Auditing and Risk Management:
Eight Questions to Ask the Chief Auditing Executive

Online columnist Murray S. Mazer. Column published in DMReview.com, July 28, 2005.

By Murray S. Mazer

Editor's Note: DM Review welcomes Dr. Murray Mazer as a new online columnist. He will address issues surrounding Auditing and Risk Management. His column will appear quarterly on the fifth Friday.

Because executives and board members are more accountable today for data protection, it is important that they know who is accessing and changing data, what was altered, when it occurred and how it was done. Audit trails are necessary to comply with government regulations, and the lack of records may mean sanctions for the company and its executives.

How can the CEO and CFO be assured of the integrity of the information they must attest to for SOX, for example, and that the corporation is keeping accurate and complete records? Board members and executives should be asking the chief audit executive (CAE) the following questions:

Do we know who is accessing data? Records of data access are essential, not just to meet compliance requirements but to ensure good business practices. Without complete records, a corporation cannot know or validate who is viewing or changing data. This puts the company at risk for fraud, invasion of privacy, business errors and other risks that can cost the corporation direct financial losses, damage to its reputation, and loss of customers.

Are the people who are actually accessing data the ones we intended? The greatest misuse of data occurs when insiders (authorized or unauthorized) appropriate information for fraud, alter the data without permission or simply make an error. Every commercial security safeguard has vulnerabilities through which these improper actions may occur - the key is to be able to identify when individuals are using data in ways they should not. Only with complete records of data access can a corporation ensure the integrity and security of its data.

Can we monitor privileged users? If you entrust your DBAs to be the monitors of data access and the implementers of security safeguards, who is watching them? Separation of duties is an important concept in the best practices of data auditing and in ensuring a company is in full compliance with regulatory requirements. In one instance, a company allowed the DBA to perform the auditing; it turned out he was the one defrauding the company of hundreds of thousands of dollars. In another, the DBA created fake accounts for an accomplice. "Trust but verify" is the proper approach - trust alone actually increases risk.

Is there a gap between what we intended to happen and what really happened? It is important to test and validate security measures to be sure that they allow access only to those individuals who should be able to reach the data. Many corporations develop elaborate security policies and procedures, but never audit to determine whether these measures are working. Unvalidated security safeguards increase risk.

What steps are we taking to ensure complete data access monitoring? Some data auditing approaches do not capture all access to the database. For example, application modification (changing the source code of every application that might be used to access the data of interest) is one method with shortfalls: access outside of the modified applications (e.g., via a database administrative console) is not captured, so coverage is incomplete, and changes to permissions and schema cannot be captured by this means at all. Triggers, the traditional way of capturing data modifications, also have a number of drawbacks: they cannot capture data viewing or changes to schema and permissions, they are hard to write correctly, and the runtime overhead they add leads DBAs to minimize the number of modifications recorded or the period over which they are recorded, resulting in incomplete monitoring.
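The trigger blind spots described above can be demonstrated directly. The following script is an added example, not code from the column or from Lumigent; it builds a made-up payroll table in an in-memory SQLite database with insert/update/delete audit triggers, then runs a view, two modifications and a schema change and counts how many audit rows each one produced. SQLite has no GRANT statement, so only the schema-change gap is shown here; the permission-change gap the column mentions behaves the same way on databases that do have GRANT, since triggers fire only on row changes.

```python
import sqlite3

# Constructed demo schema and data; not taken from any real system.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE payroll (emp_id INTEGER PRIMARY KEY, salary INTEGER);
        INSERT INTO payroll VALUES (1, 50000), (2, 62000);

        -- Audit table populated only by the row-level triggers below.
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            event TEXT NOT NULL, emp_id INTEGER,
            old_salary INTEGER, new_salary INTEGER
        );
        CREATE TRIGGER payroll_ins AFTER INSERT ON payroll BEGIN
            INSERT INTO audit_log(event, emp_id, new_salary)
            VALUES ('INSERT', NEW.emp_id, NEW.salary);
        END;
        CREATE TRIGGER payroll_upd AFTER UPDATE ON payroll BEGIN
            INSERT INTO audit_log(event, emp_id, old_salary, new_salary)
            VALUES ('UPDATE', OLD.emp_id, OLD.salary, NEW.salary);
        END;
        CREATE TRIGGER payroll_del AFTER DELETE ON payroll BEGIN
            INSERT INTO audit_log(event, emp_id, old_salary)
            VALUES ('DELETE', OLD.emp_id, OLD.salary);
        END;
    """)
    return conn

# Activities an auditor would want recorded: a view, two modifications,
# and a structural change.
ACTIVITY = [
    ("SELECT (view)", "SELECT emp_id, salary FROM payroll"),
    ("UPDATE (modify)", "UPDATE payroll SET salary = 95000 WHERE emp_id = 1"),
    ("DELETE (modify)", "DELETE FROM payroll WHERE emp_id = 2"),
    ("ALTER TABLE (schema change)", "ALTER TABLE payroll ADD COLUMN bonus INTEGER"),
]

def trigger_coverage():
    """Run each activity and return how many audit rows it produced."""
    conn = build_demo_db()
    coverage = {}
    for label, sql in ACTIVITY:
        before = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
        conn.execute(sql).fetchall()  # fetchall() so the SELECT really reads rows
        after = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
        coverage[label] = after - before
    conn.close()
    return coverage

if __name__ == "__main__":
    for label, rows in trigger_coverage().items():
        status = "captured" if rows else "NOT captured"
        print(f"{label:30s} -> {rows} audit row(s): {status}")
```

Running it shows one audit row for the UPDATE and one for the DELETE, and none for the SELECT or the ALTER TABLE: the trigger-based trail records what changed but says nothing about who viewed the data or who altered its structure, which is exactly the coverage question the CAE needs to answer.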

Is our data auditing solution flexible enough to evolve? Organizations have a diverse and changing IT infrastructure. As much as possible, the technology supporting compliance should provide a single framework, rather than having a different solution for each piece. For example, the database auditing solution should support all of the organization's key databases with a single auditing platform. Because regulations, and their interpretations, continue to change, compliance solutions must support those changes, rather than having to be replaced.

Does our data auditing solution meet the required capabilities? Does it:

  • Capture data access, automatically tracking whenever data is modified or viewed by any means;
  • Capture structural changes to the permissions that control data access and to database schema (to ensure ongoing integrity of the structures storing data);
  • Consolidate tracked information from multiple databases into an easily managed, long-term common repository;
  • Centralize configuration and management of all servers;
  • Provide flexible, efficient means to process the stored information to identify activities of interest;
  • Detect conditions of interest and generate selected alerts;
  • Produce ad hoc or standard, scheduled reports.
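The capability list above, together with the earlier questions about watching privileged users and about the gap between intended and actual access, can be exercised on a small scale. The script below is an added example, not code from the column or from Lumigent. It consolidates constructed audit records from two made-up databases ("erp" in a key=value line format and "hr" in CSV) into one time-ordered repository, compares each record against an assumed intended-access policy, tags conditions of interest (structural changes to schema or permissions, privileged users touching business data, access by roles outside the policy, after-hours activity), and produces a summary report. All users, roles, objects, timestamps and the policy are invented for the example.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample records from two databases in two formats (not real logs).
ERP_KV_LOG = """\
2005-07-25T09:12:03 db=erp user=alice role=accounts_payable stmt=SELECT obj=ledger
2005-07-25T09:14:41 db=erp user=bob role=dba stmt=GRANT obj=ledger
2005-07-25T23:51:09 db=erp user=bob role=dba stmt=UPDATE obj=ledger
2005-07-25T10:02:15 db=erp user=carol role=sales stmt=SELECT obj=ledger
"""
HR_CSV_LOG = """\
ts,db,user,role,stmt,obj
2005-07-25T08:59:30,hr,dave,hr_manager,SELECT,payroll
2005-07-25T11:20:07,hr,bob,dba,ALTER,payroll
2005-07-25T11:21:44,hr,eve,contractor,SELECT,payroll
"""

# Assumed policy: what the organisation intended, i.e. which roles may touch
# which objects. Privileged roles are tracked separately rather than allowed.
INTENDED_ACCESS = {
    "ledger": {"accounts_payable", "finance_controller"},
    "payroll": {"hr_manager"},
}
PRIVILEGED_ROLES = {"dba"}
STRUCTURAL_STMTS = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE"}
DATA_STMTS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_kv_line(line):
    """'<ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def parse_csv_log(text):
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        yield row

def consolidate():
    """Merge both sources into one time-ordered common repository."""
    records = [parse_kv_line(l) for l in ERP_KV_LOG.splitlines() if l.strip()]
    records.extend(parse_csv_log(HR_CSV_LOG))
    return sorted(records, key=lambda r: r["ts"])

def classify(rec):
    """Return the list of conditions of interest a record matches (may be empty)."""
    tags = []
    if rec["stmt"] in STRUCTURAL_STMTS:
        tags.append("structural-change")      # schema or permission change
    if rec["stmt"] in DATA_STMTS:
        if rec["role"] in PRIVILEGED_ROLES:
            tags.append("privileged-data-access")  # DBA touching business data
        elif rec["role"] not in INTENDED_ACCESS.get(rec["obj"], set()):
            tags.append("outside-intended-access")  # gap between intent and reality
        t = rec["ts"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            tags.append("after-hours")
    return tags

def evaluate(records):
    """Return (record, tags) pairs for every record that matched something."""
    findings = []
    for r in records:
        tags = classify(r)
        if tags:
            findings.append((r, tags))
    return findings

def summarize(findings):
    """Count how often each condition fired, for the standard report."""
    return Counter(tag for _, tags in findings for tag in tags)

def report(findings):
    return [f"{r['ts'].isoformat()} {r['db']:>3} {r['user']:<6} "
            f"{r['stmt']:<6} {r['obj']:<8} {','.join(tags)}"
            for r, tags in findings]

if __name__ == "__main__":
    findings = evaluate(consolidate())
    print("\n".join(report(findings)))
    print(dict(summarize(findings)))
```

Of the seven consolidated records, five are flagged: two structural changes by the DBA, one after-hours ledger update by the same DBA, and two reads by roles the policy never intended to have access. The two unflagged reads are the ones that match the policy, which is the "intended versus actual" comparison the column asks for; the separate privileged-user tag is what lets someone other than the DBA verify the DBA.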

How can the CEO and CFO help to ensure data integrity? Because many regulations provide only broad frameworks and little precise guidance for reaching compliance, company executives must interpret the immediate and long-term implications, then set the strategy for solutions and determine how resources will be allocated among policy development, monitoring, reporting and all of the varied activities involved in implementing a comprehensive compliance solution.

The CEO and CFO must be able to clearly communicate these needs to the IT team, so that the monitoring criteria are melded with the technology environment to create a complete solution. Partnering with the CAE and CIO to understand more of what the company's financial systems can deliver in terms of audited records and where the shortfalls may be is an essential step in getting to a comprehensive auditing solution.


Dr. Murray S. Mazer is co-founder and vice president of Lumigent Technologies, a leading risk management solutions company. With 20 years of industry experience in startups and established companies, he has directed security, server, intellectual property and technology licensing strategies and development. Before becoming an entrepreneur, Mazer led R&D programs for the Defense Advanced Research Projects Agency (DARPA), OSF and Digital Equipment Corporation; he and his teams innovated in areas such as data replication, workflow, location-aware computing, mobile data access, security and proxy-based applications. You can reach him at murray.mazer@lumigent.com.

SourceMedia (c) 2006 DM Review and SourceMedia, Inc. All rights reserved.