On the top of every CIO’s agenda these days is how to avoid falling foul of regulatory compliance and corporate governance.
Laws and requirements are evolving, and changing the way businesses gather, store and manage their data.
Jaroslav Cerny, CEO of RDB Consulting, says Database Administrators (DBAs) must keep abreast of what is happening in the regulatory environment, and understand how it impacts their role. Each new business cycle brings with it new challenges for providers of IT services to businesses. “You can count on the fact that one of the projects topping the list will be verifying compliance with the necessary regulations,” Cerny says.
Each year, publicly held organisations have an obligation to evaluate and report on their internal controls over financial reporting, and the effectiveness thereof, and require independent auditors to verify that effectiveness. Ensuring compliance is a collaborative effort between business users, IT, and the legal team, which can be challenging, as these groups are not known for their communication with each other.
“Business needs to understand what requirements, legally speaking, are imposed on their information by the regulatory environment. Legal needs to be kept in the loop, as it is their job to interpret the legalese of these regulations, and ensure that business is taking all required steps to effectively protect itself,” he explains.
“IT’s involvement goes as far as implementing and supporting the actual policies and procedures, to enable the relevant technologies used to support the regulatory requirements.”
All the business data needs to be mapped and categorised in accordance with how each group of data is affected by the regulations, and it must be understood which data falls under which directive, and what that law requires for the way in which that data is managed. Once this step is complete, says Cerny, controls and policies must be put in place to ensure compliance with the regulations, whether this is additional security measures, longer retention periods, stricter privacy or user group controls and suchlike.
Being compliant may start with the chief executive, but it has to filter its way down, he says, and will eventually impact on the DBA. Ultimately it is the DBA who ensures that data is protected and controlled, and everyone from the CEO, to the CIO, to the DBA manager relies on the DBA to do this properly.
It is the IT department’s job to ensure the underlying infrastructure – physical or virtual – supports the database, but they should not have access to the database itself. It is the DBAs job to make sure the applications run correctly, that users have the necessary permissions to do their jobs and that the controls used to secure the database are doing their job.
The less the number of users with access to these controls, the better, and the more likely a company can remain compliant.
Compliance-related duties that will also impact the DBA are duties such as metadata management, data masking and obfuscation, data quality, database and data access auditing, long-term data retention and database archiving, as well the more obvious change management, and backup and recovery.