Lesson D - 2 Ch04 Controlling and Auditing Data Management Systems

The document discusses controls for auditing and securing database management systems, including access controls and backup controls. Access controls help prevent unauthorized access and include user views, authorization tables, user-defined procedures, data encryption, biometric devices, and inference controls. Backup controls are needed to recover data in the event of corruption, destruction or system failure, and include techniques for backing up flat file systems like GPC backups as well as features for backing up database environments like transaction logs, checkpoints and recovery modules. The document also provides audit objectives and procedures for evaluating access controls and backup controls.

Controlling and Auditing Data Management Systems
Chapter 4 - Security II: Auditing Database Systems

Controlling and Auditing Data Management Systems
• Access Controls
• Backup Controls
CONTROLLING DBMS
Two (2) general categories of controls over a DBMS: access controls (against unauthorized users) and backup controls (for data recovery).

Access Controls – Database Approach
• 1) User Views
• 2) Database Authorization Table
• 3) User-Defined Procedures
• 4) Data Encryption
• 5) Biometric Devices
• 6) Inference Controls

Backup Controls
• Flat-File Environment:
• 1) GPC Backup Technique
• sequential file batch systems
• 2) Direct Access File Backup
• Real-Time Processing System
• Batch Processing System
• 3) Off-Site Storage
• Database Environment:
• 1) Backup
• 2) Transaction Log (Journal)
• 3) Checkpoint Feature
• 4) Recovery Module
Access Controls
• Flat File Approach
• No risk
• Database Approach
• Risks: Corruption, Theft, Misuse of data, Destruction of data.
• These threats originate from both
• unauthorized intruders and
• authorized users who exceed their access privileges.
Access Controls:
User Views
• User views or Subschema
• can restrict user access to a limited set of data, but they do not define task privileges such as read, delete, or write.
• Access privileges to the database should be commensurate with the users’ legitimate needs.
• User view design
• In a centralized database environment, the database administrator (DBA) has primary responsibility but works closely with users and systems designers.
Access Controls:
Database Authorization Table
• Similar to the access control list used in the OS.
• User
• is granted certain privileges that are coded in the authority table, which is used to verify the user’s action requests.
• Password
• indicates the level of action (read, insert, modify, or delete) that individuals can take based on their entering the correct password.
Access Controls:
User-Defined Procedures
• A user-defined procedure allows the user to create a personal security program or routine to provide more positive user identification than a single password.
• In addition to a password, the security procedure asks a series of personal questions (such as the user’s mother’s maiden name), which only the legitimate user should know.
Access Controls:
Data Encryption
• Making the data unreadable to an intruder “browsing” the database.
• In Chapter 2, encryption is used to protect data that are transmitted over communications lines.
• Database systems also use encryption procedures to protect highly sensitive stored data, such as
• product formulas
• personnel pay rates
• password files
• certain financial data
Access Controls:
Biometric Devices
• The ultimate in user authentication procedures.
• measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature characteristics.
• User characteristics are digitized into profile data and stored permanently
• in a database security file or
• on an identification card that the user carries.
• Process:
• When an individual attempts to access the database, a special scanning device captures his or her biometric characteristics, which it compares with the profile data stored on file or the ID card. If the data do not match, access is denied.
Access Controls:
Biometric Devices
• Three (3) reasons why Biometric devices have a great potential to
serve as effective means of access control, especially from remote
locations:
• 1) the degree of remote access to systems
• 2) the decline in costs of biometric systems
• 3) the increased effectiveness of biometric systems
Access Controls:
Inference Controls
• Advantage of Database query capability:
• provides users with summary and statistical data for decision making.
• Disadvantage of Database query capability:
• Legitimate queries sometimes involve access to confidential data.
• Purposes of Inference Controls:
• To preserve the confidentiality and integrity of the database
• To prevent users from inferring specific data values that they otherwise are unauthorized to access.

• Inference control rules that place restrictions on the size of the query set to which the system will respond:
• The system will not respond to queries where fewer than two records satisfy the query.
• The system will not respond to queries where greater than (n – 2) records satisfy the query (where n is the number of records in the database).
Access Controls:
Inference Controls
• Three (3) types of compromises to the database that inference controls attempt to prevent:
• 1. Positive compromise - the user determines the specific value of a data item.
• 2. Negative compromise - the user determines that a data item does not have a specific value.
• 3. Approximate compromise - the user is unable to determine the exact value of an item but is able to estimate it with sufficient accuracy to violate the confidentiality of the data.
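Added example (not from the slides) covering the query-set-size rule on the previous slide and the positive compromise it is meant to prevent: a statistical query interface over a constructed personnel table that refuses any query set smaller than 2 or larger than n – 2. The table, field names and the `statistical_query` / `demo` functions are assumptions for illustration.

```python
# Added example (not from the slides): a minimal query-set-size
# inference control for a statistical query interface.
from typing import Callable, Dict, List

# Constructed sample table: personnel records with a confidential pay rate.
RECORDS: List[Dict[str, object]] = [
    {"name": "A", "dept": "audit", "grade": 3, "pay": 52000},
    {"name": "B", "dept": "audit", "grade": 3, "pay": 55000},
    {"name": "C", "dept": "it",    "grade": 4, "pay": 71000},
    {"name": "D", "dept": "it",    "grade": 5, "pay": 90000},
    {"name": "E", "dept": "hr",    "grade": 2, "pay": 41000},
]

class QueryRefused(Exception):
    """Raised when the query set falls outside the allowed size window."""

def statistical_query(records, predicate: Callable[[Dict], bool], field="pay"):
    """Return (count, total) for rows matching predicate, applying the
    inference-control rule from the slides: refuse when fewer than 2 rows
    match, or when more than n - 2 rows match (n = rows in the table)."""
    n = len(records)
    matched = [r for r in records if predicate(r)]
    k = len(matched)
    if k < 2:
        raise QueryRefused(f"query set too small ({k} < 2)")
    if k > n - 2:
        raise QueryRefused(f"query set too large ({k} > {n - 2})")
    return k, sum(r[field] for r in matched)

def demo():
    # Allowed: a departmental summary over the IT department (2 of 5 rows).
    allowed = statistical_query(RECORDS, lambda r: r["dept"] == "it")
    # Refused: a single-row set would reveal one person's pay
    # (positive compromise).
    try:
        statistical_query(RECORDS, lambda r: r["name"] == "D")
        single = None
    except QueryRefused as e:
        single = str(e)
    # Refused: "everyone except D" has n - 1 rows; subtracting its total
    # from the total over all n rows would also isolate D's pay, which is
    # why the upper bound is n - 2 rather than n - 1.
    try:
        statistical_query(RECORDS, lambda r: r["name"] != "D")
        complement = None
    except QueryRefused as e:
        complement = str(e)
    return allowed, single, complement
```

Real DBMS query controls add further rules (overlap limits, random rounding), but the size window is the one the slides describe and is the first check an auditor can test by simulation.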
Access Controls:
Audit Objective and Audit Procedures
AUDIT OBJECTIVE: Verify that database access authority and privileges are granted to users in accordance with their legitimate needs.
AUDIT PROCEDURES:
Responsibility for Authority Tables and Subschemas: Verify that database administration (DBA) personnel retain exclusive responsibility for creating authority tables and designing user views. Evidence may come from three sources:
(1) by reviewing company policy and job descriptions, which specify these technical responsibilities;
(2) by examining programmer authority tables for access privileges to data definition language (DDL) commands;
(3) through personal interviews with programmers and DBA personnel.
Appropriate Access Authority: Select a sample of users and verify that their access privileges stored in the authority table are consistent with their job descriptions and organizational levels.
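Added example (not from the slides) of the two procedures above as an auditor might script them: a constructed authority table is reconciled against an assumed job-description privilege matrix to flag excess privileges in a sample of users, and programmer accounts holding DDL privileges are listed. User names, roles, object names and the helper functions are all assumptions.

```python
# Added example (not from the slides): reconciling a database authority
# table against job descriptions, as an auditor sampling users would.
# All users, roles and privilege sets below are constructed.
from typing import Dict, List, Set

DDL = {"CREATE", "ALTER", "DROP"}          # data definition language commands

# Expected privileges per job description (assumed role matrix).
JOB_PRIVILEGES: Dict[str, Dict[str, Set[str]]] = {
    "payroll_clerk": {"payroll": {"read", "insert"}, "employees": {"read"}},
    "programmer":    {"test_db": {"read", "insert", "modify", "delete"}},
    "dba":           {"*": {"read", "insert", "modify", "delete"} | DDL},
}

# Privileges actually stored in the authority table (constructed sample).
AUTHORITY_TABLE: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll": {"read", "insert"}, "employees": {"read"}},
    "bob":   {"test_db": {"read", "insert", "modify", "delete"},
              "payroll": {"read", "modify"}, "employees": {"ALTER"}},
    "carol": {"*": {"read", "insert", "modify", "delete"} | DDL},
}
JOBS = {"alice": "payroll_clerk", "bob": "programmer", "carol": "dba"}

def excess_privileges(user: str) -> Dict[str, Set[str]]:
    """Privileges granted to `user` that the job description does not cover."""
    expected = JOB_PRIVILEGES[JOBS[user]]
    wildcard = expected.get("*", set())        # "*" = all objects
    excess = {}
    for obj, granted in AUTHORITY_TABLE[user].items():
        allowed = expected.get(obj, set()) | wildcard
        extra = granted - allowed
        if extra:
            excess[obj] = extra
    return excess

def ddl_outside_dba() -> List[str]:
    """Non-DBA users holding any DDL privilege (procedure 2 above)."""
    return sorted(u for u, objs in AUTHORITY_TABLE.items()
                  if JOBS[u] != "dba" and any(DDL & p for p in objs.values()))

def audit_sample(users: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Run the 'appropriate access authority' test over a sample of users,
    returning only those with findings."""
    return {u: excess_privileges(u) for u in users if excess_privileges(u)}

if __name__ == "__main__":
    print(audit_sample(["alice", "bob", "carol"]))
    print(ddl_outside_dba())
```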
Access Controls:
Audit Objective and Audit Procedures
AUDIT OBJECTIVE: Verify that database access authority and privileges are granted to users in accordance with their legitimate needs.
AUDIT PROCEDURES:
Biometric Controls: Evaluate the costs and benefits of biometric controls. Generally, these would be most appropriate where highly sensitive data are accessed by a very limited number of users.
Inference Controls: Verify that database query controls exist to prevent unauthorized access via inference. The auditor can test controls by simulating access by a sample of users and attempting to retrieve unauthorized data via inference queries.
Encryption Controls: Verify that sensitive data, such as passwords, are properly encrypted. Printing the file contents to hard copy can do this.
Backup Controls
• Risks: Data can be corrupted and destroyed by
• malicious acts from external hackers and disgruntled employees
• disk failure
• program errors
• fires, floods, and earthquakes

• Solution: Backup controls


Backup Controls
Flat-File Environment
• Two (2) file structures:
• 1) Sequential file
• GPC Backup Technique
• integral part of the master file update process.
• Media: tape & disk
• Processing method: batch systems
• 2) Direct Access File Backup
• need a separate backup procedure.
• Destructive replacement
• Solution: direct access files must be copied before being updated.
• Media: disk
• Processing methods: Batch system & Real time
• Off-Site Storage

Database Environment
• File structure: Direct access file
• Four (4) Backup and recovery features:
• 1) Database Backup
• 2) Transaction log
• 3) Checkpoints
• 4) Recovery module
Backup Controls:
Flat-File - GPC Backup Technique
• Creates generations of backup files.
• The more significant the data, the greater the number of backup versions.
• Who will determine the needed number of backup files?
• 1) Management and auditors
• 2) Systems designer
• Two factors influence this decision:
• (1) the financial significance of the system
• (2) the degree of file activity.
[Figure: Backup file → Current Master File → Updated Master File]
Backup Controls:
Flat-File - Direct Access File Backup
• The timing of the direct access backup procedures will depend on the processing method being used: Batch system or Real Time System.
• Direct access is the ability to obtain data from a storage device by going directly to where it is physically located on the device.

Batch System
• Backup of files is usually scheduled prior to the update process.
• Special Recovery Program: (to reconstruct most current backup file)
• The master file is backed up before the update run.

Real Time System
• The backup procedure takes place at specified intervals throughout the day (for example, every 15 minutes).
• Reprocess the transaction: (to restore the master file to current status)
• The master file is backed up after the update run.
Backup Controls:
Flat-File - Off-Site Storage
• Off-site storage means keeping the backup files created in a secure location. Among the options available (discussed in Chapter 2 – DRP) are:
• mutual aid pact
• empty shell or cold site
• recovery operations center or hot site
• internally provided backup
• Is applicable for GPC, direct access, and database approaches.
Backup Controls:
Database Environment
Most mainframe DBMSs have a backup and recovery system similar to the one illustrated in Figure 4.23.
• File Structure: Direct access file
• Four (4) backup and recovery features:
1) database backup
2) transaction log
3) Checkpoints
4) recovery module
Backup Controls:
Database Environment
• Database backup
• makes a periodic backup of the entire database.
• an automatic procedure that should be performed at least once a day.
• Backup copy: Off-Site Storage
• Transaction log (Journal)
• provides an audit trail of all processed transactions.
• lists transactions and records the resulting changes to the database in a separate database change log.
• Checkpoint
• suspends all data processing (at this point, the system is in a quiet state) while the system reconciles the transaction log and the database change log against the database.
• occurs automatically several times an hour.
• If a failure occurs, it is usually possible to restart the processing from the last checkpoint.
• Recovery Module
• uses the logs and backup files to restart the system after a failure.
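Added example (not from the slides, and not any vendor's recovery code): a toy model of the four features above, showing how a recovery module restores the last checkpoint image and replays the transaction log from that point after a simulated failure, falling back to the full backup when no checkpoint exists. The class, its field names and the account data are assumptions for illustration.

```python
# Added example (not from the slides): toy database backup, transaction log,
# checkpoint and recovery module. The database is a dict of account balances.
from typing import Dict, List, Tuple

class ToyDBMS:
    def __init__(self):
        self.db: Dict[str, int] = {}          # live database (account -> balance)
        self.backup: Dict[str, int] = {}      # periodic copy of the whole database
        self.log: List[Tuple[str, str, int]] = []   # journal: (txn_id, account, delta)
        self.checkpoint_db: Dict[str, int] = {}     # database image at last checkpoint
        self.checkpoint_pos = 0               # log position at last checkpoint

    def database_backup(self):
        """Feature 1: copy the entire database (e.g. once a day)."""
        self.backup = dict(self.db)

    def process(self, txn_id: str, account: str, delta: int):
        """Journal the transaction (feature 2), then apply it to the database."""
        self.log.append((txn_id, account, delta))
        self.db[account] = self.db.get(account, 0) + delta

    def checkpoint(self):
        """Feature 3: quiesce processing, reconcile log and database, record image."""
        self.checkpoint_db = dict(self.db)
        self.checkpoint_pos = len(self.log)

    def recover(self) -> Dict[str, int]:
        """Feature 4: restart from the last checkpoint and replay later log entries;
        with no checkpoint, restore the full backup and replay the whole log
        (assumes the backup was taken before the first logged transaction)."""
        if self.checkpoint_pos:
            self.db, start = dict(self.checkpoint_db), self.checkpoint_pos
        else:
            self.db, start = dict(self.backup), 0
        for _, account, delta in self.log[start:]:
            self.db[account] = self.db.get(account, 0) + delta
        return self.db

def simulate_failure() -> Dict[str, int]:
    """Constructed scenario: backup, two transactions, checkpoint, one more
    transaction, then loss of the live database."""
    dbms = ToyDBMS()
    dbms.db = {"acct-1": 100, "acct-2": 50}
    dbms.database_backup()                       # daily full backup
    dbms.process("t1", "acct-1", -30)
    dbms.process("t2", "acct-2", +30)
    dbms.checkpoint()                            # several times an hour
    dbms.process("t3", "acct-1", -10)            # logged but after the checkpoint
    dbms.db = {}                                 # simulated disk failure
    return dbms.recover()                        # expected {"acct-1": 60, "acct-2": 80}
```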
Backup Controls: Flat-File
Audit Objective and Audit Procedures
AUDIT OBJECTIVE: Verify that backup controls in place are effective in protecting data files from physical damage, loss, accidental erasure, and data corruption through system failures and program errors.
AUDIT PROCEDURES:
Sequential File (GPC) Backup: Select a sample of systems and determine from the system documentation that the number of GPC backup files specified for each system is adequate. If insufficient backup versions exist, recovery from some types of failures may be impossible.
Backup Transaction Files: Verify through physical observation that transaction files used to reconstruct the master files are also retained. Without corresponding transaction files, reconstruction is impossible.
Direct Access File Backup: Select a sample of applications and identify the direct access files being updated in each system. From system documentation and through observation, the auditor can verify that each of them was copied to tape or disk before being updated.
Off-Site Storage: Verify the existence and adequacy of off-site storage. This audit procedure may be performed as part of the review of the disaster recovery plan or computer center operations controls.
Backup Controls: Database
Audit Objective and Audit Procedures
AUDIT OBJECTIVE: Verify that controls over the data resource are sufficient to preserve the integrity and physical security of the database.
AUDIT PROCEDURES:
Backup Schedule: Verify that backup is performed routinely and frequently to facilitate the recovery of lost, destroyed, or corrupted data without excessive reprocessing. Production databases should be copied at regular intervals (perhaps several times an hour).
Backup Policy: Backup policy should strike a balance between the inconvenience of frequent backup activities and the business disruption caused by excessive reprocessing that is needed to restore the database after a failure.
Backup Procedures: Verify that automatic backup procedures are in place and functioning, and that copies of the database are stored off-site for further security.