Microsoft® SQL Server® Database Audit/Assurance Program

ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®),
Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and
Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created Microsoft® SQL Server® Database Audit/Assurance Program (the “Work”) primarily
as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will
assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests
or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply
their own professional judgment to the specific circumstances presented by the particular systems or IT environment.

Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 978-1-60420-184-0

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.

Microsoft® SQL Server® Database Audit/Assurance Program is an independent publication and is not affiliated
with, nor has it been authorized, sponsored or otherwise approved by, Microsoft Corp.

© 2011 ISACA. All rights reserved. Page 2

ISACA wishes to recognize:

Researchers
Rene Aguero, CISSP, MCSE, Foothill FCU, USA
Christopher Bolton, CISA, CISSP, GSEC, Newegg Inc., USA
Dave Jones, CISA, CIA, Independent, USA
Ray Parrish, InSight Consulting Partners, USA
Tony Partida, GSG Associates Inc., USA
Cheryl Santor, CISA, CISM, CGEIT, CISSP, Los Angeles Metropolitan Water District, USA
Christina Tsang-Reveche, CISA, CISM, PMP, The Capital Group Companies, USA
Mike Villegas, CISA, CISSP, GSEC, Newegg Inc., USA

Expert Reviewers
Anjay Agarwal, CISA, CGEIT, CRISC, AAA Technologies P. Ltd., India
Shawna M. Bang, CGEIT, CRISC, Smart Business Information Technology, USA
Madhav Chablani, CISA, CISM, TippingPoint Consulting, India
Milthon J. Chavez, Ph.D., CISA, CISM, CGEIT, Integral Centre of Organizational Resilience, Venezuela
Yves M. Dorleans, CISA, Charles River Laboratories, USA
Luis Fuente, CGEIT, Junta de Castilla y Leon, Spain
Gbadamosi Folakemi Toyin, CGEIT, APDM, CGRC-IT, CICA, CIPM, IT Governance Consult, Nigeria
Curt Hartinger, CISA, CISM, CPA, GSNA, MSIA, Office of the State Treasurer, USA
Abdus Sami Khan, Sami Associates, Pakistan
Prashant A. Khopkar, CISA, CA, Grant Thornton, LLP, USA
Stephen C. Lau, CISA, CISSP, PricewaterhouseCoopers, USA
Lucio Molina Focazzio, CISA, CISM, ITIL, Colombia
Philippe Rivest, CISA, CEH, CISSP, TransForce, Canada
Megah Santio, CISA, Australia
Vipin Sehgal, CISA, Sun Life Financial, Canada
Vinoth Sivasubramanian, ABRCCI, CEH, ISO 27001 LA, ITIL V3, UAE Exchange Center LLC, UAE
John G. Tannahill, CISM, CGEIT, CA, J. Tannahill & Associates, Canada

ISACA Board of Directors


Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee


Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand

ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors


American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

The ISACA Los Angeles (CA, USA) Chapter for its support

Table of Contents

I. Introduction 5
II. Using This Document 6
III. Controls Maturity Analysis 8
IV. Assurance and Control Framework 10
V. Executive Summary of Audit/Assurance Focus 11
VI. Audit/Assurance Program 13
1. Planning and Scoping 13
2. Preparatory Steps 17
3. Access and Authorization 18
4. Security Processes and Monitoring 21
5. Backup and Recovery 23
6. Encryption 24
7. Trusted Relationships 25
8. Network Security 26
VII. Maturity Assessment 28
VIII. Assessment Maturity vs. Target Maturity 32
IX. References and Resources 33
X. Technical Appendix 33

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting
model. ITAF provides standards that are designed to be mandatory and that are the guiding
principles under which the IT audit and assurance profession operates. The guidelines provide
information and direction for the practice of IT audit and assurance. The tools and techniques provide
methodologies, tools and templates to provide direction in the application of IT audit and assurance
processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT
audit and assurance professionals with the requisite knowledge of the subject matter under review, as
described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF
section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT® framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.

Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. They seek to integrate control framework elements used by the
general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it
has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these
columns to align with the enterprise’s control framework.

Governance, Risk and Control of IT


Governance, risk and control of IT are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program.
Controls are the primary evaluation point in the process. The audit/assurance program identifies the
control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals


IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter
expertise required to conduct the work and is supervised by a professional with the Certified Information
Systems Auditor (CISA) designation and/or the necessary subject matter expertise to adequately review the
work performed.

II. Using This Document


This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to modify this document to reflect the specific environment under review.

Step 1 is part of the fact-gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential
to a successful and professional review, the steps, or audit procedures, have been itemized in this plan.
The first level steps, e.g., 1.1, are in bold type and provide the reviewer with a scope or high-level
explanation of the purpose for the substeps. In addition, some program steps require the performance of
several audit procedures, identification of several specific points, issues, etc. (For an example, see step
3.9.) The document breaks down this kind of lengthy process into individual points to ease referencing
the individual audit procedures or other work papers. The audit/assurance professional should treat the
parent step, e.g., 3.9, as a “roll up” that includes the set of subordinate steps.

Beginning in step 2, the steps associated with the work program are itemized. To clarify purpose, the
audit/assurance program describes the audit/assurance objective—the reason for performing the steps—in
the topic area; the specific audit steps then follow in substeps. Each review step is listed after the control.
These steps may include assessing the control design by walking through a process, interviewing,
observing or otherwise verifying the process and the controls that address that process. In many cases,
once the control design has been verified, specific tests need to be performed to provide assurance that the
process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance program does not include typical audit wrap-up steps, including, but not necessarily
limited to, those processes associated with completing and reviewing work papers, preparing issues and
recommendations, and writing and clearing reports. The Research Team presumes that each
audit/assurance function will have identified and defined standards that address each of these processes in
accordance with the needs and standards of its individual enterprise.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that the audit/assurance step addresses. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Some subprocesses in the work program address the same COBIT standards identified in the
parent rollup step; or the subprocesses are too granular to cross-reference to specific COBIT steps. The
audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to
the development process. COBIT provides in-depth control objectives and suggested control practices at
each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT
Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their reports, and summarize assurance activities to the audit committee of the board
of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised
as Enterprise Risk Management—Integrated Framework and extended to eight components. The primary
difference between the two frameworks is the additional focus on ERM and integration into the business
decision model. Large enterprises are in the process of adopting ERM. The two frameworks are compared
in figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

[Internal Control Framework] Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
[ERM Integrated Framework] Internal Environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an enterprise’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

[Internal Control Framework] (no corresponding component)
[ERM Integrated Framework] Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the enterprise’s mission and are consistent with its risk appetite.

[Internal Control Framework] (no corresponding component)
[ERM Integrated Framework] Event Identification: Internal and external events affecting achievement of an enterprise’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.

[Internal Control Framework] Risk Assessment: Every enterprise faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
[ERM Integrated Framework] Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

[Internal Control Framework] (no corresponding component)
[ERM Integrated Framework] Risk Response: Management selects risk responses—avoiding, accepting, reducing, or sharing risk—developing a set of actions to align risks with the enterprise’s risk tolerances and risk appetite.

[Internal Control Framework] Control Activities: Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achievement of the enterprise’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
[ERM Integrated Framework] Control Activities: Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out.

[Internal Control Framework] Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure that information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
[ERM Integrated Framework] Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the enterprise.

[Internal Control Framework] Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
[ERM Integrated Framework] Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for its audit/assurance
programs. As more enterprises implement the ERM model, the additional three columns can be added, if
relevant. When completing the COSO component columns, consider the definitions of the components as
described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper that describes the work performed.

III. Controls Maturity Analysis


One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.

IT Assurance Guide Using COBIT Appendix VII—Maturity Model for Internal Control (figure 2)
provides a generic maturity model that shows the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

Maturity Level 0: Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1: Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2: Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3: Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4: Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5: Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls remain at the desired level of maturity and continue operating as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progress in
the enhancement of controls. However, the perception of the maturity level may vary between the
process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s
concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level
scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided in section
VIII, based on sample assessments.

Note that this assessment addresses the Microsoft SQL Server database only; there are generally other
operating systems (OSs) in the enterprise.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


ITAF section 3630.14—Operating Systems (OSs) Management and Controls—is relevant to Microsoft
SQL Server Database security.

ISACA has long recognized the specialized nature of IT assurance and strives to advance globally
applicable standards. Guidelines and procedures provide detailed guidance on how to follow those
standards. IS Auditing Standard S15 IT Controls and IS Auditing Guideline G38 Access Controls are
relevant to this audit/assurance program.

ISACA Controls Framework


COBIT is a framework for the governance of IT and a supporting tool set that allows managers to bridge
the gap among control requirements, technical issues and business risks. COBIT enables clear policy
development and good practice for IT control throughout enterprises.

© 2011 ISACA. All rights reserved. Page 10


Microsoft® SQL Server® Database Audit/Assurance Program

Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT
audit/assurance with good practices as developed by the enterprise.

The COBIT IT process DS9 Manage the configuration, from the Deliver and Support (DS) domain,
addresses good practices for ensuring the integrity of hardware and software configurations. This requires
the establishment and maintenance of an accurate and complete configuration repository. DS5.3 Identity
management and DS5.4 User account management address user identity, and the IT process AI6 Manage
changes, from the Acquire and Implement (AI) domain, specifically addresses change management.

Relevant COBIT control objectives are:


• AI6.1 Change standards and procedures—Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
• AI6.2 Impact assessment, prioritisation and authorisation—Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised, and authorised.
• AI6.4 Change status tracking and reporting—Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
• DS5.3 Identity management¹—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
• DS5.4 User account management²—Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
• DS9.1 Configuration repository and baseline—Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
• DS9.2 Identification and maintenance of configuration items—Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
• DS9.3 Configuration integrity review—Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.

¹ Scope limitation: Identity management as it relates to superusers having access to the OS
² Scope limitation: User account management as it relates to users accessing system functions


Refer to the ISACA publication COBIT® Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk
drivers.

V. Executive Summary of Audit/Assurance Focus


Microsoft SQL Server Database Configuration
The review of the Microsoft SQL Server database provides the basis for an assessment of the
effectiveness of internal controls and operating efficiency.

In the enterprise, Windows is one of the underlying computing platforms for servers that execute essential
business applications (both centralized and distributed), database servers that manage the massive
databases used to store business data, and web servers that provide the public face of the business on the
Internet and process transactions. Generally accepted standards of control—including but not limited to,
COBIT—recognize that the source of the Microsoft SQL Server database distribution be known and that
controls provide reasonable assurance that only authorized and tested functions, processes and
configuration changes enter the production environment.

Business Impact and Risk


Microsoft SQL Server is widely used in the enterprise operating environment. The failure to properly
configure the Microsoft SQL Server and its related database instances could result in the inability of the
business to execute its critical processes. Unless Microsoft SQL Server and its database instances are
controlled and managed, dangerous processes could be introduced into the OS.

Microsoft SQL Server database risks resulting from ineffective or incorrect database configuration
settings could permit the restricted tables, databases and data to become compromised, resulting in, but
not necessarily limited to, the following:
• Disclosure of privileged information
• Loss of physical assets
• Loss of intellectual property
• Loss of competitive advantage
• Loss of customer confidence
• Violation of regulatory requirements
• Disruption of the computer infrastructure, resulting in the inability to perform critical business functions

Objective and Scope


Objective—The objective of the Microsoft SQL Server database audit/assurance review is to provide
management with an independent assessment relating to the effectiveness of configuration and security of
the Microsoft SQL Server database systems within the enterprise’s computing environment.

Scope—The Microsoft® SQL Server® Database Audit/Assurance Program is designed to provide a
relatively complete guide to the audit of SQL Server. This audit/assurance program focuses on
configuration of the relevant Microsoft SQL Server database implementations. The selection of the
applications/functions and specific servers will be based on the SQL-Server-related risks to which these
systems expose the enterprise.

The authors recognize that each audit team will customize this audit/assurance program to fit the specific
circumstances of the project and enterprise. Some enterprises will choose to audit SQL Server in phases;
some may address SQL Server in a single project. Perhaps most important, the authors recognize that
SQL Server will probably change somewhat more frequently than this audit guide and program. Thus,
each audit team that uses this audit/assurance program must perform its own research to gain reasonable
assurance that it addresses the most relevant and current SQL Server risks.

Some sections of this audit/assurance program address ancillary functions such as access control,
computer operations and physical security. The authors attempted to limit this audit/assurance program to
risks unique to or introduced into those areas by SQL Server. Thus, this audit/assurance program does not
purport to act as a comprehensive guide to auditing those other areas, some of which could require a
project as large as the audit of SQL Server itself. Example resources, current as of August 2010, include,
but are not limited to the ISACA:
• Information Security Management Audit/Assurance Program—For the review of processes associated with governance, policy, monitoring, incident management and management of the information security function; the implementation of security configurations; and the selection and maintenance of security technologies
• Network Perimeter Security Audit/Assurance Program—For the review of network perimeter security, including associated policies, standards and procedures and the effectiveness of the security implementation
• Change Management Audit/Assurance Program—For the review of change management process and incident management

Minimum Audit Skills


This review is considered highly technical. The IT audit and assurance professional must have an
understanding of the Microsoft SQL Server and Windows processes and requirements and must be highly
conversant with Microsoft SQL Server database tools, exposures and functionality.


VI. Audit/Assurance Program


The purpose of this audit/assurance program is to provide the audit, control and security professional with a methodology for evaluating the Microsoft
SQL Server database. It examines key issues and components that need to be considered for this topic and was developed and reviewed with regard to
COBIT. Note: The professional should customize the audit/assurance program to address constraints, policies and practices of each specific enterprise.

Columns of the audit/assurance program table: Audit/Assurance Program Step | COBIT Cross-reference | COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference Hyperlink | Issue Cross-reference | Comments. COBIT cross-references appear with the step they apply to; the remaining columns are left for the reviewer's workpapers.
1. PLANNING AND SCOPING THE AUDIT
1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives, and align them with the audit/assurance universe, annual plan, charter and specific objectives of the current project.
1.2 Define boundaries of review.
The review must have a defined scope. Gain an understanding of the operating environment; prepare a risk assessment of the SQL Server environment; and, subject to management approval and budgetary constraints and considering historical audit results, prepare a proposed scope document.
1.2.1 Obtain and review the Microsoft SQL Server database system security and management policies.
1.2.2 Obtain and document the following information about the Microsoft SQL Server database environment.
1.2.2.1 Version, release and Microsoft support status of the underlying OS.
1.2.2.2 A list of Microsoft SQL Server database servers, version numbers, server locations, and applications each server processes or supports, and whether the database versions are current and supported by Microsoft.
1.2.2.3 Total number of named users (for comparison with logical access security testing results).
1.2.2.4 Number of database instances. For each instance, or for a sample of instances, determine the following.

1.2.2.4.1 The applications and related versions accessing the database (e.g., enterprise resource planning [ERP], web application, data warehouse)
1.2.2.4.2 Utilities used to log on to and manage the database (e.g., Rapid SQL)
1.2.3 For any servers hosted by third-party vendors, obtain and review:
• Vendor management policies
• Service level agreements (SLAs)
• Statements on Standards for Attestation Engagements (SSAE 16) reports, previously referenced as Statement on Auditing Standards No. 70 (SAS 70) reports
• Vendor contracts
1.2.4 Establish preliminary boundaries of the review. Include references for issues such as:
• Areas to be audited
• High-level objectives and scope of work
• Budget, resource allocation schedules
• Report deliverables

1.2.5 Identify any known constraints that could or would limit the audit of specific systems, processes or functions.
1.3 Define assurance.
The review requires at least two sources of standards:
a. Corporate standards, as defined in the policy and procedure documentation, that establish corporate expectations. At a minimum, the enterprise should have implemented standards.
b. One or more best-practice references, which can help define generally accepted control standards (best practices).

If gaps exist between enterprise standards and best practices, consider proposing enhancements.

1.3.1 Obtain and review Microsoft SQL Server database security and configuration best practices. Microsoft generally publishes a security guide for SQL Server; however, the auditor may want to determine whether better sources exist.
1.3.2 Obtain and review corporate Microsoft SQL Server database configuration policies, procedures and standards.
1.3.3 Identify any potential gaps between, or conflicts with, corporate policies, procedures, or standards and best practices.
1.4 Identify and document risks.
The risk assessment can help in evaluating where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach helps ensure an effective utilization of audit resources.
1.4.1 Using the list of servers identified in step 1.2.2, assign each server to a risk category and create a prioritized list of servers to assess.
1.4.2 Review any previous audits or other assessments of the Microsoft SQL Server databases and the underlying OS for the potential impact of any finding on the SQL Server environment.
1.4.3 Determine the status of any agreed-on corrective actions for issues identified in earlier audits.
1.4.4 Evaluate the overall risk factors affecting the various SQL Server functions, including, but not limited to:
• Areas or business functions to be audited
• Amount of time and resources allocated to the review
• Audit procedures in this guide
1.4.5 Discuss the risks with IT, business and audit management, and adjust the risk assessment as necessary.
1.4.6 Discuss possible changes in the scope of the review, based on the final risk assessment, with audit management, and adjust the scope accordingly.
1.5 Define the audit change process. (COBIT: ME2.7)
The initial audit approach depends on the reviewer’s understanding of the operating environment and associated risk. Further research and analysis may lead to changes in the scope and approach.
1.5.1 Identify the senior IT assurance resource responsible for the review.

1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and authorizations required.
1.6 Define the audit/assurance resources required. (COBIT: ME2.1)
The required resources are defined in the introduction to this audit/assurance program.
1.6.1 Determine estimated total resources (personnel, staff-hours) and time frame (start and end dates) required for review.
1.6.2 Determine the audit/assurance skills necessary for review. Propose changes to management if currently assigned resources appear inadequate.
1.7 Define deliverables. (COBIT: ME2.1)
The set of deliverables is not limited to the final report. Communication among the audit/assurance teams and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for response and the final report.
1.8 Communicate. (COBIT: ME2.1)
The audit/assurance process is clearly communicated to the customer/client. Communication among the audit/assurance teams and the process owner is essential to assignment success.
1.8.1 Conduct an opening conference in accordance with audit/assurance standards to discuss the review objectives with the executive responsible.
2. PREPARATORY STEPS
2.1 Define the Microsoft SQL Server database environment. (COBIT: PO8, PO9, AI1 to 7, DS1 to 5, DS7 to 9, DS11, ME2)
Gain an understanding of the Microsoft SQL Server database environment.
2.1.1 Conduct an independent survey of the environment.
2.1.2 Interview system administrators, database administrators (DBAs) and security administrators to determine the level of overall security awareness and knowledge of corporate policies and procedures.
2.1.3 Assess key risks and determine key controls or control weaknesses with regard to the following factors:
• The controls culture of the enterprise (e.g., a just-enough-control philosophy)
• The need to exercise judgement to determine the key controls in the process and whether the control structure is adequate
2.1.4 Identify SQL Server configurable controls to test.
2.1.5 Obtain a list of triggers in the database, and discuss with the DBA and security administrator how they are used. If an external package is used to monitor changes to the tables, review the external package settings. (Note: A trigger is a stored procedure that executes when specified rows or fields in a table are modified. Triggers are often created to enforce referential integrity or consistency among logically related data in different tables. Triggers can also alert management to rare and highly risky actions.)
2.1.6 Verify the existence of a database maintenance plan. Obtain any SLAs and support contracts (SLAs executed by the DBAs with end user clients). Review the SLAs to determine whether they include the following provisions:
• Maintain documentation for the secure configuration of the system.
• Actively monitor systems for security violations, and report any potential or proven violations to the enterprise.
• Test and load security patches within the period defined by enterprise standards for the type of release in question, e.g., standard maintenance vs. high-security risk.
• Maintain system uptime as defined by business requirements.
• Document evidence of maintenance performed.
• Maintain registers of history of changes and test results to perform future evaluations.
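The trigger inventory requested in step 2.1.5 can be pulled from the catalog views rather than from DBA recollection. The following T-SQL is an added example and not part of the ISACA program or of any Microsoft tool; it assumes the reviewer runs it in SQL Server Management Studio against the database under review with rights to view definitions (VIEW ANY DEFINITION or sysadmin). It lists server-scoped triggers (including logon triggers, which fire on every connection attempt and so merit attention), database-scoped DDL triggers, and DML triggers on user tables, flagging any whose body cannot be reviewed because it is encrypted or CLR-based.

```sql
-- Added example (not ISACA's own code): trigger inventory for step 2.1.5.
-- Assumes the current database is the one under review and that the reviewer
-- may read module definitions.

-- 1. Server-scoped triggers (DDL and LOGON). A failing logon trigger can lock
--    administrators out, so even a small number deserves review.
SELECT t.name,
       t.type_desc,
       t.is_disabled,
       te.type_desc AS fires_on,
       m.definition
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS te ON te.object_id = t.object_id
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
ORDER BY t.name;

-- 2. Database-scoped DDL triggers in the current database (parent_class 0)
SELECT t.name,
       t.is_disabled,
       te.type_desc AS fires_on,
       m.definition
FROM sys.triggers AS t
JOIN sys.trigger_events AS te ON te.object_id = t.object_id
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE t.parent_class = 0
ORDER BY t.name;

-- 3. DML triggers on user tables (parent_class 1): which table, which events,
--    whether disabled, and whether the body is unreadable (encrypted or CLR).
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS table_name,
       t.name AS trigger_name,
       t.is_disabled,
       t.is_instead_of_trigger,
       STUFF((SELECT ', ' + te2.type_desc
              FROM sys.trigger_events AS te2
              WHERE te2.object_id = t.object_id
              FOR XML PATH('')), 1, 2, '') AS events,
       CASE WHEN m.definition IS NULL THEN 1 ELSE 0 END AS body_not_reviewable
FROM sys.triggers AS t
JOIN sys.objects AS o ON o.object_id = t.parent_id
LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id
WHERE t.parent_class = 1
  AND o.is_ms_shipped = 0
ORDER BY table_name, trigger_name;
```

Disabled triggers and triggers whose definition is NULL are the items to raise with the DBA: a disabled integrity trigger means the control the DBA describes is not actually operating, and an unreadable body cannot be assessed at all.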
2.2 Physical facilities and access to database systems are secured. (COBIT: DS4, DS5, DS11, DS12, ME2)
Control: Physical facilities should restrict access to authorized personnel only.
2.2.1 Tour the data center and identify the location of key database systems. Ensure that the systems are housed in a secure environment and that console settings specify password-protected screen savers. Refer to the latest audit of physical security and/or data centre environmental controls if available.
2.2.2 Verify the existence of a physical security audit.
3. ACCESS AND AUTHORIZATION
3.1 Appropriate access and authorisations are in place.
Control: Ensure that all users (internal, external and temporary) and their activity on IT systems are uniquely identifiable.
Recommended Additional Resource: ISACA Information Security Management Audit/Assurance Program
3.1.1 Discuss procedures used to log on to SQL database systems with the DBA. Determine whether users log on to SQL databases using SQL Authentication, Active Directory accounts or both. (COBIT: DS5)
3.1.1.1 Obtain copies of approval documentation for users who can access the SQL databases directly.
3.1.1.2 Identify all users/members mapped to the db_owner role, and verify that only the privileged users identified as authorized have direct access to the database. Determine the reasons for any variances found.
3.1.2 Obtain a list of users who can access the SQL database(s) by executing the following SQL command from MS SQL Server Management Studio: sp_helplogins; (COBIT: DS5)
3.1.3 Review the list of SQL Server users to ensure that generic accounts are not used (e.g., test, guest or shared accounts). (COBIT: DS5)
3.1.4 Verify that default accounts and default passwords are not used by attempting to log on to the database using known defaults. (COBIT: DS5)
3.1.5 Review a sample of user accounts, and evaluate the appropriateness of access profiles assigned to each sample item. (COBIT: DS5)
3.1.6 Discuss the process for establishing an initial password with the DBA. Determine whether generic passwords or passwords that can be easily guessed are used. (COBIT: DS5)
3.1.7 Password attributes (COBIT: DS5, DS9)
Control: Password attributes (frequency of change, length of password, reuse of passwords) are established according to policy and according to the sensitivity of the information available to the user.
3.1.7.1 Review the following profile settings to verify that password controls conform to current best practices and that resource limits exist and appear reasonable.
3.1.7.1.1 Enforce password history (recommend 24).
3.1.7.1.2 Maximum password age (recommend 42).
3.1.7.1.3 Minimum password age (recommend 1).
3.1.7.1.4 Minimum password length (recommend 8).
3.1.7.1.5 Password must meet complexity requirements (recommend Yes).
3.1.7.1.6 Store password using reversible encryption for all users in the domain (Disabled).
3.1.8 Discuss the processes for obtaining emergency access to SQL Server databases with the DBA and the security administrator. Determine whether procedures meet the following criteria. (COBIT: AI6.4, DS4, DS10)
3.1.8.1 Define methods and controls over emergency access.
3.1.8.2 Require documentation for each use of emergency access.
3.1.8.3 Require access termination after the business issue is resolved.
3.1.8.4 Require a manager’s post-access review and approval if prior authorization is not feasible.
3.1.8.5 Procedures are included in the disaster recovery plan.
3.2 Remote Access to the Database
Control: Remote access to the database(s) should be well defined and managed.
3.2.1 Determine if remote access to the SQL Server database is enabled (see appendix 1 for suggested steps as of the last update of this audit/assurance program). If remote access is enabled, discuss the business requirements with the DBA, information security officer and business owner. (COBIT: AI4, DS5)
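Steps 3.1.1 through 3.1.7 and the remote access check in 3.2.1 can be evidenced from the server catalog in one pass, which is more complete than sp_helplogins alone because it shows authentication mode, whether each SQL login is subject to the Windows password policy reviewed in 3.1.7, and whether any login still has a blank password. The T-SQL below is an added example, not part of the ISACA program; it assumes the reviewer holds VIEW ANY DEFINITION (or sysadmin) on the instance, and the list of generic account names is a constructed placeholder to be replaced with the enterprise's own naming standard.

```sql
-- Added example (not ISACA's own code): login inventory for steps 3.1.1 to 3.1.7
-- and instance options for step 3.2.1. Read-only; run in SQL Server Management Studio.

-- Authentication mode of the instance: 1 = Windows only, 0 = mixed (SQL and Windows)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- All SQL logins, Windows logins and Windows groups. is_policy_checked and
-- is_expiration_checked exist only for SQL logins and show whether the Windows
-- password policy (history, age, length, complexity in 3.1.7) is enforced for them.
SELECT p.name,
       p.type_desc,
       p.is_disabled,
       p.create_date,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       -- principal_id 1 is the built-in sa login even if it has been renamed
       CASE WHEN p.principal_id = 1 THEN 1 ELSE 0 END AS is_builtin_sa,
       -- 3.1.4: PWDCOMPARE tests a candidate password against the stored hash;
       -- an empty candidate matching means the login has a blank password
       CASE WHEN sl.password_hash IS NOT NULL
             AND PWDCOMPARE('', sl.password_hash) = 1
            THEN 1 ELSE 0 END AS blank_password,
       -- 3.1.3: constructed list of generic/shared names; extend to local standards
       CASE WHEN p.name IN ('sa', 'test', 'shared', 'temp', 'admin')
             OR p.name LIKE 'test%'
            THEN 1 ELSE 0 END AS looks_generic
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins AS sl ON sl.principal_id = p.principal_id
WHERE p.type IN ('S', 'U', 'G')   -- S = SQL login, U = Windows login, G = Windows group
  AND p.name NOT LIKE '##%'       -- certificate-based internal logins
ORDER BY p.type_desc, p.name;

-- 3.2.1: 'remote access' permits remote stored procedure calls from/to linked
-- servers; 'remote admin connections' exposes the dedicated admin connection on
-- the network. Both are expected to be 0 unless a documented requirement exists.
SELECT name, value_in_use, description
FROM sys.configurations
WHERE name IN ('remote access', 'remote admin connections');
```

Rows with is_policy_checked = 0 are SQL logins that bypass every setting listed in 3.1.7.1, so they should be reconciled against the approval documentation from 3.1.1.1; a mixed-mode instance with no SQL logins in use is a candidate for switching to Windows-only authentication.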

3.3 Access for Third Parties
Control: Access for third parties should be properly managed.
3.3.1 With the DBA, discuss the processes in place to grant and terminate access for vendors, contractors and consultants. (COBIT: PO4, PO6, AI6, DS5, DS13, ME2)
3.3.1.1 Verify that access is granted only when it is commensurate with job responsibilities.
3.3.1.2 Verify that the controls provide reasonable assurance that access is terminated in a timely manner after it is no longer needed.
4. SECURITY PROCESSES AND MONITORING
4.1 Users' access is commensurate with their job responsibilities. (COBIT: PO2, PO4, PO7, DS5, DS7, DS9, DS11)
Control: Processes exist to ensure that access granted to both general and privileged users is appropriate and is removed when no longer needed.
Recommended Additional Resource: ISACA Information Security Management Audit/Assurance Program
4.1.1 Review processes for granting, updating and terminating user access.
4.1.2 Obtain a list or file containing information on current database users and administrators and their roles.
4.1.3 Obtain a list or file containing information on current local Windows Server groups and the members of each group.
4.1.4 Determine if privileges to access objects or statements are assigned directly to users, then if appropriate:
• Obtain a list or file containing information on users with individual privileges and the related objects to which they have access.
• Evaluate the access based on job descriptions and the access granted.
• Examine related access requests for reasonableness and proper authorization.
• Discuss possible excessive access rights with DBAs, information security officers and business owners as dictated by the circumstances.
4.1.5 Review privileges assigned to users and roles. Discuss with the DBA and data owner any privileges directly assigned to users rather than to roles.
4.1.6 Select a sample of user access requests and verify that access is approved by the appropriate data owners.
4.1.7 Review the roles and privileges assigned to a sample of users. Ensure that the users’ access is commensurate with their job responsibilities.
4.1.8 Obtain a list or file of terminated employees from human resources (HR). Compare the terminated employee list or file to the list or a table of database users to ensure that accounts are terminated in a timely manner.
4.1.9 Review the assignment of fixed server roles (sysadmin, serveradmin, etc.) to provide reasonable assurance that procedures specify these roles are used only in support of DBA activity.
4.1.10 Review any roles and/or user accounts that are assigned create, alter or drop privileges. Discuss the business requirements for these types of highly privileged access with the DBA and other affected manager(s).
4.1.11 Review accounts that are assigned highly privileged roles such as sysadmin. Discuss the requirement for this type of access with the DBA and information security officer. Assess each for possible segregation of duties (SoD) issues.
4.1.12 Verify that the guest user is removed from or disabled in all databases. Discuss any exceptions with the DBA.
4.1.13 Verify that public or guest user IDs that remain in the database and are enabled do not grant access to any objects.
4.1.14 Verify that the database owner (dbo) owns all user-created database schemas.
4.1.15 Review the security over access to OS executables (cmd.exe, explorer.exe, etc.) on the SQL Server and the SQL Server install directories. Ensure that users’ unique or group permissions do not grant full control.
4.1.16 Review assignment of the grant object permission to verify that it is not assigned to users or roles. Discuss any of these existing privileges with the DBA.
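Steps 4.1.4, 4.1.9 to 4.1.14 and 4.1.16 all reduce to questions the permission catalog can answer directly, and asking them per database avoids the common gap where only the server-level roles are reviewed. The following T-SQL is an added example and not ISACA's or Microsoft's code; it assumes sysadmin-level read access, uses a temporary #findings table of the author's own design, and deliberately skips master, tempdb and msdb for the guest check because SQL Server keeps guest enabled there by design. User-created schemas are identified by schema_id (5 to 16383), which is how SQL Server numbers them.

```sql
-- Added example (not ISACA's own code): read-only privilege review supporting
-- steps 4.1.4, 4.1.9 to 4.1.14 and 4.1.16.

-- 4.1.9 / 4.1.11: members of server-level roles (sysadmin, serveradmin, ...)
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R'
ORDER BY r.name, m.name;

-- Per-database checks, gathered into one result set (constructed layout).
CREATE TABLE #findings (database_name sysname, step varchar(10), detail nvarchar(500));

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND name NOT IN ('master', 'tempdb', 'msdb');   -- guest must stay enabled there
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    -- 4.1.12: guest is enabled when it holds CONNECT
    INSERT #findings SELECT DB_NAME(), ''4.1.12'', ''guest user is enabled (holds CONNECT)''
    FROM sys.database_permissions
    WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(''guest'')
      AND permission_name = ''CONNECT'' AND state = ''G'';

    -- 4.1.13: object permissions held by guest or public (class 1 = object/column)
    INSERT #findings SELECT DB_NAME(), ''4.1.13'',
           pr.name + '' has '' + dp.permission_name + '' on '' + ISNULL(OBJECT_NAME(dp.major_id), ''?'')
    FROM sys.database_permissions AS dp
    JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
    WHERE pr.name IN (''guest'', ''public'') AND dp.class = 1 AND dp.state IN (''G'', ''W'');

    -- 4.1.14: user-created schemas not owned by dbo
    INSERT #findings SELECT DB_NAME(), ''4.1.14'',
           ''schema '' + s.name + '' is owned by '' + USER_NAME(s.principal_id)
    FROM sys.schemas AS s
    WHERE s.schema_id BETWEEN 5 AND 16383
      AND s.principal_id <> DATABASE_PRINCIPAL_ID(''dbo'');

    -- 4.1.4: permissions granted to individual users (S, U, G) instead of roles
    INSERT #findings SELECT DB_NAME(), ''4.1.4'',
           pr.name + '' directly holds '' + dp.permission_name + '' ('' + dp.class_desc + '')''
    FROM sys.database_permissions AS dp
    JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
    WHERE pr.type IN (''S'', ''U'', ''G'') AND pr.name <> ''dbo''
      AND dp.state IN (''G'', ''W'') AND dp.permission_name <> ''CONNECT'';

    -- 4.1.16: permissions held WITH GRANT OPTION (state W) can be passed on
    INSERT #findings SELECT DB_NAME(), ''4.1.16'',
           pr.name + '' holds '' + dp.permission_name + '' WITH GRANT OPTION''
    FROM sys.database_permissions AS dp
    JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
    WHERE dp.state = ''W'';

    -- 4.1.10: create/alter/drop rights that come with db_owner or db_ddladmin
    INSERT #findings SELECT DB_NAME(), ''4.1.10'', m.name + '' is a member of '' + r.name
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name IN (''db_owner'', ''db_ddladmin'');';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT * FROM #findings ORDER BY database_name, step, detail;
DROP TABLE #findings;
```

Each row of #findings is a candidate exception to discuss with the DBA under the matching step; an empty result for a database is the expected state. Note that the server-role query reports roles by type rather than by a fixed name list, so user-defined server roles on newer versions are included as well.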
4.2 Resolve instances of inappropriate access and SQL Server processing problems and anomalies. (COBIT: DS1, DS5, DS12, ME1, ME4)
Control: Processes exist to provide reasonable assurance that DBAs, security personnel or system administrators would discover, investigate and resolve instances of apparent inappropriate access and SQL Server processing problems and anomalies.
4.2.1 Evaluate procedures and processes for monitoring key database functions and security-related events to determine the adequacy and frequency of system activity monitoring. The evaluation would normally include, but not be limited to, the following.
4.2.1.1 Compare existing practices to best practices.
4.2.1.2 Gather a sample of important reports, queries, alarm settings and monitoring tool outputs used by the DBA, the information security staff or other operating personnel.
4.2.1.2.1 Report deficiencies, if appropriate.
4.2.1.2.2 Discuss with the DBA.
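Before comparing monitoring practice with best practice (4.2.1.1), it helps to establish what the instance itself is actually capturing. The T-SQL below is an added example, not part of the ISACA program; it assumes SQL Server 2008 or later (SQL Server Audit objects) and reads the login auditing level from the instance registry hive with xp_instance_regread, an undocumented but long-standing procedure, so treat that part as an assumption to confirm on the version in scope.

```sql
-- Added example (not ISACA's own code): auditing configuration evidence for step 4.2.1.

-- Login auditing written to the SQL Server error log.
-- AuditLevel: 0 = none, 1 = successful logins, 2 = failed logins, 3 = both.
DECLARE @audit_level int;
EXEC master.sys.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT @audit_level AS login_audit_level,
       CASE @audit_level
            WHEN 0 THEN 'None'
            WHEN 1 THEN 'Successful logins only'
            WHEN 2 THEN 'Failed logins only'
            WHEN 3 THEN 'Both failed and successful logins'
       END AS meaning;

-- Instance options that affect monitoring coverage; the default trace is a
-- common source of DDL and security-change history for DBAs.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('default trace enabled', 'common criteria compliance enabled', 'c2 audit mode');

-- Server audits: defined vs. actually running, destination and failure behaviour.
-- An audit with is_state_enabled = 1 but a non-STARTED status is a monitoring gap.
SELECT a.name,
       a.type_desc AS destination,
       a.is_state_enabled,
       a.on_failure_desc,
       st.status_desc,
       st.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS st ON st.audit_id = a.audit_id;

-- Which action groups each server audit specification captures
SELECT a.name AS audit_name,
       s.name AS specification,
       s.is_state_enabled,
       d.audit_action_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audits AS a ON a.audit_guid = s.audit_guid
JOIN sys.server_audit_specification_details AS d
  ON d.server_specification_id = s.server_specification_id
ORDER BY a.name, s.name, d.audit_action_name;
```

The output is what the sample of "reports, queries, alarm settings and monitoring tool outputs" in 4.2.1.2 should be reconciled against: a login audit level of 0 or an audit specification that is defined but not enabled means the DBA's monitoring reports cannot contain the events they are assumed to contain.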
5. BACKUP AND RECOVERY
5.1 A backup and recovery strategy exists and is tested.
Control: A regularly reviewed and approved backup and recovery strategy should exist.
5.1.1 Gather the Microsoft SQL Server database application SLAs. Verify that Microsoft SQL Server database implementations and/or systems are included in the SLAs. (COBIT: DS1, DS4, DS11)

5.1.2 Gather the Microsoft SQL Server business continuity plan. Verify that the business continuity plan includes backup and restoration procedures for Microsoft SQL Server database implementations and systems. Verify that the backup and restoration procedures cover access authorisation and system configuration files. (COBIT: DS1, DS4, DS11)
5.1.3 Determine for a sample of database instances if a reasonable database backup recovery model is being used. Verify that SLAs match the model in use, whether full, simple or bulk-logged. (COBIT: DS4)
5.1.4 Ensure that backup file copies are stored at a location separate from the location of the servers. (COBIT: DS11)
5.1.5 Discuss the strategy with the DBA for backup and recovery of the database. Confirm with the DBA that the backup procedures and data are tested regularly. Review procedure documents, and discuss the results of the most recent test. (COBIT: DS11)
5.1.6 Review offsite backup and recovery procedures. Ensure that offsite backups are part of disaster recovery testing. (COBIT: DS4, DS11)
5.1.7 Review the most recent backup history, and verify that backups are recoverable within the acceptable data loss timeframe defined in the SLA. (COBIT: DS11)
5.1.8 Verify that the system databases (master, model and msdb) are being backed up. (COBIT: DS11)
5.1.9 Verify that transaction log files are being backed up. (COBIT: DS11)
5.1.10 Discuss with the DBA the procedures for regularly backing up transaction logs to offline media. Determine the procedures for securely protecting and disposing of offline media. (COBIT: DS11)
5.1.11 Determine whether procedures require encrypting sensitive and confidential data on backup media. (COBIT: DS11)
5.1.12 Obtain the path of the Microsoft SQL Server data and log files for each database. Ensure that these files are protected and do not exist on the same physical disk to which backups were saved. (COBIT: DS11)
5.1.13 Obtain copies of backup schedules. Verify that log backups are scheduled before full backups; this improves recovery time. (COBIT: DS11)
5.1.14 Verify that scheduled backups are performed when database activity is low; this will improve backup performance. (COBIT: DS11)
5.1.15 Check whether the Page_Verify option is set to Checksum or whether Torn_Page_Detection mode is being used. For databases with these settings, ensure that backups are run using the Checksum option to verify the integrity of the backup. (COBIT: DS11)
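The T-SQL below is an added example, not part of the ISACA program, that pulls the evidence for steps 5.1.3, 5.1.8, 5.1.9, 5.1.12 and 5.1.15 from the catalog views and the msdb backup history of the instance under review. It assumes the reviewer's login can read msdb and holds VIEW ANY DEFINITION, and that backup targets are Windows drive-letter paths (the drive comparison in the last query is a heuristic of this example).

```sql
-- Steps 5.1.3 and 5.1.15: recovery model and page verification for every database.
-- Compare recovery_model_desc with the SLA; page_verify NONE is a finding.
SELECT d.name,
       d.recovery_model_desc,        -- FULL, SIMPLE or BULK_LOGGED
       d.page_verify_option_desc,    -- CHECKSUM, TORN_PAGE_DETECTION or NONE
       d.state_desc
FROM sys.databases AS d
WHERE d.name <> 'tempdb'             -- tempdb is rebuilt at startup, never backed up
ORDER BY d.name;

-- Steps 5.1.8 and 5.1.9: latest full (type D) and log (type L) backup per database.
-- master, model and msdb must show a recent full backup; a FULL or BULK_LOGGED
-- database with no (or a stale) log backup is not protecting its log chain.
WITH LastBackup AS (
    SELECT bs.database_name, bs.type, MAX(bs.backup_finish_date) AS last_finish
    FROM msdb.dbo.backupset AS bs
    WHERE bs.is_copy_only = 0        -- copy-only backups do not maintain the chain
    GROUP BY bs.database_name, bs.type
)
SELECT d.name AS database_name,
       d.recovery_model_desc,
       f.last_finish AS last_full_backup,
       DATEDIFF(HOUR, f.last_finish, GETDATE()) AS hours_since_full,
       l.last_finish AS last_log_backup,
       DATEDIFF(MINUTE, l.last_finish, GETDATE()) AS minutes_since_log,
       CASE WHEN f.last_finish IS NULL THEN 'NO FULL BACKUP'
            WHEN d.recovery_model_desc <> 'SIMPLE' AND l.last_finish IS NULL
                 THEN 'NO LOG BACKUP'
            ELSE 'ok' END AS finding
FROM sys.databases AS d
LEFT JOIN LastBackup AS f ON f.database_name = d.name AND f.type = 'D'
LEFT JOIN LastBackup AS l ON l.database_name = d.name AND l.type = 'L'
WHERE d.name <> 'tempdb'
ORDER BY d.name;

-- Step 5.1.15: backups taken in the last 30 days without the CHECKSUM option.
SELECT bs.database_name, bs.type, bs.backup_finish_date, bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
  AND bs.has_backup_checksum = 0
ORDER BY bs.backup_finish_date DESC;

-- Step 5.1.12: data or log files on the same drive letter as a disk backup target
-- (device_type 2 = disk) written in the last 30 days. The drive-letter comparison is
-- a heuristic for this example; mount points and UNC paths need a longer prefix.
SELECT DISTINCT DB_NAME(mf.database_id) AS database_name,
       mf.type_desc,                 -- ROWS (data) or LOG
       mf.physical_name,
       bmf.physical_device_name
FROM sys.master_files AS mf
JOIN msdb.dbo.backupset AS bs ON bs.database_name = DB_NAME(mf.database_id)
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bmf.device_type = 2
  AND bs.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
  AND LEFT(mf.physical_name, 3) = LEFT(bmf.physical_device_name, 3)
ORDER BY database_name, mf.type_desc;
```

Each result set maps to one step, so the rows flagged here become the sample the reviewer discusses with the DBA rather than a conclusion on their own.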
6. ENCRYPTION
6.1 An encryption strategy exists and is implemented to protect confidential information where appropriate.
Control: Encryption is used whenever there is a business need for securing privileged information.
6.1.1 Discuss the use of encryption within the database with the DBA. Determine if a third-party package or the native package is used to implement encryption. (COBIT: AI2, DS5, DS11)
6.1.2 Review and evaluate enterprise data classification standards and encryption requirements. (COBIT: PO2, DS11)
6.1.3 Discuss with the DBA any application, information security or database development standards that mandate the use of encryption to protect information. (COBIT: AI2)
6.1.4 Review a sample of records that contain sensitive information to determine that the information is encrypted.
7. TRUSTED RELATIONSHIPS
7.1 Trusted Relationships are restricted and protected.
Control: Trust relationships are established only if there is an approved business need.
7.1.1 Obtain from the DBA a list of any linked server services used within the database. For each service, conduct the following. (COBIT: DS5)
7.1.1.1 Discuss the business purpose of each link with the DBA.
7.1.1.2 Confirm the business need of each link with the business owner(s).
7.1.1.3 Obtain any available documentation or other information about the use and purpose of each trusted database from the DBA.
7.1.1.4 Verify the validity and business purpose of each user’s access to the table(s).
7.1.2 Obtain and review the procedures and processes for managing trusted relationships. Verify that there is an appropriate process in place for granting and changing trust relationships. In general, only people who have a DBA or system administrative role should have access to add or update trusted connections. (COBIT: DS5)
7.1.3 Verify that procedures provide reasonable assurance that Windows Active Directory is in sync with both the domain servers and SQL Server when building trusted relationships, based on business need. (COBIT: DS5)
7.1.4 Verify that SQL Server maintains its list of authorized users who can connect to the server if trusted connections are used. (COBIT: DS5)
7.1.5 Verify that SQL Server maintains its list of authorized application servers that can connect. Check the application server, or a sample of application servers, to ensure that those in scope have the codes to establish the trust. (COBIT: DS5)
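As an added example that is not part of the ISACA program, the T-SQL below produces the linked server list, the login mappings and the list of principals able to change them, which is the evidence steps 7.1.1, 7.1.1.4 and 7.1.2 ask the reviewer to obtain. It assumes the reviewer's login holds VIEW ANY DEFINITION on the instance.

```sql
-- Step 7.1.1: every linked server, how it is reached and which RPC directions are on.
SELECT s.name,
       s.product,
       s.provider,
       s.data_source,
       s.is_remote_login_enabled,    -- 1 = remote logins may run RPCs on this instance
       s.is_rpc_out_enabled,         -- 1 = local logins may run RPCs on the remote server
       s.is_data_access_enabled,     -- 1 = usable in distributed queries
       s.modify_date
FROM sys.servers AS s
WHERE s.is_linked = 1                 -- server_id 0 is the local instance itself
ORDER BY s.name;

-- Step 7.1.1.4: login mapping per linked server. local_principal_id 0 is the default
-- mapping applied to every local login without an explicit row; a default mapping
-- with uses_self_credential = 0 means all local logins share one remote account.
SELECT s.name AS linked_server,
       COALESCE(p.name, '<all other logins>') AS local_login,
       ll.uses_self_credential,      -- 1 = impersonate the caller, 0 = use remote_name
       ll.remote_name,               -- remote login used when uses_self_credential = 0
       ll.modify_date
FROM sys.linked_logins AS ll
JOIN sys.servers AS s ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Step 7.1.2: who is able to add or change linked servers: explicit ALTER ANY LINKED
-- SERVER grants plus members of the sysadmin and setupadmin fixed server roles.
SELECT p.name AS login_or_role, sp.permission_name AS how, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'ALTER ANY LINKED SERVER'
UNION ALL
SELECT m.name, 'member of ' + r.name, 'GRANT'
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'setupadmin')
ORDER BY login_or_role;
```

The third result set is the population to reconcile against the DBA and system administrator roles named in 7.1.2.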
8. NETWORK SECURITY
8.1 Database information communicated over a network is protected.
Control: Configuration settings follow sound control practices.
Recommended Additional Resource: ISACA Network Perimeter Security Audit/Assurance Program
8.1.1 Obtain or create, and then evaluate, a network architecture diagram that depicts the logical relationship between the database and other systems and networks within the enterprise. (COBIT: PO2, AI2, AI3, DS5, DS9, ME1, ME2)
8.1.1.1 Determine whether the database is protected by a firewall from any third-party or Internet-access points.
8.1.1.2 Determine whether the database is protected from any external networks by network segmentation using ingress and egress filters or an equivalent technology.
8.1.2 Determine whether master key creation and key management meet the following.
8.1.2.1 Follow written procedures.
8.1.2.2 Encrypt sensitive fields with documented encryption functions.
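The T-SQL below is an added example (not part of the ISACA program) that inventories the native encryption objects on an instance, so the "native package" answer in 6.1.1, the sample review in 6.1.4 and the master key management review in 8.1.2 can be checked against what is actually configured. It assumes SQL Server 2008 or later (for transparent data encryption, TDE) and a reviewer login holding VIEW SERVER STATE and VIEW ANY DEFINITION; the second and third queries run in the context of the database being reviewed.

```sql
-- TDE: which user databases are encrypted at rest, with what algorithm, and whether
-- the encryption scan has completed. The certificate protecting the database key
-- lives in master; note its expiry date.
SELECT d.name AS database_name,
       d.is_encrypted,
       dek.encryption_state,          -- 3 = encrypted, 2 = in progress, 1 = unencrypted
       dek.key_algorithm,
       dek.key_length,
       c.name AS encryptor_certificate,
       c.expiry_date AS certificate_expiry
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek ON dek.database_id = d.database_id
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
WHERE d.database_id > 4                -- user databases only
ORDER BY d.name;

-- Step 8.1.2: key hierarchy in the current database. The database master key is
-- '##MS_DatabaseMasterKey##'; crypt_type_desc shows whether each key is protected
-- by a password, the service master key, a certificate or another key.
SELECT sk.name,
       sk.algorithm_desc,
       sk.key_length,
       ke.crypt_type_desc,
       sk.create_date,
       sk.modify_date
FROM sys.symmetric_keys AS sk
LEFT JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
ORDER BY sk.name;

-- Certificates and asymmetric keys available for column-level encryption in the
-- current database, with how their private keys are protected and when they expire.
SELECT 'CERTIFICATE' AS object_type, c.name, c.pvt_key_encryption_type_desc,
       c.start_date, c.expiry_date
FROM sys.certificates AS c
UNION ALL
SELECT 'ASYMMETRIC KEY', ak.name, ak.pvt_key_encryption_type_desc, NULL, NULL
FROM sys.asymmetric_keys AS ak
ORDER BY object_type, name;
```

A database with no keys or certificates at all, and no TDE, is using either a third-party package or no encryption, which is the distinction 6.1.1 asks the reviewer to establish.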

8.1.3 Discuss with the DBA the procedures for applying critical and noncritical patches and service packs, including, but not limited to, controls to provide reasonable assurance that patches are installed in a timely manner. Identify the business need for not applying service packs and patches that Microsoft has identified as important or critical. Verify proper management review and approval of unapplied patches.
8.1.4 Review the network protocols supported using the SQL Server Configuration Manager or an equivalent tool.
8.1.4.1 Verify that active ports or services are supported according to documented and approved use.
8.1.4.2 Verify that only approved services are in use.
8.1.4.3 Verify that only ports documented as valid are in use.
8.1.4.4 Investigate and discuss any undocumented connections with the DBA. Recommend turning off, documenting or gaining approval for any undocumented connections found.
8.1.4.5 Verify that security-enabled ports follow enterprise security standards, e.g., encryption.
8.1.5 Verify that each network instance, or a sample of network instances, is configured as described in the documentation: (COBIT: DS5.10, DS9, ME1)
• From the SQL Server Configuration Manager, expand the SQL Server Network Configuration.
• Click Protocols for <instance_name>, and verify that each one is configured as described.
8.1.6 Scan ports, and run a vulnerability assessment to check for security exposures. (COBIT: DS5.10)
8.1.7 Obtain and review documentation of running services, and conduct the following. (COBIT: DS5.10)
8.1.7.1 Verify that documented services are running or normally run.
8.1.7.2 Consider recommending stopping services that appear to be unneeded.
8.1.8 Verify that different login IDs and complex passwords are used for critical services. (COBIT: DS5.10)
8.1.9 Verify that policies, procedures and standards specify denying unneeded connect permission to endpoints. (COBIT: DS5.10)
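As an added example that is not part of the ISACA program, the T-SQL below gathers from inside the instance the evidence for steps 8.1.3 (patch level), 8.1.4, 8.1.5 and 8.1.9 (endpoints, listener ports and CONNECT permission) and 8.1.4.5 (whether live sessions are actually encrypted). It assumes the reviewer's login holds VIEW SERVER STATE and VIEW ANY DEFINITION.

```sql
-- Step 8.1.3: product version and service-pack level, to compare with Microsoft's
-- current release and the enterprise's approved-patch list.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel') AS product_level,     -- RTM, SP1, SP2 ...
       SERVERPROPERTY('Edition') AS edition;

-- Steps 8.1.4, 8.1.5 and 8.1.9: every endpoint, its listener port and who may CONNECT.
-- Compare against the documented configuration; a dynamic port, or a CONNECT grant to
-- public on an endpoint that is not the default TSQL listener, needs an approval.
-- The built-in TSQL endpoints report port 0 here; their listener port is set in
-- SQL Server Configuration Manager (step 8.1.5).
SELECT e.name AS endpoint,
       e.protocol_desc,
       e.type_desc,                  -- TSQL, SERVICE_BROKER, DATABASE_MIRRORING ...
       e.state_desc,                 -- STARTED or STOPPED
       e.is_admin_endpoint,          -- 1 = dedicated administrator connection
       t.port,
       t.is_dynamic_port,
       COALESCE(pr.name, '(no grant)') AS grantee,
       COALESCE(sp.state_desc, '') AS connect_state
FROM sys.endpoints AS e
LEFT JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id
LEFT JOIN sys.server_permissions AS sp
       ON sp.class = 105             -- 105 = ENDPOINT
      AND sp.major_id = e.endpoint_id
      AND sp.permission_name = 'CONNECT'
LEFT JOIN sys.server_principals AS pr ON pr.principal_id = sp.grantee_principal_id
ORDER BY e.endpoint_id, grantee;

-- Step 8.1.4.5: what current sessions are really using. A TCP session with
-- encrypt_option = 'FALSE' is cleartext on the wire; auth_scheme SQL means a
-- SQL login rather than Windows authentication.
SELECT c.net_transport,
       c.encrypt_option,
       c.auth_scheme,
       c.local_tcp_port,
       COUNT(*) AS sessions,
       MIN(c.client_net_address) AS example_client
FROM sys.dm_exec_connections AS c
WHERE c.session_id <> @@SPID          -- exclude the reviewer's own session
GROUP BY c.net_transport, c.encrypt_option, c.auth_scheme, c.local_tcp_port
ORDER BY sessions DESC;
```

The third result set is a point-in-time sample; repeat it at a busy period before concluding that no unencrypted connections occur.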


VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer’s observations, assign a maturity level to each of the following COBIT control practices.

Table columns: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the policies
and processes, including:
• Roles and responsibilities
• Classification and prioritisation of all changes based on business risk
• Assessment of impact
• Authorisation and approval of all changes by the business process owners and IT
• Tracking and status of changes
• Impact on data integrity (e.g., all changes to data files being made under system and application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate
technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the
change management process. Ensure timely closure of changes. Elevate and report to
management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application
development and shared services) on the change management process. Consider integration of
organisational change management processes with change management processes of service
providers. Consider the impact of the organisational change management process on contractual
terms and SLAs.
AI6.2 Impact Assessment, Prioritisation and Authorisation
1. Develop a process to allow business process owners and IT to request changes to infrastructure,
systems or applications. Develop controls to ensure that all such changes arise only through the
change request management process.
2. Categorize all requested changes (e.g., infrastructure, operating systems, networks, application
systems, purchased/packaged application software).
3. Prioritise all requested changes. Ensure that the change management process identifies both the
business and technical needs for the change. Consider legal, regulatory and contractual reasons
for the requested change.
4. Assess all requests in a structured fashion. Ensure that the assessment process addresses impact
analysis on infrastructure, systems and applications. Consider security, legal, contractual and
compliance implications of the requested change. Consider also interdependencies among
changes. Involve business process owners in the assessment process, as appropriate.

5. Ensure that each change is formally approved by business process owners and IT technical
stakeholders, as appropriate.
AI6.4 Change Status Tracking and Reporting
1. Establish a process to allow requestors and stakeholders to track the status of requests
throughout the various stages of the change management process.
2. Categorise change requests in the tracking process (e.g., rejected, approved but not yet initiated,
approved and in process, and closed).
3. Implement change status reports with performance metrics to enable management review and
monitoring of both the detailed status of changes and the overall state (e.g., aged analysis of
change requests). Ensure that status reports form an audit trail so changes can subsequently be
tracked from inception to eventual disposition.
4. Monitor open changes to ensure that all approved changes are closed in a timely fashion,
depending on priority.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorise access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organisation
• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organisation, or who have changed roles or jobs.

DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
• Using unique user IDs to enable users to be linked to and held accountable for their actions
• Awareness that the use of group IDs results in the loss of individual accountability, and that group IDs are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented.
• Checking that the user has authorisation from the system owner for the use of the information system or service, and that the level of access granted is appropriate to the business purpose and consistent with the organisational security policy
• A procedure to require users to understand and acknowledge their access rights and the conditions of such access
• Ensuring that internal and external service providers do not provide access until authorisation procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the service
• A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a
formal process. User access rights should be reviewed or reallocated after any job changes, such
as transfer, promotion, demotion or termination of employment. Authorisations for special
privileged access rights should be reviewed independently at more frequent intervals.
DS9.1 Configuration Repository and Baseline
1. Implement a configuration repository to capture and maintain configuration management items.
The repository should include hardware; application software; middleware; parameters;
documentation; procedures; and tools for operating, accessing and using the systems, services,
version numbers and licensing details.
2. Implement a tool to enable the effective logging of configuration management information
within a repository.
3. Provide a unique identifier to a configuration item so the item can be easily tracked and related
to physical asset tags and financial records.
4. Define and document configuration baselines for components across development, test and
production environments, to enable identification of system configuration at specific points in
time (past, present and planned).
5. Establish a process to revert to the baseline configuration in the event of problems, if determined
appropriate after initial investigation.
6. Install mechanisms to monitor changes against the defined repository and baseline. Provide
management reports for exceptions, reconciliation and decision making.

DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and versions
to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism,
such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with the
maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative
attributes and versions. Identify and maintain the relationships between configuration items in
the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions
(component failure impact analysis).
7. Record all assets—including new hardware and software, procured or internally developed—
within the configuration management data repository.
8. Define and implement a process to ensure that valid licences are in place to prevent the
inclusion of unauthorised software.
DS9.3 Configuration Integrity Review
1. To validate the integrity of configuration data, implement a process to ensure that configuration
items are monitored. Compare recorded data against actual physical existence, and ensure that
errors and deviations are reported and corrected.
2. Using automated discovery tools where appropriate, reconcile actual installed software and
hardware periodically against the configuration database, licence records and physical tags.
3. Periodically review against the policy for software usage the existence of any software in
violation or in excess of current policies and licence agreements. Report deviations for
correction.


VIII. Assessment Maturity vs. Target Maturity

This spider graph is an example of the assessment results and maturity target for a specific enterprise.


IX. References and Resources


Andrews, Chip; SQLSecurity.com, July 1999, www.sqlsecurity.com
Lee, Il-Sung; Art Rask; “Auditing in SQL Server 2008,” February 2009, http://msdn.microsoft.com/en-us/library/dd392015(SQL.100).aspx
ISACA, Change Management Audit/Assurance Program, USA, 2009
ISACA, Information Security Management Audit/Assurance Program, USA, 2010
ISACA, MySQL® Audit/Assurance Program, USA, 2010
ISACA, Network Perimeter Security Audit/Assurance Program, USA, 2009

X. Technical Appendix
Suggested technical tests are current as of August 2010, the last update of this audit/assurance program.

Remote Access
1. To determine if Remote Access is enabled:
a. Click Start.
i. Click Programs.
ii. Click Microsoft SQL Server 2005.
iii. Click Configuration Tools.
iv. Click SQL Server Surface Area Configuration.
b. On the SQL Server 2005 Surface Area Configuration page, click Surface Area Configuration for Services and Connections.
c. On the Surface Area Configuration for Services and Connections page, expand Database Engine, and click Remote Connections.
d. Determine if “Local and remote connections” is enabled; that setting allows remote and local connections. “Local connections” is the default.
2. To determine if the service is running:
a. Type “sqlcmd -S (local)\SQLEXPRESS” at the command prompt. If you see “1>”, that means that you managed to connect.
b. Type “exit” to exit the sqlcmd program.
