For research purposes
To avert a serious threat to health and safety
If related to military personnel, inmates in corrections facilities, or other specialized government functions
If related to workers' compensation
In these cases you must ensure that the security and audit provisions you make support these processes as exceptions.
11.2.3 Example: SOX and Excel
Excel and other spreadsheets have become the focus of many SOX implementations, because spreadsheets are extensively used in financial reporting and form the user interface layer in many financial applications. In some cases, Excel actually bypasses the real financial application that usually has more security, audit, and control mechanisms than Excel and forms a “rogue” financial application.
Many companies are investing in better controls related to the use, development, and maintenance of spreadsheets. The focus is both in terms of the formulas and correctness of the models implemented within the spreadsheets as well as the data that is accessed and updated using spreadsheets. This focus on what seemingly is just another application accessing the data is justified, because there have been many real cases in which more damage was done using a spreadsheet than you could imagine. A well-known case (without naming names) involves a major financial institution that, as a result of a flawed change control process, allowed the introduction of an error that resulted in a $1 billion financial statement error. Another true example is of a trader who committed fraud by changing spreadsheet macros and updating data in a database that was not being audited for changes.
All in all, because spreadsheets are so ubiquitous, open in terms of functionality, and do not have robust auditing and control mechanisms, most Section 404 implementations will include a specific task that directly focuses on the use of spreadsheets and the data that is being accessed and changed from spreadsheets. This maps very well to various techniques you have learned that allow you to monitor, audit, alert on, and block access to operations that are initiated from a spreadsheet. For example, monitoring source programs (as shown in Figure 11.1) will give you a clear indication of which applications are accessing the database. Baselining access (dis-
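The monitor-and-baseline approach above, as an added example that is not the book's code: database audit records are checked for a spreadsheet source program, compared against a reviewed baseline of approved spreadsheet access, and anything outside it (reads, and especially writes) is reported. The audit record layout, program names, table names and the baseline are all constructed assumptions.

```python
# Added example, not the book's code: flag spreadsheet-originated database
# operations that fall outside an approved baseline. All records, program
# and table names below are constructed for illustration.
from collections import namedtuple

AuditRecord = namedtuple("AuditRecord", "user source_program operation table")

# Client programs treated as spreadsheets (matched case-insensitively).
SPREADSHEET_PROGRAMS = {"EXCEL.EXE", "SOFFICE.BIN"}
# Constructed baseline of reviewed spreadsheet access: (program, op, table).
BASELINE = {
    ("EXCEL.EXE", "SELECT", "GL_BALANCES"),
    ("EXCEL.EXE", "SELECT", "FX_RATES"),
}
WRITE_OPS = {"INSERT", "UPDATE", "DELETE", "MERGE"}

def classify(rec):
    """Return None if the record is acceptable, else a short reason."""
    program = rec.source_program.upper()
    if program not in SPREADSHEET_PROGRAMS:
        return None  # not a spreadsheet; other controls apply
    key = (program, rec.operation.upper(), rec.table.upper())
    if key in BASELINE:
        return None
    if key[1] in WRITE_OPS:
        return "spreadsheet write outside baseline"
    return "spreadsheet read outside baseline"

def find_exceptions(records):
    """Return [(record, reason)] for every record needing attention."""
    return [(r, why) for r in records if (why := classify(r))]

# Constructed sample audit trail (not real data).
SAMPLE = [
    AuditRecord("analyst1", "EXCEL.EXE", "SELECT", "GL_BALANCES"),
    AuditRecord("analyst1", "excel.exe", "SELECT", "fx_rates"),
    AuditRecord("trader7", "EXCEL.EXE", "UPDATE", "TRADE_POSITIONS"),
    AuditRecord("trader7", "EXCEL.EXE", "SELECT", "TRADE_POSITIONS"),
    AuditRecord("batch", "GLPOST.EXE", "UPDATE", "GL_BALANCES"),
]

if __name__ == "__main__":
    for rec, reason in find_exceptions(SAMPLE):
        print(f"{reason}: {rec.user} {rec.operation} {rec.table}")
```

Only the two trader7 records are reported: the analyst reads match the baseline after case normalisation, and the batch program is not a spreadsheet.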