
Databases and Regulatory Compliance Challenges

Last reviewed: October 26, 2012
Abstract

The advent of technology has increased the popularity of database usage in firms, yet the legislation regulating the field has yet to be finalized. The changing nature of the IT sector, coupled with the legislative traits, creates several situations in which the companies find it difficult to comply with the regulations. This paper recognizes some of those difficulties, and also proposes some solutions.

1. Introduction

No sector in modern society evolves as rapidly as the technology domain, and the innovations developed there come to affect all aspects of life, from how leisure time is spent to the completion of the most challenging professional tasks.

The applications of technology within contemporary society are numerous and complex; one specific example is the superior capability for data management. Information management integrates the multitude of tools and processes focused on the collection of information and its adequate usage and storage.

One notable application in the management of information is the database, a collection of information preserved and presented so that it is easily accessible to the people who need the information stored in it. The usage of databases has been characterized by some challenges, such as the need to possess high technological skills or the need to respect legal regulations.

At the level of skills, it is now evident that databases have been developed over the years and are more user friendly; they no longer limit their usage to people with high technical skills. While this limitation has been addressed, the challenge raised by compliance with regulations remains valid. The main reason is that the domain is a novel one, and the laws regulating it are still uncertain and under continuous development. Furthermore, database usage and management raise intellectual property issues, which have yet to be adequately regulated by legislation.

2. Databases

In a general formulation, a database is understood as a collection of data which stores information that can be accessed by the people authorized to access the database. According to Margaret Rouse,

"A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. In one view, databases can be classified according to types of content: bibliographic, full-text, numeric, and images" (Rouse, 2006).

From a technological standpoint, databases can be classified based on their purposes within the entity in which they are utilized. For instance, there is the relational database, a tabular database that allows users to reorganize the contained information in any way that is relevant for their queries. Then, there is the distributed database, which allows its users to disperse or replicate it among various points in a network. Last, there are object-oriented databases, which are congruent with the features of object-oriented programming.

Within the organizational setting, the databases are normally controlled by the managers, who grant access to other employees; the employees usually have the right to retrieve information from the database and to put information in the database. Some examples of information which can be stored in databases include customer profiles, sales levels, product inventories and so on.

While the employees and the managers are essential in the management of databases, it must also be noted that these individuals are integral parties in a larger system of database management.

"Databases and database managers are prevalent in large mainframe systems, but are also present in smaller distributed workstation and mid-range systems such as the AS/400 and on personal computers. SQL (Structured Query Language) is a standard language for making interactive queries from and updating a database such as IBM's DB2, Microsoft's SQL Server, and database products from Oracle, Sybase, and Computer Associates" (Rouse, 2006).

Databases are as such complex constructions which help manage information in the modern day society in an effort to attain the pre-established business or non-business related objectives. Still, despite the benefits they generate for the entities, they also raise some notable challenges, viewed mostly at the level of regulations. These will be addressed throughout the following section.

3. Regulatory challenges for databases

Databases are relatively new tools used within the business and non-business communities, and this novelty is also revealed in their regulation. In other words, as with any other aspect of information technology, the legislation governing databases is still being developed and continually changed. This is because not all dimensions of database usage are known, and not all implications are considered by law makers. These efforts are nevertheless occurring, and they materialize in an ongoing process of legislative development.

At this level, then, the first regulatory challenge faced by database users is legal uncertainty. For instance, a law regulating the usage of databases could be ambiguous because it was unclear to the policy makers how the technological dimensions of database usage are interrelated with the legal aspects. Database users then face uncertainty regarding what is legal and what is illegal in the usage of the database.

Aside from the challenges raised by legal uncertainty, the regulatory challenges also stem from the continually changing nature of database regulations. As mentioned before, this trend is due to the novelty of the topic and the need to continually research it, identify its dimensions and regulate them. Nevertheless, while this process is justified at the logical level, it also creates some notable shortcomings for the users of databases. These include the following:

Uncertainties linked to the emergence of new laws, and the need for the firm to comply with legislations it did not even know existed

The need to implement new and continually changing regulatory compliance requirements, which may lead to operational inefficiencies as more time and resources are allocated to database regulatory compliance, to the detriment of the core activity of the firm

The need to constantly review the legislation and identify new changes, which often materializes in the need to employ -- or at least contract -- a legal specialist. This need also reduces operational efficiency and generates additional expenditures.

Currently, database usage is regulated by three specific pieces of legislation, namely the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB). The scope of these laws is the protection of information, and they essentially seek to attain this goal by mandating internal audits that safeguard the integrity, confidentiality, availability and accountability of the data. The table below lists some of the more notable regulations addressed by the current legislation:

Regulation                            Risk area
Sarbanes-Oxley Section 302            Unauthorized changes to data
Sarbanes-Oxley Section 404            Modification to data, unauthorized access
Sarbanes-Oxley Section 409            Denial of service, unauthorized access
Gramm-Leach-Bliley Act                Unauthorized access, modification, disclosure
HIPAA 164.306                         Unauthorized access to data
HIPAA 164.312                         Unauthorized access to data
Basel II -- Internal risk management  Unauthorized access to data
Code of Federal Regulation Sec 11     Unauthorized access to data

Source: Altius IT, 2012

These regulations are commonly known to the auditors and accountants within firms, who are familiar with audit processes but may not know the specifics of database auditing. Still, the internal controllers and accountants are better informed from the legal standpoint than the IT specialists. This is a notable problem within institutions, as they may find themselves in situations where their IT staff are unaware of the legal dimension of their activities and may even break the law.

In order to avoid such situations, it is necessary for management to provide legal training to the staff of the Information Technology department and thereby ensure that the database operations carried out by the firm are in full accordance with the legislation. To achieve this, however, firms have to allocate and invest additional sums of money, which increases their spending and may reduce their profitability. Nevertheless, it would be much costlier for the entities to risk legal infringements and the legal and financial repercussions that come with them.

In such a setting, firms normally conduct internal controls through which they ensure that they respect the legal stipulations. The focus of the controls in database usage normally falls on the following issues, each of which generates challenges for regulatory compliance:

The storage of the database, referring specifically to the hardware devices and software applications, as well as the external services which may be used to store the documents

The creation of the database, understood as the ability of the database users to contribute information in order to create new documents within the database

The capture of data, understood as the metadata that includes the date and time of the document, as well as its storage

The filing of the documents in the database, specifically the mechanisms employed in their filing and organization

The retrieval of information from the database, referring specifically to the indexing of the documents, their location in the database, their response times and so on

The workflow in the database, which ensures that the documents in the database are easily accessible to workgroups; this feature is not necessary for all databases

The distribution of the information in the database, to ensure that the documents contained in the database are accessible to the appropriate staff members

The security of the database, referring specifically to the protection of the information in the database against loss, theft, tampering and destruction, but also the ability to hide sensitive information

The encryption of the database, in order to protect it from being accessed and distributed by unauthorized personnel

The archival of the database, in order to ensure protection against disasters, as well as readability of the data in the future

The retention of documents in the database, with emphasis on the duration of retention, the time when documents would be destroyed and so on

Last, the authentication of the database, in order to ensure that the documents are original and meet the standards for authentication (Altius IT, 2012).

As mentioned before, the management and utilization of databases is regulated by several laws. Nevertheless, these laws were initially created to regulate other aspects of organizational affairs. The Sarbanes-Oxley Act, for instance, was created to standardize governance issues within firms, but it also makes several references to the operations of the IT department. This lack of legislation specifically created to regulate database usage and management in firms leaves room for differing interpretations of the available laws. In such a setting, then, another notable challenge to regulatory compliance is the interpretation of the laws, which leads to uncertainty. At this level, there are five distinct ways in which companies could fail to comply with the regulations, as follows:

(1) The absence of security mechanisms within firms to limit unauthorized access to the databases. This shortcoming could have negative effects upon the integrity of the financial systems in firms, which would in turn lead to legal infringements at levels other than IT as well.

(2) The absence of controlled mechanisms which ensure the upgrading and updating of hardware components and software solutions; this could also have a negative impact upon the databases, ultimately materializing in decreased quality of financial reporting.

(3) The absence of a well designed and implemented plan for data recovery, which prevents the company from adequately continuing its operations in case of data theft or loss.

(4) The absence of reporting at the database level, such as inaccessible database logging, insecure logs, lack of transaction reporting or the inability to demonstrate the audit of the database.

(5) Last, the absence of data backups for the movement of information onto disk, tape or storage at third-party sites; this leads to insecurity of data and inability to track information, which in turn makes the company vulnerable to information theft (Sandhill Consultants, 2006).

All these shortcomings lead to greater problems within the company, preventing it from operating at full capacity and from adequately complying with other regulations, such as those on governance or financial reporting.

4. Proposed solutions

The usage of databases is a complex endeavor from a legal standpoint, due to the need to comply with complex and continually changing regulations. Nevertheless, despite this drawback, the usage of databases is increasing within the business and non-business sectors, due to the multitude of benefits generated by databases. Some of the more notable of these advantages include the following:

The reduction of data redundancy, as this is easily spotted and eliminated through database employment

Increased consistency over data usage and preservation, combined with lower levels of errors due to information updating

Decreased dependence on application programs and increased data integrity

The usage of host and query languages, which in turn materialize in improved access to data by the appropriate users

Higher levels of data security

Decreases in the efforts of data entry, storage and retrieval

An improved development of new application programs (CL500).

In essence, the usage of databases supports overall organizational efficiency, due to its ability to save time, support communications, increase data security and save costs (Thomas). In order to benefit from these advantages, economic and other agents have to overcome the legal challenges of database usage. The editors of the Altius IT website propose the following solutions for mitigating the compliance risks of database usage:

Audit logs

Trend analysis

DBA access to information

Internal controls

Database audit trails

Database firewalls

Software tools.

(a) Audit logs

Audit tools are usually provided by database vendors, either as packages integrated with the original database or as complementary solutions. They are used by the internal auditors within the firm and can help identify several regulatory issues, such as unauthorized access to the database; they can also identify non-regulatory issues, such as logon attempts, which help gain more information on the ease of using the database.

The drawback of audit logs is that the controls have to be conducted by parties within the firm, who may or may not possess the necessary skills to conduct the audits and identify any regulatory infringement. Additionally, audit logs require storage space, memory resources and archiving (Altius IT, 2012).

(b) Trend analysis

Trend analysis refers to the observation of trends in access to the database by authorized personnel. Audit logs will often provide useful information and will even prevent unauthorized access to the database, but regulatory challenges can also arise from within the internal environment of the firm. At this level, the most relevant example is potential data theft by authorized personnel. With the aid of trend analysis, the database manager can identify suspicious activities by authorized personnel.
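As an added illustration of the audit-log review and trend analysis described in sections (a) and (b), the script below is example code written for this edit; it is not from the paper or from Altius IT. It parses a constructed audit log (the line format, user names, table names and row counts are all made up), builds a per-user baseline of normal behaviour from the earlier records, and flags later activity by an authorized user that departs from that baseline. The three detection rules (a table the user has not touched before, access outside the user's usual hours, and a row volume far above the user's mean) and their thresholds are assumptions that a real deployment would tune.

```python
"""Trend analysis over database audit log lines (constructed example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log. Fields: timestamp, user, action, table, rows affected.
SAMPLE_LOG = """\
2012-10-01T09:12:05 alice SELECT customers 120
2012-10-01T10:40:11 alice SELECT customers 95
2012-10-02T09:03:44 alice SELECT customers 110
2012-10-02T14:22:09 alice SELECT customers 130
2012-10-03T09:15:30 alice SELECT customers 100
2012-10-03T10:01:12 bob UPDATE inventory 12
2012-10-03T11:45:50 bob UPDATE inventory 8
2012-10-04T02:17:03 alice SELECT customers 48000
2012-10-04T02:19:40 alice SELECT payroll 3000
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, table, rows = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "table": table,
            "rows": int(rows),
        })
    return records


def build_baseline(records):
    """Per-user profile of normal behaviour: tables touched, hours seen, mean rows."""
    profile = defaultdict(lambda: {"tables": set(), "hours": set(), "rows": []})
    for r in records:
        p = profile[r["user"]]
        p["tables"].add(r["table"])
        p["hours"].add(r["ts"].hour)
        p["rows"].append(r["rows"])
    return {
        user: {"tables": p["tables"], "hours": p["hours"], "mean_rows": mean(p["rows"])}
        for user, p in profile.items()
    }


def find_anomalies(records, cutoff, volume_factor=10.0):
    """Baseline on records before `cutoff` (ISO date string); flag records on or after it.

    Returns a list of (timestamp, user, [reasons]) for every record that trips
    at least one rule. The rules and the 10x volume threshold are assumptions.
    """
    cutoff_dt = datetime.fromisoformat(cutoff)
    baseline = build_baseline([r for r in records if r["ts"] < cutoff_dt])
    findings = []
    for r in records:
        if r["ts"] < cutoff_dt:
            continue
        profile = baseline.get(r["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if r["table"] not in profile["tables"]:
                reasons.append(f"new table {r['table']}")
            lo, hi = min(profile["hours"]), max(profile["hours"])
            # Allow one hour of slack either side of the user's observed window.
            if not (lo - 1 <= r["ts"].hour <= hi + 1):
                reasons.append(f"off-hours access at {r['ts'].hour:02d}:00")
            if r["rows"] > volume_factor * profile["mean_rows"]:
                reasons.append(f"volume {r['rows']} vs mean {profile['mean_rows']:.0f}")
        if reasons:
            findings.append((r["ts"].isoformat(), r["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(parse_log(SAMPLE_LOG), "2012-10-04"):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as-is, the script reports both 2012-10-04 records by alice: the first for off-hours access and a row volume far above her baseline, the second additionally for touching a table she had never read before. Neither access is "unauthorized" in the access-control sense, which is exactly the case the paper says audit logs alone do not surface.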

(c) DBA access to information

DBAs are database administrators, usually highly technical staff engaged in the management of sophisticated databases; they are often third parties, not employed by the firm but contracted through collaboration agreements. The regulatory challenge raised by database administrators is that they need access to the database in order to manage it. Nevertheless, it is also necessary for the company to protect itself against any potential illegal use of data from its database. At this level, emphasis should be placed on identifying the data strictly needed for the DBAs to perform their maintenance operations, and on separating other data into confidential files not accessible to the database administrators.

(d) Internal controls

The internal controls within firms are focused on the early identification of any legal challenge regarding compliance with the relevant regulations. The focus of the internal audits falls on the identification of unauthorized access to the database, and on the control and verification of the information in the database and its usage. The risk assessment efforts within the firm seek to identify the areas with the highest potential for risk, to analyze the potential risks and, last, to respond to them. In other words, the focus falls on the protection of information through multiple levels of regulatory compliance. Some of the more notable efforts of risk assessment and internal control include the following:

"Auditing - turned on, log files secured, and reviewed in a timely manner

Authentication - user access to systems approved by management, passwords expire

Change Management - formal testing, approval procedures

PaperDue. (2012). Databases and Regulatory Compliance Challenges. PaperDue. https://www.paperdue.com/essay/databases-and-regulatory-compliance-challenges-76140