In managing risk and sustaining compliance around corporate databases, a key step is defining the appropriate policies. These provide clarity and serve as yardsticks against which to measure corporate performance. Enterprises typically do a good job at identifying policies for database protection (including security, change management and other operational issues) - but that is the easy part. The greater challenge is presented in turning those written guidelines into automated and actionable activities. Only then can database managers and C-suite executives have peace of mind that database users are doing what they're supposed to do. This also supports another major challenge - providing proof to auditors that users have in fact complied with policies (in order to show compliance with industry, federal or internal regulations).Why is it important to automate policies? For two reasons. First, validation: in order to provide assurance that policies are effective, all user activities must be examined against the associated policies. Second, reporting: different stakeholders need different views into the operation of the organization and the adherence to policies. Traditionally, both validation and reporting have been a manual affair akin to searching for the needle in the haystack based on whatever information the underlying system happened to provide. IT auditors and technical managers manually search through available security log files to verify that activity is legitimate or to identify abnormal activity. This approach often results in frustrated employees and C-level executives that are not comfortable with their compliance and security programs. Add to that the skepticism of auditors reviewing a manual validation process, which is typically slower, more cryptic and less reliable than an automated one.

Policies provide a framework for accountability (Who did what when? Was it approved?) and visibility (Are security and business policies being followed? Has anything significant changed?). How can enterprises institute the right IT tools to turn written security policies into automated, actionable policies? Here are things that every organization should remember when shaping and implementing data protection policies.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access