Some of the regulations that needs to be considered while building an Enterprise Data Warehouse in North America are SOX and GLB of the US, Bill 198 and PIPEDA of Canada and PCI. A brief explanation and its implications are given below.
Sarbanes-Oxley (SOX) and Bill 198: According to SOX, the CEO and CFO need to certify that the financial statements and disclosures of an institution are fairly presented, in all material respects, the operations and financial condition of the issuer. The management of the institution is responsible for establishing and maintaining an adequate internal control structure. An assessment of the effectiveness of the internal control structure and procedures need to be done at the end of the issuer’s fiscal year.
Bill 198 creates civil liability for the first time for continuous disclosure in the secondary market in Ontario, creating personal liability for directors and experts for misrepresentations and failure to make timely disclosure
Gramm-Leach-Bailey (GLB) and Personal Information Protection and Electronic Documents Act (PIPEDA): These regulations insure the security and confidentiality of customer records and information. They mandate institutions to protect against any anticipated threats or hazards to the security or integrity of such records. Access controls needs to be in place to protect against unauthorized access to or use of such records or information
Payment Card Industry (PCI): This regulation has everything to do with credit cards. An institution needs to be concerned of this regulation if their business uses credit cards and related systems. Some of the highlights of the regulation are –
- Install and maintain a firewall configuration to protect data
- Protect stored data
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer acess
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Regulatory Compliance – Implications
The above regulations have a lot of implications that needs to be considered while designing an EDW.
- Evaluate data usage requirements for all users. Create a data usage control policy that defines what, where, when, and how each type of data may be used by each user.
- Record database activity and report on deviations from the data usage control policy.
- Alert (and where appropriate block) user activity when a deviation from usage control policy represents a threat to data privacy or integrity.
- Identify and prevent storage of sensitive data to demonstrate compliance.
- Application controls to ensure the completeness of financial transactions
- Provide comprehensive data security for databases used to generate financial reports.
- Assure secure, stable and reliable performance of the data warehouse environment.
- Ability to test security systems and processes.
- Ensure that complete detailed information about user activity is gathered and maintained.
- Ability to verify that only users with legitimate need have to data.
- Ensure that only appropriate individuals can alter or access critical information
- Access controls within networks or applications to ensure that that only appropriate individuals can access or alter financial data.
- Controls should be in place to examine live database traffic and create profiles of all legitimate activity for each user or application that accesses the database.
- Enforcement of need-to-know access policy based on business activities.
Incident Management & Disaster Recovery
- Incident management to address responses and initiates continuous improvement.
- The system should have the ability to implement controls by notifying administrators about suspicious activity in real time, and even preventing known malicious activity as it occurs in the IT environment.
- Network Controls
- Network firewall and IPS should be in place to protect data warehouse.
- Web Application firewall that provides a layer of defense to protect applications.
- Permit ongoing real-time monitoring and enforcement of corporate and IT controls.
- Logging permits ongoing real-time monitoring of systems, evidence of security vulnerabilities, evidence for forensic investigation (audit trails), and incident investigation.
- Ability to audit access of sensitive data and alert administrators of suspicious activities.
- Monitor and report shared user accounts and other potential user account violations.
- All notifications of security incidents to Information Security should be documented and contain explicit, clear and concise information.