Database controls

A major control objective for any organization is to protect sensitive data. Data protection or
information security is protecting information and information systems from unauthorized access,
use, disclosure, disruption, modification or destruction to provide confidentiality, integrity and
availability.
In the early years of database management systems (DBMS), such a system was acclaimed as a
tool for centralizing control over data access.
But as controls frequently migrate around within the information infrastructure, data access
controls have tended to migrate to other points, such as network perimeter controls, user identity
and access management, and the application systems that access databases.
The tendency has been to presume a database is protected because of the broad and diverse set of
controls applicable to data access.
However, the breadth and diversity of controls have taken away the centralized access control at
the database itself, opened key weaknesses in data protection and allowed some of the most serious
threats to data to go largely unmanaged.
Where are data access controls?
Data access controls tend to be distributed in many organizations. They have evolved to that state
by systems groups attacking the problem of the moment, placing controls where they can protect
against a given threat, and avoiding performance bottlenecks and impacts on performance caused
by using controls such as native logging and protection in the commercial DBMS.
The following are some key distributed control types:
• Perimeter controls (e.g., firewalls, intrusion protection, malware detection) attempt to keep the
bad guys out.
• User identity and access management is the essence of deciding who is allowed to do what and
then monitoring to ensure things are as they are supposed to be. However, these
controls tend to be dispersed across a wide variety of business functions including policy
administration, personnel administration (e.g., keeping up with access privileges as people move
to new positions), managing group access rights
• Application systems (particularly ERP systems) are a focal point for data access protection.
And, if user identity and access management is complex, application systems can be more so.
Applications administer remote (sometimes global) access by customers, remote and local

1
employees, and often business partners. Multiple applications may access the same database and
be subject to differing sets of controls.
Privileged users have access rights beyond those needed for routine business operations. Database
technical and operational controls (such as backup/recovery, system upgrades, checkpoint/restart,
maintaining pointer integrity, optimizing physical data storage and performance) take place
outside of the access constraints of application systems and most of the identity and access
management processes, but must also be closely coordinated with application and user
requirements. They are perhaps the most important point for knowing exactly who did what with
the data.
Database Access Control Objectives A key component for identifying the steps in a database
access protection audit is to identify the risks associated with the data maintained in the database
and the potential impacts if risks materialize.
For each control objective, the auditor must assess the specific controls in place and consider the
risks and consequences if the objectives are not consistently and continuously met. Database
access control objectives include:
• Appropriate assignment of responsibilities including separation of duties
• Access allowed only as appropriate (no unauthorized access)
• Completeness and accuracy of data in the database
• Evidence that each transaction or update is accurately applied and recorded
• Appropriate management of data sharing
• Adequate transaction/access audit trails
• Adequate service level for database users
Auditing Database Access Conceptually, database auditing focuses on answering some fairly basic
questions: How does one know, and how can one verify who accessed and/or changed the data?
When?
How was the content changed?
The difficult part lies in assessing the full scope of controls to determine their effectiveness in fully
recording all accesses; ensuring only authorized access; and maintaining unimpeachable evidence
for management, audit, assurance and forensics purposes.
Database controls and audits must address:
• User interfaces

2
• Operation of the DBMS
• Database administration
• Data definition and documentation
• Security and access
• Organizational policies and priorities
• Backup and recovery
• Business continuity
• Compliance with standards and requirements
However, not all of these areas are necessarily relevant to an audit of database access management
and compliance. Each area of database management has its own set of control objectives, and the
objectives frequently apply to multiple areas. Auditors must audit, evaluate and test the controls
they find in place for database protection and monitoring, and their assessment must be of the
existing controls rather than the controls they believe should be in place. However, audit
recommendations can focus on moving the enterprise to a more reliable and efficient approach to
information protection and access control.
Physical
controls
Physical security control refers to capabilities that limit access to restricted areas or the protection
against unauthorized physical access to information assets, and unauthorized physical access is a
major risk factor for information compromise. The concentration of information is rapidly
increasing due to the use of virtualization. Therefore, the vulnerability to compromise as well as
the potential impact of an individual compromise are increasing.
Task: read and make notes on framework for information systems controls