Reducing risk through data auditing: changes to company data could involve simple user errors, but for executives to confidently attest to the integrity of their data, they must ensure that the proper controls and monitoring are in place.
Data auditing enables enterprises to meet Sarbanes-Oxley and other government regulations related to data access accountability. It also mitigates the significant business risks associated with the use of corporate data assets, including fraud, failed audits, lost customers and damage to brand and reputation. Without data auditing, companies are open to substantial losses, because a data-access incident that poses a threat often goes undetected until it's too late.
Some consider data auditing part of traditional security measures meant to prevent unauthorized access to data, such as firewalls or password protection. However, data auditing on activity inside firewalls is critical, too, since this is where the majority of data misuse--intentional or otherwise--occurs as a result of privileged users having direct access to data. Consequently, data auditing augments security measures that can't audit internal data access and use from these privileged users.
What if you were the CFO of a company where a database administrator (DBA) changed information in one of the company's databases, altering values that flowed into your company's public financial reporting? Perhaps the resulting financial statements showed a slightly better situation than was actually the case. Because the company did not audit data access, no one knew this change was made.
Maybe this hasn't happened to you--yet. However, situations like this have occurred. Think about this example. Unaware of the inaccurate figures, the CFO and CEO affirmed their accuracy. Whether the change was an unintended error or an attempt to manipulate stock values, once it was discovered, the company would be obligated by Sarbanes-Oxley Section 409 to immediately report the discrepancy and restate its financial report, then issue a public announcement, which could seriously harm shareholder confidence and the stock price. The board of directors would probably ask both executives to resign, and regulators could investigate.
While changes in data could be simple user errors, it doesn't matter if an error was intentional or not. For executives to confidently attest to the integrity of data, they must ensure that the proper controls and monitoring are in place. Without database auditing, the integrity of financial reports is in question.
Most public companies, and some private ones, have worked diligently to comply with Sarbanes-Oxley Section 404. The Public Company Accounting Oversight Board (PCAOB) establishes a key concept in data auditing, namely that audits of financial statements and internal controls are inseparable (Audit Standard No. 2, March 9, 2004). Executives and information technology managers must ensure that controls include both preventive measures and detection capabilities.
With data auditing procedures in place, there is a record of what happened--what data was accessed, when it was changed and how it changed--long before financial reports are issued.
What is the Role of Data Auditing?
Financial professionals are accustomed to auditing financial systems. Data auditing is an extension of this concept, intended to assure the integrity of the underlying data that feeds these systems. It is a paramount concern for any organization that must satisfy government regulations.
Meeting these challenges requires insight into how enterprise data is accessed and used, and an unimpeachable audit trail of changes. A central aspect of safeguarding data assets is ensuring that data is accessed and changed only in intended ways, and that only the proper parties view the data.
Implementing suitable privacy and security policies and mechanisms is an important step, but these do not address two important realities. First, even authorized users will sometimes access data inappropriately, deliberately or accidentally. Second, flaws in policy and implementation can introduce vulnerability, enabling unintended data access or changes.
While data auditing can provide essential internal controls, it is important that those with wide-ranging access to databases (DBAs and IT staff) are not put in charge of auditing. Segregation of duties, or the separation of responsibility for day-to-day management of the database from the auditing of it, ensures that no single individual has the opportunity to make changes and then conceal them during the auditing process.
What are the goals of a data auditing solution, beyond compliance?
First and foremost, it should protect sensitive information from misuse and improve business operations. This applies to data access within the organization and from outside. CEOs and CFOs must ensure that those with direct, unlimited access to data do not accidentally or maliciously alter important corporate information.
However, beyond the broad goals of protecting data assets, a comprehensive data auditing solution can allow enterprises to:
* comply with internal corporate policies and processes;
* understand and improve internal business processes;
* detect and analyze breaches in user and application behavior, intentional or accidental;
* perform forensic analysis for detecting fraud, outsider intrusion and employee misbehavior;
* rapidly respond to violations and vulnerabilities;
* verify strategic partner activities;
* verify application behavior and that application controls are working properly;
* audit legacy applications that do not support suitable application controls and audit trails;
* answer ad hoc business questions;
* satisfy external due diligence for strategic relationships or customer confidence.
Requirements of a Sound Solution
Certain essential elements form the foundation for a data auditing solution. Whether developed internally by the IT staff or purchased, it should be able to produce very specific information (see table) that provides a complete record of access to databases, producing reports to ensure compliance or satisfy internal audit needs. Because an effective solution provides such a granular level of detail on data access, enterprises can be confident that they have collected the information auditors require.
Ensuring that data is secure, and that the organization knows who is accessing and changing data, requires an IT system with the capability to: record data access and permissions changes; retain the captured data for lengthy periods; flexibly analyze the data; produce reports; and detect conditions of interest for timely notification.
However, this must be accomplished without degrading IT system performance.
Technology is vital to establishing a solution that can meet these challenges. An organization should follow a problem analysis lifecycle, similar to most other IT projects. First, the team must identify applicable strategic and regulatory requirements, analyze existing policies and technologies to find gaps in coverage, then update existing policies and procedures.
The team must identify changes that must be made to the technology infrastructure to support the implementation and verification of new policies and procedures. A data auditing plan will guide the implementation of new systems. Once the solution is installed, it is necessary to validate the behavior of the new system to ensure that it is meeting established goals.
An essential step is to educate employees, partners, customers and others about the changes and new policies and procedures, and provide a high level of support and assistance through the transition period.
Required Technical Capabilities
An effective solution providing data access accountability must include these capabilities:
Capture Data Access: Automatically track whenever data is modified or viewed by any means on target databases, preferably with control over the granularity of data tracked.
Capture Structural Changes: Automatically track changes both to the permissions that control data access and to database schema (to ensure ongoing integrity of the structures storing data).
Manage Captured Information: Automatically consolidate the tracked information from multiple databases into an easily managed, long-term common repository.
Centralize Configuration and Management of All Servers: Provide a straightforward way to configure auditing of all of the target servers, specify the activities of interest, the repository for managing the information and the schedule for transferring data.
Flexible Information Access: Provide flexible and efficient means for processing the stored information to identify activities of interest.
Produce Reports: Ad hoc and periodic exporting of analysis results in a variety of formats, for display, printing and transmission.
Detect Conditions of Interest for Notification: Automatic monitoring for conditions of interest and generating selected alerts.
Capture Login Activity: Automatically capture who has logged in to particular databases, and who attempted to log in and failed.
These capabilities will produce the proper oversight and reporting necessary to satisfy Sarbanes-Oxley. A company can then know how data assets are accessed, and that they are used as intended. Executives can react quickly to exception events (such as user permission changes or changes to data structure) and maintain a complete long-term record of what actually occurred. In the end, the enterprise will have met its goals of complying with regulatory requirements and providing assurance of data integrity.
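The following is an added illustration (not code from the article or from Lumigent) of how the capabilities above translate into detection logic: audit records consolidated from two servers are scanned for schema changes, permission changes, repeated failed logins and direct changes to financial tables made outside the approved application, and the "who modified a set of tables over a period" question from the sidebar is answered from the same records. The log format, server names, table names and client names are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample audit records (not real data), one event per line:
# <timestamp> <server> <user> <event> <object> <client> <outcome>
SAMPLE_LOG = """\
2004-03-09T09:02:11 fin-db1 erp_app UPDATE gl_journal erp_server ok
2004-03-09T22:47:30 fin-db1 dba_jsmith UPDATE gl_journal sqlcmd ok
2004-03-09T22:48:02 fin-db1 dba_jsmith GRANT gl_journal sqlcmd ok
2004-03-09T23:01:15 fin-db2 dba_jsmith ALTER ar_invoices sqlcmd ok
2004-03-10T01:12:00 fin-db2 contractor LOGIN - laptop failed
2004-03-10T01:12:09 fin-db2 contractor LOGIN - laptop failed
2004-03-10T01:12:20 fin-db2 contractor LOGIN - laptop failed
2004-03-10T08:30:00 fin-db2 analyst SELECT ar_invoices reporting ok
"""

SENSITIVE_TABLES = {"gl_journal", "ar_invoices"}  # tables feeding financial reports
APPROVED_CLIENTS = {"erp_server", "reporting"}    # changes are expected only via these
SCHEMA_EVENTS = {"CREATE", "ALTER", "DROP"}
PERMISSION_EVENTS = {"GRANT", "REVOKE"}
MODIFY_EVENTS = {"INSERT", "UPDATE", "DELETE"}

def parse_log(text):
    fields = ("ts", "server", "user", "event", "obj", "client", "outcome")
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]

def conditions_of_interest(records, failed_login_threshold=3):
    """Return (condition, server, user, object) tuples that merit a notification."""
    alerts, failed = [], Counter()
    for r in records:
        if r["event"] == "LOGIN" and r["outcome"] == "failed":
            failed[(r["server"], r["user"])] += 1
            if failed[(r["server"], r["user"])] == failed_login_threshold:
                alerts.append(("repeated_failed_login", r["server"], r["user"], "-"))
        elif r["event"] in SCHEMA_EVENTS:
            alerts.append(("schema_change", r["server"], r["user"], r["obj"]))
        elif r["event"] in PERMISSION_EVENTS:
            alerts.append(("permission_change", r["server"], r["user"], r["obj"]))
        elif (r["event"] in MODIFY_EVENTS and r["obj"] in SENSITIVE_TABLES
              and r["client"] not in APPROVED_CLIENTS):
            alerts.append(("direct_change_outside_application", r["server"], r["user"], r["obj"]))
    return alerts

def who_modified(records, tables, start, end):
    """Who changed these tables in [start, end] across all servers (ISO timestamps sort as text)."""
    seen = defaultdict(set)
    for r in records:
        if start <= r["ts"] <= end and r["event"] in MODIFY_EVENTS and r["obj"] in tables:
            seen[r["obj"]].add(f"{r['user']}@{r['server']}")
    return {table: sorted(users) for table, users in seen.items()}
```

Note that the DBA's own UPDATE is reported because it bypassed the application, while the identical change made through erp_app is not; the audit record, not the identity of the user, is what distinguishes the two.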
It is essential to audit access to data from all sources, including privileged users. A comprehensive data auditing program will supplement external security measures and ensure that the financial viability of the enterprise is not compromised by unauthorized and inappropriate access or changes to data by internal users.
For enterprise-level solutions, some corporations are turning to comprehensive database audit software, which provides the ability to capture a wide range of data-related activity, consolidate and manage this information, review and analyze it in a variety of ways, create reports about the activity at various levels of detail and send timely notifications about certain kinds of detected activity.
RELATED ARTICLE: What a Data Auditing Solution Should Reveal
* All changes to schemas and permissions
* When someone changes database schema or permissions
* Who has viewed certain data and when
* What data was changed, when and by whom
* Who accessed certain tables
* Login activity, both successful and unsuccessful
* Suspicious behavior on certain tables
* Who modified a set of tables over a period of time
Ron Benanto (firstname.lastname@example.org) is CFO at Acton, Mass.-based Lumigent Technologies. Lumigent provides data auditing solutions to help organizations manage the risks associated with the use of enterprise data and address regulatory compliance.