Restricting Access to Databases

Restricting Access to Databases

Restricting access to production databases is a requirement of Sarbanes-Oxley_Act sections 302, 404, and is included in the COBIT framework.

Restricting access

Steps to restrict database access within an organization:
#Implement Separation_of_duties (SOD) a preventive control.
#Establish test and production environments which is preventive control.
#Restrict user account and Database_administrator access which is a preventive control.
#Turn on audit trails, monitoring software, or exception reports which are detective controls.

Elements to restrict include:

#Data_access (Successful/Failed Selects)

#Data Changes (Insert, Update, Delete)

#System Access (Successful/Failed Logins; User/Role/Permissions/Password changes)

#Privileged User Activity (All)

#Schema Changes (Create/Drop/Alter Tables, Columns, Fields)

Controls

Compensating Controls:
#Exploiting technology known as triggers. Triggers are user-written code, or DBA-written code, that gets inserted into the database and gets executed whenever an insert or an update or a delete occurs.
Cons:
a.) Transaction performance could suffer.
b.) This solution does not provide 100% assurances of an incorruptible audit trail.
c.) Triggers can be modified by anyone who has the appropriate privileges.

#Implement application-based auditing.
Con:
Effective only if no other application or utility can access the database(s).

#Perform auditing on a per-database, per-table, per-column, or per-user basis.
Con:
Labor intensive for IT. Would require a manual review the audit report and verify (before/after) what was changed and sign-off that the change was authorized and acceptable.

Control evaluation considerations by Internal Audit: The overall control evaluation cannot be determined until after the compensating controls have been reviewed and tested within the environment. If the compensating controls fail or are deemed inadequate the control issue could potentially be classified as a Significant Deficiency due to its pervasive nature and inability to validate that no unknown or inappropriate adjustments have been executed.

The best control environment surrounding databases is to have the ability to track and review, any and all adds, deletes and modifications to the databases.

Deficiency

Deficiency and Material Weakness Definitions:
• Preventative/Detective Control is missing; or
• Control objective is not met, or the control is not operating as designed; or
• The individual performing the control is not qualified or not authorized to perform the control.

An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements or errors in a timely basis.

Significant Deficiency is an internal control deficiency that adversely affects the entity’s ability to initiate, records, process, or report external financial data reliably in accordance with generally accepted accounting principles GAAP. A single or combination of deficiencies, that results in more than a remote likelihood that a misstatement of financial statements that is more than inconsequential in amount, and will not be prevented or detected.

Material Weakness is a significant deficiency that, by itself, or in combination with other significant deficiencies, results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

ee also

*Sarbanes-Oxley_Act
*COBIT

References

* [http://www.theiia.org The Institute of Internal Auditors]
* [http://www.isaca.org Information Systems Audit and Control Association]
* [http://www.itcinstitute.com IT Compliance Institute]
* [http://www.coso.org COSO]


Wikimedia Foundation. 2010.

Игры ⚽ Нужен реферат?

Look at other dictionaries:

  • Crystallographic database — A crystallographic database is a database specifically designed to store information about crystals and crystal structures. Crystals are solids having, in all three dimensions of space, a regularly repeating arrangement of atoms, ions, or… …   Wikipedia

  • MediaWiki — namespace redirects here. For help regarding the MediaWiki namespace on Wikipedia, see Help:MediaWiki namespace. For general information about Wikipedia namespaces, see Wikipedia:Namespace. Talk page and MediaWiki talk page redirect here. For… …   Wikipedia

  • Information security — Components: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications with the purpose to identify and apply information security… …   Wikipedia

  • Open Data — is a philosophy and practice requiring that certain data are freely available to everyone, without restrictions from copyright, patents or other mechanisms of control. It has a similar ethos to a number of other Open movements and communities… …   Wikipedia

  • Identity theft — is a form of stealing another person s identity in which someone pretends to be someone else by assuming that person s identity, typically in order to access resources or obtain credit and other benefits in that person s name. The victim of… …   Wikipedia

  • MagicDraw — Class diagram in MagicDraw 17.0 Developer(s) No Magic, Inc …   Wikipedia

  • Database system — A database system is a term that is typically used to encapsulate the constructs of a data model, database Management system (DBMS) and database.[1] A database is an organised pool of logically related data. Data is stored within the data… …   Wikipedia

  • Computers and Information Systems — ▪ 2009 Introduction Smartphone: The New Computer.       The market for the smartphone in reality a handheld computer for Web browsing, e mail, music, and video that was integrated with a cellular telephone continued to grow in 2008. According to… …   Universalium

  • Global serializability — In concurrency control of databases, transaction processing (transaction management), and other transactional distributed applications, Global serializability (or Modular serializability) is a property of a global schedule of transactions. A… …   Wikipedia

  • OpenLink ODBC Drivers — OpenLink Drivers for Open Database Connectivity (ODBC) Developer(s) OpenLink Software Operating system Cross platform Type ODBC, Databases, Data Management, Database Management System, Data Architecture, Software …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”