The Enron, Tyco, and WorldCom financial scandals led to the creation of the Sarbanes-Oxley (SOX) Act of 2002, guidelines closely related to proper database management. Today, SOX has become crucial in maintaining security standards, fighting fraudsters, and boosting user privacy.
The SOX Act of 2002 was passed by the United States Congress to safeguard shareholders and the American public from accidental privacy mishaps and malicious activity within organizations. Commonly referred to as the Sarbox, it also allows the imposition of penalties on violators (including executives).
This act does not directly define how Database Admins (DBAs) should store records with personal information or design their best practices, but it does explain how the aforementioned records must be handled (how long they should be stored, how they should be shared, etc.).
A key aspect of SOX compliance is Section 906. In essence, it calls for a written document signed by the organization’s CEO and CFO, which has to be attached to a periodic audit. This holds them accountable for any leak or theft caused by a lack of compliance procedures or other malpractices.
There are other sections that also need to be taken seriously:
- Section 802 of the SOX Act of 2002 covers the destruction or falsification of records, and defines communication records and their storage period.
- Section 404 of the SOX Act of 2002 requires organizations to establish internal controls and reporting methods to create solid audit trails.
- Sections 302, 404, and 409 of the SOX Act of 2002 address procedures for advanced reporting, alerting, access control, and auditing features.
Did You Know?
Non-compliance with the SOX protocol can lead to 10 years of imprisonment and fines of up to 1 million USD.
Now that we have a detailed picture of what the SOX Act of 2002 exactly is, what does this mean for the DBA? What are the actions he needs to take?
The first step you will need to take is to perform a thorough analysis of your production environment and connected networks (this will require close collaboration with the IT management team). This includes databases, components, and schemas that are hosting the sensitive private information.
Once you are done analyzing and mapping your entire development ecosystem, you can start focusing on your development pipeline and database. Assessing asset usage is crucial for creating a tight and secure set of controls and establishing a sound policy for achieving database SOX compliance.
Once you have completed your analysis and learnt who is accessing and modifying sensitive data, you can create SOX-centric audit and security controls that are based on this information. These controls need to be dynamic, just like development variables (URLs, queries, commands, etc.).
The next automatic step in the process is designing and implementing proper SOX-related policies within your organization. Developers, IT professionals, and other third-party stakeholders need to be on board. But it doesn’t end there. All changes and alterations in policies need to be communicated as well.
Setting up this entire database SOX compliance mechanism is of no use if you are not monitoring it at all times. Achieving your goal requires a proactive approach, something that many organizations are failing to understand to this very day. This is not a “one and done” operation.
Once you have properly updated policies in place with real-time monitoring capabilities, you can effectively enforce database SOX compliance. Once automated, you can even block unauthorized access or malicious activity without requiring human intervention or actions.
As mentioned earlier, Sections 302, 401, and 409 of the SOX Act of 2002 require the organization to make sure that all stored financial data is accurate and complete. In a nutshell, the DBA needs to implement normalized database designs that eliminate data duplications and nullify errors.
Additionally, the DBA and his team should ideally make use of primary keys, unique indexes, foreign keys, triggers, defaults, and other types of constraints as necessary to ensure integrity. Developers can also help by verifying that code reviews do cover all query-related issues that can create problems.
This checklist point is related directly to the organization’s financial department, which should be able to receive on-demand reports, monitoring files, and internal control components. This is one of the DBA’s biggest challenges today, since manual labor is required to get this done.
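The constraint types listed above, shown together as an added example (not code from the original article): a constructed SQLite ledger schema, driven from Python, in which the database itself rejects duplicate, orphaned, or zero-value rows, records every amount change, and refuses deletions. All table, column, and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed schema for illustration; every table and column name is an assumption.
SCHEMA = """
CREATE TABLE account (
    id   INTEGER PRIMARY KEY,
    code TEXT NOT NULL UNIQUE              -- unique index: no duplicate accounts
);
CREATE TABLE ledger_entry (
    id           INTEGER PRIMARY KEY,
    account_id   INTEGER NOT NULL REFERENCES account(id),   -- foreign key
    amount_cents INTEGER NOT NULL CHECK (amount_cents <> 0),
    posted_at    TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP     -- default
);
CREATE TABLE ledger_audit (
    id INTEGER PRIMARY KEY, entry_id INTEGER NOT NULL, action TEXT NOT NULL,
    old_amount INTEGER, new_amount INTEGER,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Trigger: every change to a posted amount leaves an audit row.
CREATE TRIGGER ledger_update_audit AFTER UPDATE OF amount_cents ON ledger_entry
BEGIN
    INSERT INTO ledger_audit (entry_id, action, old_amount, new_amount)
    VALUES (OLD.id, 'UPDATE', OLD.amount_cents, NEW.amount_cents);
END;
-- Trigger: posted entries are never deleted; corrections are new entries.
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ledger_entry
BEGIN
    SELECT RAISE(ABORT, 'ledger entries cannot be deleted');
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK enforcement off by default
    db.executescript(SCHEMA)
    return db

def attempt(db, sql):
    """Run one statement; return 'ok' or the integrity error the database raised."""
    try:
        with db:  # commit on success, roll back on error
            db.execute(sql)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return str(exc)
```

Because the rules live in the schema, they apply to every client that writes to the database, not only to application code that remembers to validate.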
The DBA also needs to remember that hardware failures, natural disasters, and data corruption can wreak havoc when it comes to database SOX compliance.
No compliance is achievable without proper documentation and reporting activity. DBAs must make sure that all normal and abnormal incidents are being documented. SOX reports should ideally include adequate levels of audit data granularity, which can ideally be exported easily for offline scrutiny.
Sections 302 and 401 of Sarbox require the DBA to make sure that the perimeter around the relevant databases and infrastructure is always secured. Besides keeping all firewalls updated and applying patches, the DBA also needs to be in touch with the organization’s security personnel at all times.
As evident from the database SOX compliance checklist, the modern-day DBA has his work cut out when it comes to creating a robust and secure database.
Unfortunately, cross-department collaboration is usually far from optimal, organizations are scaling up at a rapid pace, and DBAs don’t have enough manpower to finish their compliance duties along with their day-to-day tasks. This is where database security automation solutions are coming into play.
Integrating security and automation into your development pipeline can help you succeed in executing the 11-section SOX guidelines to perfection.
- Automated Controls and Policies – The dynamic nature of the modern organization can make it very difficult for the DBA to gain full control of who is actually accessing the database. This is further complicated by remote teams working on the same LOCs simultaneously. But having a comprehensive automated governance solution can help the DBA to manage all passwords and privileges from one dashboard.
- Clear Audit Trails – Manually documenting and recording all actions is becoming a thing of the past due to the massive investment it requires – time, resources, and manpower. Creating and enforcing SOX-related policies is much easier when every login is automatically recorded.
- Comprehensive Role Management – Once the DBA has a tool to bypass human intervention and manage roles seamlessly via a centralized location, there are fewer loopholes that can be exploited. Roles and permissions can now be modified or revoked with a click of a button.
Creating a sustainable SOX-compliant database is now achievable relatively easily, assuming you automate your pipeline for best results.