
What Every Good CIO Needs to Know About Mainframe Database Auditing



by Craig S. Mullins
September 17, 2008

Regulatory compliance has become a critical aspect of the IT landscape, and is a big component of every CIO’s job. Nowhere is compliance more crucial than in mainframe database management. A growing number of regulations dictate that increased efforts be made to better secure and protect the accuracy and privacy of enterprise data. Regulatory compliance requires diligence from CIOs and their teams.

The most valuable enterprise data frequently is stored in a mainframe database, so organizations must implement more robust auditing capabilities in their DB2 and IMS environments. CIOs can quickly lose their jobs, as well as their credibility, if they don’t take responsibility for protecting and auditing this valuable corporate asset.

The Regulatory Environment

Let’s take a moment to review several of the high-visibility regulations:

• The goal of the Sarbanes-Oxley Act (SOX) is to reduce fraud and conflicts of interest, to improve disclosure and financial reporting, and to strengthen confidence in public accounting. Section 404 specifies that the CFO must guarantee the accuracy of the processes used to add up the numbers. Those processes are typically guided by computer programs that access and manipulate data in a database system.
• The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to protect an individual’s healthcare information; providers must be able to document everyone who even looked at that information. Think about that. Could you produce a list of everyone who looked at a specific set of rows or group of segments in any database under your control?
• The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies to help prevent credit card fraud, hacking, and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS-compliant or it risks losing the ability to process credit card transactions. Payment card transaction data is typically stored in an enterprise database such as IMS or DB2.

So CIOs face expanding requirements to prove that their databases are protected, so that only properly authorized entities have access, and only to the specific data they need to do their jobs.

The ability to track who did what to which piece of data and when is important because there are many threats to the security of your data. External agents trying to compromise your security and access your company data are rightly viewed as a security threat. But industry studies have shown that most security threats are internal. Some studies have shown that internal threats comprise 60 to 80 percent of all security threats. The most typical security threat comes from a disgruntled or malevolent current or ex-employee with valid access to the DBMS. Auditing is crucial because you may need to find an unauthorized access emanating from an authorized user.