Group 2 - Auditing Database Systems

This document provides an overview of auditing database systems and covers several key topics: 1) It describes two approaches to data management - the flat-file model and database model. 2) It discusses three common database models - hierarchical, network, and relational - and how they define and structure data. 3) It outlines the role of database technology in distributed environments and control/audit issues related to data management.

Uploaded by

Ace Desabille

Security Part II: Auditing Database Systems

Lay-out of topics: AUDITING OF DATABASE SYSTEMS

▸ Focus: SOX compliance regarding the security and control of organization databases
▸ 2 general approaches: Flat-file model and Database model

1. Describes flat-file data management; private ownership of data
2. Overview of the database model and how problems associated with the flat-file model are resolved under the database approach
3. Key functions and defining features of 3 common database models (hierarchical, network and relational models)
4. Role of database technology in the distributed environment
5. Control and audit issues related to data management

DATABASE

▸ Definition:
○ A structured set of data held in a computer, especially one that is accessible in various ways.
○ An organized collection of data, generally stored and accessed electronically from a computer system.
○ Where databases are more complex, they are often developed using formal design and modeling techniques.

DATABASE MANAGEMENT SYSTEM (DBMS)

- Extracts information from the database in response to queries.

DATABASE SOFTWARE:
- Oracle database
- MySQL
- PostgreSQL
- MariaDB
- Microsoft SQL Server

DATA MANAGEMENT APPROACHES

▸ 1. Flat-file Model

▸ 2. Database Model

FLAT-FILE METHOD

▸ Flat files are files that contain records with no structured relationships to other files
▸ Associated with large, older legacy systems still in use today
▸ Promotes a single-user view approach where end users own rather than share data files
▸ Therefore, data files are structured, formatted and arranged per the "owner's" specification.

FLAT-FILE METHOD

▸ Data redundancy: replication of essentially the same data in multiple files
▸ Separate data sets for each user lead to data redundancy, which causes problems with:
■ Data storage: commonly used data is duplicated multiple times within the organization
■ Data updating: changes must be made separately for each user. If updating fails, there is a currency-of-information problem, with users having outdated information
■ Task-data dependency: users cannot obtain additional information as their needs change

Flat-file model

DATABASE APPROACH

▸ Access to the data resource is controlled by a database management system (DBMS)
▸ DBMS: a special software system that is programmed to know which data elements each user is authorized to access.
▸ The user's program sends a request for data to the DBMS; the request is denied if the user is not authorized.
▸ Centralizes the organization's data into a common database shared by the user community

DATABASE APPROACH

▸ All users have access to the data they need, which may overcome flat-file problems
■ Elimination of data storage problem: no data redundancy
■ Elimination of data updating problem: a single update procedure eliminates the currency-of-information problem
■ Elimination of task-data dependency problem: users are constrained only by the legitimacy of their access needs

Database MODEL

KEY ELEMENTS OF THE DATABASE ENVIRONMENT

○ Database Management System (DBMS)
○ Users
○ Database administrator
○ Physical database
○ DBMS models

Relationship between the elements of database environment

DBMS FEATURES

▸ Program Development – applications may be created by programmers and end users
▸ Backup and Recovery – copies made during processing
▸ Database Usage Reporting – captures statistics on database usage (who, when, etc.)
▸ Database Access – authorizes access to sections of the database

DATA DEFINITION LANGUAGE

▸ Identifies the names and the relationship of all data elements, records, and files that constitute the database.
▸ Used to define the database to the DBMS on three levels (views):
○ 1. physical internal view
○ 2. conceptual view (schema)
○ 3. user view (subschema)

DATABASE VIEWS
1. Internal/Physical View

▸ Physical arrangement of records in the database
▸ Lowest level of representation
▸ Describes structures of data records, linkage between files, and physical arrangement and sequence of records in a file.
▸ Only one internal view.
▸ Conceptual/Logical view (schema): describes the entire database logically and abstractly rather than physically. Only one conceptual view.
▸ External/User view (subschema): portion of database each user views. May be many distinct users.

DATABASE VIEWS
2. Conceptual/Logical View (Schema)

▸ Describes the entire database logically and abstractly rather than physically
▸ Represents the database logically and abstractly
▸ Only one conceptual view.

DATABASE VIEWS
3. External/User View (Subschema)

▸ Portion of database each user views.
▸ May be many distinct users.
▸ Example:
○ A user in the personnel department may view the database as a collection of employee records and is unaware of the supplier and inventory records seen by the users in the inventory control department.

Data Manipulation Language (DML)

▸ DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data to/from the database.
▸ Entire user programs may be written in the DML, or selected DML commands can be inserted into universal programs, such as COBOL and FORTRAN.
▸ Can be used to 'patch' third-party applications to the DBMS

Overview of DBMS Operation

DBMS Operation
1. User program sends a request for data to the DBMS.
2. DBMS analyzes the request by matching the called data elements against the user view and conceptual view (authorized/denied).
3. DBMS determines the data structure parameters from the internal view and passes them to the operating system.
4. Operating system interacts with the disk storage device to retrieve the data from the physical database.
5. Operating system stores the data in a main memory buffer area.
6. DBMS transfers the data to the user's work location in main memory.

Informal Access: Query Language

▸ Query is an ad hoc access methodology for extracting information from a database.
○ Users can access data via direct query, which requires no formal application programs.
▸ IBM's Structured Query Language (SQL) has emerged as the standard query language.
▸ Query feature enhances ability to deal with problems that pop up but poses an important control issue.
○ Must ensure it is not used for unauthorized database access

Functions of the Database Administrator (DBA)

Database Administrator (DBA)

▸ Responsible for managing the database resource.
▸ Data Dictionary:
○ Describes every data element in the database
○ Enables all users to share a common view of the data resource, thus greatly facilitating the analysis of user needs.
○ May be in both paper form and online

Organizational Interaction of the DBA

The Physical Database
▸ Lowest level and the only one in physical form
▸ Magnetic spots on metallic-coated disks that create a logical collection of files and records.
▸ Data structures are the bricks and mortar of the database
○ Allow records to be located, stored, and retrieved
○ Two components: organization and access methods
▸ The organization of a file refers to the way records are physically arranged on the storage device, either sequential or random
▸ Access methods are programs used to locate records and to navigate through the database

▸ CRITERIA THAT INFLUENCE SELECTION OF DATA STRUCTURE:
▸ 1. Rapid file access and data retrieval
▸ 2. Efficient use of disk storage space
▸ 3. High throughput for transaction processing
▸ 4. Protection from data loss
▸ 5. Ease of recovery from system failure
▸ 6. Accommodation of file growth

▸ DATABASE MODELS

▸ A Data Model is an abstract representation of the data about entities, including resources (assets), events (transactions) and agents (personnel/customer), and their relationships in an organization.
▸ PURPOSE: To represent entity attributes in a way that is understandable to users

Types of DBMS models

▸ HIERARCHICAL MODEL (navigational model)
▸ NETWORK MODEL (navigational model)
▸ RELATIONAL MODEL

Database Terminology
▸ Data Attribute/Field: single item of data
▸ Entity: database representation of an individual resource, event or agent
▸ Record Type: physical database representation of an entity
▸ Database: set of record types that an organization needs to support its business processes
▸ Occurrence: related to the number of records represented by a particular record type
▸ Attributes: define entities with values that vary (i.e. each employee has a different name)
▸ Associations: record types that constitute a database exist in relation to other record types.

Three basic record associations
○ One-to-one: For every occurrence of Record Type X there is one (or zero) of Record Type Y
○ One-to-many: For every occurrence of Record Type X, there are zero, one or many occurrences of Record Type Y
○ Many-to-many: For every occurrence of Record Types X and Y, there are zero, one or many occurrences of Record Types Y and X, respectively.

The Hierarchical Model

▸ Basis of earliest DBMSs and still in use today
▸ Sets that describe relationship between two linked files
○ Each set contains a parent and a child.
○ Files at the same level with the same parent are siblings
○ Tree structure with the highest level in the tree being the root segment and the lowest file in a branch the leaf

▸ IBM's Information Management System (IMS): most prevalent example, introduced in 1968
▸ Also called a navigational database.
▸ LIMITATIONS
- Presents an artificially constrained view of data relationships
- Doesn't always reflect reality
▸ Usefulness of the model is limited because no child record can have more than one parent, which leads to data redundancy

Hierarchical Data Model

THE NETWORK MODEL

▸ Developed by Committee on Development of Applied Symbolic Language (CODASYL), which was created by ANSI in the late 1970s
▸ Is also a navigational database with explicit linkages between records and files
▸ The distinction is that it permits a child record to have multiple parents
▸ Integrated Database Management System (IDMS): most popular example

The Network Model

THE RELATIONAL MODEL

The Relational Model

▸ Proposed by E.F. Codd in the late 1960s
▸ Difference between this and navigational models is the way data associations are represented to the user

○ Relational model portrays data in two-dimensional tables with attributes across the top forming columns
○ Intersecting the columns to form rows are tuples, which are normalized arrays of data similar to records in a flat-file system
▸ Relations are formed by an attribute common to both tables in the relation

Four characteristics
▸ 1. All occurrences at the intersection of a row and column are a single value. No multiple values are allowed.
▸ 2. The attribute values in any column must all be of the same class.
▸ 3. Each column in a given table must be uniquely named.
▸ 4. Each row in a table must be unique in at least one attribute. This attribute is the primary key.

▸ DATABASES IN A DISTRIBUTED ENVIRONMENT

Centralized Databases in a Distributed Environment
▸ Data retained in a central location.
▸ Remote IT units send requests to the central site, which processes requests and transmits data back to the requesting IT units.
○ Actual processing is performed at the remote IT unit.

▸ Objective of the database approach is to maintain data currency, which can be challenging.
○ During processing, account balances pass through a state of temporary inconsistency where values are incorrect.
○ Database lockout procedures prevent multiple simultaneous access to data, preventing potential corruption.

Distributed Databases: Partitioned Databases
▸ Splits central database into segments distributed to their primary users.
▸ Advantages:
○ Users' control increased by having data stored at local sites.
○ Improved transaction processing response time.
○ Volume of transmitted data between IT units is reduced.
○ Reduces potential data loss from a disaster.
▸ Works best for organizations that require minimal data sharing among units.

The Deadlock Phenomenon
▸ Occurs when multiple sites lock each other out of the database, preventing each from processing its transactions.
○ Transactions are in a "wait" state until locks are removed.
○ Can result in transactions being incompletely processed and the database being corrupted.
▸ Deadlock is a permanent condition that must be resolved with special software that analyzes and resolves conflicts.
○ Usually involves terminating one or more transactions to complete processing of the others in the deadlock.
○ Preempted transactions must be reinitiated.
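
The resolution step described above, sketched as an added example (not part of the original slides). It assumes each waiting transaction waits on exactly one lock holder, and that the youngest transaction in a cycle is the one preempted; the transaction names and start times are constructed.

```python
# Constructed wait-for edges: transaction -> transaction holding the lock it needs.
WAITS_FOR = {
    "T1_siteA": "T2_siteB",
    "T2_siteB": "T3_siteC",
    "T3_siteC": "T1_siteA",  # closes the cycle: none of the three can proceed
    "T4_siteA": "T1_siteA",  # blocked behind the cycle, but not part of it
}
# Constructed start times used as transaction time stamps.
START_TIME = {"T1_siteA": 100, "T2_siteB": 105, "T3_siteC": 109, "T4_siteA": 111}


def find_cycle(waits_for):
    """Return the transactions forming the first wait cycle found, or []."""
    for start in sorted(waits_for):
        path, node = [], start
        # Follow the chain of waits until it ends or revisits a transaction.
        while node in waits_for and node not in path:
            path.append(node)
            node = waits_for[node]
        if node in path:
            return path[path.index(node):]
    return []


def resolve(waits_for, start_time):
    """Preempt one transaction per cycle until no deadlock remains.

    Returns (preempted, remaining_waits). Preempted transactions must be
    reinitiated by the caller once the others have completed.
    """
    waits_for = dict(waits_for)  # work on a copy
    preempted = []
    while True:
        cycle = find_cycle(waits_for)
        if not cycle:
            return preempted, waits_for
        # Assumption: the youngest transaction has done the least work.
        victim = max(cycle, key=start_time.get)
        preempted.append(victim)
        waits_for.pop(victim, None)
        # Its locks are released, so nothing waits on the victim any more.
        waits_for = {t: h for t, h in waits_for.items() if h != victim}


if __name__ == "__main__":
    print("deadlocked:", find_cycle(WAITS_FOR))
    victims, remaining = resolve(WAITS_FOR, START_TIME)
    print("preempted:", victims)
    print("still waiting (no cycle):", remaining)
```

For the audit trail, each preemption and reinitiation should be logged so that an incompletely processed transaction can be traced.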

The Deadlock Condition

Distributed Databases: Replicated Databases

▸ Effective for situations with a high degree of data sharing, but no primary user.
▸ Common data replicated at each site, reducing data traffic between sites.

▸ Primary justification is to support read-only queries.
▸ Problem is maintaining current versions of the database at each site.
○ Since each IT unit processes its own transactions, common data replicated at each site is affected by different transactions and reflects different values.

Concurrency Control

▸ Database concurrency is the presence of complete and accurate data at all user sites.
▸ Designers need to employ methods to ensure transactions processed at each site are accurately reflected in the databases of all the other sites.
▸ Commonly used method is to serialize transactions, which involves labeling each transaction by two criteria:
○ Special software groups transactions into classes to identify potential conflicts.
○ Second part of control is to time-stamp each transaction.

Database Distribution Methods and the Accountant
▸ Many issues and trade-offs in distributing databases.
▸ Basic questions to be addressed:
○ Centralized or distributed data?
○ If distributed, replicated or partitioned?
○ If replicated, total or partial replication?
○ If partitioned, what is the allocation of the data segments among the sites?
▸ Choices impact organization's ability to maintain database integrity, preserve audit trails, and have accurate records.

Controlling and Auditing Data Management Systems

▸ Controls over data management systems fall into two categories.
▸ Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting or destroying data.
▸ Backup controls ensure that the organization can recover its database in the event of data loss.

Access Controls
▸ User view (subschema) is a subset of the database that defines the user's data domain and access.
▸ Database authorization table contains rules that limit user actions.
▸ User-defined procedures allow users to create a personal security program or routine.
▸ Data encryption procedures protect sensitive data.
▸ Biometric devices such as fingerprints or retina prints control access to the database.
▸ Inference controls should prevent users from inferring, through query options, specific data values they are unauthorized to access.
○ Attempt to prevent three types of compromises to the database:
■ Positive compromise – the user determines the specific value of a data item
■ Negative compromise – the user determines that a data item doesn't have a specific value
■ Approximate compromise – the user is unable to determine the exact value of an item but is able to estimate it with sufficient

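
One common form of inference control is a query-set-size restriction on summary queries. The sketch below is an added example, not part of the original slides; the table, its rows and the threshold MIN_SET are constructed assumptions.

```python
import sqlite3

MIN_SET = 3  # assumed policy value: smallest group a summary query may describe

# Constructed sample data, not from the slides.
ROWS = [
    ("Ana", "AP", "clerk", 30000), ("Ben", "AP", "clerk", 32000),
    ("Cy", "AP", "clerk", 31000), ("Di", "AP", "manager", 58000),
    ("Ed", "AR", "clerk", 29000), ("Flo", "AR", "clerk", 33000),
]


def build_db():
    """Create an in-memory employee table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (name TEXT, dept TEXT, grade TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", ROWS)
    return conn


def avg_salary(conn, dept=None, grade=None):
    """Average salary for the selected group, or None when the query is refused."""
    where, params = [], []
    for column, value in (("dept", dept), ("grade", grade)):
        if value is not None:
            where.append(column + " = ?")  # fixed column names, bound values
            params.append(value)
    clause = (" WHERE " + " AND ".join(where)) if where else ""
    total = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    n, avg = conn.execute(
        "SELECT COUNT(*), AVG(salary) FROM employee" + clause, params).fetchone()
    # Too few rows selected: the answer is effectively one person's value
    # (positive compromise) or a close estimate of it (approximate compromise).
    # Too few rows left out: the excluded group is exposed in the same way.
    if n < MIN_SET or total - n < MIN_SET:
        return None
    return avg


if __name__ == "__main__":
    db = build_db()
    print(avg_salary(db, dept="AP", grade="clerk"))    # group of 3: answered
    print(avg_salary(db, dept="AP", grade="manager"))  # group of 1: refused
    print(avg_salary(db, dept="AP"))                   # leaves only 2 out: refused
```

A size limit alone does not stop inference from combinations of overlapping queries, so refused and answered queries should also be logged for review.
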
Subschema Restricting Access

Database authorization table

Audit Procedures for Testing Database Access Controls

▸ Verify DBA personnel retain responsibility for authority tables and designing user views.
▸ Select a sample of users and verify access privileges are consistent with job description.
▸ Evaluate cost and benefits of biometric controls.
▸ Verify database query controls to prevent unauthorized access via inference.
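
The first two procedures can be scripted against an export of the authority table. This is an added example, not part of the original slides; the users, roles, resources and the entered_by column are constructed assumptions about how such an export might look.

```python
import random

# Constructed sample data, not from the slides.
# What each job description permits, as (resource, action) pairs.
ROLE_BASELINE = {
    "ar_clerk": {("customer", "read"), ("ar_file", "read"), ("ar_file", "insert")},
    "ap_clerk": {("vendor", "read"), ("ap_file", "read"), ("ap_file", "insert")},
    "controller": {("ar_file", "read"), ("ap_file", "read")},
}
USERS = {"jones": "ar_clerk", "smith": "ap_clerk",
         "adams": "controller", "check": "ar_clerk"}
DBA_STAFF = {"dba_lee"}

# Authority table rows: (user, resource, action, entered_by).
AUTH_TABLE = [
    ("jones", "customer", "read", "dba_lee"),
    ("jones", "ar_file", "read", "dba_lee"),
    ("jones", "ar_file", "delete", "dba_lee"),  # beyond the clerk's job description
    ("smith", "ap_file", "read", "dba_lee"),
    ("smith", "vendor", "read", "smith"),       # rule not entered by DBA staff
    ("adams", "ar_file", "read", "dba_lee"),
    ("check", "customer", "read", "dba_lee"),
]


def audit_user(user):
    """Compare one user's authority-table rows with the job-description baseline."""
    allowed = ROLE_BASELINE[USERS[user]]
    findings = []
    for row_user, resource, action, entered_by in AUTH_TABLE:
        if row_user != user:
            continue
        if (resource, action) not in allowed:
            findings.append(("excess_privilege", user, resource, action))
        if entered_by not in DBA_STAFF:
            findings.append(("non_dba_entry", user, resource, action))
    return findings


def audit_sample(sample_size, seed=None):
    """Draw a random sample of users and return (sample, findings)."""
    rng = random.Random(seed)  # record the seed so the sample can be reproduced
    sample = sorted(rng.sample(sorted(USERS), sample_size))
    findings = [f for user in sample for f in audit_user(user)]
    return sample, findings


if __name__ == "__main__":
    sample, findings = audit_sample(sample_size=3, seed=2024)
    print("sampled users:", sample)
    for finding in findings:
        print(finding)
```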

Backup controls

▸ Data can be corrupted and destroyed by malicious acts from external hackers, disk failure, program errors, etc.
▸ To recover from such disasters, organizations must implement policies, procedures and techniques that systematically and routinely provide backup copies of critical files

Backup Controls in the Flat-file Environment
▸ The backup technique employed will depend on the media and the file structure.
▸ Grandparent-parent-child (GPC) backup technique is used in sequential file batch systems. The backup procedures:
○ Current master file (parent) is processed against the transaction file to produce a new updated master file (child).
○ With the next batch of transactions, the child becomes the current master file (parent) and the original parent becomes the backup file (grandparent)
▸ Data values are changed in place through a process called destructive replacement.
▸ As an added safeguard, backup files created should be stored off-site in a secure location.

Grandparent-parent-child approach

Audit Procedures for Testing Flat-file Backup Controls
▸ Verify that backup controls in place are effective.
▸ Select a sample of systems and determine from the system documentation that the number of GPC backup files specified for each system is adequate.
▸ Verify through physical observation that transaction files used to reconstruct the master files are also retained.
▸ Select a sample of applications and identify the direct access files being updated in each system.
▸ Verify the existence and adequacy of off-

Backup of direct access files

Backup Controls in the Database Environment
▸ Since data sharing is a fundamental objective of the database approach, the environment is vulnerable to damage from individual users.
▸ Four needed backup and recovery features:
○ Backup feature makes a periodic backup of the entire database, which is stored in a secure, remote location.
○ Transaction log provides an audit trail of all processed transactions.
○ Checkpoint facility suspends all processing while the system reconciles the transaction log and database change log against the database.

Backup of Direct Access Files

Audit Procedures for Testing Database Backup Controls

▸ Verify backups are performed routinely and frequently.
○ Backup policy should balance inconvenience of frequent activity against business disruption caused by system failure.
▸ Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.