Skip to main content

Apply These 'Best Practices' to Protect Enterprise Data


From employees, to partners, to consultants, to customers, everyone needs increasingly more direct access to databases. A database's centrality to a company's operation is reason enough to consider auditing it. However, regulatory compliance and security are two other forces that drive companies to consider database auditing.

What is Database Auditing, Anyway?

Even when it's clear your company requires some sort of database audit, what actions to take may not be so obvious. You must consider database activity, usage, and security for auditing to be credible.

Activity and security auditing are the two primary functions of a database audit. Both types of auditing involve controls and measures that map to compliance requirements, such as:Sarbanes-Oxley (SOX); Graham Leach Bliley (GLBA); Health Insurance Portability and Accountability Act (HIPAA); security breach notification laws (such as California Senate Bill 1386); as well as security best practices defined by ISO 27001 (formerly 17799); the Federal Information Systems Management Act (FISMA); or the consolidated Payment Card Industry Data Security Standard (PCI-DSS). As a result, by defining activity and security auditing functions and mapping them to the appropriate compliance frameworks, companies can extend auditing to databases in a way that supports multiple requirements.

Auditing is an important component of a defense-in-depth approach to database security. More than merely tracking and monitoring user activity, database auditing encompasses all aspects of database information controls and counter measures, including monitoring authorized and un-authorized access to sensitive data; access control policies; configuration standards; and vulnerability management practices on a regular basis.

Database Audit Defensibility and Security

Current industry realities are causing a head-on collision between security best-practice and regulatory compliance requirements. On the one hand, compliance requirements are simply impossible to ignore. On the other hand, pursuing compliance at the expense of security best practice (and effectively documenting yourself out of a good security posture) ultimately undermines both objectives.

Compliance + Security

The vulnerability management methodology most companies use to manage network security can be applied to a company’s data to satisfy the requirements of both security and compliance efforts. Key steps in this approach include:

  • Inventory and assess present systems
  • Prioritize efforts based on business value and security exposure
  • Harden systems against known threats
  • Track suspicious activity with real-time monitoring

The security benefits of this approach are straightforward:

1. It decreases the likelihood of a breach because there are fewer ways to compromise databases.

2. It reduces the impact of a breach by providing prompt, intelligent notice of malicious or suspicious activity.

Create Defensible Audits

For a database audit to be useful, it must be demonstrable, defensible, and repeatable. In brief, the audit should be:

  1. Impartial -- Conducted by staff or a trusted third-party separate from the DBAs and others who manage the databases under audit
  2. Independent -- Based on third-party tools which are distinct from native database auditing functions, thus bolstering audit integrity
  3. Tamper-Proof -- Structured such that the results can’t be changed by DBAs or rogue insiders
  4. Recurring -- Conducted on a recurring and regular basis, not just as a one-time or ad hoc process

Determining Audit Credibility

As a practical matter, establishing credibility for compliance-driven database audits depends on the regulatory initiative. Some regulatory requirements, like PCI-DSS for retailers and the U.S. Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) for government agencies, specifically enumerate database applications in their language. For these requirements, whoever signs off on the compliance effort will determine audit credibility. Other regulations aren't nearly as explicit about what systems are covered and leave audit requirements open to interpretation. In these cases, a database audit may, or may not, be strictly required and the nature of the audit will be subject to interpretation.

In either case, however, a well-documented practice of database audits makes a remarkable impression by establishing a practice of due diligence which grounds compliance efforts in the systems where sensitive data spends the bulk of existence.


Popular posts from this blog

Here's How a Board of Directors Should Function (Family Business)

    Essentially a Board should include executives whom you respect and who have the business and personal experience relevant to the key issues that the business must address. Their only interest in your business is that the business is profitable, grows stronger and lasts longer. Here are some attributes to look for when selecting   people to serve on your Board:     Expertise   Every advisor should have specific experience in at least one area to benefit your business. Areas of expertise include technical knowledge of the product or service, manufacturing, distribution, marketing, human resources, finance or management.   It is often helpful to have someone with experience in the same industry.     Willingness to serve   Many business executives would be flattered to be asked to serve on your Board as they would consider it a personal and professional challenge and a way to give back to the business community. Others would not.     A highly qualified person may serve no useful p

'Make, Measure, Monitor' With Business Intelligence Systems - Business Intelligence Dashboards

  Business intelligence describes a toolset and process, which systematically organizes and displays your company data. Intelligence systems assist you in making strategic and operative decisions based on detailed analytic data and reports. Implementing a business intelligence solution not only requires programming qualifications but also necessitates a detailed understanding of business processes, business administration, and business economics.  With that being said, in developing your business intelligence solution, you do not have to “start from scratch”, but instead base it on well-established open-source products and adapt it to your specific requirements by adding additional custom components, interfaces, and modules.  Cornerstones of the Development Process:   - Analysis of your company-specific informational requirements.   - Analysis of existing core-data (e.g. in ERP systems and MDM systems).  - Visualisation of processes using flow charts.   - Decision, whether classic met

Set Policies Now to Solve Future Family Business Problems

    We believe that successful family businesses do a good job of anticipating future issues and talking about how to deal with them as a family before they become issues.   Some of the thorniest policy issues that family businesses must deal with include the divorce of a family member, alcoholism and drug abuse, unethical conduct, affairs of family members with employees, a break in trust or confidence, the loss   of rationality of a family member, moral differences, and poor work performance.     Discussing these and other potential issues in family meetings offers several benefits. First, agreeing on solutions to problems in advance helps prevent family members from taking issues personally; decisions can be more objective. Second, family communication and problem-solving skills get stronger.     One way to deal with potential problems is to develop a set of family business policies to guide future decisions and actions in a variety of areas. Here are some ideas that we’ve found