Your Stake in Data Auditing - Part 2 of 2
What auditors and database administrators need to know
Data auditing is a paramount concern for anyone responsible for ensuring that corporate databases are protected organizational assets and that such protection satisfies government regulations. Businesses are at a higher risk for fraud, data theft, non-compliance, lost customers, and loss of brand or reputation when corporate data is unguarded. Providing a record of all data access is one step companies can take as part of a comprehensive program to assure that their corporate data is secure.
Before an organization selects a data auditing methodology, it’s important to understand the different roles people across department lines play in developing a solution that fits the company's needs.
This week we'll examine the roles of the auditor and database administrator in a comprehensive corporate risk-management strategy through data auditing.
What Are the Stakes for the Auditor?
There are, of course, different types of auditors. Internal auditors work within a company, with finance or IT, or both. External audit firms specialize in data auditing, too. Most companies engage two outside audit firms -- one to consult on how to conduct the audit; another to perform the audit. This separation of duties among audit entities is necessary to retain independence throughout the audit process and ensure untainted results.
Internal auditors must audit all database access, including access by trusted or authorized users. If they cannot produce a record of who has accessed data, when this access occurred, what data was seen or altered, and what changes were made (if any), then the auditor must disclose that the company has an incomplete audit record. This puts the company at risk for non-compliance (and exposes them to all the associated costs and penalties).
Internal auditors typically are concerned about having a comprehensive capability to perform their audit responsibilities, but rely on the CIO and the IT staff to determine and provide the technical tools that will make the required data records available to them.
External auditors have a different role. The primary function of auditors consulting with corporations on conducting audits is to examine the business and advise the enterprise on potential risks and the weaknesses in the company's auditing process. Auditors are called upon to complete a thorough risk analysis so the company can develop the necessary policies, procedures, and solutions to avoid the identified risks. If external auditors miss anything in their risk assessment, their client may face penalties for non-compliance.
Likewise, the external auditors who perform the audit are fully responsible for conducting a thorough, complete audit that produces all of the documentation and information necessary to satisfy corporate and government requirements (be they SEC-related, Sarbanes-Oxley, or other regulations that affect public or private companies). An audit that is incorrect or incomplete puts the client company at risk.
What Does (Or Should) the Auditor Care About?
All auditors, whether internal or external, are concerned about whether the audit records are complete and accurate. They must trust that all access data has been captured and there are no back doors through which a DBA or other trusted employee can secretly gain access to a corporate database.
Unfortunately, some data-auditing methods do not close the “back doors.” For example, application modification, which entails changing the source code of every application that might be used to access data, often misses certain access points to data. Also, access outside of the modified applications (e.g., via a database administrative console) is not captured, and changes to permissions and schema cannot be captured by this means.
Reporting is the second major concern of auditors. With higher volumes of data to audit in shorter time periods, auditors don’t have time to sift through reams of data; they need summary reports for clear insight. A database-auditing solution must produce summary reports tailored to the level of information required by the auditor, the CIO, the CFO, and others throughout the corporation. The data audit should also provide ad hoc reports quickly on emerging questions and issues that arise during the course of changing business conditions.
What Should the Auditor Do?
Internal auditors must verify that all controls in place are actually working. The only way to do this is to look at the underlying data. For example, in a situation where there is data that only one person is authorized to access, the auditor could look at a report that details access over a given time period. If the report is blank, then they know that there has been no unauthorized access and the controls are working.
One of the challenges facing auditors who work both with finance and IT is to fully understand the needs and requirements of both groups. However, auditors must remember that theirs is an independent function that reports to the Board of Directors. Although they may be assigned to sit within one of these departments and work with executives in both, their position must remain independent.
The Database Administrator
What are the Stakes for the Database Manager?
DBAs are responsible for the integrity of all underlying data upon which the business relies. All pressures for managing data integrity, complying with regulations, and avoiding corporate risks related to data trickle down to the database manager. The DBA can be a hero (by making sure the company doesn’t get into trouble because of data issues) or a villain (should anything go awry).
What Does (Or Should) the Database Administrator Care About?
Efficiency and productivity are the major concerns for DBAs, who try to perform multiple jobs and are pressed for time. Any tools that can automate otherwise manual processes will increase productivity and assure that time pressures do not foster errors or heighten the risk of data corruption.
One enterprise estimated that each of four DBAs spent 1.5 hours each day on data auditing functions. By deploying an automated data auditing solution, the company saved the equivalent cost of a three-quarter time DBA employee and allowed its DBAs to focus on other priorities.
To improve efficiency and productivity, DBAs in large enterprises want a solution that is easy to administer and maintain, preferring a single auditing solution for multiple platforms. They may look for solutions with a single console for configuration and scheduling across multiple platforms. A multi-platform solution reduces training requirements and the time to manage the data audit process, and eliminates the need for different employee skill sets.
The performance impact of data auditing solutions is a second issue for DBAs. Most dread the traditional means, using triggers (special-purpose application logic) on the database. Triggers are often hard to write correctly; they add substantial runtime performance overhead (because they execute in line with transactions, reducing throughput); and they cannot capture data views or changes to schema and permissions.
Alerting capabilities are a third matter for DBAs, who want to quickly know about anomalies in data access to minimize the potential for risk of data loss or theft; such knowledge can prevent costly damage to the corporation or its customers. Corporations, especially financial services enterprises, maintain extremely sensitive customer data-like Social Security numbers, bank accounts, or credit card records. These companies must know immediately if there has been unauthorized access to a database. DBAs want to determine quickly what individual(s) inappropriately breached security, and respond rapidly to prevent the data from falling into potentially criminal hands. DBAs want a data auditing solution that allows them to prescribe and manage alert notices on a changing basis.
What Should the Database Administrator Do?
As with the CIO, the DBA should participate from the outset in developing a data auditing process and insure that certain criteria are met by the solution. Their checklist includes the most essential aspects of a data auditing solution:
- Complete data-access capture
- Elimination of back doors through which users can access data without detection
- Alerts for unauthorized access
- Detail level summary and ad hoc reporting
- No performance impact
- Cost-effective, especially across multiple servers
- Flexible approach to meet evolving requirements from regulators and changing business conditions
Once these minimum considerations are met, the DBA will tailor the solution to the company. Because DBAs are the first line of defense when it comes to data integrity, it is imperative that they ensure that data-auditing processes are comprehensive in collecting all relevant audit data. That means a DBA must fully understand the needs of departments outside of IT (finance, operations, HR, and so on) and recommend or select a solution that satisfies both functional and technical requirements.