Compliance, George Clooney and the Camera in the Vault (http://bit.ly/6OHXhb)
Snapshots don't ensure the integrity of critical business information. Neither does monitoring transactions or applications or users or the database itself. You have to be inside the database, continuously monitoring the data and controls themselve
Online, December 8, 2009 (Newswire.com) - By Paul Campaniello
December 8, 2009 - In the world of compliance, George Clooney's the man. As Danny Ocean in the movie "Ocean's Eleven," he and his crew managed to steal over $160 million from a Las Vegas casino, reminding finance departments everywhere of the value of having a camera in the vault for audit and compliance reporting purposes.
Remember, controls monitoring lies at the heart of compliance (as well as governance and risk). And to provide effective compliance, you need continuous monitoring of application controls and data as well as business rules and policies. Automating that process helps control audit and compliance costs, mitigates financial risk and provides informed decision making.
Think of continuous monitoring as the camera. The database underpinning key business applications is the vault. Now, the most significant yet most easily overlooked point is that you want the camera in the vault. Here's why.
There are a lot of ways to monitor controls. You can take a snapshot of them, sample them or report them. You can monitor at the transaction level or at the database level. You can monitor using the facilities within the primary business application - e.g., your financial application - or using a complementary, independent application.
Similarly, there are a lot of ways that a lot of people (and processes) can get to application data. Legacy applications may have interfaces directly to the data. Privileged users can access the database directly to make changes. ERP managers, project managers and other users could go through an application control to the database.
Now, the problem is that most controls monitoring methods make it too easy for too many people (and processes) to make undetected changes in application controls and data. Let's say a privileged user changes a check register or vendor address on Monday, so company merchandise or checks are sent to a friend's house. The user then reverses that change on Tuesday. If the auditor samples on Sunday and Wednesday, the change would never be discovered.
The only way to ensure that each and every change is recorded is with a camera in the vault - continuous monitoring at the database level (the database recovery log, specifically). Such monitoring will catch changes regardless of who or what made them and how they were made. In the example above, even if the privileged user changed a control for just a few seconds and then changed it back, continuous monitoring would record the change. Nothing goes undetected.
For compliance purposes, that last point is worth emphasizing. In addition to recording what has changed, continuous monitoring can prove that something did not change. That's a big deal when it comes to audits. Companies spend a lot of money manually testing and reviewing unchanged data and controls to prove the integrity of their data. Continuous monitoring provides a complete and trusted audit trail that the Committee of Sponsoring Organizations considers persuasive information. By continuously monitoring the controls, you "prove" that all of your standard exception reporting was, in fact, working for the entire reporting period.
Imagine that Danny Ocean has somehow managed to get around the guards and biometric security devices and motion-detectors and steel doors and the rest of the measures taken to secure your business applications. Even if he managed to defeat everything in your security arsenal and enter the vault, he'd be greeted by a continuous monitoring camera that cannot be turned off. It would track his every move.
Snapshots don't ensure the integrity of critical business information. Neither does monitoring transactions or applications or users or the database itself. You have to be inside the database, continuously monitoring the data and controls themselves. It may not be the sexiest technology alive, but for business, continuous monitoring is one of the most valuable.
###
Paul Campaniello is vice president of marketing for Lumigent Technologies, Inc., the GRC business apps company driving down the cost of regulatory compliance. Learn more about Lumigent at http://www.lumigent.com, and contact Paul at paul.campaniello@lumigent.com. Follow the company on Twitter at @Lumigent.
Please feel free to publish the above commentary in full or in part with attribution according to the Creative Common license, or link to http://bit.ly/6OHXhb .