That indeed leads to uncontrolled replication of data.

May 7, 2009 12:55 PM
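The arrangement NOTADBA is asking for and Robert C endorses (a read-only copy, SELECT-only access, no ad hoc load on the operational system) is a few statements of T-SQL. The script below is an added example, not code from the post or its commenters. All names in it are placeholders: a database `[SalesReporting]` restored from last night's backup of the operational system, a Windows login `CORP\analyst1`, and a table `dbo.Customers` with a column `SSN` that the analyst has no business seeing.

```sql
-- Added example, not from the original post: SELECT-only access for an analyst
-- on a reporting copy, instead of shipping the data around over FTP.
-- Placeholder names: database [SalesReporting] (restored from the nightly backup),
-- Windows login CORP\analyst1, table dbo.Customers with a sensitive column SSN.
USE master;
GO
CREATE LOGIN [CORP\analyst1] FROM WINDOWS;   -- login only; no server roles
GO

USE [SalesReporting];
GO
CREATE USER [CORP\analyst1] FOR LOGIN [CORP\analyst1];
CREATE ROLE analyst_reader;

-- Schema-scoped GRANT also covers tables added to dbo later. Nothing else is
-- granted, so INSERT / UPDATE / DELETE / EXECUTE are unavailable by default.
GRANT SELECT ON SCHEMA::dbo TO analyst_reader;

-- Column-level DENY takes precedence over the schema-level GRANT.
-- (The analyst must name columns explicitly; SELECT * on this table will fail.)
DENY SELECT (SSN) ON dbo.Customers TO analyst_reader;

EXEC sp_addrolemember 'analyst_reader', 'CORP\analyst1';   -- ALTER ROLE ... ADD MEMBER on SQL Server 2012+
GO

-- Check the effective permissions as the analyst before handing out the
-- connection string: SELECT should be listed for the table and its columns,
-- with no SELECT row for the SSN column.
EXECUTE AS USER = 'CORP\analyst1';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('dbo.Customers', 'OBJECT')
ORDER BY subentity_name, permission_name;
REVERT;
GO

-- Finally freeze the copy. Once READ_ONLY, no principal can change data in it,
-- and the reporting load lands here rather than on the operational system.
-- (Do this last: users and roles cannot be created in a read-only database.)
USE master;
GO
ALTER DATABASE [SalesReporting] SET READ_ONLY WITH ROLLBACK IMMEDIATE;
GO
```

The database-level part of the script (user, role, grants, `READ_ONLY`) lives inside `[SalesReporting]`, so a nightly `RESTORE` of the copy wipes it out; put those statements at the end of the refresh job rather than running them once by hand. Windows logins re-map to the restored user by SID; a SQL login would need `sp_change_users_login` (or `ALTER USER ... WITH LOGIN` on 2005 SP2 and later) after each restore. Compared with the FTP-plus-shadow-server workflow NOTADBA describes, this gives one copy with a known owner, an audit trail in the database, and a permission set that can be reviewed with the query above.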


About KKline

Kevin Kline is a well-known database industry expert, author, and speaker. Kevin is a long-time Microsoft MVP and was one of the founders of PASS, www.sqlpass.org.
