SlideShare a Scribd company logo

Database auditing models

Download as PPT, PDF
E
ERSHUBHAM TIWARI

This document discusses database auditing and security. It begins by stating that database auditing is key to ensuring data confidentiality, integrity and accessibility, and that database security is not effective without auditing. It then provides overviews of auditing, defining terms like audit logs, objectives, procedures and reports. It describes auditing activities, environments, processes and objectives. It outlines the components of a database auditing environment and classifications and types of audits, including internal, external, automatic, manual and hybrid audits.

Engineering
1 of 69
Downloaded 158 times
1
2
3
4
5
6
7
8
9
10
11
Most read
12
13
14
15
16
17
18
Most read
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Most read
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Database auditing models
Introduction Another key aspect of data confidentiality, integrity, and accessibility is presented database auditing, thus providing the full complement to database security. The two concepts are inseparable. Together they ensure that your data is protected. We ensure that data is well guarded through database auditing.
Introduction Database security is not effective without database auditing and vice versa. To prevent data violations, the best practice is to have both database security and auditing in place
Introduction
Database Security & Auditing: Protecting Data Integrity & Accessibility 5 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices, conduct Audit measures: compliance to policies, procedures, processes and laws
Auditing overview Audit/ Auditing: The process of examining and validating documents, data, processes, procedures, system, or other activities to ensure that the audited entity complies with its objectives. Audit log: A document that contains all activities that are being audited ordered in a chronological manner. Usually, an automated system generates the log.
Auditing overview Audit objectives: A set of business rules, system controls, government regulations, or security policies against which the audited entity is measured to determine compliance. Auditor: A person who is authorized to examine, verify, and validate documents, data, processes, procedures, systems, or activities and to produce an audit report
Auditing overview Audit procedure: A set of step-by-step instructions for performing the auditing process. Audit report: A document that contains the audit findings and is generated by individuals conducting the audit. Audit trail: A chronological record of document changes, data changes, system activities, or operational events.
Auditing overview Data audit: A chronological record of data changes stored in a log file or a database table object. Database auditing: A chronological record of database activities, such as shutdown, startup, logons, and data structure changes of database objects.
Auditing overview Internal auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members of the organization being audited. External auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members outside of the organization being audited.
Auditing Activities Auditing activities are performed as a part of an audit, audit process, or audit plan. Some of these activities can be thought of as the auditor’s responsibilities or they can be incorporated into an organization’s audit policies.
Auditing Activities
Auditing Activities
Auditing Environment An auditing can be conducted as a review of the enforcement of security policies and procedures. These are only a few of the many reasons for audits. However, as diverse as these audits are, they all take place in an auditing environment
Auditing Environment
Auditing Environment Objectives: An audit without a set of objectives is useless. To conduct an audit we must know what the audit entity is to be measured against. Procedures: To conduct an audit, step-by-step instructions and tasks must be documented ahead of time.
Auditing Environment People: Every auditing environment must have an auditor, even in the case of an automatic audit. Audited entities: This includes people, documents, processes, systems, activities, or any operations that are being audited.
Components of DB Auditing Environment
Components of DB Auditing Environment The auditing environment present is applicable to all aspects of the business including the database. The auditing environment for database auditing differs slightly from the generic auditing environment in that it distinguishes the database from the other auditable entities
Components of DB Auditing Environment When designing an auditing model for database application. We need to account for all the components shown in the figure to ensure auditing model is complete and effective. Design and develop an application system or business process that requires auditing, we must think about every objective related to these components.
Auditing Process The auditing process ensures that the system is working and complies with the policies, standards, regulations, or laws set forth by the organizations. Auditing is also not the same as performance monitoring. Their objectives are totally different.
Auditing Process The main objective of performance monitoring is to observe if there is degradation in performance at various operation times, which is totally different from auditing. Auditing validates compliance to policy, not performance.
Auditing Process Difference in QA, auditing and performance monitoring QA Process Timing : During Development and before product is commissioned into production Auditing Process Timing : After product is commissioned into production Performance Monitoring Process Timing : After product is commissioned into production
Auditing Process Difference in QA, auditing and performance monitoring QA : Test the product to make sure it is working properly and is not defective. Performance Monitoring : Monitor Response Time
Auditing Process
Auditing Process The first block on the left is the full system development life cycle, known as SDLC. In this block the system goes through a structured process of development. One of the phases in this block is QA testing, which is designed to identify bug in the code and make sure the system fulfills the requirements of the functional specifications
Auditing Process The first phase of the process is to understand the objectives of the audit and plan a procedure to execute the auditing process. The second phase is to review, verify, and validate the system according to the objectives set in the previous phase.
Auditing Process Divergence from the auditing objectives is documented. In this phase we are observing what is happening. The last phase is to document the results of the audit and recommend changes to the system.
Auditing objectives Auditing objectives are established and documented for the following reasons Complying: identify all company policies, government regulation, laws, and the industry standards with which company comply. Informing: All policies, regulations, law, and standard must be published and communicated to all parties involved in the department and operation of the audited entity.
Auditing objectives Planning: All the objectives enables the auditor to plan and document procedures to assess the audited entity. Executing: without auditing objectives, the person conducting the audit cannot evaluate, verify, or review the audited entity and cannot determine if the auditing objectives have been met.
Auditing objectives Here are the top ten database auditing objectives: Data integrity: Ensure that data is valid and in full referential integrity. Application users and roles: Ensure that users are assigned roles that correspond to their responsibilities and duties. Data confidentiality: Identify who can read data and what data can be read.
Auditing objectives Here are the top ten database auditing objectives: Data changes: create an audit trail of all data changes. Data structure changes: Ensure that the database logs all data structure changes. Database or application availability: Record the number of occurrences and duration of application or database shutdowns and all startup times.
Auditing objectives Here are the top ten database auditing objectives: Change control: Ensure that a change control mechanism in incorporated to track necessary and planned changes to the database or application. Physical access: Record the physical access to the application or the database where the software and hardware resides. Auditing reports: Ensure that reports are generated on demand or automatically, showing all auditable activities
Auditing classification and types Every industry and business sector uses different classifications of audits. In addition, the definition of each classification can differ from business to business. These categories are applicable to all industries.
Auditing classification and types Internal Audit An internal audit is an audit that is conducted by a staff member of the company being audited. The purpose and intention of an internal audit is to; Verify that all auditing objectives are met by conducting a well-planned and scheduled audit.
Auditing classification and types Investigate a situation that was prompted by an internal event or incident. This audit is random, not planned or scheduled. Investigate a situation that was prompted by an external request. This audit is random, not planned
Auditing classification and types External Audit An external audit is conducted by a party outside the company that is being audited. The purpose and intention of this audit it to Investigate the financial or operational state of the company. Verity that all auditing objectives are met. This is a planned and scheduled.
Auditing classification and types Automatic Audit An automatic audit is prompted and performed automatically. These audit are used mainly for systems and database systems. Some systems that employ this type of audit generate report and logs.
Auditing classification and types Manual Audit Manual Audit is performed completely by humans. The audit team uses various methods to collect audit data, including interviews, document reviews, and observation.
Auditing classification and types  Hybrid Audit A hybrid audit is a combination of automatic and manual audits. Most audits fall into this classification.
Audit Types Financial audit: Ensure that all financial transactions are accounted for and comply with the law. Security audit: Evaluates if the system is as secure as it should be. This audit identifies security gaps and vulnerabilities. Compliance audit: Verifies that the system complies with industry standards, government regulations, or partner and client policies
Audit Types Operational audit: Verifies if an operation is working according to the policies of the company. Investigative audit: performed in response to an event, request, threat, or incident to verify the integrity of the system. Product audit: performed to ensure that the product complies with industry standards. This audit is sometimes confused with testing; it should not be. Preventive audit: Performed to identify problems before they occur.
Database Security & Auditing: Protecting Data Integrity & Accessibility 43 Benefits and Side Effects of AuditingBenefits: Enforces company policies and government regulations and laws Lowers the incidence of security violations Identifies security gaps and vulnerabilities Provides an audit trail of activities Provides means to observe and evaluate operations of the audited entity Makes the organization more accountable
Database Security & Auditing: Protecting Data Integrity & Accessibility 44 Benefits and Side Effects of Auditing (continued) Side effects: Performance problems Too many reports and documents Disruption to the operations of the audited entity Consumption of resources, and added costs from downtime Friction between operators and auditor Same from a database perspective
Auditing Models Security and auditing are the two inseparable elements of data and database integrity. Database auditing can be implemented by utilizing built-in feature of the database or by creating own mechanism
Auditing Models It is important that we need to understand how auditing is processed for data and database activities. The flowchart shows what happens when a user performs and action on a database object. Specific checks occur to verify if the action, the user, or the object are registered repository
Auditing Models If they are registered, following are recorded : State of the object before the action was taken along with the time of the action. Description of the action that was performed Name of the user who performed the action
Database Security & Auditing: Protecting Data Integrity & Accessibility 48 Auditing Models (continued) User-name Action Object Previous values and record
Database Security & Auditing: Protecting Data Integrity & Accessibility 49 Simple Auditing Model 1 Easy to understand and develop Registers audited entities in the audit model repository Chronologically tracks activities performed Entities: user, table, or column Activities: DML transaction (update, insert, delete) or logon and off times Status: active, deleted, inactive
Database Security & Auditing: Protecting Data Integrity & Accessibility 50 Simple Auditing Model 1 (continued) update, insert, delete, logon and off user, table, or column active, deleted, inactive
Simple Auditing Model 1
Simple Auditing Model 1
Simple Auditing Model 1 A control column is a placeholder for data that the application inserts automatically when a record is created or updated. It stores data about the current record, such as date and time the record was created and updated.
Simple Auditing Model 1
Simple Auditing Model 1
Database Security Checklist
Database Security Checklist
Database Security Checklist
Database Security Checklist
Database Security Checklist
Database Auditing Checklist Evaluate the purpose for auditing. After you have a clear understanding of the reasons for auditing, you can devise an appropriate auditing strategy and avoid unnecessary auditing.
Database Auditing Checklist For example, suppose you are auditing to investigate suspicious database activity. This information by itself is not specific enough. What types of suspicious database activity do you suspect or have you noticed? A more focused auditing purpose might be to audit unauthorized deletions from arbitrary tables in the database.
Database Auditing Checklist This purpose narrows the type of action being audited and the type of object being affected by the suspicious activity. Audit knowledgeably. Audit the minimum number of statements, users, or objects required to get the targeted information.
Database Auditing Checklist This prevents unnecessary audit information from cluttering the meaningful information and consuming valuable space in the SYSTEM tablespace. Balance your need to gather sufficient security information with your ability to store and process it.
Database Auditing Checklist Auditing Normal Database Activity Audit only relevant actions. To avoid disorder meaningful information with useless audit records and reduce the amount of audit trail administration, only audit the targeted database activities.
Database Auditing Checklist Archive audit records and purge the audit trail. After you have collected the required information, archive the audit records of interest and purge the audit trail of this information.
Database Auditing Checklist Auditing Suspicious Database Activity First audit generally, and then specifically. When starting to audit for suspicious database activity, it is common that not much information is available to target specific users or schema objects.
Database Auditing Checklist Therefore, audit options must be set more generally at first. Once preliminary audit information is recorded and analyzed, the general audit options should be turned off and more specific audit options enabled. This process should continue until enough evidence is gathered to draw conclusions about the origin of the suspicious database activity.
Database Auditing Checklist Protect the audit trail. When auditing for suspicious database activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being audited.

More Related Content

PPT
Raspberry Pi
Tusharkant Behera
 
PPTX
forensic accounting& role and function of forensic accountant
pooja Devi(Guru Nanak dev University)
 
PPTX
GENERATIONS OF COMPUTER
Rajat More
 
PPTX
The five generations of computers presentation
Swarnima Tiwari
 
PPTX
Identity and Access Management (IAM)
Identacor
 
PPT
Building Your Roadmap Sucessful Identity And Access Management
Government Technology Exhibition and Conference
 
PPTX
Unit 1 rules of inference
raksharao
 
PPT
Download presentation
webhostingguy
 
Raspberry Pi
Tusharkant Behera
 
forensic accounting& role and function of forensic accountant
pooja Devi(Guru Nanak dev University)
 
GENERATIONS OF COMPUTER
Rajat More
 
The five generations of computers presentation
Swarnima Tiwari
 
Identity and Access Management (IAM)
Identacor
 
Building Your Roadmap Sucessful Identity And Access Management
Government Technology Exhibition and Conference
 
Unit 1 rules of inference
raksharao
 
Download presentation
webhostingguy
 

What's hot (20)

PPT
Database auditing essentials
Craig Mullins
 
PPTX
SQL INJECTION
Anoop T
 
PPTX
Database security
Birju Tank
 
PPTX
Unit1 DBMS Introduction
MUHAMMED MASHAHIL PUKKUNNUMMAL
 
PPTX
Oracle
JIGAR MAKHIJA
 
PPTX
Database Administration
Bilal Arshad
 
PPTX
03.2 application control
Mulyadi Yusuf
 
PPT
Information Security
Dhilsath Fathima
 
PPT
Ch 7 Physical D B Design
guest8fdbdd
 
PPTX
itgc.pptx
AvniJain836319
 
PPTX
Database security and security in networks
Prachi Gulihar
 
PPTX
SQL injection
Raj Parmar
 
PPTX
Oracle database performance tuning
Yogiji Creations
 
PDF
Test data management
Onur Erdogan
 
PPTX
Component and Deployment Diagram - Brief Overview
Rajiv Kumar
 
PDF
Web application security & Testing
Deepu S Nath
 
PPTX
Database Testing.pptx
ssuser88c0fd1
 
PPT
State transition testing-software_testing
Midhun S
 
PPTX
Broken Authentication and Authorization(1).pptx
Manahari Darshika Pemarathna
 
PPTX
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
Database auditing essentials
Craig Mullins
 
SQL INJECTION
Anoop T
 
Database security
Birju Tank
 
Unit1 DBMS Introduction
MUHAMMED MASHAHIL PUKKUNNUMMAL
 
Oracle
JIGAR MAKHIJA
 
Database Administration
Bilal Arshad
 
03.2 application control
Mulyadi Yusuf
 
Information Security
Dhilsath Fathima
 
Ch 7 Physical D B Design
guest8fdbdd
 
itgc.pptx
AvniJain836319
 
Database security and security in networks
Prachi Gulihar
 
SQL injection
Raj Parmar
 
Oracle database performance tuning
Yogiji Creations
 
Test data management
Onur Erdogan
 
Component and Deployment Diagram - Brief Overview
Rajiv Kumar
 
Web application security & Testing
Deepu S Nath
 
Database Testing.pptx
ssuser88c0fd1
 
State transition testing-software_testing
Midhun S
 
Broken Authentication and Authorization(1).pptx
Manahari Darshika Pemarathna
 
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
Ad

Viewers also liked (14)

PDF
Sql database audit
Sqlperfomance
 
PDF
security-checklist-database
Mohsen B
 
PDF
Tips for Maintaining Prospect Data in CRM
Blackbaud
 
PPT
Ais Romney 2006 Slides 08 Is Control2
Sharing Slides Training
 
PPTX
Blackbaud CRM After Go-Live
Blackbaud
 
PPTX
Distributed database security with discretionary access control
Jyotishkar Dey
 
PPT
Managerial Control
Manuel Ardales
 
DOC
Sample audit plan
Maher Manan
 
PPT
Modelo Entidad Relación Extendido.
nayis2010
 
PPTX
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Health Catalyst
 
PPTX
DATA WAREHOUSING
King Julian
 
PPTX
MHRA Data Integrity Requirements
GMP EDUCATION : Not for Profit Organization
 
PDF
Audit report
WINNERbd.it
 
PDF
Best practice strategies to clean up and maintain your database with Hether G...
Blackbaud Pacific
 
Sql database audit
Sqlperfomance
 
security-checklist-database
Mohsen B
 
Tips for Maintaining Prospect Data in CRM
Blackbaud
 
Ais Romney 2006 Slides 08 Is Control2
Sharing Slides Training
 
Blackbaud CRM After Go-Live
Blackbaud
 
Distributed database security with discretionary access control
Jyotishkar Dey
 
Managerial Control
Manuel Ardales
 
Sample audit plan
Maher Manan
 
Modelo Entidad Relación Extendido.
nayis2010
 
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Health Catalyst
 
DATA WAREHOUSING
King Julian
 
MHRA Data Integrity Requirements
GMP EDUCATION : Not for Profit Organization
 
Audit report
WINNERbd.it
 
Best practice strategies to clean up and maintain your database with Hether G...
Blackbaud Pacific
 
Ad

Similar to Database auditing models (20)

PPTX
Tugas mandiri audit novita dewi 11353202277
novita dewi
 
PPTX
Eeoqms internal auditing
hardeep singh
 
PPTX
Audits and Regulatory Compliance
someshwar mankar
 
PPT
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
Eng. A.karam Al Malkawi
 
PDF
Simplify Your Audits with the Ultimate Checklist ✅
Axonator Inc
 
PDF
prof-elec-3-OPERATIONS-AUDITING-FULL.pdf
depozi1218
 
PDF
CISSP Domain 06 Security Assessment and Testing.pdf
gealehegn
 
PPTX
Cyber Security Audit and Information Security.pptx
alamba570
 
PDF
Internal control and Control Self Assessment
Manoj Agarwal
 
PPT
Quality Assurance
Henmaidi Alfian
 
PPTX
Basic concepts of quality assurance
sonaliph
 
PPTX
social audit
Debashish Debnath
 
PPTX
Safety Audit at Workplace (Group 15)
Yvonne Chew
 
PDF
auditpresentation-121006061658-phpapp02.pdf
owaissayyed0041
 
PPTX
introduction on auditing
nikhilkumar640177
 
PPT
Ais Romney 2006 Slides 09 Auditing Computer Based Is
sharing notes123
 
PPT
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Sharing Slides Training
 
PPS
Auditing
Pardhasaradhi ch
 
PPTX
Internal audit
S.M. Towhidul Islam
 
DOCX
Audit system
maureaguirre
 
Tugas mandiri audit novita dewi 11353202277
novita dewi
 
Eeoqms internal auditing
hardeep singh
 
Audits and Regulatory Compliance
someshwar mankar
 
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
Eng. A.karam Al Malkawi
 
Simplify Your Audits with the Ultimate Checklist ✅
Axonator Inc
 
prof-elec-3-OPERATIONS-AUDITING-FULL.pdf
depozi1218
 
CISSP Domain 06 Security Assessment and Testing.pdf
gealehegn
 
Cyber Security Audit and Information Security.pptx
alamba570
 
Internal control and Control Self Assessment
Manoj Agarwal
 
Quality Assurance
Henmaidi Alfian
 
Basic concepts of quality assurance
sonaliph
 
social audit
Debashish Debnath
 
Safety Audit at Workplace (Group 15)
Yvonne Chew
 
auditpresentation-121006061658-phpapp02.pdf
owaissayyed0041
 
introduction on auditing
nikhilkumar640177
 
Ais Romney 2006 Slides 09 Auditing Computer Based Is
sharing notes123
 
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Sharing Slides Training
 
Auditing
Pardhasaradhi ch
 
Internal audit
S.M. Towhidul Islam
 
Audit system
maureaguirre
 

Recently uploaded (20)

PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PPTX
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PPTX
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PPTX
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
PPTX
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PDF
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
Project quality management in manufacturing
BarMusaTetik
 
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 

Database auditing models

  • 2. Introduction Another key aspect of data confidentiality, integrity, and accessibility is presented database auditing, thus providing the full complement to database security. The two concepts are inseparable. Together they ensure that your data is protected. We ensure that data is well guarded through database auditing.
  • 3. Introduction Database security is not effective without database auditing and vice versa. To prevent data violations, the best practice is to have both database security and auditing in place
  • 5. Database Security & Auditing: Protecting Data Integrity & Accessibility 5 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices, conduct Audit measures: compliance to policies, procedures, processes and laws
  • 6. Auditing overview Audit/ Auditing: The process of examining and validating documents, data, processes, procedures, system, or other activities to ensure that the audited entity complies with its objectives. Audit log: A document that contains all activities that are being audited ordered in a chronological manner. Usually, an automated system generates the log.
  • 7. Auditing overview Audit objectives: A set of business rules, system controls, government regulations, or security policies against which the audited entity is measured to determine compliance. Auditor: A person who is authorized to examine, verify, and validate documents, data, processes, procedures, systems, or activities and to produce an audit report
  • 8. Auditing overview Audit procedure: A set of step-by-step instructions for performing the auditing process. Audit report: A document that contains the audit findings and is generated by individuals conducting the audit. Audit trail: A chronological record of document changes, data changes, system activities, or operational events.
  • 9. Auditing overview Data audit: A chronological record of data changes stored in a log file or a database table object. Database auditing: A chronological record of database activities, such as shutdown, startup, logons, and data structure changes of database objects.
  • 10. Auditing overview Internal auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members of the organization being audited. External auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members outside of the organization being audited.
  • 11. Auditing Activities Auditing activities are performed as a part of an audit, audit process, or audit plan. Some of these activities can be thought of as the auditor’s responsibilities or they can be incorporated into an organization’s audit policies.
  • 14. Auditing Environment An auditing can be conducted as a review of the enforcement of security policies and procedures. These are only a few of the many reasons for audits. However, as diverse as these audits are, they all take place in an auditing environment
  • 16. Auditing Environment Objectives: An audit without a set of objectives is useless. To conduct an audit we must know what the audit entity is to be measured against. Procedures: To conduct an audit, step-by-step instructions and tasks must be documented ahead of time.
  • 17. Auditing Environment People: Every auditing environment must have an auditor, even in the case of an automatic audit. Audited entities: This includes people, documents, processes, systems, activities, or any operations that are being audited.
  • 18. Components of DB Auditing Environment
  • 19. Components of DB Auditing Environment The auditing environment present is applicable to all aspects of the business including the database. The auditing environment for database auditing differs slightly from the generic auditing environment in that it distinguishes the database from the other auditable entities
  • 20. Components of DB Auditing Environment When designing an auditing model for database application. We need to account for all the components shown in the figure to ensure auditing model is complete and effective. Design and develop an application system or business process that requires auditing, we must think about every objective related to these components.
  • 21. Auditing Process The auditing process ensures that the system is working and complies with the policies, standards, regulations, or laws set forth by the organizations. Auditing is also not the same as performance monitoring. Their objectives are totally different.
  • 22. Auditing Process The main objective of performance monitoring is to observe if there is degradation in performance at various operation times, which is totally different from auditing. Auditing validates compliance to policy, not performance.
  • 23. Auditing Process Difference in QA, auditing and performance monitoring QA Process Timing : During Development and before product is commissioned into production Auditing Process Timing : After product is commissioned into production Performance Monitoring Process Timing : After product is commissioned into production
  • 24. Auditing Process Difference in QA, auditing and performance monitoring QA : Test the product to make sure it is working properly and is not defective. Performance Monitoring : Monitor Response Time
  • 26. Auditing Process The first block on the left is the full system development life cycle, known as SDLC. In this block the system goes through a structured process of development. One of the phases in this block is QA testing, which is designed to identify bug in the code and make sure the system fulfills the requirements of the functional specifications
  • 27. Auditing Process The first phase of the process is to understand the objectives of the audit and plan a procedure to execute the auditing process. The second phase is to review, verify, and validate the system according to the objectives set in the previous phase.
  • 28. Auditing Process Divergence from the auditing objectives is documented. In this phase we are observing what is happening. The last phase is to document the results of the audit and recommend changes to the system.
  • 29. Auditing objectives Auditing objectives are established and documented for the following reasons Complying: identify all company policies, government regulation, laws, and the industry standards with which company comply. Informing: All policies, regulations, law, and standard must be published and communicated to all parties involved in the department and operation of the audited entity.
  • 30. Auditing objectives Planning: All the objectives enables the auditor to plan and document procedures to assess the audited entity. Executing: without auditing objectives, the person conducting the audit cannot evaluate, verify, or review the audited entity and cannot determine if the auditing objectives have been met.
  • 31. Auditing objectives Here are the top ten database auditing objectives: Data integrity: Ensure that data is valid and in full referential integrity. Application users and roles: Ensure that users are assigned roles that correspond to their responsibilities and duties. Data confidentiality: Identify who can read data and what data can be read.
  • 32. Auditing objectives Here are the top ten database auditing objectives: Data changes: create an audit trail of all data changes. Data structure changes: Ensure that the database logs all data structure changes. Database or application availability: Record the number of occurrences and duration of application or database shutdowns and all startup times.
  • 33. Auditing objectives Here are the top ten database auditing objectives: Change control: Ensure that a change control mechanism in incorporated to track necessary and planned changes to the database or application. Physical access: Record the physical access to the application or the database where the software and hardware resides. Auditing reports: Ensure that reports are generated on demand or automatically, showing all auditable activities
  • 34. Auditing classification and types Every industry and business sector uses different classifications of audits. In addition, the definition of each classification can differ from business to business. These categories are applicable to all industries.
  • 35. Auditing classification and types Internal Audit An internal audit is an audit that is conducted by a staff member of the company being audited. The purpose and intention of an internal audit is to; Verify that all auditing objectives are met by conducting a well-planned and scheduled audit.
  • 36. Auditing classification and types Investigate a situation that was prompted by an internal event or incident. This audit is random, not planned or scheduled. Investigate a situation that was prompted by an external request. This audit is random, not planned
  • 37. Auditing classification and types External Audit An external audit is conducted by a party outside the company that is being audited. The purpose and intention of this audit it to Investigate the financial or operational state of the company. Verity that all auditing objectives are met. This is a planned and scheduled.
  • 38. Auditing classification and types Automatic Audit An automatic audit is prompted and performed automatically. These audit are used mainly for systems and database systems. Some systems that employ this type of audit generate report and logs.
  • 39. Auditing classification and types Manual Audit Manual Audit is performed completely by humans. The audit team uses various methods to collect audit data, including interviews, document reviews, and observation.
  • 40. Auditing classification and types  Hybrid Audit A hybrid audit is a combination of automatic and manual audits. Most audits fall into this classification.
  • 41. Audit Types Financial audit: Ensure that all financial transactions are accounted for and comply with the law. Security audit: Evaluates if the system is as secure as it should be. This audit identifies security gaps and vulnerabilities. Compliance audit: Verifies that the system complies with industry standards, government regulations, or partner and client policies
  • 42. Audit Types Operational audit: Verifies if an operation is working according to the policies of the company. Investigative audit: performed in response to an event, request, threat, or incident to verify the integrity of the system. Product audit: performed to ensure that the product complies with industry standards. This audit is sometimes confused with testing; it should not be. Preventive audit: Performed to identify problems before they occur.
  • 43. Database Security & Auditing: Protecting Data Integrity & Accessibility 43 Benefits and Side Effects of AuditingBenefits: Enforces company policies and government regulations and laws Lowers the incidence of security violations Identifies security gaps and vulnerabilities Provides an audit trail of activities Provides means to observe and evaluate operations of the audited entity Makes the organization more accountable
  • 44. Database Security & Auditing: Protecting Data Integrity & Accessibility 44 Benefits and Side Effects of Auditing (continued) Side effects: Performance problems Too many reports and documents Disruption to the operations of the audited entity Consumption of resources, and added costs from downtime Friction between operators and auditor Same from a database perspective
  • 45. Auditing Models Security and auditing are the two inseparable elements of data and database integrity. Database auditing can be implemented by utilizing built-in feature of the database or by creating own mechanism
  • 46. Auditing Models It is important that we need to understand how auditing is processed for data and database activities. The flowchart shows what happens when a user performs and action on a database object. Specific checks occur to verify if the action, the user, or the object are registered repository
  • 47. Auditing Models If they are registered, following are recorded : State of the object before the action was taken along with the time of the action. Description of the action that was performed Name of the user who performed the action
  • 48. Database Security & Auditing: Protecting Data Integrity & Accessibility 48 Auditing Models (continued) User-name Action Object Previous values and record
  • 49. Database Security & Auditing: Protecting Data Integrity & Accessibility 49 Simple Auditing Model 1 Easy to understand and develop Registers audited entities in the audit model repository Chronologically tracks activities performed Entities: user, table, or column Activities: DML transaction (update, insert, delete) or logon and off times Status: active, deleted, inactive
  • 50. Database Security & Auditing: Protecting Data Integrity & Accessibility 50 Simple Auditing Model 1 (continued) update, insert, delete, logon and off user, table, or column active, deleted, inactive
  • 53. Simple Auditing Model 1 A control column is a placeholder for data that the application inserts automatically when a record is created or updated. It stores data about the current record, such as date and time the record was created and updated.
  • 61. Database Auditing Checklist Evaluate the purpose for auditing. After you have a clear understanding of the reasons for auditing, you can devise an appropriate auditing strategy and avoid unnecessary auditing.
  • 62. Database Auditing Checklist For example, suppose you are auditing to investigate suspicious database activity. This information by itself is not specific enough. What types of suspicious database activity do you suspect or have you noticed? A more focused auditing purpose might be to audit unauthorized deletions from arbitrary tables in the database.
  • 63. Database Auditing Checklist This purpose narrows the type of action being audited and the type of object being affected by the suspicious activity. Audit knowledgeably. Audit the minimum number of statements, users, or objects required to get the targeted information.
  • 64. Database Auditing Checklist This prevents unnecessary audit information from cluttering the meaningful information and consuming valuable space in the SYSTEM tablespace. Balance your need to gather sufficient security information with your ability to store and process it.
  • 65. Database Auditing Checklist Auditing Normal Database Activity Audit only relevant actions. To avoid disorder meaningful information with useless audit records and reduce the amount of audit trail administration, only audit the targeted database activities.
  • 66. Database Auditing Checklist Archive audit records and purge the audit trail. After you have collected the required information, archive the audit records of interest and purge the audit trail of this information.
  • 67. Database Auditing Checklist Auditing Suspicious Database Activity First audit generally, and then specifically. When starting to audit for suspicious database activity, it is common that not much information is available to target specific users or schema objects.
  • 68. Database Auditing Checklist Therefore, audit options must be set more generally at first. Once preliminary audit information is recorded and analyzed, the general audit options should be turned off and more specific audit options enabled. This process should continue until enough evidence is gathered to draw conclusions about the origin of the suspicious database activity.
  • 69. Database Auditing Checklist Protect the audit trail. When auditing for suspicious database activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being audited.