Compliance Issues - Year one vs. year two

June 15, 2005

Database Journal caught up with Dr. Murray Mazer, co-founder of Lumigent Technologies and frequent speaker on compliance issues. Here is what Dr. Mazer has to say about compliance, where it is going and how it will affect both industry and individuals.

DBJ: What are the current trends in compliance?
Dr. Mazer:
There are four trends that are worth calling out:
The first is the pressure that people are under to comply with the various regulations; expectations are increasing and will continue to increase.

People have been trying to get their head around all of the different regulations that affect how they operate their business and what level of accountability they will be held to. Part of the challenge is translating the regulation into what it means for the internal controls for the business itself.

The second trend is the difference in how businesses respond to regulations between year one and year two and beyond.

In year one, people spent almost all of their time documenting what they already had and trying to get their head around what they needed to do to be compliant with the regulation. They ended up doing a lot of ad hoc processes, a lot of fire drills and they typically underestimated the cost, the effort and scope, of what was required. The hope is that in year two, they can take the lessons of year one and improve their processes and controls and build a sustainable compliance model going forward. Year two and beyond is an opportunity to create a sustainable, cost effective process that you can maintain on an ongoing basis.

The third trend is that people are finding it very difficult to quantify the costs and benefits of compliance.

The challenge for people is they have to adopt compliance without understanding upfront what the costs are going to be or what the benefits are going to be and so it is not solely a problem for any individual corporation, it is a problem for everybody involved, whether it is the regulators, the companies that are regulated or the legislators. None of them can really assess the costs or benefits yet because it is just too early to understand what the costs are and what the benefits will turn out to be.

The fourth thing that I would talk about as a trend or as a key issue is automation.
Automation is the idea of introducing technology in a process to reduce manual effort and improve the ability to do certain things related to compliance. One of the potential benefits of automation is that you can reduce the manual costs associated with maintaining and validating the controls that you have inside of your organization. An internal control is just the policies, procedures, processes and safeguards that you have in place to make sure that your business objectives are met, and that unexpected events are detected and managed. If you take a manual approach to implementing and validating controls, it is much more expensive and much less effective than if you take an automated approach. With automation, you can reduce your manual costs and you can more effectively deploy your human resources.

The second essential benefit of automation is that fraud does not occur on a schedule so automation allows you to do more effective, continuous monitoring. Automation offers faster problem detection and a faster remediation process

The final point is that automation allows you to reduce the amount of testing that an external auditor has to do on your controls because they trust automated controls more than they trust manual controls. Therefore, by reducing the amount of effort the external auditor has to do, you have reduced the cost of the audit

DBJ: What direction do you see these trends taking in the future
Dr. Mazer:
I see them all continuing and getting more intense. I think the set of regulations that people are going to have to abide by are going to continue to increase. We see for example, the California law which requires disclosure if the personal information of a California resident is breached. This law, SB1386, is likely to be adopted federally and other states are talking about adopting it as well. We see a group of regulations emerging that are sometimes consistent with each other and sometimes partially overlapping and so I think the pressures will continue to mount. Expectations are being set in various places; customers expect that you treat their data properly; regulators expect that you will have strong controls in place; auditors are going to be increasing the baseline they will hold companies to, so it is all going to increase and continue.

DBJ: How do the emerging financial and technology risks affect IT executives?
Dr. Mazer:
I think the key point is that these emerging financial and technological risks bring to the forefront some issues that have generally been given less attention than they may have deserved. For example, the fact that most fraud and most unexpected activity occur by insiders has not been really acknowledged and dealt with by most companies. Therefore, we are seeing a trend away from devoting all of your attention to safeguarding the perimeter. While it is important to safeguard the perimeter against outside attack, the most important and the highest point of risk is inside and people have not devoted enough attention to securing themselves, mitigating the risks against insiders. And so we see people having to put into place stronger internal controls, as a response to recognition that the risks are pretty high from insiders. IT executives are now being brought into the risk management and risk mitigation process far more than they ever were before, at the corporate level.

DBJ: How will data auditing provide a solution for the next wave of compliance requirements
Dr. Mazer:
If you look at all the different requirements, they include data access accountability as one of the key elements. The reason that accountability around data handling, and increased visibility into the way in which data is used is so important is because while data represents one of the greatest assets of any corporation, it also represents one of the greatest sources of risk and the risk can come in many forms. The risk can be to your reputation and we see examples in the paper fairly often now, of how companies mishandled sensitive data, whether it's patient data, customer data, employee data, personal data, and the reputation of those companies has suffered as has the stock price and the brand image.

Another risk is somebody not being permitted to continue to pursue their business plan or business objectives. We see examples where a lack of proper controls has caused the regulators to prevent a business from doing mergers and acquisitions for a period of time, until problems are fixed.

We see other examples of personal risk to the executives involved. For example, if financial reports are based on fallacious data, and the CEO has attested to that data, he can face personal liability, fines or jail time. So, the cost, the risks to the company and individuals are varied, but at the end of the day it all has to do with are you properly managing who is doing what to the data, when.

All of these regulations, all of the compliance requirements are about data, so the question is what is database auditing and how does it relate to what we're talking about. The answer is pretty straightforward. Data auditing is the ability to continuously monitor, record, analyze and report on database activity. In other words, being able to answer the question 'Who did what to which data, when and how'. If you can answer that question, you can be responsive to these requirements and compliance, and if you cannot answer these questions, you are just putting your organization at a greater risk.

DBJ: Will you share some best practices with us, as far as data auditing is concerned.
Dr. Mazer:
Best practices around data auditing go to a couple of different areas. One is that you have to be able to cover all four of the characteristics I covered earlier: monitoring, recording, analyzing and reporting. A solution is not a complete solution unless it has all four of those characteristics. You have to be able to monitor, on an ongoing basis, all of the activity on the database. You need to be able to create a tamper resistant, trusted audit trail that can be used for forensics, analysis and reporting. You need to analyze what happened, look for exceptional activity that might have to be reviewed and responded to and you need to be able to report, and to create various kinds of reports for various kinds of stakeholders.

The other top-level goals are having a solution or technology, which is flexible to evolving requirements and evolving organizations. Adopting a solution that is flexible as those requirement changes is important. You do not want to have a solution that is specific to a particular regulation because the solution for that specific regulation is not going to necessarily help you with all the other regulations you have to deal with. Organizations change, we see a lot of mergers and acquisitions occurring, and being able to take a new organization and apply the same technology and the same processes as the organization evolves is a critical issue.

Having a single framework, a single approach, which can help deal with the diversity of regulations and infrastructure, is a key.

Another key is having a solution that helps you be proactive in your compliance activities--a solution that automates the creation of a continuous audit trail, and provides alerting and allows you to do forensics.

Finally, having a trusted, evidentiary trail that can be relied upon to help investigate fraud and help pursue whoever carried out the fraud, is also critical in terms of a best practice.

DBJ: Would you give me a brief overview of how Entegra addresses regulatory rules and mitigates risk associated with the access and use of corporate data assets?
Dr. Mazer:
The various regulations and the various risk management frameworks require data access accountability. Knowing who is doing what to the data when--and that is precisely what Entegra helps people do. It provides them with a complete ability to continuously monitor, record, analyze, and report on all data activity. It provides the ability to configure across diverse infrastructures, which databases, which tables, which users, which activities need to be monitored. It provides comprehensive information about what operations people performed, who did them, when they did it, what application they were using and so on. It solves a complete set of requirements that you need for data auditing solutions. Entegra provides built in separation of duty support to ensure that you can have the audit system under the control of separate people from those whose activities need to be monitored.

Entegra provides rich reporting capabilities, so you can have high level, detailed, and other kinds of reports, on the database activity. It provides alerting so that you can respond quickly to potentially exceptional activity. It is flexible so that as your requirements change, you can change what is being audited easily and leave your existing system in place. It minimizes the impact on the infrastructure, it is easy to deploy, non-disruptive to existing operations, and provides end to end functionality from deploying, to maintaining, to collecting activity information, consolidating it from multiple databases into a single repository, reporting analysis and so on.

Dr. Mazer will lead discussions on compliance trends at RFG's thought leadership summit in New York on June 15 and 16.