Question: Now that Sarbanes-Oxley compliance processes are in place in most U.S. companies, what's the next step for improving database security and compliance?
Neray: While most companies have already been through a few SOX audits, many have not yet implemented automated controls and processes around critical databases — such as financial/ERP databases — affected by Section 404 of SOX. We often see companies that are still relying on time-consuming and error-prone manual processes to audit SOX-related database activities. Typically this is a result of a "checkbox" mentality to appease auditors rather than a proactive and strategic approach aimed at both protecting information assets and reducing the ongoing cost of compliance.
In comparison, we see forward-thinking organizations taking a more holistic approach to SOX compliance to pass not only this year's audits, but to streamline reporting and compliance ownership responsibilities as well as create an auditing infrastructure that supports evolving requirements — without the need to hire additional personnel.
To accelerate database compliance, as well as safeguard confidential information, companies need automated solutions and processes that provide full visibility into all database activities, as well as automated workflows for distributing reports and getting sign-offs from compliance oversight teams. In addition, they need a unified approach that provides auditing as well as real-time security capabilities such as policies, alerting and blocking of unauthorized activities.
Question: Are there best practices that you would recommend?
Neray: The optimum approach is two-pronged: Invest in technology that rapidly addresses the immediate need for compliance monitoring and reporting, while providing a platform for addressing long-term strategic issues, such as building a more secure and manageable database infrastructure. At the same time, look for solutions that provide the flexibility to adapt to new databases and applications – as well as new regulations and reporting requirements – without placing additional requirements on IT personnel.
Auditors also have specific requirements for protecting the integrity of the audit information, such as storing it in encrypted format and separation-of-duties so that your database administrators are unable to modify or tamper with the audit data. Best practices include: 1) Plan and organize: Collect information about who touches confidential information, from which applications, from which locations (e.g., local versus VPN), and which servers and databases are available to insider access. 2) Certify and control: Certify that all database access activities are consistent with corporate policies, and ensure that any outside of SOX's required parameters can either be rectified or investigated. 3) Assess risk: Receive information that can be used to gauge possible risks, with emphasis on those areas referred to in the database requirements of SOX. Use this information to build policies that are consistent with risk. 4) Investigate and disclose: Dig deeper into any possible exceptions to discover the origin of any exceptions, as well as whether or not they are issues that warrant further handling.
Question: How does a company make its compliance processes more efficient and effective, now that they are in place?
Neray: Business leaders are looking to reduce the cost and complexity of compliance. Automating compliance controls and compliance monitoring is a great place to start, because it makes compliance more efficient and more effective (by increasing the accuracy of the audit data and preventing unauthorized activities, for example).
To get the most value from this approach, look for solutions that provide a holistic and aggregated view of your entire database infrastructure (Oracle, IBM, Microsoft, Sybase, etc.). You should also look for solutions that provide metrics regarding compliance, so that you can measure your organization's performance over time. Industry analysts like Gartner also recommend standardizing compliance controls across multiple business units and regulations (SOX, GLBA, Basel II, PCI, etc.), rather than implementing one-off solutions for each mandate.
This 3 Questions originally appeared in a weekly report from IT Business Edge.
This was first published in August 2006