
IT Controls and Data Governance


Looking Beyond SOX

By Paresh Amin
Senior Director, Security and Compliance
Tizor Systems

When the Sarbanes-Oxley Act (SOX) was implemented in 2002, it created a significant, new compliance challenge that reached across the enterprise. Unfortunately, this challenge also reached deep into the IT department. That's because virtually all corporate financial information is electronic, living in databases and other data stores throughout the data center. Ensuring the integrity of those data stores and the data they contain is crucial to SOX compliance.

The challenge for the IT department is not simply doing its part to achieve SOX compliance. In many cases, it's understanding precisely what the role of IT is, and how it fits into a larger corporate strategy of business integrity. Despite the intense focus on SOX, it really is part of a larger issue, one that IT is integrally involved in: enterprise data governance.

It's About Trust
While SOX provides the initial compelling argument for improving control around data integrity, it is only one facet of a larger question: Can the information provided by a company be trusted? From an IT standpoint, this means the way corporate data is housed, managed and shared either creates confidence in the integrity of that information, or it doesn't. And that can have a huge impact that goes well beyond SOX. Enhancing this confidence benefits all stakeholders (including shareholders). Diminishing confidence in data integrity can hurt businesses in all kinds of ways, both from a legal and a competitive standpoint. The value-add of delivering on the enterprise requirements for SOX compliance can fuel a higher level of enterprise contribution, leadership and visibility.

So, enhancing confidence in the integrity of corporate data just makes sense all around, and it's the driving force behind enterprise data governance. Viewed from this perspective, SOX is not merely a compliance headache, but part of a holistic, strategic initiative to instill confidence in every aspect of the business. Improving IT processes and controls is just one element of this larger corporate objective.

Seeing Data Differently
The first step toward achieving the objectives of data governance is looking at the data differently. Viewing data as the critical corporate asset it is helps in visualizing how it should be protected. After all, every public company has clear guidelines for how it should handle its money, including processes for who can access that money, and what they can and cannot do with it. In addition, it has processes for how those funds are tracked, documented and reported.

You wouldn't let just anyone walk in, fiddle with the corporate accounts, and leave, at least not without having the proper controls in place. And so it is with enterprise data. In the information age, data is the currency and data governance is focused on making sure there are processes and controls in place to protect it.

Sounds simple enough, but there is a catch that adds a whole new layer of complexity to the IT challenge: While data must be protected, it must also be readily available to authorized users who need it to do business. Data cannot be kept in a "lock box"; it must be easily accessible to the appropriate systems, applications and people, including trusted external partners, via the network.

Visibility and Control
With this in mind, the IT challenge for data governance is clear: To ensure the integrity of critical data without hindering business processes, companies must know what is happening to the data, who is doing it and when they did it.

Auditors and regulators are demanding that companies have a level of visibility into and control over their data assets that, frankly, they've never had before. Today, organizations must have the visibility to identify when something goes wrong with regulated data, and have enough information to correct it and to document it.

The good news is that implementing controls that provide this visibility into critical data assets is an underlying requirement for the full range of information privacy, integrity and protection regulations impacting organizations across industries and globally, from SOX and Gramm-Leach-Bliley, to HIPAA and the European Privacy Directive.

Implementation Challenges
Of course, establishing any new controls presents a host of business challenges. There is often a disconnect between IT and auditors, with IT unclear about what controls are expected. Even when they know what to monitor, data centers are filled with a wide range of data stores and systems from multiple vendors, including legacy systems. Staffing, time and resources are tight.

Perhaps most daunting is the challenge posed by privileged users responsible for key data center operations. In response to compliance concerns, some organizations have actually curtailed the privileges of system administrators, database administrators (DBAs) and other privileged users. Yet this is clearly counter-productive to the operational efficiency of the data center. Instead, organizations need strategies that allow them to demonstrate to auditors that the integrity of data is being protected, without hindering privileged users' access to the data they need to do their very important jobs.

Protecting the integrity of data is what SOX and other similar regulations are all about. And the risk of failing to implement adequate controls is substantial; just ask the folks at Enron. Even beyond the legal risks, an organization can severely cripple its competitive advantage.

On the other hand, implementing effective controls for ensuring the integrity of financial and other critical corporate data (e.g. customer data) can provide significant business benefits. More effective controls lead to better security, more consistent business processes and improved documentation. In short, compliance helps demonstrate to customers and business partners that an organization can be trusted.

Two Control Frameworks
But where do organizations begin? What IT controls are most important for SOX compliance? A growing number of corporate IT organizations are finding at least some of the answers in recent iterations of two venerable standards frameworks: COBIT and ISO 17799:2005.

COBIT
Control Objectives for Information and related Technologies (COBIT) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). COBIT 4.0, a new version published recently, emphasizes regulatory compliance as it relates to IT governance. ISACA describes COBIT as "an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks."

COBIT provides a best practice framework for how to control, manage and measure 34 key IT practices. This framework includes high-level and detailed control objectives for each process, management guidelines (including process inputs and outputs, roles and responsibilities, and metrics), and process maturity models. A core emphasis of COBIT is aligning IT operations with strategic enterprise objectives and priorities to improve IT value delivery, resource management, business performance, efficiency and risk management.

ISO 17799:2005
The ISO 17799:2005 standard is the most recently published revision of ISO's global security framework. This version significantly improves the already well-respected and comprehensive "Code of Practice for Information Security Management." It provides principles and guidelines for initiating, implementing, maintaining, and improving information security management throughout the enterprise. This includes best practices, control objectives and controls for a range of IT functions related to protecting information.

The ISO 17799:2005 standard includes extensions that strengthen controls designed to protect the integrity of information, from asset management and access control, to human resources security, security incident management and business continuity management. An important new requirement encapsulated in Section 10.10 is an increased emphasis not only on the need to have good security controls, but also on the capability to validate the integrity of regulated information. It mandates validation through systematic auditing and monitoring of activity to prevent unauthorized access to sensitive corporate and customer information. Just as ISO 9000/9001 is used universally as a measure of production quality, ISO 17799:2005 is poised to play a similar role in the area of information integrity assurance.

Specific IT controls
Both COBIT and ISO 17799:2005 provide guidelines that are useful in helping companies determine how to think about the root requirements of compliance regulations and managing data risks. Developed specifically for IT organizations, these frameworks provide specific practices and guidelines for instituting controls aimed at ensuring the integrity of information assets.

But what specific controls should IT managers be focusing on to help ensure SOX compliance, while moving toward data governance? These will vary depending on the business, but the following IT controls consistent with both COBIT and ISO 17799:2005 are important building blocks for protecting and documenting the integrity of critical data.

1. Audit Trails
IT managers must be able to demonstrate that any and all modifications to regulated data are maintained in a clear audit trail. This includes a complete history of activity by privileged users (anyone with database access privileges), including changes to data and to the database itself.

This audit trail must show what was done, who did it and when. It must enable organizations to validate that they have monitored and properly addressed events that could impact data integrity. This includes potentially suspicious activity, such as failed logins and user management activities (adds, deletes, changes). The audit trail should be reviewed on a regular basis, typically quarterly.
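The following is an added example, not code from the article or from Tizor Systems, showing one way to produce the "what, who and when" trail described above directly inside the database. It uses Python's built-in sqlite3 module with a constructed schema; the `session_ctx` table stands in for the session-user variable a production RDBMS would supply, and the table, user and event names are all assumptions made for the example. Triggers write every data change and every user-management action to the trail, a login log captures failed logins, and a `review` function returns the items a quarterly review would look at.

```python
import sqlite3

# Constructed schema for the example: one regulated table, a table of database
# users, a one-row session context standing in for the session-user variable a
# real RDBMS exposes, a login log, and the audit trail itself.
SCHEMA = """
CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT NOT NULL, amount REAL NOT NULL);
CREATE TABLE db_users (name TEXT PRIMARY KEY, role TEXT NOT NULL);
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT NOT NULL);
CREATE TABLE login_events (ts TEXT NOT NULL, actor TEXT NOT NULL, success INTEGER NOT NULL);
CREATE TABLE audit_trail (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL,        -- when
    actor TEXT NOT NULL,     -- who (NOT NULL: a change with no known actor is refused)
    action TEXT NOT NULL,    -- what
    target TEXT NOT NULL,
    old_value TEXT,
    new_value TEXT
);
"""

# Triggers append to the trail on every data change and every user-management
# action, so the record is produced by the database itself rather than by the
# application or the privileged user doing the work. A DELETE trigger on
# ledger would follow the same pattern as the UPDATE trigger.
TRIGGERS = """
CREATE TRIGGER ledger_ins AFTER INSERT ON ledger BEGIN
  INSERT INTO audit_trail(ts, actor, action, target, old_value, new_value)
  VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT v FROM session_ctx WHERE k = 'actor'),
          'INSERT', 'ledger:' || NEW.id, NULL, CAST(NEW.amount AS TEXT));
END;
CREATE TRIGGER ledger_upd AFTER UPDATE ON ledger BEGIN
  INSERT INTO audit_trail(ts, actor, action, target, old_value, new_value)
  VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT v FROM session_ctx WHERE k = 'actor'),
          'UPDATE', 'ledger:' || NEW.id, CAST(OLD.amount AS TEXT), CAST(NEW.amount AS TEXT));
END;
CREATE TRIGGER users_add AFTER INSERT ON db_users BEGIN
  INSERT INTO audit_trail(ts, actor, action, target, old_value, new_value)
  VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT v FROM session_ctx WHERE k = 'actor'),
          'USER_ADD', 'db_users:' || NEW.name, NULL, NEW.role);
END;
CREATE TRIGGER users_drop AFTER DELETE ON db_users BEGIN
  INSERT INTO audit_trail(ts, actor, action, target, old_value, new_value)
  VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'), (SELECT v FROM session_ctx WHERE k = 'actor'),
          'USER_DROP', 'db_users:' || OLD.name, OLD.role, NULL);
END;
"""


def open_audited_db():
    """Create an in-memory database with the schema and audit triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + TRIGGERS)
    return conn


def set_actor(conn, name):
    """Record who is acting in this session; the triggers read it for the 'who' column."""
    conn.execute("INSERT OR REPLACE INTO session_ctx(k, v) VALUES ('actor', ?)", (name,))


def record_login(conn, actor, success, ts):
    conn.execute("INSERT INTO login_events(ts, actor, success) VALUES (?, ?, ?)",
                 (ts, actor, int(success)))


def review(conn, failed_login_threshold=3):
    """Return the items a periodic audit-trail review would examine."""
    rows = conn.execute("SELECT ts, actor, action, target, old_value, new_value "
                        "FROM audit_trail ORDER BY id").fetchall()
    entries = [dict(zip(("when", "who", "what", "target", "old", "new"), r)) for r in rows]
    failed = conn.execute("SELECT actor, COUNT(*) FROM login_events WHERE success = 0 "
                          "GROUP BY actor HAVING COUNT(*) >= ?",
                          (failed_login_threshold,)).fetchall()
    return {
        "data_changes": [e for e in entries if e["what"] in ("INSERT", "UPDATE", "DELETE")],
        "user_management": [e for e in entries if e["what"].startswith("USER_")],
        "repeated_failed_logins": dict(failed),
    }


def unattributed_change_is_rejected():
    """A data change made with no session actor fails the trail's NOT NULL constraint."""
    conn = open_audited_db()
    try:
        conn.execute("INSERT INTO ledger(id, account, amount) VALUES (9, 'X', 1.0)")
        return False
    except sqlite3.IntegrityError:
        return True


def demo():
    """Constructed activity: a DBA changes a balance, adds a user, and one account fails login 4 times."""
    conn = open_audited_db()
    set_actor(conn, "dba_alice")
    conn.execute("INSERT INTO ledger(id, account, amount) VALUES (1, 'ACME', 100.0)")
    conn.execute("UPDATE ledger SET amount = 250.0 WHERE id = 1")
    conn.execute("INSERT INTO db_users(name, role) VALUES ('bob', 'application_admin')")
    for _ in range(4):
        record_login(conn, "mallory", False, "2024-01-15T09:00:00Z")
    record_login(conn, "dba_alice", True, "2024-01-15T09:05:00Z")
    return review(conn)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

Two design points matter for the control. First, the trail is written by triggers, so an administrator who changes data through any client still leaves a record. Second, the `actor` column is NOT NULL and is filled from the session context, so a change with no attributable user is refused rather than logged anonymously; in a real deployment the same effect comes from the database's own session-user function and from keeping the trail table append-only for everyone but the audit role.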

2. Segregation of Duties
Ensuring separation of duties among IT systems administrators is crucial to ensuring the integrity of those systems and the data they contain. ISACA guidelines call for organizations to assign clear job roles and functions, and assign database and system permissions according to those roles and functions.

As a general rule, duties should be divided between two distinct classes of system and database administrators:

• Production administrators who control processes, trim table sizes, add/remove database layer users, etc.

• Application administrators who modify table structure and change data as necessary.

It is critical to maintain separation between those who build and maintain databases and other critical data applications, and those who maintain the data itself. User accounts and passwords should be reviewed on a regular basis to ensure that all permissions reflect actual user roles and responsibilities.

In addition, IT organizations should institute processes for independent verification of actions in relation to data, especially in those cases where strict segregation cannot be achieved due to a small IT staff. For example, processes should be in place to ensure the integrity of database logs through a review by an independent auditor.

Proper separation of duties enables IT organizations to demonstrate that integrity of data has been protected, while ensuring privileged users are able to fulfill their crucial tasks.
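As an added example (not the article's or Tizor's code), the script below performs the periodic account review described above: it compares each account's actual grants with the permission set its assigned role allows, flags accounts whose grants straddle the two administrator classes, and flags accounts that have not logged in recently. The role names, permission names and account records are constructed for the example; a real review would read them from the database's grant tables and authentication log.

```python
from datetime import date

# Constructed role model following the two administrator classes above, plus a
# read-only role for contrast. Permission names are illustrative.
ROLE_PERMISSIONS = {
    "production_admin": {"manage_processes", "trim_tables", "manage_db_users"},
    "application_admin": {"alter_schema", "modify_data"},
    "read_only_analyst": {"select_data"},
}

# Role pairs that a single account must never combine (segregation of duties).
CONFLICTING_ROLES = [("production_admin", "application_admin")]


def review_accounts(accounts, today, stale_after_days=90):
    """Compare each account's grants with its assigned role.

    accounts: list of dicts with 'user', 'role', 'grants' (iterable of permission
    names) and 'last_login' (ISO date string).
    Returns a list of (user, issue, detail) findings; an empty list means clean.
    """
    findings = []
    for acct in accounts:
        user, role, grants = acct["user"], acct["role"], set(acct["grants"])
        expected = ROLE_PERMISSIONS.get(role)
        if expected is None:
            # A role nobody defined cannot be checked; surface it for the reviewer.
            findings.append((user, "unknown_role", role))
            continue
        excess = grants - expected
        if excess:
            findings.append((user, "excess_permissions", sorted(excess)))
        missing = expected - grants
        if missing:
            findings.append((user, "missing_permissions", sorted(missing)))
        # Toxic combination: holding any permission from both sides of a conflicting pair.
        for a, b in CONFLICTING_ROLES:
            if grants & ROLE_PERMISSIONS[a] and grants & ROLE_PERMISSIONS[b]:
                findings.append((user, "sod_conflict", f"{a}+{b}"))
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > stale_after_days:
            findings.append((user, "stale_account", idle_days))
    return findings


# Constructed extract of accounts, as an access-review script might pull them
# from the database's grant tables.
SAMPLE_ACCOUNTS = [
    {"user": "carol", "role": "production_admin", "last_login": "2024-02-20",
     "grants": ["manage_processes", "trim_tables", "manage_db_users", "modify_data"]},
    {"user": "dave", "role": "application_admin", "last_login": "2024-02-28",
     "grants": ["alter_schema", "modify_data"]},
    {"user": "erin", "role": "read_only_analyst", "last_login": "2024-02-25",
     "grants": ["select_data", "alter_schema"]},
    {"user": "frank", "role": "production_admin", "last_login": "2023-08-01",
     "grants": ["manage_processes", "trim_tables", "manage_db_users"]},
    {"user": "gina", "role": "dba", "last_login": "2024-02-01",
     "grants": ["select_data"]},
]


def demo(today=date(2024, 3, 1)):
    return review_accounts(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for user, issue, detail in demo():
        print(f"{user:6} {issue:20} {detail}")
```

The useful output is the short list of exceptions rather than the full grant dump: `carol` is a production administrator who has also been given `modify_data`, which both exceeds her role and crosses the production/application boundary; `erin` holds a schema permission outside her read-only role; `frank` has not logged in for months; `gina` has a role nobody defined. Each exception is a specific question for the data owner, which is what an auditor expects the review to produce.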

3. Change Control
IT organizations must be able to document changes to databases and systems that house regulated data. Any physical upgrades, adding or removing columns, or modifications to a database schema should be clearly monitored and recorded according to documented change management policies and processes. Even routine patches should be included in this monitoring and documentation regime.

Change control processes should produce evidence that all changes have been reviewed and approved, with corresponding logs that document all changes made. These records should be regularly "spot checked" and validated by the IT manager.
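The following added example (not from the article or Tizor) shows the "spot check" side of change control for schema changes: a fingerprint of the database schema is taken when the baseline is approved, a later fingerprint is compared with it, and every difference is matched against the list of approved change tickets. Anything that changed without a ticket is the exception the IT manager needs to see. It uses Python's sqlite3 module and reads the DDL from `sqlite_master`; the table names and the ticket identifier `CHG-0042` are constructed placeholders.

```python
import hashlib
import sqlite3


def schema_fingerprint(conn):
    """Map each table/index/view/trigger ('type:name') to a hash of its normalized DDL."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    fingerprint = {}
    for obj_type, name, sql in rows:
        normalized = " ".join(sql.split()).lower()   # ignore whitespace/case-only differences
        fingerprint[f"{obj_type}:{name}"] = hashlib.sha256(normalized.encode()).hexdigest()
    return fingerprint


def diff_schema(baseline, current, approved_changes):
    """List every object that was added, removed or modified since the baseline.

    approved_changes maps 'type:name' to the change ticket that authorized
    touching that object; objects without a ticket come back with ticket=None.
    """
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            change = "added"
        elif key not in current:
            change = "removed"
        elif baseline[key] != current[key]:
            change = "modified"
        else:
            continue
        findings.append({"object": key, "change": change,
                         "ticket": approved_changes.get(key)})
    return findings


def unapproved(findings):
    """The exceptions a spot check should raise: changes with no approval record."""
    return [f for f in findings if f["ticket"] is None]


def demo():
    """Constructed scenario: one approved column addition, one index created without a ticket."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT, amount REAL);"
        "CREATE INDEX idx_account ON ledger(account);"
    )
    baseline = schema_fingerprint(conn)          # taken when the schema was approved

    conn.execute("ALTER TABLE ledger ADD COLUMN note TEXT")   # covered by ticket CHG-0042 (placeholder)
    conn.execute("CREATE INDEX idx_tmp ON ledger(amount)")    # no ticket: unapproved change

    current = schema_fingerprint(conn)
    approved_tickets = {"table:ledger": "CHG-0042"}           # constructed approval register
    return diff_schema(baseline, current, approved_tickets)


if __name__ == "__main__":
    for finding in demo():
        status = finding["ticket"] or "UNAPPROVED"
        print(f"{finding['change']:9} {finding['object']:20} {status}")
```

Hashing the normalized DDL rather than storing it lets the baseline be kept in the change record itself (and signed or stored outside the administrators' reach), while the comparison still points at the exact object that moved. The same pattern applies to configuration files and patch levels: record the approved state, compare on a schedule, and treat every unmatched difference as a change-control exception to be explained.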

4. Network Access Control
Controls over access to data should focus not just on users, but also on the systems that access regulated data. Network access to critical data stores should be limited to certain defined systems, via strong firewall and IP restrictions. In addition, unnecessary service access should be blocked at the network access device.

Furthermore, the connection of systems to critical stores should be part of the comprehensive change review and approval policy and process, with appropriate oversight and documentation of any and all connectivity to regulated data.

Beyond Compliance
These fundamental IT controls should be viewed merely as a starting point for a more comprehensive approach to ensuring data integrity. As noted earlier, SOX is just the clarion call for greater control over data integrity. Companies focused solely on "getting through the audit" are really missing a huge business opportunity: To adopt an overarching strategy of data governance that goes beyond mere compliance to create a culture of confidence, both internally and externally in the marketplace.

Both COBIT and ISO 17799:2005 provide a framework for data governance strategies that extend well beyond the data center. These broad frameworks should be coupled with robust data auditing and integrity assurance processes that give companies the visibility of their electronic assets that is crucial to effective data governance.

In today's corporate landscape, trust is among a company's most valuable commodities. Most businesses have one chance to demonstrate information/data trust to their shareholders and customers, and once trust is lost, it's gone forever. Companies that take the long view, leverage data governance frameworks across the enterprise, and gain visibility of and control over their data assets, will enjoy a tremendous competitive advantage in this new world.



Paresh Amin is the Senior Director of Security and Compliance at Tizor Systems.

He has 17 years of experience in information technology and security program/project management, strategic planning, operations and product support.

He came to Tizor from State Street Corporation where he was Vice President, Security Architecture and Engineering in the Corporate Information Security (CIS) group. Paresh's experience includes planning and deploying strategic IT and Security projects and programs as well as working with offshore vendors dealing with technology, security and project-based management.
