Your database is perhaps one of the most sensitive targets for cybercriminals as they are your company’s primary repository for confidential and proprietary data. Besides knowing what vulnerabilities exist for your perimeter network and also for your internal systems, best practices require you to manage and protect your databases from unauthorized access, whether intentional or otherwise.
Several weeks ago I sat down with journalist Ericka Chickowski from Dark Reading to discuss getting your databases ready for an IT audit. I wanted to share a few more details that I discussed with Ms. Chickowski as one of the initial steps an auditor will do once the database audit has been announced, and that is to request access to the organization’s IT policies, standards and procedures.
Policies should be authorized at the highest level in an organization which establishes the tone that IT management requires for business practices and technology controls throughout the organization. Correct policy development aligned with the business strategies helps ensure the proper alignment of security controls and also drive what the technology standards and procedures look like. Policies are defined by the organizations or departments senior management and once developed and approved typically require minimal updates and/or enhancements; however, they should be reviewed and refreshed on an annual basis to incorporate new business and technology risks.
Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers, and that must be written and communicated to groups of people inside and outside the organization.
Standards are the required expectations for technology systems’ database technologies’ configuration and parameter settings which ensures consistency for security including encryption, file and field synchronization, integrity, logging, backups, replication and naturally security access controls. Standards like policies require compliance; however, standards provide specific technical requirements, such as system design concepts, software interface mechanisms, and/or specific steps to be followed. Generally speaking, policies are intended to last for many years, while standards are intended to last for only a few years.
Procedures are the granular measures taken by people on the day-to-day jobs like recycling a database, making a backup or whatever else it takes to administer database technologies efficiently and securely. Procedures are specific, and sometimes detailed, operational actions and/or methods that personnel must follow to achieve and complete a certain goal, while working under the established policies and/or standards defined by management.
If these documents are not in order and periodically refreshed to address evolving business and technology risks; an organization may be failing to meet regulatory and compliance requirements. The failure to adhere to industry regulatory standards and requirements increase the risk to the organization of penitential penalties and fines and also negative publicity that may impact the company’s brand and client satisfaction. Weekly there are many news stories of examples of database breaches where credit cards were compromised, electronic healthcare records disclosed and financial records accessed.
Compliance is only the starting point when it comes to securing your systems and the databases where your critical data resides. Once you have completed an audit, the next step is to conduct a database assessment and/or an automated security configuration test so I will follow soon with a discussion about these topics.