Database Audit Work Program

The document outlines a comprehensive database audit work program, detailing audit objectives and steps for assessing areas such as security, access, availability, backup, recovery, and integrity. It provides a structured approach for evaluating database controls, including password management, segregation of duties, patch management, and monitoring of privileges and violations. The program emphasizes the importance of ensuring that database operations are secure, efficient, and compliant with organizational policies.

Uploaded by Phumzile Mpanza

DATABASE AUDIT WORK PROGRAM

1 Source: www.knowledgeleader.com
Table of Contents
DATABASE AUDIT WORK PROGRAM: SAMPLE 1 .......... 3

DATABASE AUDIT WORK PROGRAM: SAMPLE 1

PROJECT TEAM (LIST MEMBERS):

Project Timing Date Comments

Planning
Fieldwork
Report Issuance (Local)
Report Issuance (Worldwide)

AUDIT OBJECTIVES
The purpose of this document is to provide the general steps of a database administration review audit.
This work program identifies audit steps in the areas of general security, access, database availability,
backup and recovery, development and integrity, and database host operating system security.

Time Project Work Step Initial Index

General Security

General Database Controls

Audit Steps to Take


• Review the database application to determine if:
− The application has a built-in mechanism to ensure password
complexity and encryption.
− Product profiles exist that can be set up in order to limit user
access to certain database commands or products.
− Product profiles exist in order to consistently set up roles,
privileges and profiles used by the entity.
− Passwords are unique, strong, encrypted and periodically
changed.
• Look for the policies and procedures outlining:
− Password creation, assignment, use and monitoring
− Profile creation, assignment, use and monitoring
− Role creation, assignment, use and monitoring

What to Look for


• Ensure that passwords are unique and renewed regularly.
• Ensure that passwords are encrypted.
• Ensure that object privileges exist that grant a user the right to
access and possibly manipulate data within an object, or the right
to execute stored procedures.


• Ensure that product profiles exist that limit user access to certain
database commands or products.
• Ensure that roles are created and assigned to users as a means
of granting them the necessary privileges to perform their duties.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Controls Within Database Tools

Audit Steps to Take


• Review the password list to identify if and when the default
passwords were changed.
• Review daily logs to ensure that various activities are being
captured by the auditing functions of the database to allow the
monitoring and recording of activities within the database.
• Review the retention policy on audit trails and logs.
• Review the policies and procedures on periodic reviews of the
database logs.

What to Look for


• Ensure that the default database passwords are changed.
• Ensure that the level of system and object auditing in place within
the database environment is consistent with business
requirements and active.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Segregation of Duties

Audit Steps to Take


• Review responsibilities associated with a database environment to
ensure that the areas of database operation, maintenance, design
and security are separated among different functional units.
• Discuss roles and responsibilities with database administrators
(DBAs), (Insert Name) and (Insert Name).
• Look for conflicts of access within the organizational structure.
• Look for conflicts of duties by discussing with (Insert Name) and
the DBAs the roles of DBAs, development, network, systems
services and IT operations support groups.

What to Look for


• Ensure that policies, procedures and an organizational structure
are established so that one individual cannot control key aspects
of database-related operations.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Operation Efficiency

Audit Steps to Take


• Review policies and procedures to determine if database
management and performance criteria have been established and
periodically reviewed to assess that:
− Free space is monitored regularly.
− Database growth and performance criteria are monitored.

What to Look for


• Ensure that the placeholder is not applicable to (Server).
• Ensure that performance and the ability to recover the database is
maintained.
• Ensure that resource constraints are identified and removed
before they have a negative effect on production.
• Ensure regular defragmentation of disks.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Patch Management

Audit Steps to Take


• Review policies and procedures for identifying, applying and
testing database patches.
• Determine if the database version is current and supported by
reviewing and comparing the version to current versions
supported on the vendor’s website.
• Inquire how DBAs monitor and are notified of new patches.

What to Look for

• Ensure that a process exists for applying database patches and
that the database version is current.
• Determine that DBAs monitor and are notified of new patches.
• Ensure that all database updates and patches are adequately
tested before being applied to production environments.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Login

Password Controls

Audit Steps to Take


• Obtain a full listing of the database user accounts to ensure that
the database authentication process is secure:
− Determine that all users represent valid and authorized users
and processes.
− Review the password list to ensure that default accounts and
passwords are not used. Verify this by attempting to log onto
the database using the default accounts and passwords.
− Through a review of program processes and discussion with
developers and database administration personnel, determine
whether application programs or utilities connect to the
database from within the program code and that program
codes containing passwords and IDs are protected by
appropriate file and directory permissions.
− Review policies and procedures to verify password change
requirements and formats.

What to Look for


• Ensure that users cannot access the database with invalid
usernames or passwords.
• Ensure that password and system resources for the database are
configured properly and configured to agree with the corporate
password guidelines/policies.
• Ensure that the system resource profiles put limits on system use
and provide password management functions.
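Added example, not part of the work program: data-dictionary queries that produce the evidence the Password Controls steps ask for, written for Oracle (an assumption; the program's terms "profile", "admin option" and "database link" are Oracle's). The reviewer's account is assumed to have SELECT on the DBA_* views, for example through SELECT_CATALOG_ROLE.

```sql
-- Added example (not the work program's own material). Oracle is assumed;
-- thresholds mentioned in comments are constructed and should follow the
-- corporate password policy.

-- 1. Accounts still set to a vendor default password. Oracle keeps the list
--    of known defaults itself; a row here is a finding unless the account is
--    expired and locked.
SELECT d.username, u.account_status, u.profile, u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.account_status, d.username;

-- 2. Password-management and resource limits enforced by each profile.
--    Compare UNLIMITED and DEFAULT values against the corporate guidelines
--    (e.g. lockout after a small number of failures, a bounded life time,
--    a verify function that enforces complexity).
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_LIFE_TIME', 'PASSWORD_GRACE_TIME',
                         'PASSWORD_REUSE_MAX', 'PASSWORD_REUSE_TIME',
                         'PASSWORD_VERIFY_FUNCTION',
                         'SESSIONS_PER_USER', 'IDLE_TIME')
 ORDER BY profile, resource_name;

-- 3. Open accounts whose password never expires: no expiry date means the
--    profile's PASSWORD_LIFE_TIME is UNLIMITED, so no periodic change is
--    enforced for them.
SELECT username, profile, created
  FROM dba_users
 WHERE account_status = 'OPEN'
   AND expiry_date IS NULL
 ORDER BY username;
```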

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion


Access

Security Administration

Audit Steps to Take


• Review policies, processes and procedures for monitoring key
database functions and security-related events to determine if
system activity is regularly monitored.
• Review the company’s data classification standards and
requirements for encryption.
• Identify any database links used within the database and the
business purpose for the links and gather information about the
use and purpose of all trusted databases. Determine if private or
public links are used.
• Discuss with the DBAs their processes for monitoring key
database functions and security-related events to determine if
system activity is regularly monitored.

What to Look for


• Ensure that controls provide reasonable assurance that
unauthorized users cannot access information held in the
database.
• Ensure that controls provide reasonable assurance that
information is protected against unauthorized modification or
impairment.
• Ensure that controls provide reasonable assurance that
information is not lost because of unauthorized access.
• Security parameters are adequately defined and in place around
database links and reviewed periodically.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Privileges Monitoring

Audit Steps to Take


• Obtain printouts of the roles and privileges tables by users to
ensure that user access is properly restricted through the
assignment of restrictive roles and privileges.
• Ensure that there is monitoring of system-level privileges in the
production databases. Monitoring should be restricted to trained
and trusted security personnel.

What to Look for

• Ensure that all users defined to a database are appropriate and
valid, have database privileges that are consistent with
business requirements, and are subject to appropriate password
controls.
• Ensure that interactive users in a production environment are
restricted to the select privilege by specific privilege or role.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Violation Monitoring

Audit Steps to Take


• Obtain printouts of the log audit actions and DBA audit objects:
− Ensure that critical commands on objects (e.g., create, alter
and drop) are logged and reviewed.
− Determine that critical system and user objects are logged for
changes, additions and deletions and that the log is reviewed
and followed up on.
− Review the retention policy on audit trails and logs.

What to Look for


• Access is monitored to ensure that it corresponds to each
user’s job responsibilities.
• Ensure that critical security events are being detected and
reported to the DBA.
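Added example, not from the work program: queries against Oracle's traditional auditing views that show which actions are being captured and pull the create/alter/drop and failed-logon records the Violation Monitoring steps ask to review. Oracle, the 30-day review window and the attempt threshold are assumptions; databases using unified auditing hold the same information in UNIFIED_AUDIT_TRAIL instead.

```sql
-- Added example (not the work program's own material). Oracle traditional
-- auditing is assumed; the review window and threshold are constructed.

-- 1. Statement-level audit options switched on system-wide, and whether
--    successful and failed attempts are captured ('NOT SET' means that
--    outcome is not audited). Compare with the DDL the program expects to
--    see logged (create, alter, drop).
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL            -- system-wide, not per-user options
 ORDER BY audit_option;

-- 2. Object changes in the review window: who created, altered or dropped
--    what, from which host, and whether the statement succeeded
--    (returncode 0) or failed.
SELECT timestamp, username, os_username, userhost,
       action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE timestamp >= SYSDATE - 30
   AND (action_name LIKE 'CREATE %'
        OR action_name LIKE 'ALTER %'
        OR action_name LIKE 'DROP %')
 ORDER BY timestamp DESC;

-- 3. Failed logons grouped by account and source host. Typical codes are
--    1017 (ORA-01017, wrong password) and 28000 (ORA-28000, account locked);
--    a burst against one account from one host is what to escalate.
SELECT username, userhost, returncode, COUNT(*) AS attempts,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp >= SYSDATE - 30
 GROUP BY username, userhost, returncode
HAVING COUNT(*) >= 5                -- constructed threshold
 ORDER BY attempts DESC;
```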

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Sensitive Roles

Audit Steps to Take


• Obtain printouts of the roles and privileges tables by user to:
− Identify stored procedure tables, ensure that user privileges to
these are limited, and execute them as required by their user
job descriptions.
− Ensure that access to confidential data is restricted on a per-user basis.
− Ensure that the admin option, which allows a user to grant
system privileges to other users, is restricted to users with the
highest authority levels (e.g., database administrators).


What to Look for


• Ensure that the users’ access is commensurate with their job
responsibilities.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Database Availability, Backup and Recovery

Backup Processes and Procedures

Audit Steps to Take


• Inquire if there is a documented disaster recovery plan in place
that is regularly tested. Review backup and restore policies and
procedures.
• Review documented disaster recovery procedures and confirm
that they are tested regularly as well as ensure that the backup
strategy is sufficient to meet this requirement.
• Inquire about the processes for securing and storing tape
backups. Review media storage policies and procedures.

What to Look for


• Ensure that the database has backup and recovery procedures
developed and that they are being utilized.
• Ensure that when unexpected events occur, critical operations
continue without interruption or are promptly resumed, and critical
and sensitive data are protected.
• Ensure that databases are kept at the same release level.
• Ensure that exports are secured.
• Ensure that the database is protected against disk failure.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Readability and Restorability

Audit Steps to Take


• Review the backup storage media cataloging, storage and control
procedures to ensure that backups are completed successfully,
labeled internally and externally, and rotated off-site to a secure
location.

• Review policies and procedures for backup and restore
processes. Verify that a well-documented procedure exists for
both the backup and restore processes and could be expected to
be followed by other authorized personnel who are not the current DBAs.
• Obtain and review the database recovery testing documentation
and test results. Ensure that a couple of disk-failure recovery
scenarios have been tested successfully.

What to Look for


• Ensure that backup archives are protected.
• Ensure that the restoration process is properly conducted.
• Ensure that cumulative backups are being used instead of
incremental backups as often as possible.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Development and Integrity

Change Controls Within Database

Audit Steps to Take


• Obtain and review database development standards and
procedures to ensure that development and integrity controls are
in place to protect the database from unintentional changes made
by users or processes.

What to Look for


• Ensure that update access (INSERT, UPDATE, DELETE and
ALL) to critical tables is restricted to authorized user accounts and
is regularly reviewed.
• Ensure that new users will not have access to the old users’
objects.
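Added example serving the Privileges Monitoring, Sensitive Roles and Change Controls steps above, not part of the work program: Oracle data-dictionary queries that produce the "roles and privileges by user" listings and flag admin-option holders, DBA-role holders and update access to critical tables. Oracle is an assumption, as are the constructed critical-table list (HR.EMPLOYEES, FIN.LEDGER) and approved DBA accounts (DBA_ALICE, DBA_BOB), which stand in for the organization's own values.

```sql
-- Added example (not the work program's own material). Oracle is assumed;
-- table names and approved DBA accounts below are constructed placeholders.

-- 1. Who holds system privileges WITH ADMIN OPTION (and can grant them on).
--    Any grantee outside the approved DBA accounts is an exception.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA_ALICE', 'DBA_BOB')  -- constructed
 ORDER BY grantee, privilege;

-- 2. Accounts and roles holding the DBA role, with whether they may pass it on.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Update access (INSERT/UPDATE/DELETE) on critical tables, resolving one
--    level of role grants to the accounts that ultimately hold them. A grant
--    to PUBLIC shows up as a direct grantee and is always a finding; in
--    production, interactive users should appear here only with SELECT,
--    i.e. not at all.
WITH crit AS (
  SELECT 'HR'  AS owner, 'EMPLOYEES' AS table_name FROM dual UNION ALL
  SELECT 'FIN' AS owner, 'LEDGER'    AS table_name FROM dual
),
grants AS (
  SELECT p.grantee, p.owner, p.table_name, p.privilege
    FROM dba_tab_privs p
    JOIN crit c ON c.owner = p.owner AND c.table_name = p.table_name
   WHERE p.privilege IN ('INSERT', 'UPDATE', 'DELETE')
)
SELECT DISTINCT
       COALESCE(r.grantee, g.grantee) AS account,
       g.owner, g.table_name, g.privilege,
       CASE WHEN r.grantee IS NULL THEN 'direct'
            ELSE 'via role ' || g.grantee END AS granted_how
  FROM grants g
  LEFT JOIN dba_role_privs r ON r.granted_role = g.grantee
 ORDER BY account, g.owner, g.table_name, g.privilege;
```

Roles nested more than one level deep (a role granted to a role) need the third query repeated against each intermediate role or a hierarchical query; the one-level form is enough to surface the direct and first-level grants most reviews start from.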

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Sensitive Roles and Access

Audit Steps to Take


• Select a sample of user access requests and determine that
access is approved by the appropriate business/system owners
and whether access is commensurate with each user’s job
responsibilities.
• Compare the approved access requests to the roles assigned to
users to ensure that roles are appropriately assigned.
• Review accounts that are assigned high-privilege roles, such as
DBA. Discuss the business requirement for this type of access
with the database administrator.

What to Look for


• Ensure that sensitive roles and access in the production
databases are restricted to trained and trusted security personnel.
• Ensure that production databases are restricted to a very small
number of trusted individuals.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Physical Controls

Audit Steps to Take


• Tour the data center, identify the location of key database systems
and ensure that physical controls are in place to protect database
systems and that systems have password protected screen savers
in place on server terminals.
• Inquire about the processes for securing and storing tape
backups.
• Review the processes for disposal of damaged or obsolete
equipment.

What to Look for


• Ensure that the systems are stored in a secure environment.
• Ensure proper disposal of damaged or obsolete equipment.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Database Host Operating System Security

Security Administration

Audit Steps to Take


• Obtain and review policies and procedures relating to server and
user security to ensure that:
− They are documented.
− Programmed tools or scripts are used to ensure that the security
policies and procedures are being followed.
− The password file is reviewed frequently for password
existence, strength and privileges.
− Intruder detection is activated.
− There is a regular review of failed logins.
− Encryption is used for all communications between the client
and the server.

What to Look for


• Access to the database files at the operating system (OS) level has
been appropriately restricted through the use of OS-level
file/directory protection.
• Ensure that strong user authentication methods are used.
• Ensure that the database is protected by a firewall from any third-
party or internet access points.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion

Privileges Monitoring

Audit Steps to Take


• Obtain and review policies and procedures related to server and
user privileges to ensure that:
− The permissions file is reviewed regularly.
− Entries that grant excessive capabilities are removed.
− Group memberships are closely monitored and memberships in
sensitive groups are restricted to those who require them.

What to Look for


• Security-related system parameters/privileges are highly restricted.

Work to Complete
(Insert Steps Here That Are Customized to Your Organization)

Develop a Conclusion
