Good Morning ACUA!
I'm interested in learning how other higher education institutions approach database activity monitoring and review responsibilities.
For institutions that generate database audit reports (e.g., privileged activity, INSERT/UPDATE/DELETE activity, schema changes, or other high-risk transactions):
- Who is responsible for reviewing the reports?
- How do reviewers determine whether activity is authorized and appropriate?
- Are reviews performed by technical administrators, data owners, data custodians, or a combination of stakeholders?
- How do you handle situations where the reviewer may not have sufficient business knowledge to determine whether a change was expected?
- Have you established thresholds, exception criteria, or workflows that help focus reviews on potentially unauthorized activity?
I'm particularly interested in understanding governance models that balance technical oversight with business ownership of the data.
Thank you for sharing any approaches, lessons learned, or best practices!
------------------------------
Shereese Thomas | IT Audit Manager | Wayne State University
|
ae7694@wayne.edu------------------------------