CISA Made Easy

- easy CISA preparation

Wednesday, October 8, 2008

Auditing a Database Management System (DBMS)

There are many types of database system. Some important database models are:

1. Simple Flat File Model
2. Hierarchical Model
3. Network Model
4. Relational Model
5. Object-Oriented Relational Model, etc.



An IS auditor or database auditor should broadly examine the following areas while auditing a database (mainly for the relational model):

1. Database consistency
2. Data integrity
3. Data independence
4. Other ACID properties
5. Distinction between the external, conceptual and internal views of the database
6. Division of labour and segregation of duties
7. Access control

Most of the above topics have already been explained in my earlier posts.
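The consistency and ACID properties listed above are easiest to see in a working transaction. The following is an added example, not code from the original post: it uses Python's built-in sqlite3 module and a constructed two-row account table whose CHECK constraint is the consistency rule. A transfer that would violate the rule is rolled back as a whole, so the credit already applied to the receiving account is undone together with the failed debit (atomicity), and the sum of all balances never changes.

```python
import sqlite3

# Constructed sample schema: the CHECK constraint is the consistency rule
# the DBMS must never let a committed transaction break.
SCHEMA = """
CREATE TABLE account (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
INSERT INTO account VALUES (1, 'alice', 100), (2, 'bob', 50);
"""


def open_sample_db() -> sqlite3.Connection:
    """Return an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def transfer(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Move `amount` from account `src` to `dst` as one atomic transaction.

    The credit is applied first on purpose: if the later debit would drive the
    source balance negative, the CHECK constraint raises IntegrityError, the
    whole transaction is rolled back and the credit is undone as well.
    Returns True on commit, False on rollback.
    """
    try:
        with conn:  # BEGIN ... COMMIT, or ROLLBACK if an exception escapes
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn: sqlite3.Connection) -> dict:
    """Snapshot of every balance, used to verify the state after each attempt."""
    return dict(conn.execute("SELECT owner, balance FROM account ORDER BY id"))


def total(conn: sqlite3.Connection) -> int:
    """Sum of all balances: must be unchanged by any transfer, committed or not."""
    return conn.execute("SELECT SUM(balance) FROM account").fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    print("valid transfer committed:", transfer(db, 1, 2, 30), balances(db))
    print("overdraft rolled back   :", transfer(db, 2, 1, 500), balances(db))
    print("total preserved         :", total(db))
```

An auditor reviewing application code looks for exactly this pattern: multi-statement updates wrapped in a single transaction, with constraints enforced by the database rather than only by the application, so that a partial failure can never leave the data in an inconsistent state.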




The following are the minimum steps an IS auditor should ensure when auditing a DBMS.

1. OS user rights and privileges and database user rights should be granted strictly according to need (least privilege).

2. The IS auditor should verify that installation privileges and data-file access privileges conform to the security policy and standards.

3. Duties should be segregated among the Database Administrator (DBA), the Security Administrator and the Programmer.

4. Separate test and live (production) databases should be available.

5. Patches and modifications should be tested before being applied to the live environment, and proper documentation should be available.

6. All database logs should be verified periodically.

7. A proper backup system should be in place.

8. Backups should be tested periodically.

9. The data should be consistent: the same data held in two tables should not differ.

10. Password files and password fields should be encrypted.

11. Documentation of database incidents should be complete.

12. Default user names and passwords should not be in use.
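Several of these steps (1, 9, 10 and 12) can be turned into queries an auditor runs against the database rather than statements to tick off. The block below is an added example, not part of the original post or of any product's own tooling: it builds a constructed in-memory SQLite database standing in for a DBMS's user catalogue and two application tables, and runs one check per step. The table and column names, the list of default account names, the approved-DBA list and the "looks protected" credential heuristic are all assumptions for this example; a real engagement substitutes the target DBMS's catalogue views and the organisation's own policy lists.

```python
import re
import sqlite3

# Constructed sample data standing in for the user catalogue and two
# application tables of a real DBMS; every name and value here is assumed.
SAMPLE = """
CREATE TABLE db_user (username TEXT PRIMARY KEY, role TEXT, password TEXT, enabled INTEGER);
INSERT INTO db_user VALUES
  ('app_svc',   'dba',  '$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA', 1),
  ('sa',        'dba',  'changeme', 1),
  ('reporting', 'read', 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 1),
  ('jdoe',      'dba',  '$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA', 1);
CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT);
CREATE TABLE billing_contact (customer_id INTEGER, email TEXT);
INSERT INTO customer VALUES (1, 'a@example.com'), (2, 'b@example.com');
INSERT INTO billing_contact VALUES (1, 'a@example.com'), (2, 'b@example.org'), (3, 'c@example.com');
"""

# Assumptions for this example: account names the installation is known to
# create by default, and the DBA role holders the security policy approves.
DEFAULT_ACCOUNTS = {"sa", "scott", "guest"}
APPROVED_DBAS = {"jdoe"}
# Heuristic: a stored credential is treated as protected when it is a
# modular-crypt style string ($scheme$...) or a fixed-length hex digest.
PROTECTED_CREDENTIAL = re.compile(r"^\$[a-z0-9-]+\$|^[0-9a-f]{32,128}$")


def open_sample_db() -> sqlite3.Connection:
    """Return an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn


def unapproved_dbas(conn: sqlite3.Connection) -> list:
    """Step 1: enabled accounts holding DBA rights outside the approved list."""
    rows = conn.execute("SELECT username FROM db_user WHERE role = 'dba' AND enabled = 1")
    return sorted(u for (u,) in rows if u not in APPROVED_DBAS)


def consistency_findings(conn: sqlite3.Connection) -> dict:
    """Step 9: the same datum held differently in two tables, plus orphan rows."""
    mismatched = conn.execute("""
        SELECT c.id FROM customer c
        JOIN billing_contact b ON b.customer_id = c.id
        WHERE c.email <> b.email""").fetchall()
    orphans = conn.execute("""
        SELECT b.customer_id FROM billing_contact b
        LEFT JOIN customer c ON c.id = b.customer_id
        WHERE c.id IS NULL""").fetchall()
    return {"mismatched": [r[0] for r in mismatched], "orphans": [r[0] for r in orphans]}


def plaintext_credentials(conn: sqlite3.Connection) -> list:
    """Step 10: password fields whose value does not look like a protected credential."""
    rows = conn.execute("SELECT username, password FROM db_user")
    return sorted(u for u, p in rows if not PROTECTED_CREDENTIAL.search(p))


def enabled_default_accounts(conn: sqlite3.Connection) -> list:
    """Step 12: default accounts that are still present and enabled."""
    rows = conn.execute("SELECT username FROM db_user WHERE enabled = 1")
    return sorted(u for (u,) in rows if u in DEFAULT_ACCOUNTS)


def audit(conn: sqlite3.Connection) -> dict:
    """Run every check and return the findings keyed by audit step."""
    return {
        "step1_unapproved_dbas": unapproved_dbas(conn),
        "step9_consistency": consistency_findings(conn),
        "step10_plaintext_credentials": plaintext_credentials(conn),
        "step12_default_accounts": enabled_default_accounts(conn),
    }


if __name__ == "__main__":
    for step, finding in audit(open_sample_db()).items():
        print(f"{step}: {finding}")
```

Each finding maps back to a step in the checklist, which is what makes the working papers defensible: the auditor can show the exact query, the exact rows it returned and the policy list it was compared against. The heuristic for "protected" credentials is deliberately conservative; a value that fails it is a lead to investigate, not proof of plaintext storage.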


