Chapter 7 Database Auditing Models

Slides:

Advertisements

Similar presentations

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Advertisements

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

More CMM Part Two : Details.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

The Islamic University of Gaza

Database Management System

Security Controls – What Works

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

Chapter 7 Database Auditing Models

Computer Security: Principles and Practice

First Practice - Information Security Management System Implementation and ISO Certification.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Introduction to Systems Analysis and Design

Network security policy: best practices

Understanding Active Directory

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

CSIS Database Security, Dr. Guimaraes Adapted from Afyouni, Database Security and Auditing Database Auditing (Ch. 7) Overview of Auditing Overview.

Adapted from Afyouni, Database Security and Auditing Database Application Auditing – Ch. 8.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Internal Auditing and Outsourcing

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

SEC835 Database and Web application security Information Security Architecture.

How To Apply Quality Management

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

Lecture #9 Project Quality Management Quality Processes- Quality Assurance and Quality Control Ghazala Amin.

Switch off your Mobiles Phones or Change Profile to Silent Mode.

Security Architecture

User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.

Module 9 Configuring Messaging Policy and Compliance.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.

Module 9 Configuring Messaging Policy and Compliance.

FSA - The Financial Supervision Authority Nele Piir, Marge Laan, Kadri Toks.

1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

A university for the world real R © 2009, Chapter 9 The Runtime Environment Michael Adams.

McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved. 6-1 Chapter 6 CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT.

Information Security IBK3IBV01 College 2 Paul J. Cornelisse.

Academic Year 2014 Spring Academic Year 2014 Spring.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.

ISO Registration Common Areas of Nonconformances.

Generally Accepted Recordkeeping Principles: The Principle of Transparency Alaska Chapter of ARMA International Presented by: Tara Carey, ARMA Board Member.

©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley The Demand for Audit and Other Assurance Services Chapter 1.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

WESTERN PA CHAPTER OF THE AMERICAN PAYROLL ASSOCIATION – NOVEMBER 4, 2015 Risk Management for Payroll.

Chapter 8-1 Chapter 8 Accounting Information Systems Information Technology Auditing Dr. Hisham madi.

Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.

Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

The Demand for Audit and Other Assurance Services

Internal Control Principles

CPA Gilberto Rivera, VP Compliance and Operational Risk

Software Project Configuration Management

The Demand for Audit and Other Assurance Services

Systems Implementation,

Session 11 Other Assurance Services

SYSTEMS ANALYSIS Chapter-2.

Chapter 9 Control, security and audit

Description of Revision

PLANNING A SECURE BASELINE INSTALLATION

Configuration Management

{Project Name} Organizational Chart, Roles and Responsibilities

Presentation transcript:

Chapter 7 Database Auditing Models Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models

Objectives Gain an overview of auditing fundamentals Understand the database auditing environment Create a flowchart of the auditing process List the basic objectives of an audit Database Security and Auditing

Objectives (continued) Define the differences between auditing classifications and types List the benefits and side effects of an audit Create your own auditing models Database Security and Auditing

Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices, conduct Audit measures: compliance to policies, procedures, processes and laws Database Security and Auditing

Definitions Audit/auditing: process of examining and validating documents, data, processes, procedures, systems Audit log: document that contains all activities that are being audited ordered in a chronological manner Audit objectives: set of business rules, system controls, government regulations, or security policies Database Security and Auditing

Definitions (continued) Auditor: person authorized to audit Audit procedure: set of instructions for the auditing process Audit report: document that contains the audit findings Audit trail: chronological record of document changes, data changes, system activities, or operational events Database Security and Auditing

Definitions (continued) Data audit: chronological record of data changes stored in log file or database table object Database auditing: chronological record of database activities Internal auditing: examination of activities conducted by staff members of the audited organization External auditing Database Security and Auditing

Auditing Activities Evaluate the effectiveness and adequacy of the audited entity Ascertain and review the reliability and integrity of the audited entity Ensure the organization complies with policies, procedures, regulations, laws, and standards of the government and the industry Establish plans, policies, and procedures for conducting audits Database Security and Auditing

Auditing Activities (continued) Keep abreast of all changes to audited entity Keep abreast of updates and new audit regulations Provide all audit details to all company employees involved in the audit Publish audit guidelines and procedures Act as liaison between the company and the external audit team Database Security and Auditing

Auditing Activities (continued) Act as a consultant to architects, developers, and business analysts Organize and conduct internal audits Ensure all contractual items are met by the organization being audited Identify the audit types that will be used Database Security and Auditing

Auditing Activities (continued) Identify security issues that must be addressed Provide consultation to the Legal Department Database Security and Auditing

Auditing Environment Auditing examples: Financial auditing Security auditing Audit also measures compliance with government regulations and laws Audits take place in an environment: Auditing environment Database auditing environment Database Security and Auditing

Auditing Environment (continued) Components: Objectives: an audit without a set of objectives is useless Procedures: step-by-step instructions and tasks People: auditor, employees, managers Audited entities: people, documents, processes, systems Database Security and Auditing

Auditing Environment (continued) Database Security and Auditing

Auditing Environment (continued) Database Security and Auditing

Auditing Environment (continued) Database auditing environment differs slightly from generic auditing environment Security measures are inseparable from auditing Database Security and Auditing

Auditing Process Quality Assurance (QA): Ensure system is bug free and functioning according to its specifications Ensure product is not defective as it is being produced Auditing process: ensures that the system is working and complies with the policies, regulations and laws Database Security and Auditing

Auditing Process (continued) Performance monitoring: observes if there is degradation in performance at various operation times Auditing process flow: System development life cycle Auditing process: Understand the objectives Review, verify, and validate the system Document the results Database Security and Auditing

Auditing Process (continued) Database Security and Auditing

Auditing Process (continued) Database Security and Auditing

Auditing Objectives Part of the development process of the entity to be audited Reasons: Complying Informing Planning Executing Database Security and Auditing

Auditing Objectives (continued) Top ten database auditing objectives: Data integrity Application users and roles Data confidentiality Access control Data changes Database Security and Auditing

Auditing Objectives (continued) Top ten database auditing objectives (continued): Data structure changes Database or application availability Change control Physical access Auditing reports Database Security and Auditing

Auditing Classifications and Types Industry and business sectors use different classifications of audits Each classification can differ from business to business Audit classifications: also referred as types Audit types: also referred as purposes Database Security and Auditing

Audit Classifications Internal audit: Conducted by a staff member of the company being audited Purpose: Verify that all auditing objectives are met Investigate a situation prompted by an internal event or incident Investigate a situation prompted by an external request Database Security and Auditing

Audit Classifications (continued) External audit: Conducted by a party outside the company that is being audited Purpose: Investigate the financial or operational state of the company Verify that all auditing objectives are met Database Security and Auditing

Audit Classifications (continued) Automatic audit: Prompted and performed automatically (without human intervention) Used mainly for systems and database systems Administrators read and interpret reports; inference engine or artificial intelligence Manual audit: performed completely by humans Hybrid audit Database Security and Auditing

Audit Types Financial audit: ensures that all financial transactions are accounted for and comply with the law Security audit: evaluates if the system is as secure Compliance audit: system complies with industry standards, government regulations, or partner and client policies Database Security and Auditing

Audit Types (continued) Operational audit: verifies if an operation is working according to the policies of the company Investigative audit: performed in response to an event, request, threat, or incident to verify integrity of the system Product audit: performed to ensure that the product complies with industry standards Database Security and Auditing

Benefits and Side Effects of Auditing Enforces company policies and government regulations and laws Lowers the incidence of security violations Identifies security gaps and vulnerabilities Provides an audit trail of activities Provides means to observe and evaluate operations of the audited entity Database Security and Auditing

Benefits and Side Effects of Auditing (continued) Benefits (continued): Provides a sense of security and confidence Identifies or removes doubts Makes the organization more accountable Develops controls that can be used for purposes other than auditing Database Security and Auditing

Benefits and Side Effects of Auditing (continued) Performance problems Too many reports and documents Disruption to the operations of the audited entity Consumption of resources, and added costs from downtime Friction between operators and auditor Same from a database perspective Database Security and Auditing

Auditing Models Can be implemented with built-in features or your own mechanism Information recorded: State of the object before the action was taken Description of the action that was performed Name of the user who performed the action Database Security and Auditing

Auditing Models (continued) Database Security and Auditing

Simple Auditing Model 1 Easy to understand and develop Registers audited entities in the audit model repository Chronologically tracks activities performed Entities: user, table, or column Activities: DML transaction or logon and off times Database Security and Auditing

Simple Auditing Model 1 (continued) Database Security and Auditing

Simple Auditing Model 1 (continued) Control columns: Placeholder for data inserted automatically when a record is created or updated (date and time record was created and updated) Can be distinguished with a CTL prefix Database Security and Auditing

Simple Auditing Model 1 (continued) Database Security and Auditing

Simple Auditing Model 2 Only stores the column value changes There is a purging and archiving mechanism; reduces the amount of data stored Does not register an action that was performed on the data Ideal for auditing a column or two of a table Database Security and Auditing

Simple Auditing Model 2 (continued) Database Security and Auditing

Advanced Auditing Model Called “advanced” because of its flexibility Repository is more complex Registers all entities: fine grained auditing level Can handle users, actions, tables, columns Database Security and Auditing

Advanced Auditing Model (continued) Database Security and Auditing

Advanced Auditing Model (continued) Database Security and Auditing

Historical Data Model Used when a record of the whole row is required Typically used in most financial applications Database Security and Auditing

Historical Data Model (continued) Database Security and Auditing

Auditing Applications Actions Model Database Security and Auditing

C2 Security Given to Microsoft SQL Server 2000 Utilizes DACLs (discretionary access control lists) for security and audit activities Requirements: Server must be configured as a C2 system Windows Integrated Authentication is supported SQL native security is not supported Only transactional replication is supported Database Security and Auditing

Summary Audit examines, verifies and validates documents, procedures, processes Auditing environment consists of objectives, procedures, people, and audited entities Audit makes sure that the system is working and complies with the policies, standards, regulations, and laws Auditing objectives established during development phase Database Security and Auditing

Summary (continued) Objectives: compliance, informing, planning, and executing Classifications: internal, external, automatic, manual, hybrid Models: Simple Auditing 1, Simple Auditing 2, Advanced Auditing, Historical Data, Auditing Applications, C2 Security Database Security and Auditing