Regulatory compliance has become a critical aspect of the IT landscape, and is a big component of every CIO’s job. Nowhere is compliance more crucial than in mainframe database management. A growing number of regulations dictate increased efforts be made to better secure and protect the accuracy and privacy of enterprise data. Regulatory compliance requires diligence from CIOs and their team.
The most valuable enterprise data is frequently stored in a mainframe database, so organizations must implement more robust auditing capabilities in their DB2 and IMS environments. CIOs can quickly lose their jobs, as well as their credibility, if they don’t take responsibility for protecting and auditing this valuable corporate asset.
The Regulatory Environment
Let’s take a moment to review several of the high visibility regulations:
• The goal of the Sarbanes-Oxley Act (SOX) is to reduce fraud and conflicts of interest, to improve disclosure and financial reporting, and strengthen confidence in public accounting. Section 404 specifies that the CFO must guarantee the accuracy of the processes used to add up the numbers. Those processes are typically guided by computer programs that access and manipulate data in a database system.
• The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to protect an individual’s healthcare information; providers must be able to document everyone who even looked at their information. Think about that. Could you produce a list of everyone who looked at a specific set of rows or group of segments in any database under your control?
• The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies to help prevent credit card fraud, hacking, and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS-compliant or they risk losing the ability to process credit card transactions. Payment card transaction data is typically stored in an enterprise database such as IMS or DB2.
So CIOs face expanding requirements to prove that their databases are protected, so that only properly authorized entities have access, and only to the specific data they need to do their jobs.
The ability to track who did what to which piece of data and when is important because there are many threats to the security of your data. External agents trying to compromise your security and access your company data are rightly viewed as a security threat. But industry studies have shown that most security threats are internal. Some studies have shown that internal threats comprise 60 to 80 percent of all security threats. The most typical security threat comes from a disgruntled or malevolent current or ex-employee with valid access to the DBMS. Auditing is crucial because you may need to find an unauthorized access emanating from an authorized user.
How can organizations ensure they’re complying with these and other regulations? Data access auditing, sometimes called database auditing, can help you track the use of database resources and authority. When auditing is enabled, each audited database operation produces an audit trail. The audit trail will show which database objects were impacted, what the operation was, who performed it, and when it occurred. This comprehensive audit trail can be maintained over time to allow DBAs and auditors, as well as any authorized personnel, to perform in-depth analysis of access and modification patterns against data in the DBMS.
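To make the audit-trail fields just described concrete (which object, what operation, who, when), here is an added example, not code from the original article: it parses a constructed, pipe-delimited audit trail (an assumed layout, not a real DB2 or IMS trace format), answers the HIPAA-style question of who touched a given set of rows, and flags access by valid users that falls outside their need-to-know or normal working hours. The entitlement map and sample records are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime

AuditRecord = namedtuple("AuditRecord", "when user operation obj key")

# Constructed sample audit trail (assumed layout, not a real DB2/IMS format):
# timestamp|user|operation|object|row key
SAMPLE_TRAIL = """\
2024-03-04T09:12:00|jdoe|SELECT|PATIENT|4711
2024-03-04T09:13:30|jdoe|UPDATE|PATIENT|4711
2024-03-04T10:02:11|asmith|SELECT|PATIENT|4711
2024-03-04T10:05:40|asmith|SELECT|CARD_TXN|9001
2024-03-04T23:40:05|bjones|SELECT|PATIENT|4712
2024-03-04T23:41:15|bjones|SELECT|PATIENT|4711
""".splitlines()

# Constructed need-to-know map: the objects each user's job actually requires.
ENTITLEMENTS = {
    "jdoe": {"PATIENT"},
    "asmith": {"PATIENT"},   # valid DBMS login, but no business need for CARD_TXN
    "bjones": {"PATIENT"},
}

def parse_trail(lines):
    """Turn raw audit lines into AuditRecord tuples: who did what to which object, and when."""
    records = []
    for line in lines:
        when, user, op, obj, key = line.strip().split("|")
        records.append(AuditRecord(datetime.fromisoformat(when), user, op, obj, key))
    return records

def who_touched(records, obj, keys):
    """List every user who read or changed the given rows of an object."""
    keys = set(keys)
    return sorted({r.user for r in records if r.obj == obj and r.key in keys})

def unexpected_access(records, entitlements, start_hour=7, end_hour=19):
    """Flag access by *authorized* users that is outside their need-to-know
    or outside business hours: the insider pattern the article warns about."""
    findings = []
    for r in records:
        reasons = []
        if r.obj not in entitlements.get(r.user, set()):
            reasons.append("object outside entitlement")
        if not (start_hour <= r.when.hour < end_hour):
            reasons.append("outside business hours")
        if reasons:
            findings.append((r.user, r.obj, r.key, r.when.isoformat(), reasons))
    return findings
```

Each finding carries the audit fields plus the reason it was flagged, so it can be reviewed against the user's actual job duties rather than treated as proof of misuse.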
Data access auditing is promising, but as with any technology, there are multiple considerations to understand before you move forward.