Regulatory compliance has become a critical aspect of the IT landscape, and is a special consideration for financial institutions that house sensitive data. More and more regulations are being passed that dictate increased effort be exerted to better secure and protect the accuracy and privacy of financial data.
The most valuable enterprise data is typically stored within a database, either on a mainframe or a server running Windows, Linux, or a variant of Unix. So financial institutions must implement more robust auditing capabilities into their database environments on multiple platforms. Reputation, brand and market share can take a steep dive if a bank experiences any breach in data security. Auditing access to data is the first step towards preventing and handling data breaches.
The Regulatory Environment
There are many regulations that impact data protection and auditing requirements. The highly visible regulations that affect financial institutions include Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI DSS).
SOX, the most familiar to the average American, was put in place to regulate corporations to reduce fraud and conflicts of interest, improve disclosure and financial reporting, and strengthen confidence in public accounting. Section 404 of this act, the one giving IT shops the most problems, specifies that the CFO must do more than simply vow that the company’s finances are accurate; he or she must guarantee the accuracy of the processes used to add up the numbers.
PCI DSS was developed by major credit card companies to help prevent fraud, hacking and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card transactions. Given the availability and high-volume concerns of payment card transactions this information is typically stored in a mainframe database.
Simply put, financial and banking executives must ensure their databases are protected such that only properly authorized entities have access to only the specific data they need in order to do their jobs – and to be able to prove this.
Tracking who did what to which piece of data, and when they did it, is important because there are many threats to data security. External agents trying to compromise security and access company data are rightly viewed as a threat to security. But industry studies have shown that many security threats are internal – within an organization. Indeed, some studies have shown that internal threats comprise as much as 80 percent of all security threats. The most typical security threat comes from a disgruntled or malevolent current or ex-employee that has valid access to the mainframe. Auditing is the best way to find an unauthorized access emanating from an authorized user.
Tactics for Compliance
So how can financial institutions ensure they are in compliance with these regulations (and others)? Data access auditing, sometimes simply called database auditing, can track the use of database resources and authority. Each audited database operation produces an audit trail of information. The audit trail will show which database objects were impacted, what the operation was, who performed the operation, and when it occurred. This comprehensive audit trail of database operations produced can be maintained over time to show in-depth analysis of access and modification patterns against data in the mainframe.
But as with any technology, there are multiple considerations to understand and deliberate upon before implementation. The first step is to make a list of the regulations to be complied with, based on the types of data your institution holds. After you have created a compliance roadmap, determine what level of data access auditing is required, with input from an internal auditing group. A good database access auditing solution should answer at least the following questions:
- Who accessed the data?
- At what date and time was the access?
- What program or client software was used to access the data?
- From what location was the request issued?
- What command was issued to access the data?
- Was the request successful; and if so, how many rows of data were retrieved?
- If the request was a modification, what data was changed? (A before and after image of the change should be accessible)
When choosing a solution, consider one that delivers pre-canned compliance reports. For example, if you are looking to comply with PCI DSS, a database auditing solution that delivers out-of-the-box PCI reports will shorten your implementation timeline.
Furthermore, the method by which the audit trail is produced is a significant consideration. There are basically four options: deploying native DBMS traces, scanning database transaction logs, sniffing network traffic, or tapping requests at the source. Of these methods, the last one provides 100% visibility into database activities without becoming a performance drain. But depending upon your specific needs and requirements any of the other options may work for your organization.
Before choosing and implementing a database auditing solution for your database systems, you should investigate the methodology being used to ensure its comprehensiveness, performance, and usability. It is also important for you solution to be able to work across all of the platforms upon which you store sensitive data. The ability to gather and assemble auditing data from disparate source into a central console can greatly simplify regulatory compliance.
Ensuring compliance with tedious government and industry regulations is a daunting task. This, along with the growing need to protect databases from the increasing online and internal threats to sensitive data has resulted in financial executives being asked to be more personally responsible for the safety of corporate data. Data access auditing solutions can help financial institutions meet growing requirements safely and proactively.