Regulatory compliance and the DBA: What you need to know

At the top of business executives' minds today is how to meet new regulatory compliance and corporate governance rules. New laws are changing the way companies collect, retain and manage information. DBAs need to understand what is happening in the corporate business world and how it will directly impact their job role.

Complying to new regulations

Although the primary purpose of SOX is to assure corporate governance standards of financial reporting and auditing, wider interpretation can include IT operational processes that support a business. Company's executives are now reaching out to IT to access and provide record of policies, process and procedures that control access and protect the integrity of financial systems and business applications, across networks, servers and into databases where the data is stored. As IT organizations start to address SOX, questions are being raised on how far it reaches, what is affected and what should be reviewed and reported. Although there is guidance available from various sources, there has yet to appear a definitive set of guidelines that is not open to interpretation. Offered only as examples to assist in meeting compliance, here are five potential ways an organization might fail an upcoming audit if not properly prepared:

1. No security management or demonstration of security for systems of financial record or systems that could affect financial systems' integrity. Companies must assure that financial information is safe from unauthorized outside or internal influences.
2. Not having documented procedures, records or changes, or auditable demonstration of change management when system, database and network administrators make alterations or updates on systems of financial record or those systems that could affect financial systems' integrity. Proper change management must exist to ensure that software and hardware changes are controlled and recorded.
3. No documented disaster recovery plan or auditable verification of successful plan execution of recoverability of systems of financial record. This includes demonstrating recoverability of financial systems for reasonable business continuance with minor business impact. No matter the size or the complexity of the system, organizations must assure recovery within a period of time that ensures availability of financial data in a timely manner.
4. Database logging not enabled, logs not secured, no reporting of database transactions or demonstration of log audit reporting for financial systems of record or systems that could affect financial systems' integrity. Without database logging and log reporting, it is next to impossible to identify who changed what in the database. Database administration change management comparisons should be verified against database log reports to ensure all database alterations are recorded and verifiable.
5. Backups or data movement onto disk, tape or stored at third-party sites is not secured and tracked. Unsecured financial data can be vulnerable to theft, unauthorized viewing or alteration. For instance, a Transportable Tablespace of a database could potentially be moved and reattached to another database enabling unauthorized viewing. Database archival, backups, loading and unloading, administration change management and reporting should be performed and routinely verified to ensure that data is secured.

SOX section 404 requires an external auditor's opinion on the effectiveness of internal controls. For audit, and quarterly certification, companies need to demonstrate what control changes are implemented to attest to integrity, confidentiality and non-repudiation of financial reporting. If process controls can be bypassed, executive management cannot with certainty sign off on the adequacy of controls for financial data integrity.

As SOX legislation is relatively new and affects a majority of companies today, the SEC has identified guidelines provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in evaluating internal controls. IT control requirements are most often derived from SOX regulation internal controls sections 302, 404.

While COSO does provides a general framework for accounting internal controls, but not IT-specific ones, organizations can find IT-specific models available within the Control Objectives for Information and related Technology (COBIT) organization to assist with SOX compliance. Created by Information Technology Governance Institute (ITGI), the COBIT framework provides control objectives focusing on IT governance specific to the IT environment.

COBIT aligns with the general COSO framework with internal controls consisting of four domains, 34 processes and over 208 detailed control objectives aligning with the IT implementation cycle. The domains are planning and organization, acquisition and implementation, delivery and support, and monitor and evaluate. A few examples of the processes defined that address the enterprise data environment are:

• Acquire and maintain application software
• Acquire and maintain technology infrastructure
• Ensure systems security
• Manage the configuration
• Manage problems and incidents
• Manage data
• Manage operations

COBIT key controls and questions assist in measurement and assessment of current processes, process control objectives, success criteria for process implementation and metrics to evaluate and quantifying process improvement. Guidelines help drive IT governance and compliance by aligning IT decisions with business strategy.

Key controls in COBIT include such activities as:

• Separation of duties
• Effective change management
• Effective change documentation
• Release processes
• Control processes
• Resolution processes

Key questions a DBA should be prepared to answer/demonstrate

By no means a definitive list or one that assures compliance, these sample questions can help ascertain your data and database management knowledge on the subject matter in preparation for audit (database archival, backups, loading and unloading, administration change management and reporting).

• Have data integrity ownership and responsibilities been communicated to appropriate data/business owners and their acceptance of responsibilities?
• Are key database systems inventoried, owners identified and documented?:
  • Number of databases and instances
  • Type and version of the database software installed
  • Type and version of the underlying operating system
  • Database users and privileges compared with user system security
  • Related applications accessing or transacting with the database
  • Utilities and tools that can access, manage or change the database or data
  • Organization charts identifying system owners and maintainers
• Do you have change management so you can attest to any changes or alterations?
• Where are the risks to financial data stored in databases documented? How often are they reviewed and updated?
• Is the data that is extracted, archived or backed up properly secured and tracked?
• How is division of roles and responsibilities (segregation of duties) set up so that it prevents a database administrator (DBA) from unauthorized data viewing, alterations or deletions?
• What are the database management process controls? Where are they documented for review? What monitoring and reporting do you have in place? Can you demonstrate this (pick randomly) one to me now?
• When was the last time the database management control methods were tested, gaps identified and controls improved?
• Do you understand and accept the responsibility regarding internal controls for the databases you manage?

Before your executive management signs off on SOX, what processes has your IT department put in place to prevent authorized users from accessing, altering or accidentally or deliberately deleting data that could result in incorrect financial reporting? Are you prepared when an auditor asks, "Where are your documented processes and can you demonstrate them"? Are those processes just what it takes to pass an initial audit, or industry standard practices like COBIT that are repeatable and supportable when resources move on to other roles or depart the company? If not, then now is the time to kick off a project to have them addressed.

Preparing for audit

Auditors are seeking validation that the DBMS maintains accurate and reliable data, control of objects and data is by authorized users only, and proper backup and data restoration are provided. Organizations need to have controls to ensure that qualified DBAs:

• Are responsible for ensuring database retains financial data integrity and are accountable if a database is compromised.
• Track and approve all database modifications and manage the security of the database by the proper roles and access management.
• Validate database backup and recovery of the largest of databases within a "reasonable time" to meet business continuance audit criteria.

In preparation for a best practice review or audit, DBAs should:

1. Perform active discovery daily and maintain an inventory of all financial system databases, databases that exchange data and databases objects associated with financial data.
2. Establish and document repeatable best practices for database change management: for managing object permissions, schema changes, roles and privileges to eliminate risk of unauthorized viewing, altering or copying of data.
3. Ensure protection of database transaction logs from alteration and deletion, perform database log audit validation of database changes and implement proactive log analysis and rapid corrective action and when unauthorized changes occur.
4. Conduct database backups or exports, and routinely verify data is secured and can demonstrate recoverability within reasonable period of time for business continuance.

For those companies with large and complex databases or even a number of different database types, the four tasks could quickly overcome data or database administration staff if performed manually. If custom coding and scripts are considered for automation and not commercial off-the-shelf software, the extra time, resources and cost to support continuous development, code management and repudiation to auditors should be considered as part of budget planning.

Summary

SOX does not mandate software; however technology and automation can be used to ease the amount of work and cost of compliance as compared to manual or paper-based methods. Auditors will be seeking documentation and demonstration of consistent and repeatable processes and controls. Instead of taking the risk of a failed audit, the rising cost of maintaining manual controls as data volumes increase database size and complexity, or re-evaluations caused by business changes, you can instead choose to automate and improve controls in a consistent and efficient manner. DBAs need the right tools to meet requirements and help the various stakeholders in your organization understand and feel confident in their internal financial control sign-off.

For more information

• Industry organizations
  • www.isaca.org
  • www.coso.org
  • www.auditnet.org/sox.htm
  • www.itgi.org/
  • www.aicpa.org/news/2004/2004_0929.htm
• CA technology
  • www3.ca.com/technologies/subsolution.asp?id=4846
  • www.ca.com/databasemanagement

About the author

Steve Lemme is a director of database management solutions for CA, published author of "Implementing and Managing Oracle Databases" and columnist in Database Trends and Applications Magazine. Mr. Lemme is an Oracle Master DBA with over 15 years experience in mission-critical Oracle architecture and speaks on database management best practices to address regulatory compliance. Prior to CA, he managed critical computer and database systems for Allied Signal, Apple, GTE and Motorola, where downtime was $150,000+/hour. He holds the position of director in the Independent Oracle Users Group.