In-Depth

Ten Business Benefits of Effective Data Auditing

Auditing can do more than just help you meet a host of new government regulations. The author outlines the significant business benefits from a solid data-auditing program and explains the basic requirements of such a solution. (Part one of a two-part series.)

• By Murray S Mazer
• 02/18/2004

Introduction

Today’s government regulations place strict requirements on enterprises to audit access to corporate information and produce reports detailing who has changed, or even seen, that information. Reports on data access are now required by government regulations such as Sarbanes-Oxley, HIPAA, FDA 21 CFR Part 11, EUDPA, and the USA PATRIOT Act. This is especially true in financial services, where oversight from the SEC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and FDIC is imposing much stronger operational controls on databases and their use in banks, savings and loan associations, investment houses, brokerage firms, and other financial institutions.

Auditing an enterprise’s databases has always been an excellent practice to improve business operations and safeguard data integrity. However, the ability to determine when databases have been accessed (and by whom) and when compromises have been made to data integrity has moved from a secondary IT function to an essential one. This shift has occurred because of several factors, including:

• heightened expectations for the respect for individual privacy and control over personal information
• increased access by employees, customers, partners, and other individuals to corporate data previously accessible only in highly restricted back-office configurations
• much higher volumes of sensitive corporate data being captured and maintained electronically
• mistrust generated by recent events where corporations have hidden important information from the public, leading to large-scale financial disasters

These factors have led to increased scrutiny and more demanding findings by both internal and external auditors, with 2004 being an especially important year for compliance with a large set of regulations. Companies today must prove that they have a recorded audit trail of who has accessed (or even tried to access) specific information. Regulators, shareholders, board members, customers, and others now insist that companies prove they can determine who’s done what to their databases, and when.

Because there has traditionally been less focus on data access accountability—the auditing and reporting on data access and permissions management—enterprises continue to struggle with how they can develop effective audit trails and timely alerts about key events. The goal is to meet new government regulations, protect sensitive information, and improve business operations. In addition, C-level executives (such as CEOs and CFOs) are paying more attention to their organizations’ practices, including monitoring and auditing database access. They must insure that those who have direct and unlimited access to data—the DBAs and IT staff—do not accidentally or maliciously alter important corporate information.

Meeting these challenges requires an effective audit trail and timely key event alerts. This, in turn, requires a number of capabilities: recording data access and permissions changes, managing the data for lengthy periods, flexibly analyzing the data, producing reports, and detecting conditions of interest for timely notification, all while avoiding performance overhead on mission-critical systems.

Monitoring data access is an essential step, yet common approaches have important flaws that miss particular activities, introduce a false sense of security, and interfere with runtime database performance. Many organizations, aware of these shortcomings, choose not to implement these kinds of safeguards, leaving them unable to respond to business needs.

Goals of a Database Auditing Audit Solution—Beyond Government Compliance

Data auditing is a paramount concern for anyone responsible for corporate databases, beyond the need to satisfy government regulations. The task of safeguarding data assets is multi-faceted, but a central aspect is ensuring that data is changed only in intended ways and only the proper parties view the data.

Implementing suitable privacy and security policies and mechanisms is an important step, but it does not address two important realities. First, even authorized users will sometimes access data inappropriately, whether deliberately or accidentally. Second, flaws in policy and implementation can introduce vulnerability, enabling unintended data access or database changes.

A comprehensive data auditing solution allows enterprises to:

• comply with internal corporate policies and processes
• understand and improve internal business processes
• detect and analyze breaches in user and application behavior, intentional or accidental
• perform forensic analysis for detecting fraud, outsider intrusion, and employee misbehavior
• rapidly respond to violations and vulnerabilities
• verify strategic partner activities
• verify third-party application behavior
• answer ad hoc business questions
• satisfy external due diligence for strategic relationships or customer confidence
• comply with government regulations regarding the security and privacy of data

Developing a Data Auditing Solution

Technology is key to establishing a data auditing solution that can meet these challenges. An organization with any of these goals or requirements should engage in a problem analysis lifecycle similar to most of IT's other technology projects.

First, the team must identify applicable strategic and regulatory requirements, analyze existing policies and technologies to identify aspects of inadequate coverage, and update existing policies and procedures toward compliance.

The project team must identify changes that will be necessary to technology infrastructure to support the implementation and verification of new policies and procedures. A data-auditing plan will guide the implementation of the new systems. Once the data audit solution is installed, it is necessary to validate the behavior of the new systems to ensure that they are meeting the established goals. An essential step throughout this process is to educate employees, partners, customers, and others about the changes and new policies and procedures, and provide a high level of support and assistance through the transition period.

The Benefits of a Data Auditing Solution

Certain essential elements form the foundation for a data auditing solution. Whether the solution is developed internally by the IT staff or purchased from a software vendor, it should be able to produce very specific information, including records of:

• when someone changes database schema or permissions
• all changes to schemas and permissions
• what data was changed, when, and by whom
• who has viewed certain data and when
• who accessed certain tables
• login activity, both successful and unsuccessful
• suspicious behavior on certain tables
• who modified a set of tables over a period of time

This collected information enables DBAs and others trusted with the care of the corporate databases to have a complete record of access to those databases, letting them produce reports that are necessary to insure compliance with regulations or satisfy their own internal audit needs. Because an effective data auditing solution provides such a granular level of detail on data access, enterprises can be confident that they have collected the information that is required for auditors or to improve their business operations.

Required Capabilities

An effective solution providing data access accountability must include these capabilities:

• Capture Data Access: Automatically track whenever data is modified or viewed by any means on target databases, preferably with control over the granularity of data tracked
• Capture Structural Changes: Automatically track changes both to the permissions that control data access and to database schema (to ensure ongoing integrity of the structures storing data)
• Manage Captured Information: Automatically consolidate the tracked information from multiple databases into an easily managed, long-term common repository
• Centralize Configuration & Management of All Servers: Provide a straightforward way to configure auditing of all of the target servers, specify the activities of interest, the repository for managing the information, and the schedule for transferring data
• Flexible Information Access: Provide flexible and efficient means for processing the stored information to identify activities of interest
• Produce Reports: Ad hoc and periodic exporting of analysis results in a variety of formats, for display, printing, and transmission
• Detect Conditions of Interest for Notification: Automatically monitoring for conditions of interest and generating selected alerts
• Capture Login Activity: Automatically capture information on who has logged into certain database information, or who was unsuccessful in logging in

Next week I'll examine the data auditing options, from modifying applications to the preferred audit approach: non-trigger tracking at the data source. I'll also suggest the issues you need to consider before selecting a solution.