Restricting Access to Databases

Restricting access to production databases is a requirement of Sarbanes-Oxley Act sections 302 and 404, and is included in the COBIT framework.

Restricting access

Steps to restrict database access within an organization:
#Implement separation of duties (SOD), a preventive control.
#Establish test and production environments, a preventive control.
#Restrict user account and database administrator access, a preventive control.
#Turn on audit trails, monitoring software, or exception reports, which are detective controls.

Elements to restrict include:
#Data access (successful/failed selects)
#Data changes (insert, update, delete)
#System access (successful/failed logins; user/role/permission/password changes)
#Privileged user activity (all)
#Schema changes (create/drop/alter tables, columns, fields)

Controls

Compensating Controls:
#Use database triggers. Triggers are user-written or DBA-written code that is installed in the database and executed whenever an insert, update, or delete occurs.
Cons:
a.) Transaction performance could suffer.
b.) This solution does not provide 100% assurance of an incorruptible audit trail.
c.) Triggers can be modified by anyone who has the appropriate privileges.

#Implement application-based auditing.
Con:
Effective only if no other application or utility can access the database(s).

#Perform auditing on a per-database, per-table, per-column, or per-user basis.
Con:
Labor intensive for IT. It would require a manual review of the audit report to verify (before/after) what was changed and to sign off that the change was authorized and acceptable.
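The following is an added example, not part of the original article: it builds the trigger-based audit trail described under the first compensating control, produces the before/after report that the per-table auditing control asks reviewers to sign off on, and adds a schema check that detects the failure mode in con c.) (an audit trigger removed by a privileged user). It uses SQLite in memory; the ledger table, column names and trigger names are constructed for illustration.

```python
import sqlite3

# Constructed schema: a "ledger" table whose changes are recorded by triggers.
# The trigger names are what the schema check below expects to find.
AUDIT_TRIGGERS = {"ledger_ai", "ledger_au", "ledger_ad"}

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ledger(id INTEGER PRIMARY KEY, account TEXT, amount REAL);
        CREATE TABLE ledger_audit(
            audit_id   INTEGER PRIMARY KEY,
            op         TEXT    NOT NULL,
            row_id     INTEGER NOT NULL,
            old_amount REAL,
            new_amount REAL,
            changed_at TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP);
        -- One trigger per DML operation; OLD/NEW give the before/after image.
        CREATE TRIGGER ledger_ai AFTER INSERT ON ledger BEGIN
            INSERT INTO ledger_audit(op, row_id, old_amount, new_amount)
            VALUES ('INSERT', NEW.id, NULL, NEW.amount); END;
        CREATE TRIGGER ledger_au AFTER UPDATE ON ledger BEGIN
            INSERT INTO ledger_audit(op, row_id, old_amount, new_amount)
            VALUES ('UPDATE', OLD.id, OLD.amount, NEW.amount); END;
        CREATE TRIGGER ledger_ad AFTER DELETE ON ledger BEGIN
            INSERT INTO ledger_audit(op, row_id, old_amount, new_amount)
            VALUES ('DELETE', OLD.id, OLD.amount, NULL); END;
    """)
    return con

def audit_trail(con):
    """Before/after report that the reviewer checks and signs off."""
    return con.execute(
        "SELECT op, row_id, old_amount, new_amount "
        "FROM ledger_audit ORDER BY audit_id").fetchall()

def missing_triggers(con):
    """Detective control for con c): audit triggers no longer in the schema."""
    present = {r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'trigger'")}
    return sorted(AUDIT_TRIGGERS - present)

def demo():
    con = build_db()
    con.execute("INSERT INTO ledger(id, account, amount) VALUES (1, '4000-sales', 100.0)")
    con.execute("UPDATE ledger SET amount = 250.0 WHERE id = 1")
    con.execute("DELETE FROM ledger WHERE id = 1")
    trail = audit_trail(con)
    # Simulate the failure mode from con c): a privileged account drops a trigger.
    con.execute("DROP TRIGGER ledger_au")
    return trail, missing_triggers(con)
```

Running demo() returns the three before/after rows for the insert, update and delete, followed by ['ledger_au'] from the schema check once that trigger is gone; in production the same check would be scheduled and its output fed to the exception reports named in the steps above.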

Control evaluation considerations by Internal Audit: the overall control evaluation cannot be determined until the compensating controls have been reviewed and tested within the environment. If the compensating controls fail or are deemed inadequate, the control issue could be classified as a Significant Deficiency because of its pervasive nature and the inability to validate that no unknown or inappropriate adjustments have been executed.

The best control environment surrounding databases is one that can track and review any and all adds, deletes, and modifications to the databases.

Deficiency

Deficiency and Material Weakness Definitions:
• Preventative/Detective Control is missing; or
• Control objective is not met, or the control is not operating as designed; or
• The individual performing the control is not qualified or not authorized to perform the control.

An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements or errors on a timely basis.

A Significant Deficiency is an internal control deficiency that adversely affects the entity's ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP). It is a single deficiency, or a combination of deficiencies, that results in more than a remote likelihood that a misstatement of the financial statements that is more than inconsequential in amount will not be prevented or detected.

A Material Weakness is a significant deficiency that, by itself or in combination with other significant deficiencies, results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

See also

*Sarbanes-Oxley Act
*COBIT


Wikimedia Foundation. 2010.
