News Analysis: Companies should look closely at how they manage their databases to make the compliance auditing process less painful and more cost-effective, analysts contend.
NEW YORKAnalysts in the field of regulatory compliance say enterprises should increasingly build their IT auditing processes around database governance efforts.
A panel of analysts, consultants and software vendors gathered here Nov. 9 for a discussion of IT security and regulatory compliance issues stumped hard for companies to increase their focus on better managing their databases.
Speaking at a compliance strategy event hosted by IBM and software maker Guardium, the experts said that the databaseone of the oldest, most complex pieces of enterprise infrastructuremust be tackled correctly to help ensure future compliance with regulatory guidelines such as the Sarbanes-Oxley Act.
Loosely defined, data governance involves work to improve the quality of information stored on databases and typically includes the creation of a team of IT professionals whose sole job is to boost the reliability of the data and improve access to the content.
Among the technologies utilized to help forward such efforts are software tools used for tracking the manner in which employees are looking at files, and how they behave while logged into databases.
In addition to increasing companies security by providing a method of detecting a potential misuse of database information, the technologies provide the type of detailed paper trail that compliance auditors demand when inspecting enterprise operations, said Paul Proctor, analyst with Gartner, in Stamford, Conn.
The expanded ability for enterprises to better control the level of access provided to individual workers, such as database administrators, provides another benefit to both security and compliance initiatives, according to the analyst.
Proctor said that setting up a data governance practice will help most firms realize additional benefits from the compliance projects they have already undertaken.
"Auditors, both internal and external, have been largely detested based on the challenges they present to IT and security teams, but enterprises need to foster better relationships between these people to be better prepared for compliance reviews," Proctor said.
"Starting in the database and bringing governance efforts to the top of compliance strategy is one way we believe that this can be achieved; risk managers, security workers and auditors must work together to find the right solution that actually manages risk."
While many companies have focused primarily on fixing compliance automation technologies onto their PCs, messaging systems and other faster-moving elements of IT infrastructure, creating smarter policies and controls for the database provides a baseline for all audit-related efforts, the panelists said.
Companies most valuable information is primarily stored on the database, such as financials and customer records, they said, and auditors are increasingly focused on reviewing the procedures employed by businesses to safeguard the systems.