Sarbanes-Oxley Act (SOX), passed in 2002, spells out requirements for internal controls. Some organizations have turned to the standards published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). These do not, however, provide specific guidelines for organizations that deal with databases, a key area of concern for SOX compliance, but instead provide an excellent conceptual architecture for organizations to build a compliant IT Control framework for the enterprise. Others are relying upon the best practices set forth by COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library). However, these frameworks are incomplete with regards to the concerns set forth under SOX relating to databases. Databases are at the center of SOX control issue. Ensuring effective controls over database activity—writes, deletes, changes, and administration—is absolutely crucial to maintaining data integrity. Control must also extend to server and mainframe applications and unstructured data. Meeting SOX compliance centers on four areas: audit trails, segregation of duties, change control, and patch management.
Companies need to answer who changed a record, who deleted a record, changes to a schema, with particular detailed attention to privileged users. These audit logs are usually a normal by-product of most database and application tools. There needs to be a process to regularly review patterns and to store the logs for at least 5 years.
Segregation of Duties
The Information Systems Audit and Control Association (ISACA) has issued guidelines calling for IT organizations to assign clear job roles and functions, and to assign database and system permissions according to those roles and functions. Please refer to www.isaca.org and the publication titled Control Objectives for Sarbanes-Oxley 2nd Edition for additional detail.
Organizations need to document changes to their technical environment and adoption of ITIL’s Change and Release Management play a crucial role in satisfying this area.
Applications and associated databases should be patched on a predefined schedule that takes into account the peak usage periods for these systems, while providing substantial review of the patches with adequate testing. There are some other internal controls over financial reporting (ICoFR) that relate to database auditing and include:
Network access should be limited only to certain defined systems (via strong firewall and IP restrictions).
Unnecessary service access should be blocked at the network access device. This would be satisfied by “hardened” proxy servers.
Frequent review of user accounts and passwords should regularly verify that all permissions reflect actual user roles and responsibilities. This has given rise to a number of products associated with Identity Management (IM) and Network Access Control (NAC).
These should be performed several times a year, in alignment with HR systems and general identity management solutions.
- Financial transactions are properly recorded by authorized users
- Data has not been compromised by unauthorized or authorized means
- All changes to the financial data are monitored
Achieving these controls presents IT managers with the challenge of auditing (and maintaining an audit history) for a variety of SOX-related activity, including all:
- privileged user activity
- changes to user privileges
- failed login attempts
- logical access failures
- database schema changes
- direct data access events