Auditing
the DBA: What non-technical SOX managers should know.
In these days of SOX compliance, functional applications experts are being assigned to develop and maintain proper controls. These individuals are well suited to design and approve business process related controls, but are often ill equipped when it comes to understanding how to audit and control technical professionals, like DBAs and IT Staff, whose methods of access to enterprise data may be confusing or unknown to non-techies.
Nevertheless, steps must be taken to introduce appropriate and effective controls and support these controls by creating and maintaining a secure audit trail. To accomplish this, those managers and auditors tasked with compliance must gain a better understanding of the roles, privileges and capabilities of their DBAs, and how to effectively audit DBA activity in the database. They cannot simply rely on DBAs themselves to develop measures to audit themselves. This would violate basic segregation of duties principles.
It may be said by many DBAs that the DBA role is a trusted role, or that a good DBA could overcome almost any restrictions or audit trail deployed for control and compliance purposes, so why try. Whether that is true or not, is not the point. The reality is that external auditors are starting to scrutinize DBA access and requesting controls and systematic proof of such to attain compliance. Any particular approach may not be "bullet proof", but each hurdle or preventative measure deployed reduces the overall risk as assessed by the auditor.
Presenter Cam Larner - President, Absolute Technologies, Inc.
