FFIEC – Database auditing

I have to admit that I was very pleasantly surprised by the clarity of the information provided by the FFIEC and its availability.

For those who don’t know what the FFIEC is: it is the Federal Financial Institutions Examination Council. The FFIEC was established by Congress in 1979 to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, to make recommendations to promote uniformity in the supervision of financial institutions, and to conduct schools for examiners.

Guidance offered by the FFIEC is to be followed by financial institutions and is enforced by the examiners the FFIEC trains. If, for example, the FFIEC requires databases to be audited, financial institutions should comply. So I dug a little through the FFIEC guidance to see just how explicit the requirement is. While I’m certain that there are many pages in the guidance requiring database auditing, here are a few that I found.

Database Management is a very short page dealing with databases and covers some basic security principles. If you work in a financial institution and deal with databases or security, I recommend spending 5 minutes to read this page.

First, I would like to correct a statement made on that page: “It is possible to control, monitor, and log access to data … but there is a systems performance cost.” Core Audit provides Full Capture of all database activity at less than 3% overhead. The Full Capture technology developed by Blue Core Research is the only one that allows for such low overhead, so there is some truth to the statement. But while other tools would impact system performance, a performance cost is not inevitable.

The following quote from the same page explicitly requires monitoring of DBA activity via a database auditing tool:

“The primary risk associated with database administration is that an administrator can alter sensitive data without those modifications being detected. A secondary risk is that an administrator can change access rights to information stored within the database as well as their own access rights. As a preventive control against these risks, the institution should restrict and review access administration and data altering by the administrator. Close monitoring of database administrator activities by management is both a preventive and detective control.”

The page about Database Management Systems also explicitly requires database auditing:

“Organizations should employ automated auditing tools, such as journaling, that identify who accessed or attempted to access a database and what, if any, data was changed.”

Another page requiring database auditing is about access rights:

  • “Formal access rights administration for users consists of four processes: … A monitoring process to oversee and manage the access rights granted to each user on the system.”
  • “Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include: … Logging and auditing the use of privileged access …”
  • “Default user accounts should either be disabled, or the authentication to the account should be changed. Additionally, access to these default accounts should be monitored more closely than other accounts.”

The last statement clearly suggests that while certain accounts should be monitored more closely, all accounts should be monitored.

The Activity Monitoring page is focused more on host and network activity monitoring, but has a short list of security events that applies to databases as well: “Examples of security events include operating system access, privileged access, creation of privileged accounts, configuration changes, and application access.”
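To make the quoted requirements concrete, here is an added example (not from the FFIEC guidance and not Blue Core Research code) that tags constructed database audit records with the categories the quotes above ask management to watch: DBA data alteration, access-rights changes including an administrator changing their own rights, default-account use, privileged access, and failed access attempts. The record format and the list of default account names are assumptions.

```python
"""Tag database audit records with the monitoring categories the FFIEC pages cite."""
from collections import Counter

# Constructed sample audit records (not from any real system):
# who acted, their role, the action, the target object, and whether it succeeded.
AUDIT_LOG = [
    {"user": "dba_jane", "role": "DBA", "action": "UPDATE", "object": "customers", "ok": True},
    {"user": "dba_jane", "role": "DBA", "action": "GRANT", "object": "dba_jane", "ok": True},
    {"user": "sa", "role": "DEFAULT", "action": "SELECT", "object": "accounts", "ok": True},
    {"user": "app_svc", "role": "APP", "action": "SELECT", "object": "accounts", "ok": False},
    {"user": "app_svc", "role": "APP", "action": "SELECT", "object": "accounts", "ok": True},
    {"user": "dba_bob", "role": "DBA", "action": "ALTER USER", "object": "app_svc", "ok": True},
]

PRIVILEGED_ROLES = {"DBA"}                                   # "privileged access"
DATA_ALTERING = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}   # "data altering by the administrator"
RIGHTS_ADMIN = {"GRANT", "REVOKE", "ALTER USER", "CREATE USER"}  # "change access rights"
DEFAULT_ACCOUNTS = {"sa", "sys", "system", "root"}           # assumption: vendor default account names


def classify(event):
    """Return the list of FFIEC-cited categories a single audit record falls into."""
    tags = []
    if event["role"] in PRIVILEGED_ROLES:
        tags.append("privileged-access")
        if event["action"] in DATA_ALTERING:
            tags.append("dba-data-alteration")
    if event["action"] in RIGHTS_ADMIN:
        tags.append("access-rights-change")
        if event["object"] == event["user"]:     # administrator changing their own rights
            tags.append("self-privilege-change")
    if event["user"].lower() in DEFAULT_ACCOUNTS:  # default accounts watched more closely
        tags.append("default-account-use")
    if not event["ok"]:                            # "attempted to access a database"
        tags.append("failed-access-attempt")
    return tags


def review(log):
    """Events that need management review, with their tags; untagged events are dropped."""
    return [(e["user"], e["action"], e["object"], t) for e in log if (t := classify(e))]


def summary(log):
    """How many events fell into each category, for a periodic review report."""
    return Counter(tag for e in log for tag in classify(e))


if __name__ == "__main__":
    for row in review(AUDIT_LOG):
        print(row)
    print(dict(summary(AUDIT_LOG)))
```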

I honestly think the FFIEC guidance couldn’t be any clearer, but to understand the value of activity monitoring have a look at the Security Monitoring page.
