In my series of governance topics, today I will go into the key benefits of effective Change Management and the key areas of the audit process.
Audit is becoming the norm in most companies. Thanks to the myriad regulatory requirements (SOX, HIPAA, PCI DSS, the Gramm-Leach-Bliley Act (GLBA), California State, Japan SOX), IT organizations across the world are spending enormous amounts of time and money on meeting them.
In my discussion with an IT manager at a billion-dollar company with substantially sized IT operations, he referred to the unrealistic set of demands he gets from his internal auditor. While some of them make sense, some were just outright ridiculous. Without trivializing the value of audits, he related an incident at his company where a purchasing buyer was caught procuring personal items on the company account and having them delivered at work. He felt that with good audit capabilities in place, she would not have been able to continue her illegal activities.
The problem in most cases is that there is no clear definition of what constitutes compliance and what does not. In the absence of clear mandates, auditors (internal and external) are just trying to cover all the bases, as the director of information security at Sony alludes to.
Onerous as it is, the benefits of implementing the compliance-mandated controls are not in question. With the huge array of applications and systems deployed in a company, IT organizations most often have scant idea of what is out there in the haystack. With governance being forced via these mandates, companies are getting to track and keep tabs on all the goings-on in their IT universe. Here is a starter list of things to help you be well prepared for an audit:
- Application Access Controls: As a rule of thumb, any application should have ways to control what a user can see and do, and when. The first thing any auditor will ask for is a report that outlines the access controls. Special focus will be on the privileged users of systems (read: your DBAs and system administrators). You should not be surprised if you get a request to curtail the privileges of “Super” users with unlimited privileges.
- Database Access Controls: Database access control is the most critical area to monitor. It goes without saying that someone with database access can do a lot of harm if they are not wired the right way, so regulating access to the database and auditing all the actions performed while connected is paramount. Oracle Database allows you to control who can access the database by restricting it to specific IP addresses, known users and known applications. Here the most common mandate from the audit side is to grant access only to the must-have tables rather than all of them, and only to must-have users rather than free-for-all read-only access.
- Password Policies: Auditors will be very interested in the corporate password policies: how frequently passwords must be changed and how complex they must be. If you know Oracle E-Business Suite, you know that password management is not one of its strong suits; it is not all that tough to decrypt a password in Oracle E-Business Suite. In most customer instances this is addressed by delegating credential management to the corporate identity management system. Another key concern auditors raise is around the cloning of production instances and the carry-over of production passwords to the cloned test/dev instance. PCI and HIPAA compliance mandates require you to scramble data as part of replicating critical data. Have your operational policies around cloning and data scrambling ready for the auditors.
- Log Policies: Policies around managing log files will also be of interest to auditors. Log files hold critical information about servers, ports and account names, and with inadequate error handling, error stacks can divulge critical information. Log file locations, access control on those directories, purge policies, log file content and so on all come into the discussion. Having some kind of log miner constantly monitor the contents of the logs is one of the areas companies have invested in over recent years to tackle this challenge.
- Change Management Controls and Logs: Application change management attracts a lot of interest from the auditors. Here are some of the things you should certainly expect to be asked about:
  - Change Request Workflow and Approvals
  - Impact and Risk Analysis process
  - Backout process
  - Review and Audit logs of the changes once they are completed
  - Exceptions made to the process, and the reasons and approvals for them
  - Segregation of Duties – clear delineation of roles in the change lifecycle, i.e., Requesters, Creators, Approvers, Implementers, Reviewers and Auditors
- Patch Management: Another critical thing that gets reviewed during an audit is the patch management process. Automating it will make life easier. Any manual patching will undergo scrutiny: access control, log management and post-implementation reviews are guaranteed questions.
- Software Updates: One of the other things that constantly comes up, but does not have a clear answer, is whether the system is up to date on patches. You should exercise discretion and do your due diligence in applying the patches the vendor provides, but at a minimum an analysis has to be done and a decision has to have been made with sufficient substantiation.
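As an added example (not code from the original post), here is a small log-content monitor of the kind the Log Policies item above calls a "log miner": it scans log lines for leaked credentials, user/password connect strings, host:port details and error stacks, and redacts the secret values in its own findings so the report does not become a second leak. The rule patterns and the sample log lines are constructed for illustration and are assumptions, not taken from any real system.

```python
"""Minimal log-content monitor: flag lines that leak credentials,
connection details or error stacks. Added example, not part of the
original post; rules and sample log lines are constructed."""
import re
from dataclasses import dataclass

# Each rule is (category, pattern). The first matching rule wins, so the
# most sensitive categories come first. Tune these for your own log formats.
RULES = [
    ("credential",  re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+")),
    ("credential",  re.compile(r"(?i)\b[a-z0-9_]+/[^\s@]+@[\w.:/-]+")),   # user/pass@host style connect strings
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("stack_trace", re.compile(r"^\s+at [\w$.]+\(|^Traceback \(most recent call last\)")),
    ("endpoint",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")),    # ip:port pairs
]


@dataclass
class Finding:
    line_no: int
    category: str
    redacted: str   # the offending line with secret values masked


def redact(line: str) -> str:
    """Mask secret values so the findings report itself does not leak them."""
    line = re.sub(r"(?i)\b(password|passwd|pwd)(\s*[=:]\s*)\S+", r"\1\2***", line)
    line = re.sub(r"(?i)\b([a-z0-9_]+)/[^\s@]+@", r"\1/***@", line)
    return line


def scan_log(lines):
    """Return one Finding per line that matches any rule, in file order."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(no, category, redact(line.rstrip())))
                break   # one finding per line keeps the report readable
    return findings


def summarize(findings):
    """Count findings per category, e.g. for a daily audit dashboard."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample log; the host, users and secrets are made up.
SAMPLE_LOG = [
    "2024-03-01 10:15:02 INFO  Starting concurrent manager on node fin-app-01",
    "2024-03-01 10:15:03 DEBUG connect string: apps/Welcome1@10.20.30.40:1521/PROD",
    "2024-03-01 10:15:04 INFO  Listener ready on 10.20.30.40:1521",
    "2024-03-01 10:15:09 ERROR Login failed for user JSMITH",
    "2024-03-01 10:15:09 ERROR java.lang.NullPointerException",
    "    at oracle.apps.fnd.Login.validate(Login.java:212)",
    "2024-03-01 10:16:00 WARN  password=Summer2024! rejected by complexity policy",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no:>3} [{f.category:<11}] {f.redacted}")
    print(summarize(found))
```

Running it over the constructed sample reports two credential leaks (the connect string and the rejected password), one exposed listener endpoint and one stack-trace line, with `Welcome1` and `Summer2024!` masked in the output. In practice this would run as a scheduled job over the log directories the auditors ask about, with the findings count tracked over time.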
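The change management controls listed above (workflow and approvals, backout, exceptions, segregation of duties) can be checked mechanically against change records before the auditor asks. The following is an added example, not the post's own code or any ticketing product's API; the record layout, role names and sample changes are constructed for illustration.

```python
"""Segregation-of-duties and change-process checks over change records.
Added example, not from the original post; the record fields and the
sample changes below are constructed."""
from datetime import datetime

# Role pairs that must never be held by the same person on one change.
CONFLICTING_ROLES = [
    ("requester", "approver"),
    ("creator", "approver"),
    ("approver", "implementer"),
    ("implementer", "reviewer"),
]


def check_change(change: dict) -> list:
    """Return human-readable violations for one change (empty means compliant)."""
    cid = change["id"]
    problems = []
    # Segregation of duties between the roles in the change lifecycle.
    for a, b in CONFLICTING_ROLES:
        if change.get(a) and change.get(a) == change.get(b):
            problems.append(f"{cid}: {a} and {b} are both {change[a]}")
    # Approval must exist and precede implementation.
    approved = change.get("approved_at")
    implemented = change.get("implemented_at")
    if implemented and not approved:
        problems.append(f"{cid}: implemented without an approval record")
    elif implemented and approved and implemented < approved:
        problems.append(f"{cid}: implemented before approval")
    # A documented backout process is expected on every change.
    if not change.get("backout_plan"):
        problems.append(f"{cid}: no backout plan")
    # Exceptions to the process need a reason and a separate approval.
    if change.get("exception"):
        if not change.get("exception_reason"):
            problems.append(f"{cid}: process exception without a documented reason")
        if not change.get("exception_approver"):
            problems.append(f"{cid}: process exception without an approver")
    return problems


def sod_report(changes) -> dict:
    """Map each change id to its list of violations."""
    return {c["id"]: check_change(c) for c in changes}


T = datetime.fromisoformat

# Constructed sample records: one clean change, one where a single person
# held every role, one implemented early with an undocumented exception.
SAMPLE_CHANGES = [
    {"id": "CHG-1001", "requester": "alice", "creator": "bob", "approver": "carol",
     "implementer": "bob", "reviewer": "dave", "approved_at": T("2024-03-01T09:00"),
     "implemented_at": T("2024-03-02T22:00"), "backout_plan": "restore from snapshot"},
    {"id": "CHG-1002", "requester": "erin", "creator": "erin", "approver": "erin",
     "implementer": "erin", "reviewer": "frank", "approved_at": T("2024-03-03T08:00"),
     "implemented_at": T("2024-03-03T08:05"), "backout_plan": "revert patch"},
    {"id": "CHG-1003", "requester": "gina", "creator": "hal", "approver": "ivan",
     "implementer": "hal", "reviewer": "jo", "approved_at": T("2024-03-05T10:00"),
     "implemented_at": T("2024-03-04T23:00"), "backout_plan": "", "exception": True,
     "exception_reason": "", "exception_approver": "ivan"},
]

if __name__ == "__main__":
    for cid, problems in sod_report(SAMPLE_CHANGES).items():
        print(cid, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

The report is exactly the evidence an auditor asks for under "exceptions made to the process": every deviation is listed with the change id, and a clean run is an empty list rather than silence.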
Oracle E-Business Suite, as most of you know, comes with “SYSADMIN” responsibilities, which are akin to the “keys to the kingdom”. A user with this responsibility can grant herself any other responsibility, change system-wide settings and pretty much do everything. Due to the inherent design/architecture of the application this becomes a necessary evil. To address this limitation, one of the key things to do is to audit all the activities performed by any user assuming that responsibility. A report of privileged user activity is definitely something you should be monitoring. Another important thing that keeps coming up is auditing the provisioning of user responsibilities.
If you have not been part of an audit so far and are now wondering whether this will mean a lot of reporting, you guessed right. Audits have become part of life, and companies that have invested in automation have stood to gain.
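An added example, not from the original post, of the two reports the paragraph above asks for: a privileged user activity summary and an audit of responsibility provisioning. It works over responsibility-assignment audit events in a constructed shape (an assumption made here, not Oracle E-Business Suite's actual audit tables or column names) and flags users who granted a responsibility to their own account and privileged grants that carry no change ticket.

```python
"""Privileged-user activity and responsibility-provisioning audit.
Added example, not the post's own code; the event fields and sample
events are constructed and do not mirror any product's audit schema."""
from collections import defaultdict

# Responsibilities treated as privileged for reporting purposes (assumed names).
PRIVILEGED = {"SYSADMIN", "System Administrator"}


def find_self_grants(events):
    """Events where the actor assigned a responsibility to their own account."""
    return [e for e in events
            if e["action"] == "GRANT_RESP" and e["actor"] == e["target_user"]]


def find_unticketed_privileged_grants(events):
    """Privileged responsibility grants that reference no change ticket."""
    return [e for e in events
            if e["action"] == "GRANT_RESP"
            and e["responsibility"] in PRIVILEGED
            and not e.get("ticket")]


def privileged_activity(events):
    """Per-actor count of each action performed while using a privileged responsibility."""
    out = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.get("using_resp") in PRIVILEGED:
            out[e["actor"]][e["action"]] += 1
    return {actor: dict(actions) for actor, actions in out.items()}


# Constructed sample audit trail; users, responsibilities and tickets are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00", "actor": "OPS_ADMIN", "using_resp": "System Administrator",
     "action": "GRANT_RESP", "target_user": "JSMITH", "responsibility": "AP Invoice Entry",
     "ticket": "CHG-2001"},
    {"ts": "2024-03-01T09:10", "actor": "OPS_ADMIN", "using_resp": "System Administrator",
     "action": "UPDATE_PROFILE", "target_user": None, "responsibility": None,
     "ticket": "CHG-2002"},
    {"ts": "2024-03-02T18:45", "actor": "KLEE", "using_resp": "System Administrator",
     "action": "GRANT_RESP", "target_user": "KLEE", "responsibility": "Payables Manager",
     "ticket": None},
    {"ts": "2024-03-02T18:50", "actor": "KLEE", "using_resp": "System Administrator",
     "action": "GRANT_RESP", "target_user": "TEMP1", "responsibility": "SYSADMIN",
     "ticket": None},
    {"ts": "2024-03-03T11:00", "actor": "JSMITH", "using_resp": "AP Invoice Entry",
     "action": "CREATE_INVOICE", "target_user": None, "responsibility": None,
     "ticket": None},
]

if __name__ == "__main__":
    print("Self-grants:")
    for e in find_self_grants(SAMPLE_EVENTS):
        print(f"  {e['ts']} {e['actor']} -> {e['responsibility']}")
    print("Privileged grants without a ticket:")
    for e in find_unticketed_privileged_grants(SAMPLE_EVENTS):
        print(f"  {e['ts']} {e['actor']} granted {e['responsibility']} to {e['target_user']}")
    print("Privileged activity:", privileged_activity(SAMPLE_EVENTS))
```

On the constructed trail the self-grant by KLEE and the unticketed SYSADMIN grant to TEMP1 are the two lines an auditor would want explained, while the activity summary shows what each administrator did under a privileged responsibility and leaves ordinary users (JSMITH) out.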
What are your thoughts? Shoot me an email if you think of anything I missed.