Conquering the Top 5 IT Control Weaknesses
Cervello has identified the five key IT control weaknesses commonly revealed during IT audits. These findings have been validated by auditors, analysts, and customers. Database auditing, which provides security assessment and activity monitoring for an organisation's sensitive data, helps companies address these top IT control weaknesses in an automated, sustainable manner. The following is a summary of the top five IT control weaknesses and how database auditing can help you address them.
It's widely acknowledged that the insider threat, i.e. the potential for internal employees to tamper with sensitive data, is a significant issue. In fact, PwC identifies direct access to data as a primary area that can result in a material weakness in IT controls. Advice to apply the "least privilege" principle is a start, but DBAs, system administrators, and others must hold super privileges in order to do their jobs.
How Cervello Helps
Audit DB uniquely addresses this problem by focusing at the database level. We can capture all database access, including privileged user activity. Other approaches, like those that simply monitor network traffic, can't capture direct database access.
Every day employees are hired, change functions or leave their company. As their role changes, so should their rights and privileges to access company information; otherwise the organisation is exposed to compromised data, business risk, and failed audits. The difficulty is the manual, labour-intensive nature of keeping entitlements current. For example, it can take a database owner several hours to evaluate the various roles, entitlement types and levels, and objects, and reconcile them against an approved baseline.
How Cervello Helps
The Obsolete User Manager functionality available in Assessment Manager automates the management of database user accounts and entitlements made obsolete by employee termination or transition. Automating this process brings operational efficiencies and allows DBA resources to be redeployed to core responsibilities.
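The reconciliation step described above (live grants checked against the HR roster and an approved baseline) is shown below as an added example; it is not Cervello's code or a description of how Obsolete User Manager works. The logins, job functions, role names, baseline and snapshot are all constructed, and the clean-up statements are generic SQL-style text rather than any particular database's dialect.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    login: str
    kind: str      # "terminated_user_active", "unknown_to_hr" or "excess_privilege"
    roles: tuple   # every role for a stale or unknown account, only the excess otherwise


# Constructed HR roster: login -> (employment status, current job function).
HR_ROSTER = {
    "alice": ("active", "finance_analyst"),
    "bob": ("terminated", "dba"),
    "carol": ("active", "dba"),            # transferred in from finance
    "dave": ("active", "app_service"),
}

# Constructed approved baseline: the database roles each job function may hold.
APPROVED_ROLES = {
    "finance_analyst": {"finance_ro"},
    "dba": {"db_owner"},
    "app_service": {"app_rw"},
}

# Constructed snapshot of the grants the database actually holds today.
DB_SNAPSHOT = {
    "alice": {"finance_ro"},
    "bob": {"db_owner"},                   # leaver whose account was never removed
    "carol": {"db_owner", "finance_rw"},   # old finance role never revoked on transfer
    "dave": {"app_rw", "db_owner"},        # service account that accumulated privilege
    "svc_report": {"finance_ro"},          # no HR record at all
}


def reconcile(snapshot, roster, approved_roles):
    """Compare live grants with the roster and baseline; one Finding per deviation."""
    findings = []
    for login, roles in sorted(snapshot.items()):
        if login not in roster:
            findings.append(Finding(login, "unknown_to_hr", tuple(sorted(roles))))
            continue
        status, function = roster[login]
        if status != "active":
            findings.append(Finding(login, "terminated_user_active", tuple(sorted(roles))))
            continue
        # A job function missing from the baseline is treated as entitled to nothing.
        excess = roles - approved_roles.get(function, set())
        if excess:
            findings.append(Finding(login, "excess_privilege", tuple(sorted(excess))))
    return findings


def revocation_plan(findings):
    """Turn findings into the clean-up statements a DBA would review before applying.

    Generic SQL-style text for illustration, not a particular database dialect.
    Stale and unknown accounts are locked rather than dropped, so a wrong HR
    record can be reversed without data loss.
    """
    plan = []
    for f in findings:
        if f.kind in ("terminated_user_active", "unknown_to_hr"):
            plan.append("ALTER USER %s ACCOUNT LOCK" % f.login)
        else:
            plan.extend("REVOKE %s FROM %s" % (role, f.login) for role in f.roles)
    return plan


if __name__ == "__main__":
    found = reconcile(DB_SNAPSHOT, HR_ROSTER, APPROVED_ROLES)
    for f in found:
        print("%-12s %-24s %s" % (f.login, f.kind, ", ".join(f.roles)))
    print("\n".join(revocation_plan(found)))
```

Run against the constructed data, the script flags bob (terminated, still has db_owner), carol (finance_rw left over from her transfer), dave (db_owner beyond what an application service needs) and svc_report (no HR record), while alice is silent because her single role matches her function. The plan locks rather than drops accounts so that a stale roster entry does not become an outage, and every revocation is scoped to the specific excess role rather than the whole account.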
Ensuring that "the fox isn't guarding the hen-house" has long been a tenet of good business practice. Today this principle has implications for IT, which is responsible for the systems that manage sensitive information under regulatory scrutiny. IT must ensure that the people who manage the database audit reporting and monitoring controls are not the DBAs who manage and use the production database environment.
How Cervello Helps
Our database auditing solution is continuous, automated, and enables the auditing responsibility to be segregated from that of the DBA. Audit DB stores audit data in a separate and secure repository with access and privileges defined such that the capabilities of production DBAs and reporting staff can be restricted according to their role. This mitigates the risk of tampering with audit logs.
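The two properties described here, a repository whose access is scoped by role and audit data that cannot be altered without leaving a trace, are illustrated by the added example below. It is not Cervello's code and makes no claim about how Audit DB stores its data: the role names, permission sets and events are constructed, and the hash chain is a generic tamper-evidence technique chosen for the illustration. The example also shows the one case a bare hash chain does not catch, silent truncation of the newest records, and how anchoring the head hash outside the repository closes it.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first record


def _digest(seq, event, prev_hash):
    """Hash of a record's content plus the hash of the record before it."""
    payload = json.dumps({"seq": seq, "event": event, "prev_hash": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditRepository:
    """Append-only record store where every record commits to its predecessor."""

    def __init__(self):
        self._records = []

    def append(self, event):
        prev_hash = self._records[-1]["hash"] if self._records else GENESIS
        seq = len(self._records)
        record = {"seq": seq, "event": dict(event), "prev_hash": prev_hash,
                  "hash": _digest(seq, event, prev_hash)}
        self._records.append(record)
        return record["hash"]

    def head(self):
        """Hash of the newest record. Kept out of band (with the audit team), it
        lets verify() detect records being dropped from the end of the chain."""
        return self._records[-1]["hash"] if self._records else GENESIS

    def records(self):
        return [dict(r) for r in self._records]

    def verify(self, expected_head=None):
        """(True, None) if intact; otherwise (False, index of the first bad record).
        If every record checks out but the chain ends before expected_head, the
        index returned equals the record count: the tail was truncated."""
        prev_hash = GENESIS
        for i, rec in enumerate(self._records):
            if (rec["seq"] != i or rec["prev_hash"] != prev_hash
                    or _digest(rec["seq"], rec["event"], rec["prev_hash"]) != rec["hash"]):
                return False, i
            prev_hash = rec["hash"]
        if expected_head is not None and prev_hash != expected_head:
            return False, len(self._records)
        return True, None


# Constructed role model: collectors only write, auditors only read and verify,
# and production DBAs receive no capability on the repository at all.
PERMISSIONS = {
    "collector": {"append"},
    "audit_reader": {"records", "verify", "head"},
    "production_dba": set(),
}


class RestrictedRepository:
    """Role-scoped facade: only the operations the role is entitled to resolve."""

    def __init__(self, repo, role):
        self._repo = repo
        self._role = role
        self._allowed = PERMISSIONS[role]

    def __getattr__(self, name):
        if name not in self._allowed:
            raise PermissionError("role %r may not call %s" % (self._role, name))
        return getattr(self._repo, name)


if __name__ == "__main__":
    repo = AuditRepository()
    collector = RestrictedRepository(repo, "collector")
    collector.append({"user": "dba_carol", "action": "SELECT", "object": "payroll"})
    head = collector.append({"user": "app_orders", "action": "UPDATE", "object": "orders"})
    reader = RestrictedRepository(repo, "audit_reader")
    print("intact:", reader.verify(expected_head=head))
    repo._records[0]["event"]["object"] = "orders"     # simulated edit behind the API
    print("after edit:", reader.verify(expected_head=head))
```

The separation of duties lives in PERMISSIONS: the production DBA role cannot read, append or verify, and nothing in the facade exposes a delete. Verification is something the audit team runs, and because the head hash is theirs to keep, a repository that has lost its newest records fails the check even though every remaining link is internally consistent.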
Until recently it was good enough just to collect audit logs, but now the Sarbanes-Oxley Act requires that auditors not only ask whether audit logs exist but also find proof that the logs are being adequately reviewed. At the same time, management is seeking ways to gain business value from the collected audit data: relevant information rather than reams of data.
How Cervello Helps
We can deploy an automated solution that presents large amounts of low-level audit data in a business-friendly, digestible format. Audit DB offers a console or dashboard presentation of data that delivers an "at a glance" understanding of activity and compliance. Problem areas can be analysed further by drilling down to root-cause details without additional tools or costly additional queries against the databases in question.
Organisations need to be able to identify database activity that is unauthorised or does not conform to stated controls and policies. Alerts and reports are needed to escalate the incident to management so that it can determine whether a remedy is in order.
How Cervello Helps
Audit DB and Assessment Manager enable organisations to set policies and baselines that define acceptable activity as well as proper configuration. These policies and baselines serve as the basis against which ongoing activity and configurations are measured in order to surface violations or anomalies. Automated alerts and reports can also be triggered that may preclude or mitigate the damage from incidents that are expensive and embarrassing to the organisation.
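The measurement described here, captured activity and the current configuration checked against declared policies and a baseline, is shown below as an added example; it is not Cervello's code and does not describe Audit DB's or Assessment Manager's policy language. The audit events, rule names, policy, configuration keys and baseline values are all constructed. The activity side also covers the privileged-user case from the first weakness above: a DBA reading a sensitive table directly, outside the hours such work is expected, produces two distinct findings.

```python
from datetime import datetime

# Constructed policy: roles permitted on each sensitive object, which roles are
# privileged, when privileged activity is expected, and which roles are read-only.
POLICY = {
    "sensitive_objects": {"payroll": {"finance_analyst"}, "audit_log": set()},
    "privileged_roles": {"dba"},
    "privileged_hours": (8, 18),          # 08:00 to 17:59, inclusive of the first hour only
    "read_only_roles": {"finance_analyst"},
}

# Constructed configuration baseline for the production instance.
CONFIG_BASELINE = {
    "auditing_enabled": True,
    "default_accounts_locked": True,
    "password_min_length": 12,
}

# Constructed configuration as read from the instance today.
CURRENT_CONFIG = {
    "auditing_enabled": True,
    "default_accounts_locked": False,
    "password_min_length": 8,
}

# Constructed audit events, in the shape a capture layer might hand over.
AUDIT_EVENTS = [
    {"ts": "2024-03-04T10:15:00", "user": "app_orders", "role": "app_service",
     "action": "UPDATE", "object": "orders", "source": "app-srv-01"},
    {"ts": "2024-03-04T02:40:00", "user": "dba_carol", "role": "dba",
     "action": "SELECT", "object": "payroll", "source": "laptop-carol"},
    {"ts": "2024-03-04T11:05:00", "user": "alice", "role": "finance_analyst",
     "action": "SELECT", "object": "payroll", "source": "bi-gateway"},
    {"ts": "2024-03-04T11:07:00", "user": "alice", "role": "finance_analyst",
     "action": "DELETE", "object": "payroll", "source": "bi-gateway"},
    {"ts": "2024-03-04T03:10:00", "user": "dba_carol", "role": "dba",
     "action": "ALTER", "object": "audit_log", "source": "laptop-carol"},
]


def evaluate_event(event, policy):
    """Names of every rule the event violates; an empty list means it conforms."""
    violations = []
    allowed_roles = policy["sensitive_objects"].get(event["object"])
    if allowed_roles is not None and event["role"] not in allowed_roles:
        violations.append("sensitive_object_access")
    if event["role"] in policy["privileged_roles"]:
        hour = datetime.fromisoformat(event["ts"]).hour
        start, end = policy["privileged_hours"]
        if not start <= hour < end:
            violations.append("privileged_activity_off_hours")
    if event["role"] in policy["read_only_roles"] and event["action"] != "SELECT":
        violations.append("write_by_read_only_role")
    return violations


def evaluate_events(events, policy):
    """One finding record per (event, violated rule) pair, in capture order."""
    return [{"ts": e["ts"], "user": e["user"], "object": e["object"], "rule": rule}
            for e in events for rule in evaluate_event(e, policy)]


def config_drift(baseline, current):
    """(key, expected, actual) for every baseline setting the instance deviates from."""
    return [(key, expected, current.get(key))
            for key, expected in baseline.items() if current.get(key) != expected]


def summary_by_user(findings):
    """Violation counts per login, busiest first: the management-level view."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    findings = evaluate_events(AUDIT_EVENTS, POLICY)
    for f in findings:
        print("%s %-10s %-10s %s" % (f["ts"], f["user"], f["object"], f["rule"]))
    print("by user:", summary_by_user(findings))
    print("config drift:", config_drift(CONFIG_BASELINE, CURRENT_CONFIG))
```

Each rule is evaluated independently, so one event can surface several violations and the summary counts them all; that is deliberate, because a single off-hours read of payroll by a DBA is both a sensitive-object finding and an off-hours finding, and management should see both. The configuration check is the same idea applied to settings rather than activity: anything that has drifted from the baseline is reported with the expected and actual values, ready for an alert or a report.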