Tizor Systems, Inc. - Data Protection and Compliance Auditing Solutions
Beyond SOX Compliance

IT Controls for Data Governance

More than perhaps any other regulatory legislation in recent memory, the Sarbanes-Oxley Act (SOX) introduced compliance challenges that reached across the enterprise—and penetrated deep into the IT department. IT is inextricably linked with SOX because virtually all corporate information is electronic. This critical information lives in databases and other data stores throughout the data center. Ensuring the integrity of data in those stores is fundamental to SOX compliance.

One of the key challenges facing the IT department in meeting its obligations relative to SOX is, in many cases, understanding precisely what its role is in SOX compliance. IT managers must understand how the datacenter fits into a broader corporate strategy of business integrity. Seen in this way, the challenge of SOX is really just one part of a larger issue in which IT is integrally involved: enterprise data governance.

The Issue is Trust

While SOX provides a compelling argument for improving control around data integrity, it is only one facet of a larger question: Can the information provided by a company be trusted? From an IT standpoint, this means the manner in which corporate data is housed, managed and shared should promote confidence in the integrity of that information.

Clearly, the issue of trust has far-reaching implications that go well beyond SOX. Enhancing trust and confidence benefits all stakeholders, including shareholders. Undermining confidence in data integrity can hurt businesses in a number of ways, both legally and competitively. Delivering on the enterprise requirements for SOX compliance also gives IT a more visible, strategic role in the enterprise.

For these reasons, enhancing confidence in the integrity of corporate data makes good business sense—and it’s the driving force behind enterprise data governance. Viewed from this perspective, SOX is not merely a compliance headache, but part of a holistic, strategic initiative to instill confidence and trust in all aspects of the business. Improving IT processes and controls is just one aspect of this larger corporate objective.

A New View of Data

The first step toward achieving the objectives of data governance is viewing enterprise data as the critical corporate asset it is. Seeing data in this way helps in visualizing how such a valuable asset should be protected. After all, every public company has clear guidelines for how it should handle its financial assets, including processes for who can access the company’s money, what they can and cannot do with it, and how funds are tracked, documented and reported.

No company would let just anyone access and manipulate corporate accounts—at least not without having the proper controls in place. And so it is with enterprise data. In the information age, data is the currency and data governance is focused on making sure there are processes and controls in place to protect it.

So far, the challenge of data protection may sound simple. But there is a catch that adds a whole new layer of complexity: While data must be protected, it must also be readily available to authorized users who need it to do business. Unlike your life savings, corporate data cannot be kept locked away in a safe; it must be easily accessible to the appropriate systems, applications and people, including trusted external partners, via the network, at a second’s notice.

Know the 3 W’s

With this reality in mind, the IT challenge for data governance is clear: To ensure the integrity of critical data without hindering business processes, companies must have a way of knowing the 3 W’s: what is happening to the data, who is doing it and when they did it. And that requires a new level of visibility into critical data assets.

Auditors and regulators are demanding companies have a level of visibility into and control over their data assets that, frankly, they’ve never had before. Today, organizations must have the visibility to identify when something goes wrong with regulated data – and have enough information to correct it and to document it.

The good news is that implementing controls that provide this visibility into critical data is an underlying requirement for a range of information privacy, integrity and protection regulations impacting organizations everywhere—from SOX and Gramm-Leach-Bliley to HIPAA and the European Privacy Directive.

Implementation Challenges

Establishing new controls always presents a host of business challenges. There is often a disconnect between IT and auditors, with IT unclear about what controls are expected. Even when they know what to monitor, data centers are filled with a wide range of data stores and systems from multiple vendors, including legacy systems. Staffing, time and resources are tight.

Then there is the challenge posed by privileged users, including system administrators and database administrators (DBAs) responsible for key data center operations. To address compliance issues, some organizations have actually curtailed privileges for privileged users. Yet this is clearly counter-productive to the data center’s operational efficiency. Instead, organizations need strategies that allow them to demonstrate to auditors that data integrity is being protected, without hindering privileged users’ access to the data they need to do their jobs.

Overcoming these challenges can pay significant dividends. Implementing effective controls for ensuring the integrity of financial information, sensitive customer and employee information, and other critical corporate data can provide enormous business benefits, including better security, more consistent business processes and improved documentation. In short, compliance helps demonstrate to customers and business partners that your organization can be trusted. And in today’s corporate world, trust is the coin of the realm.

Two Important Roadmaps

But where do organizations begin? What IT controls are most important for SOX compliance and for establishing a foundation for data governance? A growing number of IT organizations are finding at least some of the answers in recent versions of two venerable standards frameworks: COBIT 4.1 and ISO 17799:2005.

COBIT 4.1

Control Objectives for Information and Related Technology (COBIT) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The latest version, COBIT 4.1, emphasizes regulatory compliance as it relates to IT governance. ISACA describes COBIT as “an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.”

COBIT provides a best-practice framework for how to control, manage and measure 34 IT processes. This framework includes high-level and detailed control objectives for each process, management guidelines (including process inputs and outputs, roles and responsibilities, and metrics), and process maturity models. A core emphasis of COBIT is aligning IT operations with strategic enterprise objectives and priorities to improve IT value delivery, resource management, business performance, efficiency and risk management.

ISO 17799:2005

The ISO 17799:2005 standard is the most recently published revision of ISO’s global information security framework (it has since been renumbered, without change of content, as ISO/IEC 27002:2005). It significantly improves upon the already well-respected and comprehensive “Code of Practice for Information Security Management.” ISO 17799:2005 provides principles and guidelines for initiating, implementing, maintaining, and improving information security management throughout the enterprise. This includes best practices, control objectives and controls for a range of IT functions related to protecting information.

The ISO 17799:2005 standard includes extensions that strengthen controls designed to protect the integrity of information, from asset management and access control to human resources security, security incident management and business continuity management. An important addition is its increased emphasis on the capability to validate the integrity of regulated information: it calls for validation through systematic auditing and monitoring of activity, to detect and prevent unauthorized access to sensitive corporate and customer information. Just as ISO 9000/9001 is widely used as a measure of production quality, ISO 17799:2005 is poised to play a similar role in the area of information integrity assurance.

IT Best Practices for Data Integrity

Both COBIT 4.1 and ISO 17799:2005 provide guidelines that are useful in helping companies determine how to think about the root requirements of compliance regulations and managing data risks. Developed specifically for IT organizations, they provide specific best practices for controls aimed at ensuring the integrity of information assets.

What specific controls should IT managers be focusing on for achieving SOX compliance, while moving toward data governance? While these vary depending on the business, the following IT controls consistent with both COBIT and ISO 17799:2005 are important building blocks for protecting the integrity of critical data and documenting that protection.

1. Segregation of Duties

Separation of duties among system and database administrators is crucial to the integrity of those systems and their data. It lets IT organizations demonstrate that data integrity has been protected while privileged users remain able to fulfill their crucial tasks.

ISACA guidelines call for organizations to assign clear job roles and functions, and assign database and system permissions according to those roles and functions. As a rule, duties should be divided between two distinct classes of system and database administrators:

· Production administrators who control processes, trim table sizes, add/remove database layer users, etc.

· Application administrators who modify table structure and change data as necessary.

In other words, maintain separation between those who build and maintain databases and those who maintain the data itself. User accounts and passwords should be reviewed on a regular basis to ensure that all permissions reflect actual user roles and responsibilities.

IT organizations should also institute processes for independent verification of data-related actions, especially in those cases where strict segregation cannot be achieved due to a small IT staff. For example, processes should be in place to ensure the integrity of database logs through independent audit and review.

2. Audit Trails

IT managers must be able to demonstrate that any and all modifications to regulated data are recorded and tracked in a clear audit trail. This includes a complete history of activity by anyone with database access privileges, including changes to data and to the database itself.

This audit trail must show the 3 W’s: what was done, who did it and when. It must enable organizations to validate that they have monitored and properly addressed events that could impact data integrity. This includes potentially suspicious activity, such as failed logins, as well as user management activities (adds, deletes, changes). The audit trail should be reviewed on a regular basis.

3. Change Control

IT managers must be able to document changes to databases and systems that house regulated data. This includes any physical upgrades, adding or removing columns, modifications to a database schema, and even routine patches—all must be clearly monitored and recorded according to documented change management policies and processes.

These change control processes should provide evidence that all changes have been reviewed and approved, with corresponding logs that document all changes. These records should be “spot checked” and validated by the IT manager on a regular basis.

4. Network Access Control

IT managers should ensure that access controls on data focus not just on users, but also on the systems that access regulated data. Network access to critical data stores should be limited to a defined set of systems, enforced with firewall rules and source IP restrictions. In addition, unnecessary service access (ports and protocols the data store does not need to expose) should be blocked at the network access device.

Furthermore, any connection of systems to critical stores should be part of the comprehensive change review and approval policy and process, with appropriate oversight and documentation of all connectivity to regulated data.
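The four controls above are what a database activity audit trail has to support, so the following added example (not code from the Tizor paper or its products) runs the checks over a handful of constructed audit log lines: it extracts the 3 W’s for every event, flags failed logins and user-management activity (control 2), reconciles schema changes against an approved-change list (control 3), checks each statement against the two administrator classes of control 1, and flags connections from hosts outside a network allow list (control 4). The log format, account names, role assignments, allowed hosts and approved changes are all assumptions made for the example.

```python
"""Audit-trail review over constructed database activity log lines.

Added example, not code from the Tizor paper.  Log format, user names,
role assignments, allow-listed hosts and approved changes are assumptions.
"""
import re
from collections import Counter, namedtuple

# Constructed sample log (the format is an assumption): when, who, from
# which host, the outcome, and the statement that was run.
SAMPLE_LOG = """\
2007-03-12T09:14:02Z user=dba_ops host=10.1.4.20 status=OK stmt=CREATE USER reporting_ro WITH PASSWORD '***'
2007-03-12T09:15:10Z user=app_admin host=10.1.4.31 status=OK stmt=ALTER TABLE gl_entries ADD COLUMN approved_by text
2007-03-12T09:16:45Z user=app_admin host=10.1.4.31 status=OK stmt=UPDATE gl_entries SET amount = 1500 WHERE id = 8812
2007-03-12T09:17:03Z user=dba_ops host=10.1.4.20 status=OK stmt=UPDATE gl_entries SET amount = 0 WHERE id = 8812
2007-03-12T09:18:11Z user=unknown host=192.0.2.55 status=FAILED stmt=LOGIN
2007-03-12T09:18:14Z user=unknown host=192.0.2.55 status=FAILED stmt=LOGIN
2007-03-12T09:20:00Z user=app_admin host=10.1.4.31 status=OK stmt=GRANT ALL ON gl_entries TO reporting_ro
2007-03-12T09:21:30Z user=app_admin host=10.1.4.31 status=OK stmt=DROP INDEX gl_entries_date_idx
"""

LINE_RE = re.compile(r"^(?P<when>\S+) user=(?P<who>\S+) host=(?P<host>\S+) "
                     r"status=(?P<status>\S+) stmt=(?P<what>.*)$")

Event = namedtuple("Event", "when who host status what")
Finding = namedtuple("Finding", "kind when who host what")

# Assumed policy: the paper's two administrator classes, mapped to accounts.
ROLE_OF = {"dba_ops": "production_admin", "app_admin": "application_admin"}
PERMITTED = {                    # statement categories each role may run
    "production_admin": {"USER_MGMT", "OTHER"},
    "application_admin": {"SCHEMA_CHANGE", "DATA_CHANGE", "OTHER"},
}
ALLOWED_HOSTS = {"10.1.4.20", "10.1.4.31"}   # systems approved to reach the store
APPROVED_CHANGES = {                          # assumed change-management record
    "ALTER TABLE gl_entries ADD COLUMN approved_by text",
}
USER_MGMT_HEADS = {"CREATE USER", "DROP USER", "ALTER USER",
                   "CREATE ROLE", "DROP ROLE", "ALTER ROLE"}


def parse_log(text):
    """Parse log lines into Events; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def classify(event):
    """Map an event to a control category by its outcome and leading keywords."""
    words = event.what.upper().split()
    if not words:
        return "OTHER"
    if event.status == "FAILED" and words == ["LOGIN"]:
        return "FAILED_LOGIN"
    if " ".join(words[:2]) in USER_MGMT_HEADS or words[0] in ("GRANT", "REVOKE"):
        return "USER_MGMT"
    if words[0] in ("CREATE", "ALTER", "DROP"):
        return "SCHEMA_CHANGE"
    if words[0] in ("INSERT", "UPDATE", "DELETE", "TRUNCATE"):
        return "DATA_CHANGE"
    return "OTHER"


def _finding(kind, ev):
    return Finding(kind, ev.when, ev.who, ev.host, ev.what)   # the 3 W's plus host


def review_audit_trail(text):
    """Return one Finding per control concern, in log order."""
    findings = []
    for ev in parse_log(text):
        cat = classify(ev)
        if ev.host not in ALLOWED_HOSTS:            # 4. network access control
            findings.append(_finding("unapproved_host", ev))
        if cat == "FAILED_LOGIN":                    # 2. suspicious activity
            findings.append(_finding("failed_login", ev))
            continue                                 # no role to check on a failed login
        if cat == "USER_MGMT":                       # 2. user management activity
            findings.append(_finding("user_mgmt", ev))
        elif cat == "SCHEMA_CHANGE":                 # 3. change control
            kind = "schema_change" if ev.what in APPROVED_CHANGES else "unapproved_change"
            findings.append(_finding(kind, ev))
        role = ROLE_OF.get(ev.who)                   # 1. segregation of duties
        if role is None:
            findings.append(_finding("unmapped_user", ev))
        elif cat not in PERMITTED[role]:
            findings.append(_finding("sod_violation", ev))
    return findings


def repeated_failed_logins(findings, threshold=2):
    """Hosts with at least `threshold` failed logins, for follow-up."""
    counts = Counter(f.host for f in findings if f.kind == "failed_login")
    return {host: n for host, n in counts.items() if n >= threshold}


def summarize(findings):
    """Count findings by kind: the first figure an auditor asks for."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    found = review_audit_trail(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:18} when={f.when} who={f.who}@{f.host} what={f.what}")
    print(summarize(found), repeated_failed_logins(found))
```

On the sample, the production administrator's UPDATE and the application administrator's GRANT both surface as segregation-of-duties violations, the DROP INDEX surfaces as a change with no matching approval, and the two failed logins from an unlisted host surface both as failed logins and as an unapproved connection. In practice the role map, host allow list and approved-change list would be fed from the directory, the firewall policy and the change-management system rather than hard-coded, and the review would be run on a schedule with its output retained as the evidence the auditor asks for.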

The Rewards of Data Integrity

These recommended IT controls should be viewed merely as a starting point for a comprehensive approach to data protection. Moreover, forward-looking organizations see SOX compliance not as a goal in itself, but as part of a larger initiative to assure the integrity of their critical data assets. Companies focused narrowly on “passing the audit” are missing a business opportunity: to adopt an overarching strategy of data governance that creates a culture of confidence across the enterprise and out into the marketplace.

Both COBIT 4.1 and ISO 17799:2005 provide a framework for data governance strategies that extend well beyond the data center. These frameworks should be coupled with robust data auditing tools and processes that give companies the clear, real-time visibility into their critical data assets that effective data governance requires.

In today’s global marketplace, trust is a valuable corporate asset. That asset must be earned—and once it is lost, it may be difficult or impossible to regain. Companies that view the issue of data integrity strategically, leverage data governance frameworks across the enterprise, and gain visibility of and control over their data assets, will be rewarded not just with regulatory compliance—but also with a powerful competitive advantage.