Minimize
Blogger List

Johannes Ahrends
Toad and Oracle

Ben Boise
Toad SC Discussions

Kevin Dalton
Benchmark Factory

Steven Feuerstein
PL/SQL Obsession

Devin Gallagher
Toad SC discussions

Stuart Hodgins
JProbe Discussions
  Henrik "Mauritz" Johnson
Toad Tips & Tricks on the "other" Toads
  Mark Kurtz
Toad SC discussions
  Michael Lumbard
Toad SC discussions
Daniel Norwood
Toad for Data Analysts,
Toad Extension for Visual Studio
Debbie Peabody
Toad for Data Analysts
Gary Piper
Toad Reports Manager
John Pocknell
Toad for Oracle, JProbe
Kuljit Sangha
Toad SC discussions
Bert Scalzo Indicates Oracle ACE status
Toad for Oracle, Data Modeling, Benchmarking
Jeff Smith
Toad product family
Richard To
SQL Optimization
Jim Wankowski
DB2 - LUW and z/OS
John Weathington
  Toad Data Modeler Opens in a new window
Data Modeling		  
  Real Automated Code Testing for Oracle
Quest Code Tester blog
 
Minimize
Blog Categories
 
Minimize
Blog Tags
toad for oracle (122)
oracle (62)
plsql (46)
sql optimization (37)
toad for data analysts (28)
code tester (19)
toad for ibm db2 (13)
automation (11)
batch optimizer (10)
virtualization (10)
schema browser (9)
toad for sql server (9)
data grid (8)
sql (8)
sql editor (8)
toad data modeler (8)
benchmark factory (7)
excel (7)
query builder (7)
report manager (7)
toad extension (7)
visual studio (7)
11g (6)
configuration (6)
freeware (6)
health check (6)
vmware (6)
connect (5)
dba module (5)
er diagrammer (5)
F4 (5)
linux (5)
refactoring (5)
spotlight (5)
unicode (5)
compare (4)
debugger (4)
export (4)
formatter (4)
make code (4)
rman (4)
strip code (4)
benchmark (3)
bfscript (3)
bulk collect (3)
code templates (3)
code xpert (3)
database browser (3)
db2 (3)
notebook (3)
oem (3)
RAC (3)
session browser (3)
speed (3)
sql optimizer (3)
toad for mysql (3)
tpc-c (3)
9.7 (2)
alert log (2)
app designer (2)
awr (2)
code insight (2)
code snippets (2)
collection (2)
compare and sync (2)
compliance (2)
data generator (2)
data warehouse (2)
database explorer (2)
database monitor (2)
explain (2)
forall (2)
ftp (2)
group execute (2)
handbook (2)
installation (2)
job scheduler (2)
multi-task (2)
nested table (2)
os command (2)
profiler (2)
recovery (2)
release history (2)
save as (2)
schema compare (2)
sql recall (2)
stats pack (2)
subversion (2)
team coding (2)
trace file browser (2)
while loop (2)
10g (1)
64 bit (1)
7zip (1)
action (1)
addm (1)
alter (1)
ansi join (1)
array (1)
ccleaner (1)
code coverage (1)
code road map (1)
CRON (1)
cursor for loop (1)
data browser (1)
data subset (1)
database probe (1)
dbms_flashback (1)
dbms_profiler (1)
ddl (1)
feuerstein (1)
filezilla (1)
flash drive (1)
flow control (1)
for loop (1)
group policy manager (1)
hints (1)
import (1)
index (1)
inheritance (1)
invoker rights (1)
ipad (1)
java (1)
latency (1)
log switch (1)
logical model (1)
ltrim (1)
master-detail browser (1)
monitor (1)
multi-select (1)
naming standards (1)
network (1)
object explorer (1)
OEBS (1)
package (1)
parser (1)
partitioning (1)
performance (1)
pragma (1)
project manager (1)
RAT (1)
revo (1)
REXEC (1)
schema report (1)
script manager (1)
search (1)
set operator (1)
sga (1)
slow (1)
sonarsource (1)
source control (1)
space projection (1)
sql monitor (1)
sql navigator (1)
sql script (1)
sql tracker (1)
sql*plus (1)
standards (1)
statistics (1)
stored procedure (1)
string parser (1)
sub-model (1)
sub-type (1)
synch (1)
synchback (1)
TELNET (1)
toad (1)
trace (1)
unit test (1)
unix (1)
usb (1)
utility (1)
v10 (1)
v9.5 (1)
version control (1)
waits (1)
workload replay (1)
workspace (1)
xml (1)
 
WELCOME, GUEST
 
 

Blogs
Toad and Database Commentaries

Toad World blogs are a mix of insightful how-tos from Quest experts as well as their commentary on experiences with new database technologies.  Have some views of your own to share?  Post your comments!  Note:  Comments are restricted to registered Toad World users.

Do you have a topic that you'd like discussed?  We'd love to hear from you.  Send us your idea for a blog topic.

How to Correct a Bad Situation

Jul 10

Written by: JohnWeathington
Thursday, July 10, 2008  RssIcon

I’m doing sort of a skip series here on control architectures. A few weeks back, we discussed the golden child of controls – the Preventive Control. Then, a couple of weeks ago we tackled the second best option – the Contingent Control. Now, let’s take a look at the Corrective Control.

I’m not going to say it’s the third best option, because by the time we get this far down the road, it’s not worth ranking anymore. If you’ll remember our discussion on contingent controls, the reason why we preferred contingent over anything else, was because it’s dealing with a situation before a risk event occurs. Therefore, any proactive activity you can take to get risk under control is the best course of action.

So you might think we’re entering a loop in logic, because we’ll be discussing a type of control that is reactive. Meaning, the risk event has already happened. And, since we’re discussing architecture, that in itself implies that we’re planning for something. So how can this be reactive? I recognize this upfront, and I promise you that things will clear up before the end of the article.

So, in the reactive category of controls, we have corrective and adaptive. The difference between the two is the risk property that we’re dealing with. Corrective controls deal with the cause of the risk, and adaptive controls deal with impact. In our previous fraud example, the corrective control would be the huge fines and penalties inflicted on the evil-doers that caused the mess.

Building a Case for Corrective Controls

But before we jump into architecture, let’s answer a question that might be on your minds right now. If we have good, preventive controls in place and maybe even some contingent controls, do we even need to worry about corrective controls?

The answer is, “Absolutely,” and here are three reasons why:

  1. You need to control for the risk that your preventive control is not effective. You can and should do this with a corrective control. This is actually the most common reason for installing corrective controls.  I did an article one in my newsletter Flawless Compliance(tm), where we talked about the college campus shootings. The college thought they had good preventive controls in place, but it turns out those controls failed. A corrective and / or adaptive control is the only thing to consider at this point.
  2. In some situations, you cannot install preventive or contingent controls. Think about an earthquake taking out your only data center. You cannot prevent an earthquake, and you don’t have enough money to install a mirror site outside of California for disaster recovery.
  3. In some situations, you will purposely decide not to control a risk ahead of time. In your initial risk analysis, you may have determined that the risk was either improbable, low impact, or both. Consider a risk with a very low probability but a somewhat high impact. If you decided to ignore this risk, and it shows up in spite of the low probability, then you have an issue.

I hope I’ve presented a strong enough case for you to at least consider the importance of corrective controls. I have three design considerations that you might want to put in place.

For Starters – How About a Detection System

If you compare my view of controls to others’ like Oracle GRC, you’ll find I’m a little more particular in the classification. That’s because I’m looking at it from a different point-of-view, and I feel the distinctions are very important. In the Oracle GRC world, you have controls that are classified for prevention and for detection. I believe detection is good, but you should not stop there. Oracle’s definition of detection is actually a subset of what I would consider a full corrective control.
Nonetheless, I like the idea. A detection system will attempt to flag assertion violations. When things are supposed to be a certain way, an assertion is made. For instance, Balance A should match Balance B. A detection system will try to identify situations where this isn’t true. In Keep it Under Control with Reconciliation, we discuss some great architectures for controlling situations like this.

You may argue at this point, that building a system upfront is a planning activity, which disagrees with our definition of a corrective control. As promised earlier, I’ll clear that up for your right now.
It is important to separate the act of reaction, with the infrastructure that adequately supports the capability of reacting. Remember, in our detection system, if a violation is identified, there’s nothing you can do to undo that. You are catching the violation after the fact, and hopefully you will do something about it, so it still falls under the category of corrective. The key is knowing that something like this might happen, and enabling your business users to react properly.

A detection system is the first enabler, but what else can we do?

Uh Oh, Now What? – How About a Tracking System

Your business now needs a way to track what happens after the violation occurs. Consider a ticketing system, similar to a help desk. This will be different from a contingent control, in that there is no predefined process that should be taken. So, instead of making sure a contingent plan is followed, we want to make sure a generic plan is followed. Once again, you can leverage what we discussed in Automated Process Auditing, or develop something simple purely for this purpose.
Like a help desk application, the system should track the violation that created the ticket, who it’s assigned to, who’s ultimately responsible for the corrective process, when actions are taken and by whom, and some comments on resolution. You can use your corporate practices and common sense to fill in the rest, but you get the idea.

How Well Did We Do? – Ask Your Metrics System

The purpose of any corrective action is to improve your compliance metrics. That implies that you have compliance metrics that are religiously being tracked. Of course the best way to do that is in a data system. I suggest a Compliance Metrics System.

Track metrics that demonstrate how well your compliance is doing. Metrics such as # of violations per day, are key in the visibility and transparency of your compliance operation. To enhance the metric system, also track when corrective controls were executed, and how they ( hopefully ) improved your compliance picture. Objective analysis like this can unequivocally demonstrate that responding to your violation with your corrective control made a significant difference to your company’s operation.

Corrective controls are another area of consideration, when designing your compliance data system. Don’t overlook their necessity, as they may be required in cases where other types of controls are not possible or feasible. Architecture considerations include detection systems, tracking systems, and metric systems that demonstrate improved compliance. A detection system is a great initial step. You can start designing one today.

Trackback Print
Tags:
Categories:
Location: Blogs Parent Separator John Weathington's Blog
Minimize
Most Popular
 
Search Blog Entries
 
Blog Archives