Sarbanes-Oxley Act (SOX) and Databases
The Sarbanes-Oxley Act (SOX) and other similar global regulations were designed to ensure the integrity of public companies' financial statements. A key component of this is ensuring sufficient control and security over the financial systems and IT infrastructure in use within an organization. This has resulted in an increased emphasis on understanding controls around information technology. Given that the focus of SOX is on the integrity of financial statements, controls around the databases and applications that are the source of these data are key.
The key focus of SOX audits is around three areas of control:
1. IT change management
2. Logical access to data
3. IT operations
Most audits start with a walkthrough - that is, a meeting with business owners (of the data that fall under the scope of the audit) and technical architects of the applications and databases. During this walkthrough, the auditors will try to understand how the above three areas are handled by the IT organization.
IT Change Management
IT change management refers to the process by which changes to operational systems and databases are authorized. Typically any change to a production system or database has to be approved by a change control board that is made up of representatives from the business and IT organizations. Authorized changes must then be put through a rigorous process (essentially a mini systems development life cycle) before being put into production. From a database perspective, the most common types of changes are changes to the database schema, changes to database configuration parameters, and patches/updates to the DBMS software itself.
A key issue related to change management that was a top deficiency found by SOX auditors was adequate segregation of duties between people who had access to databases in the three common environments: development, test, and production. SOX mandates that the DBAs who have the ability to modify data in these three environments be different. This is primarily to ensure that changes to the operating environment have been adequately tested before being implemented. In cases where the size of the organization does not allow this, other personnel should be authorized to do periodic reviews of database access by DBAs, using features such as database audits.
Logical Access to Data
Logical access to data is essentially about the security procedures in place to prevent unauthorized access to the data. From a SOX perspective, the two key questions to ask are: "Who has access to what?" and "Who has access to too much?" In response to these two questions, organizations must establish administrative policies and procedures that serve as a context for effectively implementing these measures. Two types of security policies and procedures are personnel controls and physical access controls.
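The two access questions above, together with the segregation-of-duties rule for DBAs across development, test, and production, are exactly the kind of thing a periodic review of privilege grants and of the database audit trail is meant to answer. The following is an added example, not code from Hoffer's text: it builds a small in-memory SQLite database from constructed sample data (the grants table, the audit log, the user names, environment names, and change ticket numbers are all hypothetical) and runs three review queries over it - who has access to what, who can modify data in more than one environment, and which modifying actions in production are not tied to an approved change ticket.

```python
import sqlite3

# Constructed sample data (hypothetical names and ticket ids).
# Each grant row: (username, environment, privilege)
GRANTS = [
    ("alice", "development", "WRITE"),
    ("alice", "production", "WRITE"),   # alice can modify both dev and prod
    ("bob", "test", "WRITE"),
    ("carol", "production", "WRITE"),
    ("carol", "development", "READ"),
    ("dave", "production", "READ"),
]

# Each audit row: (timestamp, username, environment, action, object, ticket)
# ticket is None when the action was not linked to an approved change.
AUDIT_LOG = [
    ("2024-03-01T09:12:00", "carol", "production", "ALTER TABLE", "gl_journal", "CHG-1042"),
    ("2024-03-02T22:40:00", "alice", "production", "UPDATE", "gl_balance", None),
    ("2024-03-03T10:05:00", "bob", "test", "ALTER TABLE", "gl_journal", "CHG-1042"),
    ("2024-03-04T11:30:00", "carol", "production", "UPDATE", "gl_balance", "CHG-1050"),
    ("2024-03-05T08:00:00", "dave", "production", "SELECT", "gl_balance", None),
]


def build_db():
    """Load the constructed grants and audit rows into an in-memory SQLite db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grants (username TEXT, env TEXT, privilege TEXT)")
    conn.execute(
        "CREATE TABLE audit_log (ts TEXT, username TEXT, env TEXT, "
        "action TEXT, obj TEXT, ticket TEXT)"
    )
    conn.executemany("INSERT INTO grants VALUES (?, ?, ?)", GRANTS)
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?, ?)", AUDIT_LOG)
    return conn


def access_matrix(conn):
    """Who has access to what: every (username, env, privilege) triple."""
    return conn.execute(
        "SELECT username, env, privilege FROM grants ORDER BY username, env"
    ).fetchall()


def sod_violations(conn):
    """Who has access to too much: users holding WRITE in more than one of
    development/test/production, which breaks the segregation-of-duties rule.
    Returns {username: [envs]} with the environment list sorted."""
    rows = conn.execute(
        """
        SELECT username, GROUP_CONCAT(env, ',') AS envs
        FROM (SELECT DISTINCT username, env FROM grants WHERE privilege = 'WRITE')
        GROUP BY username
        HAVING COUNT(*) > 1
        ORDER BY username
        """
    ).fetchall()
    return {user: sorted(envs.split(",")) for user, envs in rows}


def unauthorized_prod_changes(conn):
    """Periodic review of the audit trail: modifying actions in production that
    are not tied to an approved change ticket (reads are not flagged)."""
    return conn.execute(
        """
        SELECT ts, username, action, obj FROM audit_log
        WHERE env = 'production' AND action <> 'SELECT' AND ticket IS NULL
        ORDER BY ts
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Access matrix:")
    for row in access_matrix(db):
        print("  ", row)
    print("Segregation-of-duties violations:", sod_violations(db))
    print("Unticketed production changes:", unauthorized_prod_changes(db))
```

In a real review the grants table would come from the DBMS's own catalog views and the audit rows from its audit facility; the queries stay the same in spirit: enumerate privileges, flag any one person who can write to more than one environment, and reconcile every production change against the change control board's approved tickets.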
PERSONNEL CONTROLS
Adequate controls of personnel must be developed and followed, for the greatest
threat to business security is often internal rather than external. In addition
to the security authorization and authentication procedures just discussed, organizations
should develop procedures to ensure a selective hiring process that validates
potential employees' representations about their backgrounds and capabilities. Personnel
should be monitored to ensure that they follow established practices, take regular vacations,
work with other employees, and so forth. Employees should be
trained in those aspects of security and quality that are relevant to their
jobs and encouraged to be aware of and follow standard security and data
quality measures.
Standard job controls, such as separating duties so no one employee has responsibility for
an entire business process or keeping application developers from having access
to production systems, should also be enforced. Should an employee need to be
let go, there should be an orderly and timely set of procedures for removing
authorizations and authentications and notifying other employees of the status
change. Similarly, if an employee’s job profile changes, care should be taken
to ensure that his or her new set of roles and responsibilities do not lead to
violations of separation of duties.
PHYSICAL ACCESS CONTROLS
Limiting access to particular areas within a building is usually a part of
controlling physical access. Swipe, or proximity access, cards can be used to
gain access to secure areas, and each access can be recorded in a database,
with a time stamp. Guests, including vendor maintenance representatives, should
be issued badges and escorted into secure areas. Access to sensitive equipment,
including hardware and peripherals such as printers (which may be used to print
classified reports) can be controlled by placing these items in secure areas.
Other equipment may be locked to a desk or cabinet or may have an alarm
attached.
Backup data tapes should be kept in fireproof data safes and/or kept offsite, at a
safe location. Procedures that make explicit the schedules for moving media and
disposing of media and that establish labeling and indexing of all materials
stored must be established. Placement of computer screens so that they cannot
be seen from outside the building may also be important. Control procedures for
areas external to the office building should also be developed. Companies
frequently use security guards to control access to their buildings or use a
card swipe system or handprint recognition system (smart badges) to automate
employee access to the building.
Visitors should be issued an identification card and required to be accompanied
throughout the building. New concerns are raised by the increasingly mobile
nature of work. Laptop computers are very susceptible to theft, which puts data
on a laptop at risk. Encryption and multi-factor authentication can protect
data in the event of laptop theft. Antitheft devices (e.g., security cables,
geographic tracking chips) can deter theft or help quickly recover stolen
laptops on which critical data are stored.
IT Operations
IT operations refers to the policies and procedures in place related to the
day-to-day management of the infrastructure, applications, and databases in an
organization. Key areas in this regard that are relevant to data and database
administrators are database backup and recovery, as well as data availability.
These are discussed in detail in later sections. An area of control that helps
to maintain data quality and availability but that is often overlooked is
vendor management. Organizations should periodically review external
maintenance agreements for all hardware and software they are using to ensure
that appropriate response rates are agreed to for maintaining system quality
and availability. It is also important to consider reaching agreements with the
developers of all critical software so that the organization can get access to
source code should the developer go out of business or stop supporting the
programs. One way to accomplish this is by having a third party hold the source
code, with an agreement that it will be released if such a situation develops.
Controls should be in place to protect data from inappropriate access and use
by outside maintenance staff and other contract workers.
Source: Hoffer, Jeffrey A., Modern Database Management, 10th Edition, Pearson, 2011