Question Microsoft Quality Assurance: Is Access validated

SacValGal

A client's internal auditor has asked: "You have documented the validation of your Access app., but who has validated Access itself?"

In 2000, we wrote to Microsoft asking for quality assurance documentation for Access and Excel 97. A senior attorney responded that "the confidential nature of the information requested, and the cost and time that would be devoted to such a production [of documents], make such a production inadvisable for Microsoft."

I don't know if Microsoft's position has changed since then, but I doubt it. All I know to tell clients is that Microsoft does not document the validation of MS Office software, but Access is widely and successfully used and other clients have accepted its use for managing sensitive data. But I understand that other data management programs, such as SAS and Oracle, do document the validation of their software. So why is it too hard for MS, with their very large client base?

Has anyone dealt with this issue?
 
Two questions:

1) Exactly what are we validating? I have a general idea but wanted to be sure.

2) If my notion is correct that validation has to do with assurances that X software is not insecure and does not contain code that can be exploited, or whatever, then my next question would be: why not use the operating system's permissions to manage Access?

Personally, I would very seriously doubt that Access by itself can indeed be secured to the same extent as other RDBMSs, and for that reason I would say that if anyone wants to use it as a front-end client, allowing Windows to manage the permissions is probably the best way to secure it from outsiders, while the RDBMS that Access is linked against can be used to secure the data and stamp the user who has modified the data, to provide you with as much security as possible.

HTH.
 
Thanks for the response, Banana! I have the query at second hand so don't know for sure what the auditor is concerned about, but I took it to be not so much security as just the soundness of the program itself: when you enter data, how do you know that the data are where you think they are, that data sources for controls on forms are reliable, that Access SQL retrieves the data it says it does, that the database doesn't become corrupt in places over time without it being obvious.... I haven't looked at the documentation that is supposed to exist for other programs but that is the sort of thing I was thinking of.
 
Working with the U.S. Government, I frequently get auditor questions for various products. There are a couple of possible interpretations of validation. Ask the auditor to identify his interest. But here is why it ain't gonna happen.

If I build a program and publicly claim it meets some particular standard, my customers (and my competition) have a right to question the claim. Therefore, I should in that case run stringent tests against the standard to see if my program really does what that standard says it should do.

But Access doesn't claim to meet an industry standard of any particular note. It does not claim to meet any security standards. It might make a claim about some level of ANSI standard SQL compliance, but then again it might not. So the question would have to be, validation against which standard? And here's the kicker - in its price class and given its ability, Access IS the standard against which so many others must compare themselves. So ... that means you would have to validate Access against ... Access?

You can never shut up software standards auditors. It is not possible without committing some form of physical mayhem. And they tend to be so impractically minded regarding standards compliance that it wouldn't matter to them that the company can't afford to sponsor the compliance tests. The only way I've ever managed to shut one up for even 10 minutes was to suggest that since all he seemed to want to do was spend company money on standards tests, we could save a lot of money by eliminating his position and skipping all of the tests he wanted performed. For some odd reason, though, he didn't like me after that. I wonder why?

Anyway, the issue is somewhat akin to validating a compiler. You might first search the Access documentation for any references to any ANSI standards. Then try a letter to Microsoft asking if they have validated Access against the named standard. If they have not, then your answer to the client's auditor is "not audited by original product vendor."
 
Thanks for the thoughts, Doc Man. I guess one just has to have this inconclusive conversation with the auditors once in a while. They seem to end up accepting the advantages of using Access, even if you can't flourish flashy documents.
 
