The Complete Guide to DBA Practices & Procedures - Regulatory Compliance & DBA - Part 15

Database Administration:
The Complete Guide to Practices and Procedures
Chapter 15
Regulatory Compliance and Database
Administration

SOX: Sarbanes-Oxley Act
• The U.S. Public Accounting Reform and Investor Protection Act
of 2002 (aka Sarbanes-Oxley or simply, SOX)
– “…to use the full authority of the government to expose corruption,
punish wrongdoers, and defend the rights & interests of American
workers & investors.”
– The primary objectives of SOX:
• To strengthen and restore public confidence in corporate accountability and
the accounting profession;
• To strengthen enforcement of the federal securities laws;
• To improve executive responsibility;
• To improve disclosure and financial reporting; and
• To improve the performance of “gatekeepers.”
– Section 404 is the largest driver of SOX projects
• It is the most important section for IT because the processes and internal
controls are implemented primarily in IT systems;
• …and much of the data is stored in a DBMS.
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/the-complete-guide-to-dba-practices-and-procedures-regulatory-compliance-and-dba-part-15-586

FISMA:
Federal Information Security Mgmt. Act
• The E-Government Act was passed in 2002 as
a response to terrorist threats
– Title III of the act is named the Federal
Information Security Management Act (FISMA).
– FISMA basically states that federal agencies,
contractors, and any entity that supports them,
must maintain security commensurate with
potential risk.
– Officials are graded on the potential effect a
security breach would have on their operations.

Other Regulations & Issues?
• And, there are more regulations to consider, for
example:
– the USA Patriot Act
– Can SPAM Act of 2003
– Telecommunications Act of 1996
– The Data Quality Act
• Additional regulations may be imposed on your
partiuclar company or applications depending
upon your industry, location, etc.
• And do not forget that new regulations will
continue to be written by government/industry
and imposed over time…

Management Visibility
• Impact: upper-level management is keenly aware of the
need to comply, if not all of the details that involves.
• Prosecution: being successfully prosecuted (see next
slide) can result in huge fines and even imprisonment.
• Cost: cost of complete compliance can be significant, but
so can the cost of non-compliance. No longer easier just
to ignore problems.
• Durability: although there have been discussions about
scaling back some laws (e.g. SOX), increasing regulations
and therefore increasing time, effort, and capital will be
spent on compliance.
– That is, the issue will not just disappear if you ignore it long
enough!
• But, at the end of the day, ensuring exact compliance can
be a gray area.

The DBA and Regulatory Compliance
Compliance-related tasks that impact database
administration include:
• Metadata Management and Data Quality
• Database and Data Access Auditing
• Data Masking and Obfuscation
• Long-Term Data Retention and Database
Archiving
• Closer Tracking of Traditional DBA Tasks
– (e.g. Change Management, Backup & Recovery)

Data Quality
• Poor data quality costs the typical company at
least ten percent (10%) of revenue; twenty
percent (20%) is probably a better estimate.”
Source: Thomas C. Redman, “Data: An Unfolding Quality Disaster”,
DMReview Magazine, August 2004
Valid &
Accurate?

Database Auditing and
Data Access Tracking
• Organizations today have to go well beyond
just securing their data.
• Companies have to perpetually monitor their
systems in order to know who did exactly
what, when and how -- to their data.
• This can be accomplished with database
auditing software
– Also known as Data Access Tracking and Data
Activity Monitoring

How to Audit Database Access?
There are five techniques that can be used to
audit database access:
1. Adding columns to tables
2. DBMS traces
3. Log based
4. Network sniffing
5. Capture requests at the serverThis document is a partial preview. Full document download can be found on Flevy:

Limitations of Database Audit Traces
Typically, the audit trace doesn’t record everything:
– Auditing takes place only when the audit trace is on.
– The trace does not record old data after it is changed (the log records
old data).
– If an agent or transaction accesses a table more than once in a single
unit of recovery, the audit trace records only the first access.
– The audit trace does not record accesses if you do not start the audit
trace for the appropriate class of events.
– The audit trace does not audit some utilities. The trace audits the
first access of a table with the LOAD utility, but it does not audit
access by the COPY, RECOVER, and REPAIR utilities. The audit trace
does not audit access by stand-alone utilities, such as DSN1CHKR and
DSN1PRNT.
– The trace audits only the tables that you specifically choose to audit.
– You cannot audit access
Internal DBMS audit traces drain performance
– Starting traces can “dim the lights”
– DBAs don’t like them

Auditing Has to be at the Server Level
• If you are not capturing all pertinent access
requests at the server level, nefarious users
can sneak in and not be caught.

Should Be Able to Answer
These Questions
• Who accessed the data?
• At what date and time was the access?
• What program or client software was used to access
the data?
• From what location was the request issued?
• What SQL was issued to access the data?
• Was the request successful; and if so, how many rows
of data were retrieved?
• If the request was a modification, what data was
changed?
– A before and after image of the change should be
accessible

Data Masking and Obfuscation
Data masking is the process of protecting sensitive and personally
identifiable information (PII) in non-production databases from
inappropriate visibility.

Data Masking Techniques
• The substitution technique replaces existing data with random values from
a pre-prepared data set.
• The shuffling technique uses the existing data and moves the values
between rows in such a way that the no values are present in their original
rows.
• The number and date variance technique varies the existing values in a
specified range in order to obfuscate them. For example, birth date values
could be changed within a range of plus or minus 90 days.
• The encryption technique scrambles the data algorithmically. This
technique will not produce realistic looking data and can make the data
larger.
• The nulling out technique simply removes the sensitive data by deleting it.
• The table-to-table synchronization technique masks data assuring that the
results are referentially intact.
– If two tables contain columns with the same data values and those columns
are masked in one table then the second table is updated with the changed
value, too.

Data Retention Drives Archiving
• Data Retention Requirements refer to the length
of time you need to keep data
– Determined by laws – regulatory compliance
• More than 150 state and federal laws
• Dramatically increasing retention periods for corporate data
– Determined by business needs
• Reduce operational costs
– Large volumes of data interfere with operations: performance,
backup/recovery, etc.
• Isolate content from changes
– Protect archived data from
modification

The Scope of Archiving

Closer Tracking of Traditional
DBA Tasks
• Regulatory compliance also can help to
improve the focus on traditional DBA
procedures and processes.
• The accounting and regulatory demands of
the regulations often require DBA practices to
be strengthened and formalized.
– Change management
– Database backup and recovery.

What is COBIT?
• COBIT is a framework of IT best practices that companies can use to
improve management over their IT organizations, to improve the
value of IT, and to ensure that the goals of the IT organization are
aligned with the goals of the business.
– The current COBIT guidelines are available from the IT Governance
Institute
• ISACA (the Information Systems Audit and Control Association)
• Following COBIT accomplishes the following:
– Links IT and business goals
– Identifies responsibilities of business and IT owners
– monitors performance, evaluating it against metrics and maturity
models.
• The COBIT framework consists of 34 specific control objectives,
organized into 4 domains.
• Best practice frameworks like COBIT are vital tools for ensuring
compliance with regulations such as Sarbanes-Oxley (SOX).
http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx.

1
Flevy (www.flevy.com) is the marketplace
for premium documents. These
documents can range from Business
Frameworks to Financial Models to
PowerPoint Templates.
Flevy was founded under the principle that
companies waste a lot of time and money
recreating the same foundational business
documents. Our vision is for Flevy to
become a comprehensive knowledge base
of business documents. All organizations,
from startups to large enterprises, can use
Flevy— whether it's to jumpstart projects, to
find reference or comparison materials, or
just to learn.
Contact Us
Please contact us with any questions you may have
about our company.
• General Inquiries
support@flevy.com
• Media/PR
press@flevy.com
• Billing
billing@flevy.com

The Complete Guide to DBA Practices & Procedures - Regulatory Compliance & DBA - Part 15

Recommandé

Recommandé

Contenu connexe

Plus de Flevy.com Best Practices

Plus de Flevy.com Best Practices (20)

Dernier

Dernier (20)

The Complete Guide to DBA Practices & Procedures - Regulatory Compliance & DBA - Part 15