Databases

1. Databases Kevin Casady Hanna Short BJ Rollinson

2. Database Introduction • Centralized and Structured collection of data stored in a computer system • An electronic filing system • Easy access to information

3. Importance of Databases • Provide a convenient means of storing large amounts of data. • Quick access to information allowing for sorting, searching, viewing and manipulating. • Efficiency.

4. Enterprise Resource Planning • Enterprise Resource Planning - ERP is an application system that integrates a company’s business processes and financial data in one platform. • Massive Database that encompasses the entire business operations.

5. Problems with ERP • There is a shortage of staff members trained in ERP security. • Implementers pay inadequate attention to ERP security during deployment. • ERP tools for security audit are inadequate. • The customization of ERP systems to firms inhibits the development of standardized security solutions.

6. Database Security Breaches • Data loss can cost a company significant losses in revenue, integrity, and bring on unwanted litigation. • As noted in a 2007 survey, 85 percent of businesses have experienced a data security breach. • The estimated breaches have cost US $182 per compromised record. • Data breaches remain the leading cause of financial losses. • A survey conducted in 2007 revealed that 40 percent of companies are not monitoring their databases for suspicious activity. • Privacy Rights Clearinghouse. www.privacyrights.org

7. Data Access Risks • External • Gaining access from outside the company. • Internal • Employee who should not have access, gains access • Employee abuses their access privileges. 2007 Computer Crime and Security Survey: • Insider abuse of net access- 59 percent • Unauthorized access to information- 25 percent • Theft of customer or employee data- 17 percent

8. Data Access Controls • Perimeter Controls • Keep people on the outside from gaining access. • User identity and access management • Who is allowed to do what. • Ensure things are as they are supposed to be. • Application systems • Independent audit software tools. • Privileged Users • Physical and logical controls within and outside their sphere of operational control are needed to provide evidence of their actions.

9. Auditing Databases – Preliminary Steps • Review prior report if there is one. • Obtain important information from database environment • Talk to database administrators • Identify significant risks and key controls that mitigate these risks.

10. Auditing Databases – Detailed Audit Steps • Security patches are applied in a timely manner. • Processes are in place to regularly monitor security on the system. • Operating system is secured and database files are protected (passwords, permissions, encryption) • The database server is physically protected (located in a secure location)

11. Auditing Databases – Detailed Audit Steps • Users are restricted to information required to perform job. • Assure that backup and recovery strategies exist. • Controls are in place to keep database information secure over the network.

12. Auditing Databases • After testing, the auditor may send out a questionnaire to ensure that their test results are aligned the internal auditor findings.

13. Sources • Nair, Sushila. The Art of Database Monitoring. 2008. • Le Grand, Charles & Sarel, Dan. Database Security, Compliance, and Audit. 2008. • Musaji, Yusuf. ERP Post Implementation Problems. 2005. • ISACA. Oracle Database Security, Audit and Control Features. • Stephens, Richard. Importance of Database Uptime. July 2007. <http://www.liu.edu/cwis/cwp/library/workshop/citmla.htm>