Published in DM Review Online in July 2005.


Auditing and Risk Management: Eight Questions to Ask the Chief Auditing Executive

by Murray S. Mazer

Editor's Note: DM Review welcomes Dr. Murray Mazer as a new online columnist. He will address issues surrounding Auditing and Risk Management. His column will appear quarterly on the fifth Friday.

Because executives and board members are more accountable today for data protection, it is important that they know who is accessing and changing data, what was altered, when it occurred and how it was done. Audit trails are necessary to comply with government regulations, and the lack of records may mean sanctions for the company and its executives.

How can the CEO and CFO be assured of the integrity of the information they must attest to for SOX, for example, and that the corporation is keeping accurate and complete records? Board members and executives should be asking the chief audit executive (CAE) the following questions:

Do we know who is accessing data? Records of data access are essential, not just to meet compliance requirements but to ensure good business practices. Without complete records, a corporation cannot know or validate who is viewing or changing data. This exposes the company to fraud, invasion of privacy, business errors and other risks that can cost it direct financial losses, damage to its reputation and loss of customers.

Are the people who are actually accessing data the ones we intended? The greatest misuse of data occurs when insiders (authorized or unauthorized) appropriate information for fraud, alter the data without permission or simply make an error. Every commercial security safeguard has vulnerabilities through which these improper actions may occur - the key is to be able to identify when individuals are using data in ways they should not. Only with complete records of data access can a corporation ensure the integrity and security of its data.

Can we monitor privileged users? If you entrust your DBAs to be the monitors of data access and the implementers of security safeguards, who is watching them? Separation of duties is an important concept in the best practices of data auditing and in ensuring that a company is in full compliance with regulatory requirements. In one instance, a company allowed the DBA to perform the auditing; it turned out he was the one defrauding the company of hundreds of thousands of dollars. In another, the DBA created fake accounts for an accomplice. "Trust but verify" is the proper approach - trust alone actually increases risk.

Is there a gap between what we intended to happen and what really happened? It is important to test and validate security measures to be sure that they allow access only to those individuals who should be able to reach the data. Many corporations develop elaborate security policies and procedures, but never audit to determine whether these measures are working. Unvalidated security safeguards increase risk.

What steps are we taking to ensure complete data access monitoring? Some data auditing approaches do not capture all access to the database. For example, application modification (changing the source code of every application that might be used to access the data of interest) is one method with shortfalls. Access outside the modified applications (e.g., via a database administrative console) is not captured, so coverage is incomplete, and changes to permissions and schema cannot be captured by this means either. Triggers, the traditional way of capturing data modifications, also have a number of drawbacks: they cannot capture data viewing or changes to schema and permissions, and they are hard to write correctly. In addition, their runtime performance overhead leads DBAs to minimize the number of modifications recorded or the period over which they are recorded, resulting in incomplete monitoring.
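To make the trigger shortfall concrete, here is an added example (not from the column, and not Lumigent's product code) using Python's built-in sqlite3 module: the same four statements are run against a constructed payroll table, first audited by ordinary triggers, then by the engine's statement-level trace hook, which stands in here for a capture mechanism that sees every statement rather than only row modifications.

```python
import sqlite3

# Constructed demo, not from the column: the same four statements against a
# small payroll table, audited first by triggers, then by statement capture.
ACTIONS = [
    "INSERT INTO payroll VALUES (1, 50000)",
    "SELECT salary FROM payroll WHERE emp_id = 1",        # data viewing
    "UPDATE payroll SET salary = 90000 WHERE emp_id = 1",  # data change
    "ALTER TABLE payroll ADD COLUMN note TEXT",            # schema change
]

SCHEMA = "CREATE TABLE payroll (emp_id INTEGER PRIMARY KEY, salary INTEGER);"


def trigger_audit():
    """Trigger-based auditing: only row modifications reach the audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + """
        CREATE TABLE audit_log (event TEXT, emp_id INTEGER,
                                old_salary INTEGER, new_salary INTEGER);
        CREATE TRIGGER payroll_ins AFTER INSERT ON payroll BEGIN
            INSERT INTO audit_log VALUES ('INSERT', NEW.emp_id, NULL, NEW.salary);
        END;
        CREATE TRIGGER payroll_upd AFTER UPDATE ON payroll BEGIN
            INSERT INTO audit_log VALUES ('UPDATE', NEW.emp_id, OLD.salary, NEW.salary);
        END;
    """)
    for sql in ACTIONS:
        conn.execute(sql)
    # The SELECT (viewing) and the ALTER TABLE (schema change) leave no trace here.
    return [row[0] for row in conn.execute("SELECT event FROM audit_log")]


def statement_audit():
    """Statement-level capture: every statement the engine runs is recorded,
    whatever its verb, with no trigger to write and no application to modify."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    captured = []
    conn.set_trace_callback(captured.append)  # called with each SQL statement text
    for sql in ACTIONS:
        conn.execute(sql)
    conn.set_trace_callback(None)
    # Reduce each captured statement to its verb (Python may also emit BEGIN).
    return [stmt.split()[0].upper() for stmt in captured]


if __name__ == "__main__":
    print("triggers captured:", trigger_audit())
    print("statement capture:", statement_audit())
```

The trigger log records only the INSERT and the UPDATE, while the statement capture also shows the SELECT and the ALTER TABLE, which is exactly the gap the column describes.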

Is our data auditing solution flexible enough to evolve? Organizations have a diverse and changing IT infrastructure. As much as possible, the technology supporting compliance should provide a single framework, rather than having a different solution for each piece. For example, the database auditing solution should support all of the organization's key databases with a single auditing platform. Because regulations, and their interpretations, continue to change, compliance solutions must support those changes, rather than having to be replaced.

Does our data auditing solution meet the required capabilities? Does it:

  • Capture data access, automatically tracking whenever data is modified or viewed by any means;
  • Capture structural changes to the permissions that control data access and to database schema (to ensure ongoing integrity of the structures storing data);
  • Consolidate tracked information from multiple databases into an easily managed, long-term common repository;
  • Centralize configuration and management of all servers;
  • Provide flexible, efficient means to process the stored information to identify activities of interest;
  • Detect conditions of interest and generate selected alerts;
  • Produce ad hoc or standard, scheduled reports.

How can the CEO and CFO help to ensure data integrity? Because many regulations provide only broad frameworks and little precise guidance for reaching compliance, company executives must interpret the immediate and long-term implications, then set the strategy for solutions and determine how resources will be allocated among policy development, monitoring, reporting and all of the varied activities involved in implementing a comprehensive compliance solution.

The CEO and CFO must be able to clearly communicate these needs to the IT team, so that the monitoring criteria are melded with the technology environment to create a complete solution. Partnering with the CAE and CIO to understand more of what the company's financial systems can deliver in terms of audited records and where the shortfalls may be is an essential step in getting to a comprehensive auditing solution.


Dr. Murray S. Mazer is co-founder and vice president of Lumigent Technologies, a leading risk management solutions company. With 20 years of industry experience in startups and established companies, he has directed security, server, intellectual property and technology licensing strategies and development. Before becoming an entrepreneur, Mazer led R&D programs for the Defense Advanced Research Projects Agency (DARPA), OSF and Digital Equipment Corporation; he and his teams innovated in areas such as data replication, workflow, location-aware computing, mobile data access, security and proxy-based applications. You can reach him at murray.mazer@lumigent.com.

Copyright 2006, SourceMedia and DM Review.