Published in DM Review Online in July 2005.
Auditing and Risk Management: Eight Questions to Ask the Chief Auditing Executive, by Murray S. Mazer
Editor's Note: DM Review welcomes Dr. Murray Mazer as a new online columnist. He will address issues surrounding Auditing and Risk Management. His column will appear quarterly on the fifth Friday.
Because executives and board members are more accountable today for data protection, it is important that they know who is accessing and changing data, what was altered, when it occurred and how it was done. Audit trails are necessary to comply with government regulations, and the lack of records may mean sanctions for the company and its executives.
How can the CEO and CFO be assured of the integrity of the information they must attest to for SOX, for example, and that the corporation is keeping accurate and complete records? Board members and executives should be asking the chief audit executive (CAE) the following questions:
Do we know who is accessing data? Records of data access are essential, not just to meet compliance requirements but to ensure good business practices. Without complete records, a corporation cannot know or validate who is viewing or changing data. This exposes the company to fraud, invasion of privacy, business errors and other hazards that can cost it direct financial losses, damage to its reputation and loss of customers.
Are the people who are actually accessing data the ones we intended? The greatest misuse of data occurs when insiders (authorized or unauthorized) appropriate information for fraud, alter the data without permission or simply make an error. Every commercial security safeguard has vulnerabilities through which these improper actions may occur - the key is to be able to identify when individuals are using data in ways they should not. Only with complete records of data access can a corporation ensure the integrity and security of its data.
Can we monitor privileged users? If you entrust your DBAs to be the monitors of data access and the implementers of security safeguards, who is watching them? Separation of duties is a core best practice in data auditing and is necessary to ensure that a company is in full compliance with regulatory requirements. In one instance, a company allowed the DBA to perform the auditing; it turned out he was the one defrauding the company of hundreds of thousands of dollars. In another, the DBA created fake accounts for an accomplice. "Trust but verify" is the proper approach - trust alone actually increases risk.
Is there a gap between what we intended to happen and what really happened? It is important to test and validate security measures to be sure that they allow access only to those individuals who should be able to reach the data. Many corporations develop elaborate security policies and procedures but never audit to determine whether these measures are actually working. Unvalidated security safeguards increase risk.
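One concrete way to answer the "intended versus actual" question is to reconcile the access policy the organization wrote down against the access records it actually collected. The following is an added example, not code from the column or from Lumigent; the policy table, the pipe-delimited audit records and the user and table names are all constructed for illustration.

```python
# Added example (not from the column): reconcile an intended access policy
# against constructed access records to surface the "intended vs. actual" gap.

# Intended policy: which users may perform which actions on which tables.
# Constructed for illustration; a real policy would come from the grant
# matrix approved by the data owner.
INTENDED_POLICY = {
    ("alice", "payroll"): {"SELECT"},
    ("bob", "payroll"): {"SELECT", "UPDATE"},
    ("carol", "customers"): {"SELECT"},
    ("erin", "customers"): {"SELECT"},
}

# Constructed audit records: timestamp|user|action|table
AUDIT_RECORDS = """\
2005-07-01T09:00:00|alice|SELECT|payroll
2005-07-01T09:05:00|bob|UPDATE|payroll
2005-07-01T09:07:00|carol|SELECT|customers
2005-07-01T09:10:00|carol|UPDATE|customers
2005-07-01T09:12:00|dave|SELECT|payroll
2005-07-01T23:40:00|bob|DELETE|payroll
"""


def parse_records(text):
    """Parse pipe-delimited audit lines into (timestamp, user, action, table) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, action, table = line.split("|")
        rows.append((ts, user, action, table))
    return rows


def find_gaps(policy, records):
    """Return two findings lists:
    - violations: observed actions that the policy never granted, either because
      the user has no grant on the table at all or because the specific action
      (e.g. DELETE) was not part of the grant;
    - unused: policy entries with no observed activity, which often point to
      stale grants or accounts that should be reviewed.
    """
    violations = []
    for ts, user, action, table in records:
        allowed = policy.get((user, table), set())
        if action not in allowed:
            violations.append({
                "timestamp": ts, "user": user, "action": action, "table": table,
                "reason": "no grant" if not allowed else "action not granted",
            })
    seen = {(user, table) for _, user, _, table in records}
    unused = sorted(key for key in policy if key not in seen)
    return violations, unused


if __name__ == "__main__":
    found, stale = find_gaps(INTENDED_POLICY, parse_records(AUDIT_RECORDS))
    for item in found:
        print("VIOLATION", item)
    print("unused grants:", stale)
```

Run against the constructed records, the reconciliation flags carol's UPDATE on customers and bob's late-night DELETE on payroll (actions outside their grants), dave's read of payroll (no grant at all) and erin's unused grant. The point is that the policy document alone answers none of these; only complete access records compared against it do.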
What steps are we taking to ensure complete data access monitoring? Some data auditing approaches do not capture all access to the database. For example, application modification (changing the source code of every application that might be used to access the data of interest) is one method with shortfalls: access that bypasses the modified applications (e.g., via a database administrative console) is not captured, so coverage is incomplete, and changes to permissions and schema cannot be captured by this means at all. Triggers, the traditional way of capturing data modifications, also have a number of drawbacks: they cannot capture data viewing or changes to schema and permissions, they are hard to write correctly, and their runtime performance overhead leads DBAs to minimize the number of modifications recorded or the period over which they are recorded, resulting in incomplete monitoring.
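The trigger coverage gap described above can be seen directly by building a small trigger-based audit table and then checking which operations ever reach it. This is an added example, not code from the column or from any product it mentions; it uses SQLite's in-memory database through Python's standard sqlite3 module, and the salaries table, the audit_log table and the sequence of operations are constructed for illustration.

```python
# Added example (not from the column): show what a trigger-based audit
# captures and what it silently misses, using an in-memory SQLite database.
import sqlite3


def build_db():
    """Create a constructed salaries table with INSERT/UPDATE/DELETE audit triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE salaries (emp_id INTEGER PRIMARY KEY, amount INTEGER);
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            op TEXT, emp_id INTEGER, old_amount INTEGER, new_amount INTEGER
        );
        -- Row-change triggers are the only kind SQLite offers: there is no
        -- trigger for SELECT and none for DDL such as ALTER TABLE.
        CREATE TRIGGER salaries_ins AFTER INSERT ON salaries
        BEGIN INSERT INTO audit_log(op, emp_id, old_amount, new_amount)
              VALUES ('INSERT', NEW.emp_id, NULL, NEW.amount); END;
        CREATE TRIGGER salaries_upd AFTER UPDATE ON salaries
        BEGIN INSERT INTO audit_log(op, emp_id, old_amount, new_amount)
              VALUES ('UPDATE', NEW.emp_id, OLD.amount, NEW.amount); END;
        CREATE TRIGGER salaries_del AFTER DELETE ON salaries
        BEGIN INSERT INTO audit_log(op, emp_id, old_amount, new_amount)
              VALUES ('DELETE', OLD.emp_id, OLD.amount, NULL); END;
    """)
    return conn


# The constructed activity we want the audit trail to account for.
ATTEMPTED_OPS = ["INSERT", "UPDATE", "SELECT", "ALTER", "DELETE"]


def run_activity(conn):
    """Perform one operation of each kind against the salaries table."""
    cur = conn.cursor()
    cur.execute("INSERT INTO salaries VALUES (1, 50000)")
    cur.execute("UPDATE salaries SET amount = 90000 WHERE emp_id = 1")
    cur.execute("SELECT amount FROM salaries")          # data viewing: no trigger fires
    cur.fetchall()
    cur.execute("ALTER TABLE salaries ADD COLUMN bonus INTEGER")  # schema change: no trigger fires
    cur.execute("DELETE FROM salaries WHERE emp_id = 1")
    conn.commit()


def audit_ops(conn):
    """Operations recorded by the triggers, in the order they were logged."""
    return [row[0] for row in conn.execute("SELECT op FROM audit_log ORDER BY id")]


def coverage_report(conn, attempted):
    """Map each attempted operation kind to whether the audit trail captured it."""
    captured = set(audit_ops(conn))
    return {op: (op in captured) for op in attempted}


def demo():
    conn = build_db()
    run_activity(conn)
    return audit_ops(conn), coverage_report(conn, ATTEMPTED_OPS)


if __name__ == "__main__":
    logged, report = demo()
    print("audit_log contains:", logged)
    for op, seen in report.items():
        print(f"{op:7s} {'captured' if seen else 'MISSED'}")
```

The audit table ends up holding only INSERT, UPDATE and DELETE; the SELECT that read every salary and the ALTER TABLE that changed the schema leave no trace. Any monitoring approach built on triggers alone therefore has to be supplemented, or replaced, by a mechanism that observes reads and DDL as well.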
Does our data auditing solution meet the required capabilities? Does it:
How can the CEO and CFO help to ensure data integrity? Because many regulations provide only broad frameworks and little precise guidance for reaching compliance, company executives must interpret the immediate and long-term implications and then set the strategy for solutions and determine how resources will be allocated among policy development, monitoring, reporting and all of the varied activities involved in implementing a comprehensive compliance solution.
The CEO and CFO must be able to clearly communicate these needs to the IT team, so that the monitoring criteria are melded with the technology environment to create a complete solution. Partnering with the CAE and CIO to understand more of what the company's financial systems can deliver in terms of audited records and where the shortfalls may be is an essential step in getting to a comprehensive auditing solution.
Dr. Murray S. Mazer is co-founder and vice president of Lumigent Technologies, a leading risk management solutions company. With 20 years of industry experience in startups and established companies, he has directed security, server, intellectual property and technology licensing strategies and development. Before becoming an entrepreneur, Mazer led R&D programs for the Defense Advanced Research Projects Agency (DARPA), OSF and Digital Equipment Corporation; he and his teams innovated in areas such as data replication, workflow, location-aware computing, mobile data access, security and proxy-based applications. You can reach him at email@example.com.
Copyright 2006, SourceMedia and DM Review.