MySQL™ Server

Audit/Assurance Program
 MySQL™ Server Audit/Assurance Program
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor ® (CISA®),
Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and
Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT ®,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created MySQL™ Server Audit/Assurance Program (the “Work”) primarily as an
informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.

Reservation of Rights
© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use, and
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 978-1-60420-165-9
MySQL™ Audit/Assurance Program

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.

MySQL™ Server Audit/Assurance Program is an independent publication and is not affiliated with, nor has it been

© 2010 ISACA. All rights reserved. Page 2

 MySQL™ Server Audit/Assurance Program
authorized, sponsored or otherwise approved by the Oracle Corporation.
ISACA wishes to recognize:
Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc. USA

Expert Reviewers
Abdus Sami Khan, Sami Associates, Pakistan
Prashant Khopkar, CISA, CA, CPA, Grant Thornton LLP, USA
Bart van Lodensteijn, CISA, CGEIT, Ordina Consultancy B.V, The Netherlands
Philippe Rivest, CISA, CEH, CISSP, TransForce, Canada

ISACA Board of Directors

Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee

Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand

ISACA/IT Governance Institute Affiliates and Sponsors

American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform

© 2010 ISACA. All rights reserved. Page 3

 MySQL™ Server Audit/Assurance Program
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents
I. Introduction 4
II. Using This Document 5
III. Controls Maturity Analysis 8
IV. Assurance and Control Framework 9
V. Executive Summary of Audit/Assurance Focus 11
VI. Audit/Assurance Program 13
1. Planning and Scoping the Audit 13
2. Preparatory Steps 14
3. Host System 16
4. Web Server 17
5. MySQL server 18
6. Data Base Integrity 22
7. Shared IT Management Services 23
8. MySQL server Additional Components 25
VII. Maturity Assessment 26
VIII. Assessment Maturity vs. Target Maturity 28

I. Introduction

Overview
ISACA has developed the IT Assurance FrameworkTM (ITAFTM) as a comprehensive and good-practice-
setting model. ITAF provides standards that are designed to be mandatory and that are the guiding
principles under which the IT audit and assurance profession operates. The guidelines provide
information and direction for the practice of IT audit and assurance. The tools and techniques provide
methodologies, tools and templates to provide direction in the application of IT audit and assurance
processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT
audit and assurance professionals with the requisite knowledge of the subject matter under review, as

© 2010 ISACA. All rights reserved. Page 4

 MySQL™ Server Audit/Assurance Program
described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF
section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.

Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. They seek to integrate control framework elements used by the
general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it
has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these
columns to align with the enterprise’s control framework.

Governance, Risk and Control of IT

Governance, risk and control of IT are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program.
Controls are the primary evaluation point in the process. The audit/assurance program identifies the
control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter
expertise required to conduct the work and is supervised by a professional with the Certified Information
Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the
work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.

Step 1 is part of the fact gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the substeps.

© 2010 ISACA. All rights reserved. Page 5

 MySQL™ Server Audit/Assurance Program

Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the
audit/assurance program describes the audit/assurance objective—the reason for performing the steps in
the topic area and the specific controls follow. Each review step is listed after the control. These steps
may include assessing the control design by walking through a process, interviewing, observing or
otherwise verifying the process and the controls that address that process. In many cases, once the control
design has been verified, specific tests need to be performed to provide assurance that the process
associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise’s standards.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The
audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to
the development process. COBIT provides in-depth control objectives and suggested control practices at
each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance
Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their reports, and summarize assurance activities to the audit committee of the board
of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. Large enterprises are in the process of adopting ERM. The two frameworks are
compared in figure 1.

© 2010 ISACA. All rights reserved. Page 6

 MySQL™ Server Audit/Assurance Program

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework ERM Integrated Framework
Control Environment: The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is
the foundation for all other components of internal control, providing
discipline and structure. Control environment factors include the
integrity, ethical values, management’s operating style, delegation of
authority systems, as well as the processes for managing and
developing people in the organization.
Risk Assessment: Every entity faces a variety of risks from external
and internal sources that must be assessed. A precondition to risk
assessment is establishment of objectives, and, thus, risk assessment is
the identification and analysis of relevant risks to achievement of
assigned objectives. Risk assessment is a prerequisite for determining
how the risks should be managed.
Control Activities: Control activities are the policies and procedures
that help ensure management directives are carried out. They help
ensure that necessary actions are taken to address risks to achievement
of the entity's objectives. Control activities occur throughout the
organization, at all levels and in all functions. They include a range of
activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets
and segregation of duties.
Information and Communication: Information systems play a key
role in internal control systems as they produce reports, including
operational, financial and compliance-related information that make it
possible to run and control the business. In a broader sense, effective
communication must ensure information flows down, across and up
the organization. Effective communication should also be ensured with
external parties, such as customers, suppliers, regulators and
shareholders.
Monitoring: Internal control systems need to be monitored—a
process that assesses the quality of the system’s performance over
time. This is accomplished through ongoing monitoring activities or
separate evaluations. Internal control deficiencies detected through
these monitoring activities should be reported upstream and corrective
actions should be taken to ensure continuous improvement of the
system.
Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.
Internal Environment: The internal environment encompasses the
tone of an organization, and sets the basis for how risk is viewed and
addressed by an entity’s people, including risk management
philosophy and risk appetite, integrity and ethical values, and the
environment in which they operate.
Objective Setting: Objectives must exist before management can
identify potential events affecting their achievement. Enterprise risk
management ensures that management has in place a process to set
objectives and that the chosen objectives support and align with the
entity’s mission and are consistent with its risk appetite.
Event Identification: Internal and external events affecting
achievement of an entity’s objectives must be identified,
distinguishing between risks and opportunities. Opportunities are
channeled back to management’s strategy or objective-setting
processes.
Risk Assessment: Risks are analyzed, considering the likelihood and
impact, as a basis for determining how they could be managed. Risk
areas are assessed on an inherent and residual basis.
Risk Response: Management selects risk responses—avoiding,
accepting, reducing or sharing risk—developing a set of actions to
align risks with the entity’s risk tolerances and risk appetite.
Control Activities: Policies and procedures are established and
implemented to help ensure the risk responses are effectively carried
out.
Information and Communication: Relevant information is
identified, captured and communicated in a form and time frame that
enable people to carry out their responsibilities. Effective
communication also occurs in a broader sense, flowing down, across
and up the entity.
Monitoring: The entirety of enterprise risk management is monitored
and modifications are made as necessary. Monitoring is accomplished
through ongoing management activities, separate evaluations or both.

The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for its audit/assurance
programs. As more enterprises implement the ERM model, the additional three columns can be added, if
relevant. When completing the COSO component columns, consider the definitions of the components as
described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work

© 2010 ISACA. All rights reserved. Page 7

 MySQL™ Server Audit/Assurance Program
performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper that describes the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.

IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2)
provides a generic maturity model that shows the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

Maturity Level Status of the Internal Control Environment Establishment of Internal Controls
0 Non-existent There is no recognition of the need for internal control. There is no intent to assess the need for internal control.
Control is not part of the organization’s culture or mission. Incidents are dealt with as they arise.
There is a high risk of control deficiencies and incidents.

1 Initial/ad hoc There is some recognition of the need for internal control.
The approach to risk and control requirements is ad hoc and
disorganized, without communication or monitoring.
Deficiencies are not identified. Employees are not aware of
their responsibilities.
There is no awareness of the need for assessment of what is
needed in terms of IT controls. When performed, it is only on
an ad hoc basis, at a high level and in reaction to significant
incidents. Assessment addresses only the actual incident.

2 Repeatable but Controls are in place but are not documented. Their operation
Intuitive is dependent on the knowledge and motivation of individuals.
Effectiveness is not adequately evaluated. Many control
weaknesses exist and are not adequately addressed; the
impact can be severe. Management actions to resolve control
issues are not prioritized or consistent. Employees may not
be aware of their responsibilities.
Assessment of control needs occurs only when needed for
selected IT processes to determine the current level of control
maturity, the target level that should be reached and the gaps
that exist. An informal workshop approach, involving IT
managers and the team involved in the process, is used to
define an adequate approach to controls for the process and to
motivate an agreed-upon action plan.

3 Defined Controls are in place and adequately documented. Operating Critical IT processes are identified based on value and risk
effectiveness is evaluated on a periodic basis and there is an drivers. A detailed analysis is performed to identify control
average number of issues. However, the evaluation process is requirements and the ROOT cause of gaps and to develop
not documented. While management is able to deal improvement opportunities. In addition to facilitated

© 2010 ISACA. All rights reserved. Page 8

 MySQL™ Server Audit/Assurance Program
Figure 2—Maturity Model for Internal Control
Maturity Level Status of the Internal Control Environment Establishment of Internal Controls
predictably with most control issues, some control
weaknesses persist and impacts could still be severe.
Employees are aware of their responsibilities for control.
4 Managed and There is an effective internal control and risk management
Measurable environment. A formal, documented evaluation of controls
occurs frequently. Many controls are automated and regularly
reviewed. Management is likely to detect most control issues,
but not all issues are routinely identified. There is consistent
follow-up to address identified control weaknesses. A
limited, tactical use of technology is applied to automate
controls.
5 Optimized An enterprise-wide risk and control program provides
continuous and effective control and risk issues resolution.
Internal control and risk management are integrated with
enterprise practices, supported with automated real-time
monitoring with full accountability for control monitoring,
risk management and compliance enforcement. Control
evaluation is continuous, based on self-assessments and gap
and ROOT cause analyses. Employees are proactively
involved in control improvements.
workshops, tools are used and interviews are performed to
support the analysis and ensure that an IT process owner
owns and drives the assessment and improvement process.
IT process criticality is regularly defined with full support
and agreement from the relevant business process owners.
Assessment of control requirements is based on policy and
the actual maturity of these processes, following a thorough
and measured analysis involving key stakeholders.
Accountability for these assessments is clear and enforced.
Improvement strategies are supported by business cases.
Performance in achieving the desired outcomes is
consistently monitored. External control reviews are
organized occasionally.
Business changes consider the criticality of IT processes and
cover any need to reassess process control capability. IT
process owners regularly perform self-assessments to
confirm that controls are at the right level of maturity to meet
business needs and they consider maturity attributes to find
ways to make controls more efficient and effective. The
organization benchmarks to external best practices and seeks
external advice on internal control effectiveness. For critical
processes, independent reviews take place to provide
assurance that the controls are at the desired level of maturity
and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progress in
the enhancement of controls. However, the perception of the maturity level may vary between the
process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s
concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last
page of the document (section VIII), based on sample assessments.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards

The following ITAF sections are relevant to the audit of MySQL Server:
 3630.10—Database Management and Controls
 3630.14—Operating Systems (OSs) Management and Controls

ISACA Controls Framework

COBIT is a framework for the governance of IT and a supporting tool set that allows managers to bridge
the gap among control requirements, technical issues and business risks. COBIT enables clear policy

© 2010 ISACA. All rights reserved. Page 9

 MySQL™ Server Audit/Assurance Program
development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT
audit/assurance with good practices as developed by the enterprise.

COBIT IT process DS9 Manage the configuration from the Deliver and Support (DS) domain addresses
good practices for ensuring the integrity of hardware and software configurations. This requires the
establishment and maintenance of an accurate and complete configuration repository. Sections from DS5
Ensure systems security and AI3 Acquire and maintain technology infrastructure are relevant. The
primary COBIT control objectives are:
 DS9.1 Configuration repository and baseline—Establish a supporting tool and a central repository to
contain all relevant information on configuration items. Monitor and record all assets and changes to
assets. Maintain a baseline of configuration items for every system and service as a checkpoint to
which to return after changes.
 DS9.2 Identification and maintenance of configuration items—Establish configuration procedures to
support management and logging of all changes to the configuration repository. Integrate these
procedures with change management, incident management and problem management procedures.
 DS9.3 Configuration integrity review—Periodically review the configuration data to verify and
confirm the integrity of the current and historical configuration. Periodically review installed software
against the policy for software usage to identify personal or unlicensed software or any software
instances in excess of current license agreements. Report, act on and correct errors and deviations.

The secondary COBIT control objectives are:

 AI3.2 Infrastructure resource protection and availability—Implement internal control, security and
auditability measures during configuration, integration and maintenance of hardware and
infrastructural software to protect resources and ensure availability and integrity. Responsibilities for
using sensitive infrastructure components should be clearly defined and understood by those who
develop and integrate infrastructure components. Their use should be monitored and evaluated.
 AI3.3 Infrastructure maintenance—Develop a strategy and plan for infrastructure maintenance, and
ensure that changes are controlled in line with the organisation’s change management procedure.
Include periodic reviews against business needs, patch management, upgrade strategies, risks,
vulnerabilities assessment and security requirements.
 DS5.3 Identity management—Ensure that all users (internal, external and temporary) and their
activity on IT systems (business application, IT environment, system operations, development and
maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business
needs and that job requirements are attached to user identities. Ensure that user access rights are
requested by user management, approved by system owners and implemented by the security-
responsible person. Maintain user identities and access rights in a central repository. Deploy cost-
effective technical and procedural measures, and keep them current to establish user identification,
implement authentication and enforce access rights.
 DS5.4 User account management—Address requesting, establishing, issuing, suspending, modifying
and closing user accounts and related user privileges with a set of user account management
procedures. Include an approval procedure outlining the data or system owner granting the access
privileges. These procedures should apply for all users, including administrators (privileged users)
and internal and external users, for normal and emergency cases. Rights and obligations relative to
access to enterprise systems and information should be contractually arranged for all types of users.
 DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security
implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure
that the approved enterprise’s information security baseline is maintained.

© 2010 ISACA. All rights reserved. Page 10

 MySQL™ Server Audit/Assurance Program
 DS5.6 Security incident definition—Clearly define and communicate the characteristics of potential
security incidents so they can be properly classified and treated by the incident and problem
management process.
 DS5.10 Network security—Use security techniques and related management procedures (e.g.,
firewalls, security appliances, network segmentation, intrusion detection) to authorize access and
control information flows from and to networks.

Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk
drivers.

V. Executive Summary of Audit/Assurance Focus

MySQL™ Security
MySQL is a popular database that operates on numerous operating systems and is most popular on
UNIX™/Linux™ variants. MySQL is often implemented as part of LAMP or WAMP1—Linux/Windows
prepackaged implementation of the Apache Web Server, MySQL database and PHP scripting language.

MySQL was originally developed by a Swedish software development company and was acquired by
Oracle Corp. The license is open source, which requires the user to preserve copyright notices, but
permits the source code to be modified and/or distributed freely.

MySQL Servers are used in the enterprise operating environment as database systems for general
applications including accounting, business operations and documentation repositories. In addition, they
are used as e-commerce backend servers and web content management servers. The failure of a MySQL
Server to be properly configured could result in the inability for the business to execute its critical
processes, the loss of intellectual property, the loss of critical or sensitive information, and/or the
utilization of the database server to implement malicious processes. In addition, the security of MySQL
Server is dependent on the configuration of the host operating system.

Business Impact and Risk

MySQL risks resulting from ineffective or incorrect operating system configurations could include:
 Disclosure of privileged information
 Loss of physical assets2
 Loss of intellectual property
 Loss of competitive advantage
 Loss of customer confidence
 Violation of regulatory requirements
 Disruption of the computer infrastructure resulting in the inability to perform critical business
functions
 Infection of computer systems with viruses and the like to disrupt processing
 Use of the MySQL Server as a launching pad for malicious activity against other entities (and the
potential to be held liable for the damages)

1
LAMP was originally coined from the first letters of Linux™ (operating system), Apache™ HTTP Server, MySQL™
(database software) and PHP™ (hypertext pre-processor scripting language). Similar terms exist for essentially the same
software suite (AMP) running on other operating systems, such as MS Windows® (WAMP), Mac OS® (MAMP), Oracle®
Solaris™ (SAMP), or OpenBSD (OpAMP).
2
Instances in which the system under review processes transactions as affecting assets, i.e., inventory, order entry/shipping,
investments and cash

© 2010 ISACA. All rights reserved. Page 11

 MySQL™ Server Audit/Assurance Program

Objective and Scope

Objective—The objective of the MySQL Server Security audit/assurance review is to provide
management with an independent assessment relating to the effectiveness of the configuration and
security of MySQL Servers within the enterprise’s computing environment.

Scope—The review will focus on the configurations of the relevant MySQL Servers within the enterprise.
The selection of the applications/functions and specific servers will be based on the risks introduced to
the enterprise by these systems.

MySQL Server relies on the integrity of the host operating system. Accordingly, the auditor must perform
or have access to a recent audit of the host operating system’s configuration and be assured of the
integrity and security of the host. If this cannot be assured, the audit of the host operating system should
be completed prior to beginning this audit. If the audit has identified significant deficiencies or material
weaknesses, the audit should be postponed until these issues are remediated.

{The remainder of this paragraph needs to be customized to describe which servers and applications
within the enterprise will be reviewed.}

Minimum Audit Skills

This review is considered highly technical. The IT audit and assurance professional must have an
understanding of the host operating system’s good-practice configuration and known security
weaknesses. Since MySQL is built on the UNIX model, knowledge of UNIX processes, functionality and
utility tools is required. It should not be assumed that an audit and assurance professional holding the
CISA designation alone has the requisite skills to perform this review.

© 2010 ISACA. All rights reserved. Page 12

 MySQL™ Server Audit/Assurance Program

VI. Audit/Assurance Program

COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

1. PLANNING AND SCOPING THE AUDIT

1.1 Define the audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance
program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe,
annual plan and charter.
1.2 Define boundaries of review.
The review must have a defined scope. Understand the functions and application requirements
for the web servers within scope.
1.2.1 Obtain a description of the applications operating using MySQL.
1.2.2 Determine the MySQL instances to be within scope.
1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most
enterprises, audit resources are not available for all processes. The risk-based approach assures
utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with the MySQL databases on the server and the
applications supported by the MySQL Server.
1.3.2 Review previous audits and risk assessments.
1.3.3 Evaluate the overall risk factor for performing the review.
1.3.4 Based on the risk assessment, identify changes to the scope.
1.3.5 Discuss the risks with IT management, and adjust the risk assessment.
1.3.6 Based on the risk assessment, revise the scope.
1.4 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment
and associated risks. As further research and analysis are performed, changes to the scope and
approach may result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance program and
© 2010 ISACA. All rights reserved. Page 13
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

the authorizations required.

1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team,
other assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance
function’s standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain
agreement.
1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction of this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end
dates) required for the review.
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance
teams and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses or meetings, and the final report.
1.8 Communications
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to discuss:
 Review objectives with the stakeholders
 Documents and information security resources required to effectively perform
the review
 Timelines and deliverables
2. PREPARATORY STEPS

2.1 Obtain and review the current organization responsible for the OS and database
configuration and security functions.
2.2 Determine if an audit of the host operating system has been performed.

© 2010 ISACA. All rights reserved. Page 14

 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

2.2.1 If an audit has been performed, determine if the specific database servers under
consideration for inclusion in the scope of this audit have been included in the
operating system review
2.2.1.1 Obtain the work papers for the previous audit.

2.2.1.2 Review the security configuration, and determine if identified issues have been
resolved.
2.2.1.3 Determine if the database specific servers under consideration for inclusion in
the scope of this audit were included in the OS review.
2.2.2 If an audit has not been performed or the database servers were not within scope,
consider performing an audit of the MySQL Server’s host operating system prior to
continuing with this audit/assurance program.
2.3 Select the MySQL servers to be included in the review.

2.3.1 Based on the prioritized list of MySQL servers developed previously, identify the
servers to be included in the review. Be sure that there is a representative sample of
database high-risk servers. A group of servers may have similar functions and can be
aggregated into a group.
2.3.2 Determine if there are a corporate standard server configuration and related settings
for MySQL servers.
3. If a corporate standard server configuration and related settings for MySQL servers do
not exist, recommend the development of standards as a basis for continuing the
audit.
3.1 Obtain documentation for the servers to be reviewed.

3.1.1 Print out the file /chroot3/my.cnf, the host operating system’s utilities or reporting
software.4
3.1.2 Obtain an understanding of the operating environment and management issues.
3.1.3 Interview the senior operating systems management analyst (manager or director) to
obtain an understanding of policies, procedures, and known issues and known (risk-

3
The directory /choot is a directory directly subordinate to the ROOT of a volume. It can have any name but its purpose is to isolate the directory structure of the MySQL files from other directories.
4
Consult UNIX/LINUX documentation for specific commands and locations.
© 2010 ISACA. All rights reserved. Page 15
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

based accepted) deviations from policies and procedures.

4. HOST SYSTEM
4.1 Hardened Host System
Audit/Assurance Objective: The operating system of the server that hosts the MySQL server has
been configured to address identified security vulnerabilities or compensating controls for
residual risks.
5. MySQL Server is Isolated AI3.2
X
Control: MySQL Server is hosted on a dedicated server. DS9.1
5.1.1.1 Verify that the computer hosting the MySQL Server is dedicated to the MySQL
server function.
6. MySQL Server Operating System Configuration AI3.2
Control: The host operating system is configured to ensure the MySQL server will not be DS5.3
subject to host operating system configuration vulnerabilities. DS5.4
DS9.1 X
DS9.2
DS9.3
DS13.1
6.1.1.1 Determine if an assurance review has been performed on the configuration of the
host MySQL Server.
6.1.1.2 If an assurance review has been performed, determine that all follow-up security
issues have been corrected.
6.1.1.3 If an assurance review has not been performed, execute a review of the host server
prior to continuing with this assessment. It is suggested that you use the relevant
audit/assurance program available from ISACA.
6.1.1.4 Determine if a list of authorized services and daemons exists for MySQL Servers.
6.1.1.4.1 If a list exists, examine the list for potentially risky modules or services.
6.1.1.4.2 If no list exists, determine how servers are protected from unauthorized 6.1.1.4.3 6.1.1.4.4 6.1.1.4.5
services or modules.
6.1.1.5 Determine that only core services required to host a MySQL Server are installed.
6.1.1.5.1 Determine the services running on the host server.
6.1.1.5.1.1 Run ntsysv or rcconf (for UNIX/Linux installations).
6.1.1.5.2 Determine the services installed on the host server
© 2010 ISACA. All rights reserved. Page 16
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

6.1.1.5.2.1 List files in /etc/services /etc/rcx /etc/init.d (applicable to

UNIX/Linux installations).
6.1.1.5.2.2 Determine services built into the server build.
6.1.1.5.3 Investigate and evaluate modules or services not on the approved list. If an
approved list does not exist, use best-practice lists.
7. MySQL Server Security Updates AI3.2
Control: OS updates are applied routinely. DS9.1 X
DS9.2
7.1.1.1 Determine if policies exist that prescribe how security updates are evaluated,
prioritized, tested and applied to the production servers.
7.1.1.2 If policies exist, obtain the update logs.
7.1.1.2.1 Determine if the update policy has been followed.
7.1.1.3 If policies do not exist, determine how security updates are evaluated, prioritized,
tested and applied to production servers.
8. User Access to \chroot AI3.2
Control: Minimum users should have access to \chroot. DS5.3
X
DS5.4
DS9.2
8.1.1.1 Identify users having access to \chroot.
8.1.1.1.1 Execute the following command to identify all IDs having ROOT access:
find / -perm +4000 -user \chroot -type f (for UNIX/Linux server).
9. WEB SERVER
9.1 Web Server Security
Audit/Assurance Objective: If a web server is operating with the MySQL Server, the web server
has been adequately secured.
10. Web Server Assurance
Control: A web server assurance review has been performed on the host system, and all
significant findings have been appropriately remediated.
10.1.1.1 Determine if a web server assurance review has been performed for the servers
hosting the MySQL databases.
10.1.1.2 If the web servers have been reviewed, evaluate the findings and
recommendations.
© 2010 ISACA. All rights reserved. Page 17
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

10.1.1.2.1 Determine if significant findings have been remediated.

10.1.1.2.2 Determine if any unremediated findings would affect the integrity of the
MySQL assessment.
10.1.1.3 If a web server review has not been performed for the system hosting the
MySQL database, consider performing said assessment prior to continuing with
the MySQL review. Consider using a relevant audit/assurance program, if
applicable, from ISACA.
11. MYSQL SERVER5
11.1 Secure Authentication
Audit/Assurance Objective: The MySQL Server is protected from unauthorized access.
12. MySQL Server Restricted Access to OS DS5.3
Control: MySQL Server is run as a nonprivileged user. DS5.4
X
DS9.1
DS9.2
5.1.1.1Determine that the MySQL Server has its own UID and GID.
5.1.1.1.1On the server, enter cat /etc/password.
5.1.1.1.2If Apache Web Server is installed, verify that the Apache Server has a
dedicated user ID
5.1.1.1.3Verify that the UID of the MySQL Server is greater than 999
(nonprivileged user).
13. MySQL Server UID has No Directory or Shell DS5.3
Control: The MySQL Server UID settings include no directory or shell. DS5.4
X
DS9.1
DS9.2
13.1.1.1 Determine that the MySQL Server login has no directory or shell.
5.1.2.1.1On the server, enter: FINGER and the UID for the MySQL Server
account.
5.1.2.1.2Verify the following:
 dir = /dev/null
 shell = /sbin/nologin
5
Most of the operating system commands given in the following sections are applicable for UNIX/Linux servers. For Windows servers, the relevant documentation of “MySQL server for
Windows” should be consulted (refer to www.mysql.com).
© 2010 ISACA. All rights reserved. Page 18
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

14. MySQL Server Has a Separate Password File DS5.3

Control: The MySQL Server has a separate password file for access to the MySQL Server. DS5.4
X
DS9.1
DS9.2
5.1.3.1Verify that an .htaccess file is in the ROOT directory of the MySQL Server
software.
14.1 Secure Network Services
Audit/Assurance Objective: The MySQL Server configuration establishes secure network
connections.
15. MySQL server Firewall AI3.2
Control: A firewall has been installed on the MySQL Server. DS5.5 X
DS5.10
15.1.1.1 Obtain the configuration of the firewall.
15.1.1.2 Determine if the MySQL Server uses the standard port 3306.
15.1.1.3 If a different port is used, determine that the appropriate NAT translation is
installed.
15.1.1.4 Determine that the firewall limits access to the MySQL Server base system. If
remote access to the server is permitted, verify that the port is nonstandard and
appropriate.
16. Data Transmissions over the Internet are secure.
Control: Data encryption is used when communicating with the MySQL Server.
5.2.2.1 Test the data stream using the command:
Tcdump–l–i eth0–w–src or dst port 3306|strings
If plain text is visible, encryption is not in use. If the data are encrypted, the data
will appear with extraneous characters.
16.1 Secure Server Components
Audit/Assurance Objective: The MySQL Server configuration secures the MySQL modules and
content.
17. Secure Directories AI3.2
Control: MySQL Server directories are secured against unauthorized access using chroot. DS9.1 X
DS9.2
17.1.1.1 Determine that a directory has been created at the ROOT of the hard disk or on a
separate drive.
© 2010 ISACA. All rights reserved. Page 19
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

17.1.1.2 Determine that the MySQL directory has been copied from the /etc directory to
the new ROOT directory (for consistency, this directory will be referred to as
/chroot).
17.1.1.3 Determine that MySQL server is owner of the directory and no other user has
access.
17.1.1.3.1 Enter ls /chroot –l.
17.1.1.3.2 Verify that the access is -rwxr----- (740).
17.1.1.4 Determine that the ROOT content directory /chroot/mysql has MySQL Server
userID as owner and read access to others.
17.1.1.4.1 Enter ls /chroot/mysql –l.
17.1.1.4.2 Verify that the access is -rwxr-xr-x (755).
17.1.1.5 Determine that /chroot/mysql/tmp, containing the logs and scripts, is secure.
17.1.1.5.1 Enter ls /chroot/mysql/tmp –l.
17.1.1.5.2 Determine that the access is ---xrwxrwx (1777).
17.2 MySQL Configuration
Audit/Assurance Objective: The MySQL configuration is designed for maximum security.
18. Remote Access Disabled AI3.2
Control: The MySQL Server is defined to disable remote access. DS9.1 X
DS9.2
18.1.1.1 Verify that the file /chroot/mysql/etc/my.cnf in section mysqld has the parameter
skip-networking.
18.1.1.1.1 Use an editor or file list program to print the my.cnf file.
19. Utilize Configuration Options to Minimize Vulnerabilities AI3.2
Control: Use appropriate configuration options to minimise vulnerabilities. DS9.1 X
DS9.2
5.4.2.1Verify that the LOAD DATA LOCAL INFILE option has been disabled.
5.4.2.1.1Use an editor or file list program to access the my.cnf file.
5.4.2.1.2Determine that the file /chroot/mysql/etc/my.cnf in section mysqld has
the parameter set-variable=local-infile=0.
5.4.2.2Verify that the –socket option forces the mysql socket.
5.4.2.2.1Use an editor or file list program to access the my.cnf file.
© 2010 ISACA. All rights reserved. Page 20
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

5.4.2.2.2Determine that the file /chroot/mysql/etc/my.cnf in the section [client] has

the parameter socket= /chroot/mysql/temp/mysql.sock.
5.4.2.3Verify that the symbolic links to tables have been disabled.
5.4.2.3.1Use an editor or file list program to access the my.cnf file.
5.4.2.3.2Determine that the file /chroot/mysql/etc/my.cnf has the option parameter
–skip-symbolic-links.
20. MySQL ROOT Table Is Protected AI3.2
Control: The MySQL Server is protected with a password and not easily identified user DS5.3
X
ID. DS9.1
DS9.2
5.4.3.1Determine if admin userID has been renamed.
5.4.3.1.1Run phpMyadmin or an equivalent utility, or use the SQL SELECT
command including the user name and password name from the table.
5.4.3.2Determine if a password has been assigned for the admin user ID; if not, anyone
could access ROOT.
5.4.3.2.1Connect to the MySQL server by entering mysql–u root. If you connect,
no password has been assigned.
5.4.3.3Determine if access has been limited.
5.4.3.3.1Enter SHOW GRANTS, and identify users with:
 ALTER TABLES
 ALL PRIVILEGES
 GRANT ALL
 GRANT
 REVOKE
 CREATE
 SHUTDOWN
 LOCK TABLES
 REPLICATION SLAVE
 SUPER
 KILL
 PURGE BINARY LOGS
 SET GLOBAL
 TRIGGER
© 2010 ISACA. All rights reserved. Page 21
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

 UPDATE
Determine if this level of access is appropriate for the concerned users.
21. Other Databases and Users Are Removed AI3.2
Control: Only required databases are installed on the MySQL Server with only required DS9.1 X
users. DS9.2
21.1.1.1 Run phpMyadmin or an equivalent utility, or use the SQL SELECT command
including the user name and password name from the table.
21.1.1.1.1 List the databases displayed.
21.1.1.1.2 Determine if all databases are authorized and required.
21.1.1.1.3 Select each database, and list the user Ids.
21.1.1.1.4 Determine if admin user ID has been renamed.
21.1.1.1.5 Determine if a password has been assigned for the admin user ID; if
not, anyone could access ROOT.
21.1.1.1.6 Determine if the other user IDs are appropriate and have passwords.
22. History File Content Removed
Control: The mysql-history file containing SQL commands has been cleared.
22.1.1.1 Determine that the /chroot/mysql/etc/tmp/.mysql_history file has no contents.
23. DATA BASE INTEGRITY
23.1 Programming Standards
Audit/Assurance Objective: Programming standards protect the MySQL database from
inappropriate data passing to the database.
24. Application Program Standards Require the Use of Special Functions to Strip Escape
Characters
Control: Functions are used to strip out control functions.
24.1.1.1 Determine if mysql_real_escape_string function is in use.
24.1.1.2 Enter the following characters in a field:
16. Escape %1b
17. “ %22
18. ‘ %27
19. # %23
Determine if error messages are generated.

© 2010 ISACA. All rights reserved. Page 22

 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

24.1.1.3 Modify the dynamic URL in the browser:

20. Escape %1b
21. “ %22
22. ‘ %27
23. # %23
Determine if this generates an error or unexpected response.
25. SHARED IT MANAGEMENT SERVICES
25.1 Patch Management
Audit/Assurance Objective: Patch management procedures are consistently applied using
installation policies and procedures.
26. Patch Management
AI3.3
Control: Standard installation patch management policies and procedures are X
DS9.3
implemented for the MySQL Server and host operating system.
26.1.1.1 Obtain the patch management procedures.
26.1.1.1.1 Determine that appropriate testing, authorization, prioritization and
promotion to production procedures are in use for MySQL Server related
programs and files.
26.1.1.2 Obtain recent audit/assurance work papers of patch management.
26.1.1.2.1 Evaluate open issues, and determine their impact on the MySQL Server 26.1.1.2.8 26.1.1.2.9 26.1.1.2.10
26.1.1.2.2
26.1.1.2.3
26.1.1.2.4
26.1.1.2.5
26.1.1.2.6
26.1.1.2.7
controls environment.
26.1.1.3 Obtain the list of the most recent patches, and verify if they are implemented in 26.1.1.3.7 26.1.1.3.8 26.1.1.3.9
26.1.1.3.1
26.1.1.3.2
26.1.1.3.3
26.1.1.3.4
26.1.1.3.5
26.1.1.3.6
line with the policies.
26.2 Log Management 26.2.1.1.7 26.2.1.1.8 26.2.1.1.9
Audit/Assurance Objective: Logs of critical MySQL Server activities are available for review 26.2.1.1.1
26.2.1.1.2
26.2.1.1.3
26.2.1.1.4
26.2.1.1.5
26.2.1.1.6
and analysis.
7.2.1Log Management AI3.2
Control: Management generates appropriate security logs, reviews logs regularly, and DS5.5
retains the logs for discovery and forensic analysis. DS5.7
X
DS9.2
DS13.3
ME1
26.2.1.2 Obtain the installation log policies.

© 2010 ISACA. All rights reserved. Page 23

 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

26.2.1.3 Determine that appropriate logs are generated and retained.

26.2.1.4 Select a sample of critical logging reports.
26.2.1.5 Review the procedures for evidence of management review, incident escalation
based on the review of logs, defined response times and retention policies.
26.2.1.6 Determine that the logs directory is “read only” for normal users to prevent
alteration.
26.3 Incident Management
Audit/Assurance Objective: Incident management processes assure that issues affecting the
MySQL Server environment are identified and researched, an action plan for remediation is
established, protection actions are implemented, significant issues are escalated to appropriate
management, incidents are closed, and incident trends are analyzed.
27. Incident Management DS5.6
Control: Enterprise incident management processes include MySQL Server activities, and DS8
X X X
the incident management processes are actively monitored. DS10
ME1
27.1.1.1 Verify that problems and security incidents are properly classified and
recognizable.
27.1.1.2 Obtain documentation about the enterprise incident management process.
27.1.1.3 Determine if database activities are included in the incident management
procedure.
27.1.1.4 Select database-related incidents from the incident management system. Follow
the process for incident investigation and remediation to closure.
27.1.1.5 Determine if significant security incidents have been escalated to the appropriate
officials.
27.1.1.6 Determine if remediation and closure have been appropriately documented.
27.2 Intrusion Monitoring and Prevention
Audit/Assurance Objective: MySQL Servers are included in the intrusion detection/prevention
activities of the enterprise.
28. Intrusion Detection/Prevention DS5.5
Control: MySQL Servers are within the scope of the enterprise intrusion DS5.9 X X X
detection/prevention policies. DS13.3
28.1.1.1 Determine if an audit/assurance assessment has been performed of the intrusion
© 2010 ISACA. All rights reserved. Page 24
 MySQL™ Server Audit/Assurance Program
COSO

Risk Assessment
COBIT Referenc Issue

Control Activities
Information and
Communication
Audit/Assurance Program Step Cross- e Cross- Comments

Environment

Monitoring
reference Hyper- reference

Control
link

monitoring and detection process associated with network perimeter audits.

28.1.1.2 If audits have been performed, obtain the work papers and report.
28.1.1.3 Determine if the scope of the intrusion detection/prevention process includes the
MySQL Server environment.
28.1.1.4 If an audit has not been performed or the MySQL Server environment has been
excluded from the standard monitoring process, expand the scope of this audit or
perform a separate audit of the intrusion monitoring program.
29. MYSQL SERVER ADDITIONAL COMPONENTS
Audit/Assurance Objective: Additional MySQL Server components provide adequate security to
prevent unauthorized access to MySQL Server services and database content.
29.1 The audit/assurance professional can add audit steps for Secure Sockets Layer (SSL)
database extensions, database dynamic content components, Server Side Includes and
common gateway interfaces (CGI). Since these components will vary by installation, it is
preferable to customize the audit/assurance program to fit the specific installation
components. They can be filled in below.

© 2010 ISACA. All rights reserved. Page 25

 MySQL™ Server Audit/Assurance Program

VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance
review, and the reviewer’s observations, assign a maturity level to each of the following COBIT control objectives.

Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objective
link
AI3.2 Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration
and maintenance of hardware and infrastructural software to protect resources and ensure
availability and integrity. Responsibilities for using sensitive infrastructure components should
be clearly defined and understood by those who develop and integrate infrastructure
components. Their use should be monitored and evaluated.
AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance, and ensure that changes are
controlled in line with the organisation’s change management procedure. Include periodic
reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities
assessment and security requirements.
DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems
(business application, IT environment, system operations, development and maintenance) are
uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user
access rights to systems and data are in line with defined and documented business needs and
that job requirements are attached to user identities. Ensure that user access rights are requested
by user management, approved by system owners and implemented by the security-responsible
person. Maintain user identities and access rights in a central repository. Deploy cost-effective
technical and procedural measures, and keep them current to establish user identification,
implement authentication and enforce access rights.
DS5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and
related user privileges with a set of user account management procedures. Include an approval
procedure outlining the data or system owner granting the access privileges. These procedures
should apply for all users, including administrators (privileged users) and internal and external
users, for normal and emergency cases. Rights and obligations relative to access to enterprise
systems and information should be contractually arranged for all types of users. Perform regular
management review of all accounts and related privileges.
© 2010 ISACA. All rights reserved. Page 26
 MySQL™ Server Audit/Assurance Program
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objective
link
DS5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be
reaccredited in a timely manner to ensure that the approved enterprise’s information security
baseline is maintained. A logging and monitoring function will enable the early prevention
and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may
need to be addressed.
DS5.6 Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be
properly classified and treated by the incident and problem management process.
DS5.10 Network Security
Use security techniques and related management procedures (e.g., firewalls, security
appliances, network segmentation, intrusion detection) to authorise access and control
information flows from and to networks.
DS9.1 Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on
configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of
configuration items for every system and service as a checkpoint to which to return after
changes.
DS9.2 Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the
configuration repository. Integrate these procedures with change management, incident
management and problem management procedures.
DS9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and
historical configuration. Periodically review installed software against the policy for software
usage to identify personal or unlicensed software or any software instances in excess of current
license agreements. Report, act on and correct errors and deviations.

© 2010 ISACA. All rights reserved. Page 27

 MySQL™ Server Audit/Assurance Program

VIII. Assessment Maturity vs. Target Maturity

This spider graph is an example of the assessment results and maturity target for a specific company.

© 2010 ISACA. All rights reserved. Page 28