The bottom line is that because there are multiple parties with varying
knowledge levels involved in this exercise and because regulations are fairly
new and their interpretations are still evolving, auditing requirements are
dynamic and are constantly changing. If you are putting a solution in place,
make sure that you can adapt to changing requirements quickly and that
such changes will not drive you crazy or create the same amount of work
every time they change.
In flexibility-oriented architectural terms, there are two main categories
of database auditing:
1. Auditing that is based on collecting all information and producing
   reports as defined by the requirements
2. Auditing that collects information as defined by the requirements
Of the two, the first option is more resilient to changing requirements.
If you are collecting all the data, there is very little you need to do when the
requirements change—it is merely a change to the report definitions. You
can even support an exercise of exploration and trial-and-error to help affect
the requirements. The second option requires much more work because
you will have to change pretty much everything every time the requirements
change, retest everything, redo the sizing estimates, and so on. The
tradeoff is that the second approach requires collecting less information.
Therefore, you can choose to use a combined approach where you collect
all information for audit categories that have not been solidified yet and the
second approach for areas with stable requirements.
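The following sketch is an added example, not taken from the original text. It contrasts the two categories using an in-memory SQLite audit table. The table layout, event records, and report names are all constructed for illustration. Report definitions are kept as data, so a changed requirement is a new entry in the report dictionary, while the narrowly scoped collector returns nothing for the new report until its collection rules are changed as well.

```python
import sqlite3

# Constructed sample audit events: (timestamp, db_user, category, statement)
EVENTS = [
    ("2024-01-05T09:00", "app_svc", "DML", "UPDATE orders SET status='shipped'"),
    ("2024-01-05T09:02", "dba_amy", "DDL", "ALTER TABLE payroll ADD bonus INT"),
    ("2024-01-05T09:05", "dba_amy", "SELECT", "SELECT * FROM payroll"),
    ("2024-01-05T09:07", "app_svc", "SELECT", "SELECT id FROM orders"),
    ("2024-01-05T09:09", "intern1", "LOGIN_FAILED", "CONNECT"),
]

def build_store(collect_filter=None):
    """Load events into an audit table; collect_filter=None means collect all."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit(ts TEXT, db_user TEXT, category TEXT, stmt TEXT)")
    rows = [e for e in EVENTS if collect_filter is None or collect_filter(e)]
    db.executemany("INSERT INTO audit VALUES (?,?,?,?)", rows)
    return db

# Report definitions are data: name -> WHERE clause over the audit table.
# They are trusted configuration written by the audit team, never user input.
REPORTS_V1 = {"schema_changes": "category = 'DDL'"}
# The requirement changes: auditors now also want reads of the payroll table.
REPORTS_V2 = dict(REPORTS_V1,
                  payroll_reads="category = 'SELECT' AND stmt LIKE '%payroll%'")

def run_reports(db, reports):
    """Run every report definition and return {name: [(ts, db_user), ...]}."""
    return {
        name: db.execute(
            f"SELECT ts, db_user FROM audit WHERE {where} ORDER BY ts"
        ).fetchall()
        for name, where in reports.items()
    }

def demo():
    collect_all = build_store()                        # category 1: collect everything
    collect_v1 = build_store(lambda e: e[2] == "DDL")  # category 2: scoped to V1 only
    return run_reports(collect_all, REPORTS_V2), run_reports(collect_v1, REPORTS_V2)

if __name__ == "__main__":
    full, narrow = demo()
    print("collect-all store:", full)
    print("requirement-scoped store:", narrow)
```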
13.11 Prefer an auditing architecture that is also able to support remediation
Finally, remember that auditing is a means to an end, not a goal. No one
wants to collect a lot of data simply for the purpose of collecting data. No
one likes sifting through long logs and reviewing tedious reports. Moreover,
no one wants to uncover serious problems unless these problems can also be
resolved (preferably at the same time). In fact, most people would prefer
not knowing about their problems at all unless they have a simple and effective
way to resolve the problems.
Therefore, an architectural solution that not only audits but can also
define and enforce a policy and that helps resolve problems that are identi-