Privileged User Monitoring for SOX Compliance

Pages: 14 (3282 words) Published: October 18, 2012
White Paper

Privileged User Monitoring for SOX Compliance

Cover graphic: sample alert call-outs (privilege escalation, 12:28 p.m.; failed login, 6:45 a.m.; financial data breach, 11:32 p.m.; financial data access, 5:48 p.m.)

Privileged User Monitoring for SOX Compliance
Many enterprises are facing the SOX compliance challenge of monitoring all of the data activity of their most privileged users. This paper highlights several of these challenges and how they can be addressed by a comprehensive database activity auditing solution.

Sarbanes-Oxley (SOX) IT controls address the integrity of databases that store sensitive financial and business information. In particular, new SOX requirements have shifted the focus from merely understanding who has access to information to continuous monitoring of database activity. These requirements target high-risk database activities: privileged user behavior, direct access to sensitive data stores, user privilege escalation, failed logins and failed database operations, and so on. Finally, while database applications like DB2, Oracle, SQL Server, and Sybase rightly attract most of the attention, the problem invariably extends to other sensitive data stores, with file server-resident financial, legal, strategic, and spreadsheet documents being the foremost examples.

SOX Section 404 demands that companies (a) evaluate the adequacy of internal controls as they relate to financial reporting, (b) institute new controls as necessary, and (c) perform and report an assessment of these controls on an annual basis. In short, Section 404 says, "Management must ensure that appropriate internal controls for financial reporting are in place." Furthermore, Section 404 requires not only that corporate and IT officers immediately put in place internal controls to protect the integrity of financial data (and, by implication, all systems that access that data), but also that the organization be able to demonstrate that appropriate controls are in place.

At first glance it is quite obvious that the full access credentials accorded to DBAs and system administrators create a significant vulnerability for an enterprise's data, simply because these privileged users have access to all or a significant fraction of your data. However, privileged users are normally highly valued and trusted individuals who are indispensable to the day-to-day workings of your data environment, and they generally do not respond well to being told by an IT auditor that they are a threat that must be monitored. In reality, with most enterprises working to enforce segregation of duties, most DBAs and system administrators expect their activity to be monitored and have no issue with this, simply because they don't intend to do anything wrong.

This is precisely the challenge that enterprises are facing with the SOX Section 404 mandate to monitor the activity, particularly database activity, of their DBAs and other privileged users. The problem arises because it makes no sense to monitor a DBA with full privileges by using the log facilities within the database applications, because their privileges allow them to cover their tracks by deleting or otherwise altering the logs. So many enterprises are resorting to curtailing their DBAs' privileges to prevent them from having any access to the log facilities. The problem with this approach is that DBAs use the database log facilities as a debug tool in order to do their job, so curtailing their privileges effectively curtails their productivity and makes their job more difficult.

Corporate officers, IT auditors, and database administrators find a variety of challenges in the requirement to audit all privileged user activity, which typically ranges...
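To make the high-risk categories above concrete, here is an added example (not from the white paper or any vendor's product) that tags constructed database audit events with those categories, including the case the paper warns about, a privileged user deleting from the in-database audit trail. The account names, table names and event records are all assumptions made up for the example.

```python
import re

# Assumed account and table names for the constructed sample (not from the paper).
PRIVILEGED_USERS = {"dba_alice", "sysadmin_bob"}        # DBAs / system administrators
APP_ACCOUNTS = {"app_svc"}                              # the sanctioned application path
FINANCIAL_TABLES = {"gl_ledger", "ap_invoices", "payroll"}
AUDIT_TABLES = {"sys_audit"}                            # the in-database log a DBA could alter

# Constructed audit events: (time, user, status, statement). Not real log data.
EVENTS = [
    ("06:45", "dba_alice", "FAILED", "LOGIN"),
    ("12:28", "app_svc", "OK", "GRANT DBA TO app_svc"),
    ("17:48", "dba_alice", "OK", "SELECT * FROM gl_ledger"),
    ("08:00", "app_svc", "OK", "SELECT total FROM ap_invoices"),
    ("23:32", "sysadmin_bob", "OK", "DELETE FROM sys_audit WHERE ts < '2012-01-01'"),
    ("09:10", "report_user", "OK", "SELECT total FROM ap_invoices"),
    ("10:02", "dba_alice", "FAILED", "DROP TABLE payroll"),
]

def tables_in(sql):
    # Crude extraction of table names that follow FROM/INTO/TABLE/UPDATE/JOIN.
    return {t.lower() for t in re.findall(r"\b(?:FROM|INTO|TABLE|UPDATE|JOIN)\s+(\w+)", sql, re.I)}

def classify(event):
    """Return the set of SOX high-risk categories an event falls into (empty = routine)."""
    _, user, status, sql = event
    tags = set()
    if user in PRIVILEGED_USERS:
        tags.add("privileged_user_activity")
    if status == "FAILED":
        tags.add("failed_login" if sql.upper().startswith("LOGIN") else "failed_operation")
    if re.match(r"\s*(GRANT|ALTER\s+USER)\b", sql, re.I):
        tags.add("privilege_escalation")
    touched = tables_in(sql)
    # Direct access: a financial table read or written outside the application account.
    if touched & FINANCIAL_TABLES and user not in APP_ACCOUNTS:
        tags.add("direct_sensitive_access")
    # Covering tracks: destructive statements against the audit trail itself.
    if touched & AUDIT_TABLES and re.match(r"\s*(DELETE|TRUNCATE|UPDATE|DROP)\b", sql, re.I):
        tags.add("audit_trail_tampering")
    return tags

def sox_alerts(events):
    """Keep only events with at least one high-risk tag; tags sorted for stable output."""
    out = []
    for e in events:
        tags = classify(e)
        if tags:
            out.append((e[0], e[1], sorted(tags)))
    return out
```

Because the classifier runs over a copy of the events held outside the database, the 23:32 deletion is still reported even though the statement it flags is an attempt to erase the database's own record of it.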