Reducing risk through data auditing: changes to company data could involve simple user errors, but for executives to confidently attest to the integrity of their data, they must ensure that the proper controls and monitoring are in place.
The Sarbanes-Oxley Act of 2004 has brought more professional and personal accountability to CFOs. It's easy to understand why: At its core, Sarbanes-Oxley is intended to protect shareholders by increasing the visibility and transparency of financial transactions. Financial misrepresentation is punishable by fines, imprisonment or both.
Data auditing enables enterprises to meet Sarbanes-Oxley and other government regulations related to data access accountability. It also mitigates the significant business risks associated with the use of corporate data assets, including fraud, failed audits, lost customers and damage to brand and reputation. Without data auditing, companies are open to substantial losses, because a data-access incident that poses a threat often goes undetected until it's too late.
Some consider data auditing part of traditional security measures meant to prevent unauthorized access to data, such as firewalls or password protection. However, data auditing on activity inside firewalls is critical, too, since this is where the majority of data misuse--intentional or otherwise--occurs as a result of privileged users having direct access to data. Consequently, data auditing augments security measures that can't audit internal data access and use by these privileged users.
What if you were the CFO of a company where a database administrator (DBA) changed information in one of the company's databases, altering values that flowed into your company's public financial reporting? Perhaps the resulting financial statements showed a slightly better situation than was actually the case. Because the company did not audit data access, no one knew this change was made.
Maybe this hasn't happened to you--yet. However, situations like this have occurred. Think about this example. Unaware of the inaccurate figures, the CFO and CEO affirmed their accuracy. Whether the change was an unintended error or an attempt to manipulate stock values, once it was discovered, the company would be obligated by Sarbanes-Oxley Section 409 to immediately report the discrepancy and restate its financial report, then issue a public announcement, which could seriously harm shareholder confidence and the stock price. The board of directors would probably ask both executives to resign, and regulators could investigate.
While changes in data could be simple user errors, it doesn't matter if an error was intentional or not. For executives to confidently attest to the integrity of data, they must ensure that the proper controls and monitoring are in place. Without database auditing, the integrity of financial reports is in question.
Most public companies, and some private ones, have worked diligently to comply with Sarbanes-Oxley Section 404. The Public Company Accounting Oversight Board (PCAOB) establishes a key concept in data auditing, namely that audits of financial statements and internal controls are inseparable (Audit Standard No. 2, March 9, 2004). Executives and information technology managers must ensure that controls include both preventive measures and detection capabilities.
With data auditing procedures in place, there is a record of what happened--what data was accessed, when it was changed and how it changed--long before financial reports are issued.
What is the Role of Data Auditing?
Financial professionals are accustomed to auditing financial systems. Data auditing is an extension of this concept, intended to assure the integrity of the underlying data that feeds these systems. It is a paramount concern for any organization that must satisfy government regulations.
Meeting these challenges requires insight into how enterprise data is accessed and used, and an unimpeachable audit trail of changes. A central aspect of safeguarding data assets is ensuring that data is accessed and changed only in intended ways, and that only the proper parties view the data.
Implementing suitable privacy and security policies and mechanisms is an important step, but these do not address two important realities. First, even authorized users will sometimes access data inappropriately, deliberately or accidentally. Second, flaws in policy and implementation can introduce vulnerability, enabling unintended data access or changes.
While data auditing can provide essential internal controls, it is important that those with wide-ranging access to databases (DBAs and IT staff) are not put in charge of auditing. Segregation of duties, or the separation of responsibility for day-to-day management of the database from the auditing of it, ensures that no single individual has the opportunity to make changes and then conceal them during the auditing process.
What are the goals of a data auditing solution, beyond compliance?
First and foremost, it should protect sensitive information from misuse and improve business operations. This applies to data access within the organization and from outside. CEOs and CFOs must ensure that those with direct, unlimited access to data do not accidentally or maliciously alter important corporate information.
However, beyond the broad goals of protecting data assets, a comprehensive data auditing solution can allow enterprises to:
* comply with internal corporate policies and processes;
* understand and improve internal business processes;
* detect and analyze breaches in user and application behavior, intentional or accidental;
* perform forensic analysis for detecting fraud, outsider intrusion and employee misbehavior;
* rapidly respond to violations and vulnerabilities;
* verify strategic partner activities;
* verify application behavior and that application controls are working properly;
* audit legacy applications that do not support suitable application controls and audit trails;
* answer ad hoc business questions;
* satisfy external due diligence for strategic relationships or customer confidence.
Requirements of a Sound Solution
Certain essential elements form the foundation for a data auditing solution. Whether developed internally by the IT staff or purchased, it should be able to produce very specific information (see table) that provides a complete record of access to databases, producing reports to ensure compliance or satisfy internal audit needs. Because an effective solution provides such a granular level of detail on data access, enterprises can be confident that they have collected the information required by auditors.
Ensuring that data is secure, and that the organization knows who is accessing and changing data, requires an IT system with the capability to: record data access and permissions changes; manage the data for lengthy periods; flexibly analyze the data; produce reports; and detect conditions of interest for timely notification.
However, this must be accomplished without degrading IT system performance.
Technology is vital to establishing a solution that can meet these challenges. An organization should engage in a problem analysis lifecycle, similar to most other IT projects. First, the team must identify applicable strategic and regulatory requirements, analyze existing policies and technologies to find aspects of inadequate coverage, then update existing policies and procedures.
The team must identify changes that must be made to the technology infrastructure to support the implementation and verification of new policies and procedures. A data auditing plan will guide the implementation of new systems. Once the solution is installed, it is necessary to validate the behavior of the new system to ensure that it is meeting established goals.
An essential step is to educate employees, partners, customers and others about the changes and new policies and procedures, and provide a high level of support and assistance through the transition period.
Required Technical Capabilities
An effective solution providing data access accountability must include these capabilities:
Capture Data Access: Automatically track whenever data is modified or viewed by any means on target databases, preferably with control over the granularity of data tracked.
Capture Structural Changes: Automatically track changes both to the permissions that control data access and to database schema (to ensure ongoing integrity of the structures storing data).
Manage Captured Information: Automatically consolidate the tracked information from multiple databases into an easily managed, long-term common repository.
Centralized Configuration and Management of All Servers: Provide a straightforward way to configure auditing of all of the target servers, specify the activities of interest, the repository for managing the information and the schedule for transferring data.
Flexible Information Access: Provide flexible and efficient means for processing the stored information to identify activities of interest.
Produce Reports: Ad hoc and periodic exporting of analysis results in a variety of formats, for display, printing and transmission.
Detect Conditions of Interest for Notification: Automatic monitoring for conditions of interest and generating selected alerts.
Capture Login Activity: Automatically capture information on who has logged into certain database information, or who was unsuccessful in logging in.
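The "detect conditions of interest" capability, as an added example that is not part of the article or of any vendor's product: a small detector runs over a constructed audit trail and raises alerts for the events the list above calls out (permission and schema changes, direct changes to financial tables by a privileged user rather than the application account, and repeated failed logins), and a second helper answers "who modified a set of tables over a period of time" from the same records. The table names, account names and threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample audit records: (ISO timestamp, principal, event, object, detail).
AUDIT_LOG = [
    ("2004-03-01T08:02:00", "gl_app",     "UPDATE",       "gl.journal_entries", "rows=120"),
    ("2004-03-01T09:15:00", "dba_jsmith", "GRANT",        "gl.journal_entries", "UPDATE to analyst_t"),
    ("2004-03-01T09:16:00", "dba_jsmith", "UPDATE",       "gl.journal_entries", "rows=1"),
    ("2004-03-01T22:40:00", "dba_jsmith", "ALTER",        "gl.journal_entries", "drop column approved_by"),
    ("2004-03-02T01:00:00", "unknown",    "LOGIN_FAILED", "finance-db",         "bad password"),
    ("2004-03-02T01:00:05", "unknown",    "LOGIN_FAILED", "finance-db",         "bad password"),
    ("2004-03-02T01:00:09", "unknown",    "LOGIN_FAILED", "finance-db",         "bad password"),
    ("2004-03-02T08:00:00", "gl_app",     "SELECT",       "gl.journal_entries", "rows=5000"),
]

FINANCIAL_TABLES = {"gl.journal_entries", "gl.balances"}   # assumed sensitive tables
APPLICATION_ACCOUNTS = {"gl_app"}                           # accounts meant to change them
STRUCTURAL_EVENTS = {"GRANT", "REVOKE", "ALTER", "DROP", "CREATE"}
CHANGE_EVENTS = {"UPDATE", "INSERT", "DELETE"}
FAILED_LOGIN_THRESHOLD = 3                                  # assumed notification threshold

def detect_conditions_of_interest(log):
    """Return alert strings, in log order, for events worth a timely notification."""
    alerts = []
    failed = Counter()
    for ts, who, event, obj, detail in log:
        if event in STRUCTURAL_EVENTS:
            # Any permission or schema change is an exception event.
            alerts.append(f"{ts} STRUCTURAL {event} on {obj} by {who}: {detail}")
        elif event in CHANGE_EVENTS and obj in FINANCIAL_TABLES and who not in APPLICATION_ACCOUNTS:
            # A privileged user bypassed the application and edited financial data directly.
            alerts.append(f"{ts} DIRECT CHANGE to {obj} by privileged user {who}: {detail}")
        elif event == "LOGIN_FAILED":
            failed[(who, obj)] += 1
            if failed[(who, obj)] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{ts} {FAILED_LOGIN_THRESHOLD} failed logins to {obj} as {who}")
    return alerts

def who_modified(log, tables, start, end):
    """Map each principal to the tables it changed between start and end (ISO strings compare lexically)."""
    by_user = defaultdict(set)
    for ts, who, event, obj, _ in log:
        if event in CHANGE_EVENTS | {"ALTER"} and obj in tables and start <= ts <= end:
            by_user[who].add(obj)
    return {user: sorted(objs) for user, objs in by_user.items()}

if __name__ == "__main__":
    for alert in detect_conditions_of_interest(AUDIT_LOG):
        print(alert)
    print(who_modified(AUDIT_LOG, FINANCIAL_TABLES, "2004-03-01", "2004-03-01T23:59:59"))
```

In practice the records would be read from the consolidated repository rather than an inline list, and the alerts would be routed to someone other than the DBA, in keeping with the segregation of duties discussed earlier.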
These capabilities will produce the proper oversight and reporting necessary to satisfy Sarbanes-Oxley. A company can then know how data assets are accessed, and that they are used as intended. Executives can react quickly to exception events (such as user permission changes or changes to data structure) and maintain a complete long-term record of what actually occurred. In the end, the enterprise will have met its goals of complying with regulatory requirements and providing assurance of data integrity.
It is essential to audit access to data from all sources, including privileged users. A comprehensive data auditing program will supplement external security measures and ensure that the financial viability of the enterprise is not compromised by unauthorized and inappropriate access or changes to data by internal users.
For enterprise-level solutions, some corporations are turning to comprehensive database audit software, which provides the ability to capture a wide range of data-related activity, consolidate and manage this information, review and analyze it in a variety of ways, create reports about the activity at various levels of detail and send timely notifications about certain kinds of detected activity.
RELATED ARTICLE: What a Data Auditing Solution Should Reveal
* All changes to schemas and permissions
* When someone changes database schema or permissions
* Who has viewed certain data and when
* What data was changed, when and by whom
* Who accessed certain tables
* Login activity, both successful and unsuccessful
* Suspicious behavior on certain tables
* Who modified a set of tables over a period of time
Ron Benanto (email@example.com) is CFO at Acton, Mass.-based Lumigent Technologies. Lumigent provides data auditing solutions to help organizations manage the risks associated with the use of enterprise data and address regulatory compliance.