From Wikipedia, the free encyclopedia

Restricting Access to Databases

Restricting access to production databases is a requirement of Sarbanes-Oxley Act sections 302 and 404, and is included in the COBIT framework.

Restricting access

Steps to restrict database access within an organization:

1. Implement separation of duties (SOD), a preventive control.
2. Establish separate test and production environments, a preventive control.
3. Restrict user account and database administrator access, a preventive control.
4. Turn on audit trails, monitoring software, or exception reports, which are detective controls.

Elements to restrict and monitor include:

1. Data access (successful/failed SELECTs)
2. Data changes (INSERT, UPDATE, DELETE)
3. System access (successful/failed logins; user/role/permission/password changes)
4. Privileged user activity (all of it)
5. Schema changes (CREATE/DROP/ALTER of tables, columns, fields)

Controls

Compensating controls:

1. Exploit the technology known as triggers. Triggers are user-written or DBA-written code that is inserted into the database and executed whenever an insert, update or delete occurs.
   Cons:
   a.) Transaction performance could suffer.
   b.) This solution does not provide 100% assurance of an incorruptible audit trail.
   c.) Triggers can be modified by anyone who has the appropriate privileges.
2. Implement application-based auditing.
   Con: Effective only if no other application or utility can access the database(s).
3. Perform auditing on a per-database, per-table, per-column, or per-user basis.
   Con: Labor intensive for IT. It requires a manual review of the audit report to verify (before/after) what was changed, and a sign-off that the change was authorized and acceptable.

Control evaluation considerations by Internal Audit: the overall control evaluation cannot be determined until the compensating controls have been reviewed and tested within the environment. If the compensating controls fail or are deemed inadequate, the control issue could potentially be classified as a Significant Deficiency, due to its pervasive nature and the inability to validate that no unknown or inappropriate adjustments have been executed.

The best control environment surrounding databases is one with the ability to track and review any and all adds, deletes and modifications to the databases.

Deficiency

Deficiency and Material Weakness definitions. A control deficiency exists when:
• a preventive or detective control is missing; or
• the control objective is not met, or the control is not operating as designed; or
• the individual performing the control is not qualified or not authorized to perform the control.

An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements or errors on a timely basis.

A Significant Deficiency is an internal control deficiency that adversely affects the entity's ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP). It is a single deficiency, or a combination of deficiencies, that results in more than a remote likelihood that a misstatement of the financial statements that is more than inconsequential in amount will not be prevented or detected.

A Material Weakness is a significant deficiency that, by itself or in combination with other significant deficiencies, results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.




Retrieved from "http://en.wikipedia.org/w/index.php?title=Restricting_Access_to_Databases&oldid=468635338"



Categories:

• Computer access control

• Data security

• Databases





This page was last modified on 30 December 2011 at 18:24. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.


