Public Company Sails through SOX Audit
S.O.S Review uncovers hidden loopholes and provides cutting edge security practices

The Problem
Multiple Databases & Need for Clear, Independent Review

Database security audits are part of the annual audit process for all publicly traded companies. In facing the unknowns of their own audit, the experienced management and IT team of this public company wanted a clear picture of how well they were prepared. The team was distinctly interested in remediation items that might be outside of their experience. They were also interested in how to comply with the sometimes contradictory requirements of each piece of legislation - especially in the context of Sarbanes-Oxley.

Although compliance is a new challenge, a proactive approach to information security is the norm for this company. The strong IT Team always strives to achieve a best practice environment but faces several challenges when protecting databases and the sensitive information they contain. The team manages several Oracle databases with multiple versions. Some of these databases are completely internal with no external interfaces while others are used for EDI with third parties.

External Auditors have requested that the team standardize their operating procedures without direction on what is required of them to do so.

The Risk
Data Loss & Unseen Loopholes

Even the most skilled and diligent IT team runs the risk of becoming complacent and uninformed when facing so much change. The team recognized this danger and realized that their viewpoint was not objective enough to uncover hidden loopholes or to be on the cutting edge of industry security practices. In addition, the potential for data loss, noncompliance with Sarbanes-Oxley, or an unfavorable audit was increased by the number and variety of databases.

The Goals
SOX Compliance and Forward Thinking Best Practices

The director of IT set goals to prepare for his company’s external audit that would:

• Obtain an independent review of the current state of database security
• Gather a list of remediation items to tackle before the audit
• Outline a strategic roadmap that achieves and sustains a best practice environment
• Create a standard operating environment document that would be foundational to new/future databases
• Procure best practice advice specific to their environment from technical security and compliance experts
• Learn from other organizations within their industry

The Consequences

• The technical team could not keep up with the change and conflicting requirements of each piece of legislation in addition to their other responsibilities.
• The team needed security and legislation expertise in addition to their technical knowledge.
• The auditors did not supply the information to create a standard operating environment document that would comply with Sarbanes-Oxley
• The team had no way of attaining industry experience – they did not know what other companies are doing in terms of best practices.
• Independence – the members of the team who have the appropriate experience to create best practice standards are those creating and maintaining the databases, thereby jeopardizing objectivity.

• This approach does not take their unique situation or industry into account, with great potential to miss security issues.
• The team maintained multiple versions of several databases - best practice guides are available generally for current versions and recommendations for one version do not apply across versions.
• Independence is again an issue, as the review would be managed internally.

The Solution – SOS (State of Security)
An Expert, Cross Legislation Best Practice Strategy

MENTIS SOS (State of Security) is an expert solution that successfully prepares companies for ongoing audits and develops a far-reaching security strategy of cross industry best practices. SOS is a strategic review coupled with an in-depth, automated scan of all items within the database infrastructure (such as listener configuration, database parameter setup, disaster recovery planning, etc.). The SOS process takes into account the unique company and industry quirks that “canned” best practice products cannot. SOS maintains a best practices library and provides results that are specific to each company’s business conventions, environment and industry. Results include a list of tactical remediation items that enable companies to pass their upcoming audit, a strategic roadmap that realizes ongoing and healthy security architecture, best practices that can easily adapt to legislative changes and a standard operating environment document that serves as the DBA blueprint for audit-ready version control.

The SoS Results
A Passed Audit & an Ongoing Best Practice Strategy

This public company hired MENTIS, the security and compliance experts, to independently review their state of database security. Throughout the SOS review process, the IT team was able to streamline their tasks with a list of action items that both exposed security loopholes and gave instructions on how to fix each problem. The company had many databases with multiple access and maintenance methods. The auditors had requested that the IT team create a standard operating system without direction on how to accomplish this within the audit requirements. On top of this, the team wondered how they could respond to the auditors and continue to respond to the demands of the business. Mentis furnished the IT team with a step by step standard that is audit ready and that meets the company’s complex requirements for their database set up. The IT team has the confidence that they are following a successful, organizational-wide standard each time a new database is created.

The tactical remediation that SOS provided helped the IT team pass their audit with flying colors. The team then worked over the next 18 months to surpass audit requirements with a more strategic plan to secure the databases into complete best practice. The team can now adapt easily to the many changes in technology and legislation.
Long time experts in security and compliance, Mentis has gathered a breadth and depth of business and industry experience that the internal team could find no where else. Mentis is continually gathering new knowledge and new problem solving approaches that keep their clients in front of security and compliance issues. The quick turn around that SoS provided was a bonus for the company, allowing IT to easily meet the goals of their timeline.
This team was able to see a much bigger picture by using SOS, feeling confident that they were always on the cusp of audit preparedness; and that they now have the cutting edge best practice environment they demand.