Many companies rely on business applications built on the MS Access platform in order to respond quickly and flexibly to new demands for management information, business analysis and external reporting. These applications and their supporting databases are generally developed, deployed and operated without the knowledge of the organization(s) responsible for securing corporate data assets.

While users may be able to create these databases, they generally do not have the specialized knowledge needed to understand and fulfill the regulatory, information security and corporate governance requirements that exist to protect data assets.

Significant risk can be introduced by these applications, particularly when they are integrated with other corporate data sources (databases, data warehouses, etc.) and data is shared among systems. This can lead to financial loss, compliance failure and damage to the company's reputation, as well as potential legal and civil consequences for companies under Sarbanes-Oxley and customer data protection laws.
Not all databases are critical to the functioning of the business. The first challenge is to identify those that do support key business processes and are necessary for continued operations. Typical characteristics of such databases include one or more of the following:

- The data is used for financial accounting, statutory, regulatory or fiscal reporting, and any potential error could be material
- The database supports key financial controls (Sarbanes-Oxley)
- Failure to operate in a consistent manner could expose the company to a significant loss
- The database contains data of a confidential nature about customers or employees, or data of potential value to competitors
The work undertaken to comply with Sarbanes-Oxley exposed End User Computing (EUC) as a serious issue. Sarbanes-Oxley and similar regulations have been the catalyst that has led many large organizations to evaluate their dependence on EUC applications in general and the MS Access platform specifically.

To gain control of these applications and ensure that your key MS Access-based applications continue to function as expected, a systematic approach is required:
- Establish Control Policy: Develop a policy and a definition of what constitutes a business-critical MS Access database. Set standards of use and a timetable for compliance.
- Identify: Locate and conduct a preliminary analysis of the MS Access database population. Software tools effectively support this step by providing a detailed analysis of the complexity of each database and mapping its dependencies. This often leads to the discovery of databases that management was unaware of.
- Quantify: Determine which of these databases meet the criteria established in the corporate Control Policy, are business critical, and require controlling in line with the policy.
- Mitigate: Test that each MS Access database falling within the control policy is performing as required. Determine which databases need to be repaired, redeveloped or migrated. All business-critical MS Access databases must be baseline tested before change control is implemented.
- Manage: Ensure that only authorized employees can access and change data, in a controlled manner, and that all relevant actions and changes are audit logged. A good software tool is essential; it is not practical to do this manually for more than a handful of databases.
- Prevent: Introduce a development life cycle for business-critical MS Access databases that does not destroy business flexibility. For most business-critical databases, consider using a software tool that provides a secure development environment and automates the data link with your IT systems.
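The Identify step above (locating the database population and mapping its dependencies) can be started with a file-share inventory such as the following. This is an added PowerShell example, not code from the article or from the Integrity products; the share paths are constructed samples, and it assumes the Microsoft ACE OLEDB provider is installed with the same bitness as the PowerShell host.

```powershell
# Added example (not the article's or the Integrity products' code): inventory the MS Access
# files on file shares and record the external data each one links to, for the "Identify" step.
# Assumes the Microsoft ACE OLEDB provider matches this host's bitness; share paths are constructed samples.
param(
    [string[]]$Roots = @('\\fileserver\finance$', '\\fileserver\shared$'),
    [string]$Report  = '.\access-inventory.csv'
)
function Get-AccessLinks {
    param([string]$Path)
    # MSysObjects is the hidden system table in every Access file. Type 6 is a linked Access
    # table, Type 4 a linked ODBC table (SQL Server, Oracle, ...); Database holds the target
    # file or DSN and Connect the connection string, which for ODBC links may embed a password.
    $conn  = New-Object System.Data.OleDb.OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=$Path;Mode=Read")
    $found = 0
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand(); $cmd.CommandText = 'SELECT Name, Type, Database, Connect FROM MSysObjects WHERE Type IN (4, 6)'
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $found++
            $kind = if ([int]$reader['Type'] -eq 4) { 'ODBC' } else { 'Access' }
            [pscustomobject]@{
                LinkedTable = $reader['Name']
                LinkKind    = $kind
                Target      = $reader['Database']
                Connect     = ([string]$reader['Connect'] -replace 'PWD=[^;]*', 'PWD=***')  # keep credentials out of the report
            }
        }
        if ($found -eq 0) { [pscustomobject]@{ LinkedTable = $null; LinkKind = 'None'; Target = $null; Connect = $null } }
    } catch {
        # Password-protected or corrupt files still belong in the inventory, flagged for follow-up.
        [pscustomobject]@{ LinkedTable = $null; LinkKind = 'Unreadable'; Target = $null; Connect = $_.Exception.Message }
    } finally {
        $conn.Close()
    }
}
$rows = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Include *.mdb, *.accdb -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($link in Get-AccessLinks -Path $file.FullName) {
            [pscustomobject]@{
                Database = $file.FullName; SizeMB = [math]::Round($file.Length / 1MB, 1)
                LastModified = $file.LastWriteTime; Owner = (Get-Acl -Path $file.FullName).Owner
                LinkedTable = $link.LinkedTable; LinkKind = $link.LinkKind
                Target = $link.Target; Connect = $link.Connect
            }
        }
    }
}
$rows | Export-Csv -Path $Report -NoTypeInformation
```

The resulting CSV gives one row per database and linked table, so databases feeding or drawing on corporate data sources, and files that could not be opened, can be reviewed against the Control Policy criteria.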
Bringing MS Access databases under control can be a big task, but it can be done with the Integrity suite of products.