Database Journal caught up with Dr. Murray Mazer, co-founder of
and frequent speaker on compliance issues. Here is what Dr. Mazer
has to say about compliance, where it is going and how it will affect both
industry and individuals.
DBJ: What are the current trends in compliance?
There are four trends that are worth calling out:
The first is the pressure that people are under to comply with the various
regulations; expectations are increasing and will continue to increase.
People have been trying to get their head around all of the different
regulations that affect how they operate their business and what level of accountability
they will be held to. Part of the challenge is translating the regulation
into what it means for the internal controls for the business itself.
The second trend is the difference in how businesses respond to regulations
between year one and year two and beyond.
In year one, people spent almost all of their time documenting what they
already had and trying to get their head around what they needed to do to be
compliant with the regulation. They ended up doing a lot of ad hoc processes, a
lot of fire drills, and they typically underestimated the cost, the effort and
scope of what was required. The hope is that in year two, they can take
the lessons of year one and improve their processes and controls and build a
sustainable compliance model going forward. Year two and beyond is an
opportunity to create a sustainable, cost effective process that you can
maintain on an ongoing basis.
The third trend is that people are finding it very difficult to quantify the
costs and benefits of compliance.
The challenge for people is they have to adopt compliance without understanding
upfront what the costs are going to be or what the benefits are going to be, and
so it is not solely a problem for any individual corporation; it is a problem
for everybody involved, whether it is the regulators, the companies that are
regulated or the legislators. None of them can really assess the costs or
benefits yet because it is just too early to understand what the costs are and
what the benefits will turn out to be.
The fourth thing that I would talk about as a trend or as a key issue is
automation. Automation is the idea of introducing technology in a process to reduce manual
effort and improve the ability to do certain things related to
compliance. One of the potential benefits of automation is that you can
reduce the manual costs associated with maintaining and validating the controls
that you have inside of your organization. An internal control is just
the policies, procedures, processes and safeguards that you have in place to
make sure that your business objectives are met, and that unexpected events are
detected and managed. If you take a manual approach to implementing and
validating controls, it is much more expensive and much less effective than if
you take an automated approach. With automation, you can reduce your
manual costs and you can more effectively deploy your human resources.
The second essential benefit of automation is that fraud does not occur on a
schedule so automation allows you to do more effective, continuous
monitoring. Automation offers faster problem detection and a faster
The final point is that automation allows you to reduce the amount of testing
that an external auditor has to do on your controls because they trust
automated controls more than they trust manual controls. Therefore, by
reducing the amount of effort the external auditor has to do, you have reduced
the cost of the audit.
DBJ: What direction do you see these trends taking in the future?
I see them all continuing and getting more intense. I think the set of
regulations that people are going to have to abide by are going to continue to
increase. We see for example, the California law which requires disclosure if the personal
information of a California resident is breached. This law, SB1386, is likely to
be adopted federally and other states are talking about adopting it as
well. We see a group of regulations emerging that are sometimes consistent
with each other and sometimes partially overlapping and so I think the
pressures will continue to mount. Expectations are being set in various places;
customers expect that you treat their data properly; regulators expect that you
will have strong controls in place; auditors are going to be increasing the
baseline they will hold companies to, so it is all going to increase and
DBJ: How do the emerging financial and technology risks affect IT executives?
I think the key point is that these emerging financial and technological risks
bring to the forefront some issues that have generally been given less
attention than they may have deserved. For example, the fact that most
fraud and most unexpected activity occur by insiders has not been really
acknowledged and dealt with by most companies. Therefore, we are seeing a
trend away from devoting all of your attention to safeguarding the perimeter.
While it is important to safeguard the perimeter against outside attack, the
most important and the highest point of risk is inside and people have not
devoted enough attention to securing themselves, mitigating the risks against
insiders. And so we see people having to put into place stronger internal
controls, as a response to recognition that the risks are pretty high from
insiders. IT executives are now being brought into the risk management
and risk mitigation process far more than they ever were before, at the
DBJ: How will data auditing provide a solution for the next wave of compliance?
If you look at all the different requirements, they include data access
accountability as one of the key elements. The reason that accountability
around data handling, and increased visibility into the way in which data is
used, is so important is that while data represents one of the greatest
assets of any corporation, it also represents one of the greatest sources of
risk and the risk can come in many forms. The risk can be to your reputation
and we see examples in the paper fairly often now, of how companies mishandled
sensitive data, whether it's patient data, customer data, employee data,
personal data, and the reputation of those companies has suffered as has the
stock price and the brand image.
Another risk is somebody not being permitted to continue to pursue their
business plan or business objectives. We see examples where a lack of
proper controls has caused the regulators to prevent a business from doing
mergers and acquisitions for a period of time, until problems are fixed.
We see other examples of personal risk to the executives involved. For example,
if financial reports are based on fallacious data, and the CEO has attested to
that data, he can face personal liability, fines or jail time. So, the
cost, the risks to the company and individuals are varied, but at the end of
the day it all has to do with whether you are properly managing who is doing
what to the data, and when.
All of these regulations, all of the compliance requirements are about data, so
the question is what database auditing is and how it relates to what we're
talking about. The answer is pretty straightforward. Data auditing is the
ability to continuously monitor, record, analyze and report on database activity.
In other words, being able to answer the question 'Who did what to which data,
when and how'. If you can answer that question, you can be responsive to
these requirements and compliance, and if you cannot answer these questions,
you are just putting your organization at a greater risk.
DBJ: Will you share some best practices with us, as far as data auditing is
Best practices around data auditing go to a couple of different areas.
One is that you have to be able to cover all four of the characteristics I
covered earlier: monitoring, recording, analyzing and reporting. A solution is
not a complete solution unless it has all four of those characteristics.
You have to be able to monitor, on an ongoing basis, all of the activity on the
database. You need to be able to create a tamper resistant, trusted audit
trail that can be used for forensics, analysis and reporting. You need to
analyze what happened, look for exceptional activity that might have to
be reviewed and responded to and you need to be able to report, and to create
various kinds of reports for various kinds of stakeholders.
The other top-level goals are having a solution or technology, which is
flexible to evolving requirements and evolving organizations. Adopting a
solution that is flexible as those requirements change is important. You
do not want to have a solution that is specific to a particular regulation
because the solution for that specific regulation is not going to necessarily
help you with all the other regulations you have to deal with.
Organizations change, we see a lot of mergers and acquisitions occurring, and
being able to take a new organization and apply the same technology and the
same processes as the organization evolves is a critical issue.
Having a single framework, a single approach, which can help deal with the
diversity of regulations and infrastructure, is key.
Another key is having a solution that helps you be proactive in your
compliance activities--a solution that automates the creation of a continuous
audit trail, and provides alerting and allows you to do forensics.
Finally, having a trusted, evidentiary trail that can be relied upon to help
investigate fraud and help pursue whoever carried out the fraud, is also
critical in terms of a best practice.
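The four characteristics Dr. Mazer lists (monitor, record, analyze, report) and the tamper-resistant, trusted audit trail he calls a best practice can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the interview, from Database Journal, or from Entegra. It wraps an in-memory SQLite connection so every statement is recorded as a "who did what to which data, when and how" entry, chains the entries with SHA-256 so an after-the-fact edit is detectable, runs a small review policy over the trail, and summarizes activity per user. The policy thresholds, user names, application names, timestamps and table contents are all constructed for the example.

```python
import hashlib
import json
import re
import sqlite3

GENESIS_HASH = "0" * 64  # anchor for the first record's prev_hash (constructed constant)

# Hypothetical review policy for the analysis step; a real deployment would tune these.
POLICY = {
    "sensitive_tables": {"patients"},
    "privileged_users": {"dba"},
    "business_hours": (8, 18),  # 08:00-17:59 counts as in-hours
}


def record_hash(rec):
    """SHA-256 of the record's fields in canonical JSON, excluding its own hash."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only list of records; each record commits to the hash of its predecessor."""

    def __init__(self):
        self.records = []

    def record(self, who, what, which, when, how, rows):
        """Recording step: append one chained who/what/which/when/how entry."""
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        rec = {"seq": len(self.records) + 1, "who": who, "what": what, "which": which,
               "when": when, "how": how, "rows": rows, "prev_hash": prev}
        rec["hash"] = record_hash(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        """Return the seq of the first record whose hash or link is broken, else 0.

        Editing a record changes its hash; re-hashing it to hide the edit breaks
        the prev_hash stored in the next record, so either way the chain fails.
        """
        prev = GENESIS_HASH
        for rec in self.records:
            if rec["prev_hash"] != prev or rec["hash"] != record_hash(rec):
                return rec["seq"]
            prev = rec["hash"]
        return 0

    def exceptions(self, policy=POLICY):
        """Analysis step: (seq, reason) pairs for activity that should be reviewed."""
        start, end = policy["business_hours"]
        flagged = []
        for rec in self.records:
            hour = int(rec["when"][11:13])  # timestamps are ISO-8601, hour at offset 11
            if rec["what"] == "DELETE" and rec["who"] not in policy["privileged_users"]:
                flagged.append((rec["seq"], "DELETE by non-privileged user"))
            if rec["which"] in policy["sensitive_tables"] and not start <= hour < end:
                flagged.append((rec["seq"], "sensitive table accessed outside business hours"))
        return flagged

    def report(self):
        """Reporting step: activity counts per (user, statement type)."""
        summary = {}
        for rec in self.records:
            key = (rec["who"], rec["what"])
            summary[key] = summary.get(key, 0) + 1
        return summary


# First table name after INTO / FROM / UPDATE / TABLE; enough for the statements below.
_TABLE_RE = re.compile(r"\b(?:INTO|FROM|UPDATE|TABLE)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def monitored_execute(conn, trail, who, how, when, sql, params=()):
    """Monitoring step: run a statement and record who/what/which/when/how."""
    cur = conn.execute(sql, params)
    verb = sql.split(None, 1)[0].upper()
    match = _TABLE_RE.search(sql)
    table = match.group(1).lower() if match else None
    rows = cur.rowcount if cur.rowcount >= 0 else None  # sqlite reports -1 for SELECT/DDL
    trail.record(who, verb, table, when, how, rows)
    return cur


def demo():
    """Constructed sample activity against an in-memory database; returns the trail."""
    conn = sqlite3.connect(":memory:")
    trail = AuditTrail()
    activity = [
        ("dba", "admin-console", "2005-06-01T09:00:00", "CREATE TABLE patients (id INTEGER, name TEXT)", ()),
        ("app", "billing", "2005-06-01T10:15:00", "INSERT INTO patients VALUES (?, ?)", (1, "A. Sample")),
        ("app", "billing", "2005-06-01T10:16:00", "INSERT INTO patients VALUES (?, ?)", (2, "B. Sample")),
        ("clerk", "ad-hoc-client", "2005-06-01T23:40:00", "SELECT name FROM patients", ()),
        ("clerk", "ad-hoc-client", "2005-06-01T23:41:00", "DELETE FROM patients WHERE id = ?", (2,)),
    ]
    for who, how, when, sql, params in activity:
        monitored_execute(conn, trail, who, how, when, sql, params)
    return trail


def tampered_copy(trail):
    """Simulate an after-the-fact edit of the stored trail; verify() should point at it."""
    copy = AuditTrail()
    copy.records = [dict(r) for r in trail.records]
    copy.records[4]["rows"] = 0  # rewrite the DELETE so it appears to have touched nothing
    return copy


if __name__ == "__main__":
    t = demo()
    print("chain intact:", t.verify() == 0)
    print("first bad record after tampering:", tampered_copy(t).verify())
    print("exceptions:", t.exceptions())
    print("report:", t.report())
```

The separation-of-duty point from the interview maps onto where `AuditTrail` lives: the chain only proves tampering if the records (or at least the latest hash) are held somewhere the audited users cannot write, which is a deployment choice, not something the code can enforce on its own.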
DBJ: Would you give me a brief overview of how Entegra addresses regulatory
rules and mitigates risk associated with the access and use of corporate data?
The various regulations and the various risk management frameworks require data
access accountability, knowing who is doing what to the data and when--and
that is precisely what Entegra helps people do. It provides them with a
complete ability to continuously monitor, record, analyze, and report on all data
activity. It provides the ability to configure across diverse infrastructures,
which databases, which tables, which users, which activities need to be
monitored. It provides comprehensive information about what operations
people performed, who did them, when they did it, what application they were
using and so on. It solves a complete set of requirements that you need
for data auditing solutions. Entegra provides built in separation of duty
support to ensure that you can have the audit system under the control of
separate people from those whose activities need to be monitored.
Entegra provides rich reporting capabilities, so you can have high level,
detailed, and other kinds of reports, on the database activity. It
provides alerting so that you can respond quickly to potentially exceptional
activity. It is flexible so that as your requirements change, you can
change what is being audited easily and leave your existing system in
place. It minimizes the impact on the infrastructure, it is easy to
deploy, non-disruptive to existing operations, and provides end to end
functionality from deploying, to maintaining, to collecting activity
information, consolidating it from multiple databases into a single repository,
reporting, analysis and so on.
Dr. Mazer will lead discussions on compliance trends at RFG's thought
leadership summit in New York on June 15 and 16.