Database Regulatory and Compliance Issues
Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley (GLB) Act were all enacted to help protect information. These acts require internal controls to protect information integrity, confidentiality, availability, and accountability. While accountants and auditors are familiar with internal controls, many IT departments lack the the knowledge and controls needed to safeguard information. Even sophisticated databases, managed by Database Administrators (DBAs), lack secure controls and and connectivity to information.
Many DBAs have complete access to all of your organization's data. While complete access helps manage and minimize downtime, it also puts your organization at risk as the DBA has access to all information and log files. Your management must determine the minimum amount of access needed to allow the DBAs to perform job duties. For example, must the DBA have access to confidential or sensitive data such as payroll, protected health information (PHI), or other types of confidential information?
Assessments help ensure your internal controls provide the appropriate reporting and procedures, detect unauthorized use of systems, and meet compliance requirements.