Regulatory Roadblock or Roadmap for IT Excellence?
When the Sarbanes-Oxley Act (SOX) was passed in 2002, it heralded an important shift in how public companies would be managed—a shift that reverberated through boardrooms everywhere. Intended to assure the integrity of financial reporting in the wake of historic corporate scandals including Enron and WorldCom, SOX prescribes a range of business reporting requirements and management controls. The business implications of SOX reach across the enterprise and into the very core of the data center.
The area of SOX most relevant to IT professionals is Section 404, which requires that companies:
- Evaluate the adequacy of internal controls as they relate to financial reporting
- Institute new controls as necessary
- Perform and report an annual assessment of these controls
Note that Section 404 requires not only that companies put in place appropriate, enterprise-wide controls to protect the integrity of financial data (and, by implication, the systems that access that data), but also that they be able to show that these controls are in place. SOX compliance, along with many other regulatory requirements, suggests that IT should view data management and protection from a holistic perspective – as part of an overall IT strategy, not merely as a single, isolated initiative.
How SOX Impacts IT
So how does SOX 404 affect IT operations? Consider that virtually all corporate information, including financial information, is inextricably linked to enterprise IT systems and data stores. Establishing robust controls over what happens to critical corporate information would have been relatively simple back in the days of monolithic mainframe and database “silos” effectively kept under lock and key. But those days are gone.
Today, the IT infrastructure is a hyper-networked environment of Web-enabled applications and APIs that open the door to external, third-party partners with authorization to access and manipulate data stores. This makes protecting data a complex challenge.
The data protection challenge is further complicated by the role of privileged users. Database Administrators (DBAs), system administrators and other privileged users have unfettered access to critical data stores, creating a significant potential vulnerability for the enterprise. Their privileges can be the key that opens the door to noncompliant or even malicious data activity – plus, they have the ability to cover their tracks. As with other corporate internal policies and standards, the spirit of SOX is that organizations should not blindly trust anyone, but have a “trust but verify” model for critical data access. Organizations must have the appropriate people, process and technology controls in place to allow for trust assurance.
This is especially crucial considering the criticality of the information contained in enterprise data stores. Today, databases contain the “crown jewels” of the business – from sensitive customer and employee information to inventory and corporate financial data. Protecting these data stores with robust IT controls is a key requirement in the SOX 404 directives. While databases are a central focus, these controls must also extend to mainframe applications and unstructured data. In addition, controls must address the risk posed by privileged users.
For IT, the core requirement imposed by SOX 404 is simply stated: know what is really going on with all SOX-regulated data. But how can IT managers achieve this far-reaching goal?
There are some fundamental operational policies and processes that should be in place to protect data integrity. Foremost among these is segregation of duties: separating Production DBAs (who control processes, trim table sizes, add/remove database-layer users, etc.) from Application DBAs (who modify table structure and change data as necessary). Maintaining separation between those who build and maintain database applications and those who maintain database content is critical.
But what about the data itself? How can IT managers know what is happening to data across their systems and databases?
Clear Data Visibility
To answer that question, forward-looking IT managers are turning to data auditing to gain new visibility into critical data stores – and to provide the all-important documentation of that activity.
To meet the demands of SOX 404, a data auditing and protection solution must enable IT managers to monitor and report on five key categories of critical data activity:
1. Monitoring database access by privileged users and “masqueraders”
Privileged user monitoring is a primary objective of SOX data auditing. Additional requirements generally relate to specific activities initiated by privileged users – and those masquerading as privileged users for malicious purposes. Companies must audit all data access activity by all privileged user IDs, and they must be able to retrieve, examine, analyze and report on this part of the audit trail. Enterprises working to comply with this requirement have met some daunting challenges along the way, including:
- Monitored users typically have full administrator credentials, and can cover their tracks by modifying or deleting the logs being used to monitor them.
- Privileged user credentials can be restricted to prevent log access, but this results in lowered productivity and can create an adversarial relationship with DBAs.
- Many enterprises have databases from several different database vendors, requiring expertise on each database’s log capabilities and making the task of consolidating logs into useful reports nearly impossible.
A comprehensive database auditing solution must address all of these problems and provide transparent auditing unseen by privileged users across a variety of systems, applications and databases.
2. Monitoring changes in privileges
Privileged users often use privileged credentials only on an as-needed basis to perform specific tasks. It is imperative to track when these privilege escalation events occur, and to maintain and regularly review reports of this activity in order to verify the legitimacy of these events.
In order to attest to the integrity of critical data, you must know what is happening in the user community. Have new users been defined or has an existing user been de-provisioned? Have a user’s privileges been escalated or revoked? An effective database monitoring solution will provide the necessary visibility into these transactions, without requiring auditors to search through endless database log files.
3. Monitoring access failures
Failed access events are often an indication that something is not right. Application data access attempts, in particular, should never fail. Therefore, companies must know when login attempts fail and when data access attempts are unsuccessful.
The most common definition of invalid logical access attempts covers two classes: unsuccessful attempts to access a resource, and invalid or failed logins. An effective data auditing solution must be capable of capturing both classes of failed access operation.
4. Monitoring schema changes
Ensuring data integrity requires the ability to track changes to compliance-related data structures. Monitoring, logging and reporting on data structure changes not only permits organizations to satisfy routine auditing requirements, but also to identify anomalous and unscheduled activity.
5. Monitoring direct data access
Another common requirement is to track any direct access to sensitive system and data tables. Since direct access operations are uncommon in procedural applications, it is important to capture an audit trail of these activities.
To combat some of these challenges, organizations should ensure they have the IT infrastructure in place to capture the necessary detail in the audit trail and show not only that a direct data access event occurred, but also which user ID initiated the event, what source IP address originated the event, and precisely what content was affected by the event (database, tables, columns and rows).
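The five categories above, as an added example that is not part of the original article: a small Python classifier that runs over constructed audit log lines, tags each event with every category it falls into, reports each finding as the five Ws (who, what, which asset, when, from where), and applies the Production DBA / Application DBA separation-of-duties rule described earlier in the article. The log line format, role names, table names and sample lines are all assumptions made for the example, not the output of any real product.

```python
"""Added example (not from the original article): classify constructed database
audit events into the five SOX 404 monitoring categories and report every
finding with the five Ws. Log format, roles and table names are assumptions."""
import re
from collections import namedtuple
from dataclasses import dataclass

# Constructed sample audit lines; assumed format:
#   timestamp|user|role|source_ip|status|statement
SAMPLE_LOG = """\
2024-03-01T09:12:03Z|dba_prod|production_dba|10.0.5.21|OK|SELECT * FROM gl_journal
2024-03-01T09:13:10Z|app_erp|application|10.0.7.4|FAIL|SELECT amount FROM gl_journal WHERE id=42
2024-03-01T09:14:55Z|dba_app|application_dba|10.0.5.22|OK|ALTER TABLE gl_journal ADD COLUMN memo TEXT
2024-03-01T09:15:30Z|dba_prod|production_dba|10.0.5.21|OK|GRANT DBA TO jsmith
2024-03-01T09:16:02Z|jsmith|analyst|192.168.3.9|OK|UPDATE gl_journal SET amount=0 WHERE id=42
2024-03-01T09:17:41Z|unknown|unknown|203.0.113.7|FAIL|LOGIN
2024-03-01T09:18:00Z|dba_prod|production_dba|10.0.5.21|OK|DROP TABLE gl_journal_archive
"""

# Assumed role and asset inventory (in practice fed from IAM and data classification).
PRIVILEGED_ROLES = {"production_dba", "application_dba", "sysadmin"}
APPLICATION_ROLES = {"application"}          # service accounts of business applications
SENSITIVE_TABLES = {"gl_journal", "gl_journal_archive", "payroll"}

PRIV_CHANGE = re.compile(r"^(GRANT|REVOKE|CREATE USER|DROP USER|ALTER USER)\b", re.I)
SCHEMA_CHANGE = re.compile(r"^(CREATE|ALTER|DROP)\s+(TABLE|INDEX|VIEW)\b", re.I)
DATA_ACCESS = re.compile(r"^(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
TABLE_REF = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|JOIN)\s+([A-Za-z_]\w*)", re.I)

Event = namedtuple("Event", "when who role where status what")


@dataclass(frozen=True)
class Finding:
    """One audit finding expressed as the five Ws: who did what to which asset, when, from where."""
    category: str
    who: str
    what: str
    which: str
    when: str
    where: str


def parse_log(text):
    """Split the pipe-delimited lines into Event records."""
    return [Event(*line.split("|", 5)) for line in text.splitlines() if line.strip()]


def tables_in(statement):
    """Table names referenced by a statement (simple keyword-based extraction)."""
    return sorted(set(TABLE_REF.findall(statement)))


def asset_of(event):
    return ", ".join(tables_in(event.what)) or "(no table)"


def classify(event):
    """Return every category (1-5) the event belongs to; one event may hit several."""
    cats = []
    if event.role in PRIVILEGED_ROLES:                  # 1: all activity by privileged IDs
        cats.append("1-privileged-access")
    if PRIV_CHANGE.match(event.what):                   # 2: grants, revokes, user lifecycle
        cats.append("2-privilege-change")
    if event.status != "OK":                            # 3: failed logins and failed data access
        cats.append("3-access-failure")
    if SCHEMA_CHANGE.match(event.what):                 # 4: DDL against data structures
        cats.append("4-schema-change")
    if (DATA_ACCESS.match(event.what)                   # 5: DML/SELECT on sensitive tables ...
            and event.role not in APPLICATION_ROLES     # ... from anything but the application
            and any(t in SENSITIVE_TABLES for t in tables_in(event.what))):
        cats.append("5-direct-data-access")
    return cats


def audit(log_text):
    """Every (event, category) pair as a five-Ws finding, in log order."""
    return [Finding(cat, ev.who, ev.what, asset_of(ev), ev.when, ev.where)
            for ev in parse_log(log_text) for cat in classify(ev)]


def sod_violations(log_text):
    """Separation-of-duties rule from the article: production DBAs manage users and
    processes but not table structure; application DBAs change structure and data
    but not database users."""
    out = []
    for ev in parse_log(log_text):
        if (ev.role == "production_dba" and SCHEMA_CHANGE.match(ev.what)) or \
           (ev.role == "application_dba" and PRIV_CHANGE.match(ev.what)):
            out.append(Finding("sod-violation", ev.who, ev.what, asset_of(ev), ev.when, ev.where))
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG) + sod_violations(SAMPLE_LOG):
        print(f"{f.category:22} who={f.who:9} which={f.which:19} when={f.when} "
              f"where={f.where:13} what={f.what}")
```

Running the script prints one line per finding. Two design points are worth noting: a single event can legitimately land in several categories (a DBA's GRANT is both privileged activity and a privilege change), so the classifier returns a list rather than a single label; and category 5 deliberately excludes the application's own service account, so that routine application traffic is not reported as direct access while the same statement from an analyst or a DBA is.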
Data Auditing Checklist
So what should IT managers look for when considering a solution for enterprise data auditing? Look for the following attributes:
- Pervasive – It must be able to monitor and record critical data activity across the full range of databases, applications and systems, regardless of vendor. A network-based approach to data auditing is a logical choice here.
- Transparent – It must be non-intrusive and invisible to users, especially privileged users. A transparent, agentless architecture has the added benefit of not impacting database, system or network performance.
- Intelligent – It must be able to filter and collect only specified target activities as required to achieve compliance, discarding everything else. This enables an organization to efficiently manage compliance and data, reducing both storage costs and liability.
- Scalable – It must be able to scale easily and cost-effectively to keep pace with changes in the enterprise IT environment. Agentless architecture is crucial to ensuring scalability, while simplifying management.
- Flexible – It must allow an organization to easily tailor data auditing to its specific needs. Flexible, policy-based rules will enable easy customization. It should also allow you to create and modify policies to meet the data auditing needs of other regulations, handling multiple compliance challenges with a single solution.
- Real-time – It must be able to isolate and identify unusual activity in real time to help detect, alert and stop non-compliant data activity rapidly to mitigate risk.
- Historical – It must be able to document a comprehensive, easily searchable audit trail for monitored data activity. It should also provide rich reporting capabilities, in alignment with an organization’s own corporate business processes.
Finding a data auditing solution that satisfies each and every one of these requirements will provide an organization with the confidence that it is taking adequate steps to monitor SOX-regulated data activity in the most effective and efficient manner.
Achieving IT Excellence
At its core, SOX is based on a deceptively simple three-part requirement: that companies track access to sensitive financial data, report on their controls in a comprehensive way, and respond quickly and responsibly when something goes wrong. A careful reading of virtually any information protection regulation reveals that if appropriate auditing technologies are applied, these underlying requirements will be met.
As a general rule, adequate SOX auditing means tracking “the five Ws”: Who did What to Which data asset, When and from Where? Looked at in this way, SOX 404 really challenges IT managers to take full control over and responsibility for the data with which they are entrusted.
Implementing a pervasive, transparent, intelligent data auditing strategy focused on delivering detailed and actionable audit information not only helps IT managers take a giant step toward SOX compliance; it also forms a framework for operational excellence that can have a positive impact throughout the organization. As this auditing framework builds momentum, it becomes a solid IT foundation on which to build broader data governance programs. This helps IT demonstrate a higher return on the investments supporting these critical enterprise initiatives.
Seen in this way, data auditing becomes a crucial building block—not just for achieving SOX compliance, but for achieving the corporate integrity, trust and transparency that are the keys to corporate excellence.