SlideShare a Scribd company logo

Database auditing models

Download as PPT, PDF
E
ERSHUBHAM TIWARI

DataBase security

Engineering
1 of 69
Introduction Another key aspect of data confidentiality, integrity, and accessibility is presented database auditing, thus providing the full complement to database security. The two concepts are inseparable. Together they ensure that your data is protected. We ensure that data is well guarded through database auditing.
Introduction Database security is not effective without database auditing and vice versa. To prevent data violations, the best practice is to have both database security and auditing in place
Introduction
Database Security & Auditing: Protecting Data Integrity & Accessibility 5 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices, conduct Audit measures: compliance to policies, procedures, processes and laws
Auditing overview Audit/ Auditing: The process of examining and validating documents, data, processes, procedures, system, or other activities to ensure that the audited entity complies with its objectives. Audit log: A document that contains all activities that are being audited ordered in a chronological manner. Usually, an automated system generates the log.
Auditing overview Audit objectives: A set of business rules, system controls, government regulations, or security policies against which the audited entity is measured to determine compliance. Auditor: A person who is authorized to examine, verify, and validate documents, data, processes, procedures, systems, or activities and to produce an audit report
Auditing overview Audit procedure: A set of step-by-step instructions for performing the auditing process. Audit report: A document that contains the audit findings and is generated by individuals conducting the audit. Audit trail: A chronological record of document changes, data changes, system activities, or operational events.
Auditing overview Data audit: A chronological record of data changes stored in a log file or a database table object. Database auditing: A chronological record of database activities, such as shutdown, startup, logons, and data structure changes of database objects.
Auditing overview Internal auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members of the organization being audited. External auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members outside of the organization being audited.
Auditing Activities Auditing activities are performed as a part of an audit, audit process, or audit plan. Some of these activities can be thought of as the auditor’s responsibilities or they can be incorporated into an organization’s audit policies.
Auditing Activities
Auditing Activities
Auditing Environment An auditing can be conducted as a review of the enforcement of security policies and procedures. These are only a few of the many reasons for audits. However, as diverse as these audits are, they all take place in an auditing environment
Auditing Environment
Auditing Environment Objectives: An audit without a set of objectives is useless. To conduct an audit we must know what the audit entity is to be measured against. Procedures: To conduct an audit, step-by-step instructions and tasks must be documented ahead of time.
Auditing Environment People: Every auditing environment must have an auditor, even in the case of an automatic audit. Audited entities: This includes people, documents, processes, systems, activities, or any operations that are being audited.
Components of DB Auditing Environment
Components of DB Auditing Environment The auditing environment present is applicable to all aspects of the business including the database. The auditing environment for database auditing differs slightly from the generic auditing environment in that it distinguishes the database from the other auditable entities
Components of DB Auditing Environment When designing an auditing model for database application. We need to account for all the components shown in the figure to ensure auditing model is complete and effective. Design and develop an application system or business process that requires auditing, we must think about every objective related to these components.
Auditing Process The auditing process ensures that the system is working and complies with the policies, standards, regulations, or laws set forth by the organizations. Auditing is also not the same as performance monitoring. Their objectives are totally different.
Auditing Process The main objective of performance monitoring is to observe if there is degradation in performance at various operation times, which is totally different from auditing. Auditing validates compliance to policy, not performance.
Auditing Process Difference in QA, auditing and performance monitoring QA Process Timing : During Development and before product is commissioned into production Auditing Process Timing : After product is commissioned into production Performance Monitoring Process Timing : After product is commissioned into production
Auditing Process Difference in QA, auditing and performance monitoring QA : Test the product to make sure it is working properly and is not defective. Performance Monitoring : Monitor Response Time
Auditing Process
Auditing Process The first block on the left is the full system development life cycle, known as SDLC. In this block the system goes through a structured process of development. One of the phases in this block is QA testing, which is designed to identify bug in the code and make sure the system fulfills the requirements of the functional specifications
Auditing Process The first phase of the process is to understand the objectives of the audit and plan a procedure to execute the auditing process. The second phase is to review, verify, and validate the system according to the objectives set in the previous phase.
Auditing Process Divergence from the auditing objectives is documented. In this phase we are observing what is happening. The last phase is to document the results of the audit and recommend changes to the system.
Auditing objectives Auditing objectives are established and documented for the following reasons Complying: identify all company policies, government regulation, laws, and the industry standards with which company comply. Informing: All policies, regulations, law, and standard must be published and communicated to all parties involved in the department and operation of the audited entity.
Auditing objectives Planning: All the objectives enables the auditor to plan and document procedures to assess the audited entity. Executing: without auditing objectives, the person conducting the audit cannot evaluate, verify, or review the audited entity and cannot determine if the auditing objectives have been met.
Auditing objectives Here are the top ten database auditing objectives: Data integrity: Ensure that data is valid and in full referential integrity. Application users and roles: Ensure that users are assigned roles that correspond to their responsibilities and duties. Data confidentiality: Identify who can read data and what data can be read.
Auditing objectives Here are the top ten database auditing objectives: Data changes: create an audit trail of all data changes. Data structure changes: Ensure that the database logs all data structure changes. Database or application availability: Record the number of occurrences and duration of application or database shutdowns and all startup times.
Auditing objectives Here are the top ten database auditing objectives: Change control: Ensure that a change control mechanism in incorporated to track necessary and planned changes to the database or application. Physical access: Record the physical access to the application or the database where the software and hardware resides. Auditing reports: Ensure that reports are generated on demand or automatically, showing all auditable activities
Auditing classification and types Every industry and business sector uses different classifications of audits. In addition, the definition of each classification can differ from business to business. These categories are applicable to all industries.
Auditing classification and types Internal Audit An internal audit is an audit that is conducted by a staff member of the company being audited. The purpose and intention of an internal audit is to; Verify that all auditing objectives are met by conducting a well-planned and scheduled audit.
Auditing classification and types Investigate a situation that was prompted by an internal event or incident. This audit is random, not planned or scheduled. Investigate a situation that was prompted by an external request. This audit is random, not planned
Auditing classification and types External Audit An external audit is conducted by a party outside the company that is being audited. The purpose and intention of this audit it to Investigate the financial or operational state of the company. Verity that all auditing objectives are met. This is a planned and scheduled.
Auditing classification and types Automatic Audit An automatic audit is prompted and performed automatically. These audit are used mainly for systems and database systems. Some systems that employ this type of audit generate report and logs.
Auditing classification and types Manual Audit Manual Audit is performed completely by humans. The audit team uses various methods to collect audit data, including interviews, document reviews, and observation.
Auditing classification and types  Hybrid Audit A hybrid audit is a combination of automatic and manual audits. Most audits fall into this classification.
Audit Types Financial audit: Ensure that all financial transactions are accounted for and comply with the law. Security audit: Evaluates if the system is as secure as it should be. This audit identifies security gaps and vulnerabilities. Compliance audit: Verifies that the system complies with industry standards, government regulations, or partner and client policies
Audit Types Operational audit: Verifies if an operation is working according to the policies of the company. Investigative audit: performed in response to an event, request, threat, or incident to verify the integrity of the system. Product audit: performed to ensure that the product complies with industry standards. This audit is sometimes confused with testing; it should not be. Preventive audit: Performed to identify problems before they occur.
Database Security & Auditing: Protecting Data Integrity & Accessibility 43 Benefits and Side Effects of AuditingBenefits: Enforces company policies and government regulations and laws Lowers the incidence of security violations Identifies security gaps and vulnerabilities Provides an audit trail of activities Provides means to observe and evaluate operations of the audited entity Makes the organization more accountable
Database Security & Auditing: Protecting Data Integrity & Accessibility 44 Benefits and Side Effects of Auditing (continued) Side effects: Performance problems Too many reports and documents Disruption to the operations of the audited entity Consumption of resources, and added costs from downtime Friction between operators and auditor Same from a database perspective
Auditing Models Security and auditing are the two inseparable elements of data and database integrity. Database auditing can be implemented by utilizing built-in feature of the database or by creating own mechanism
Auditing Models It is important that we need to understand how auditing is processed for data and database activities. The flowchart shows what happens when a user performs and action on a database object. Specific checks occur to verify if the action, the user, or the object are registered repository
Auditing Models If they are registered, following are recorded : State of the object before the action was taken along with the time of the action. Description of the action that was performed Name of the user who performed the action
Database Security & Auditing: Protecting Data Integrity & Accessibility 48 Auditing Models (continued) User-name Action Object Previous values and record
Database Security & Auditing: Protecting Data Integrity & Accessibility 49 Simple Auditing Model 1 Easy to understand and develop Registers audited entities in the audit model repository Chronologically tracks activities performed Entities: user, table, or column Activities: DML transaction (update, insert, delete) or logon and off times Status: active, deleted, inactive
Database Security & Auditing: Protecting Data Integrity & Accessibility 50 Simple Auditing Model 1 (continued) update, insert, delete, logon and off user, table, or column active, deleted, inactive
Simple Auditing Model 1
Simple Auditing Model 1
Simple Auditing Model 1 A control column is a placeholder for data that the application inserts automatically when a record is created or updated. It stores data about the current record, such as date and time the record was created and updated.
Simple Auditing Model 1
Simple Auditing Model 1
Database Security Checklist
Database Security Checklist
Database Security Checklist
Database Security Checklist
Database Security Checklist
Database Auditing Checklist Evaluate the purpose for auditing. After you have a clear understanding of the reasons for auditing, you can devise an appropriate auditing strategy and avoid unnecessary auditing.
Database Auditing Checklist For example, suppose you are auditing to investigate suspicious database activity. This information by itself is not specific enough. What types of suspicious database activity do you suspect or have you noticed? A more focused auditing purpose might be to audit unauthorized deletions from arbitrary tables in the database.
Database Auditing Checklist This purpose narrows the type of action being audited and the type of object being affected by the suspicious activity. Audit knowledgeably. Audit the minimum number of statements, users, or objects required to get the targeted information.
Database Auditing Checklist This prevents unnecessary audit information from cluttering the meaningful information and consuming valuable space in the SYSTEM tablespace. Balance your need to gather sufficient security information with your ability to store and process it.
Database Auditing Checklist Auditing Normal Database Activity Audit only relevant actions. To avoid disorder meaningful information with useless audit records and reduce the amount of audit trail administration, only audit the targeted database activities.
Database Auditing Checklist Archive audit records and purge the audit trail. After you have collected the required information, archive the audit records of interest and purge the audit trail of this information.
Database Auditing Checklist Auditing Suspicious Database Activity First audit generally, and then specifically. When starting to audit for suspicious database activity, it is common that not much information is available to target specific users or schema objects.
Database Auditing Checklist Therefore, audit options must be set more generally at first. Once preliminary audit information is recorded and analyzed, the general audit options should be turned off and more specific audit options enabled. This process should continue until enough evidence is gathered to draw conclusions about the origin of the suspicious database activity.
Database Auditing Checklist Protect the audit trail. When auditing for suspicious database activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being audited.

Recommended

Security audit
Security auditSecurity audit
Security audit
Rosaria Dee
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
Mufaddal Nullwala
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentials
Craig Mullins
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controls
CenapSerdarolu
 
The information security audit
The information security auditThe information security audit
The information security audit
Dhani Ahmad
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
James W. De Rienzo
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 

Recommended

Security audit
Security auditSecurity audit
Security audit
Rosaria Dee
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
Mufaddal Nullwala
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentials
Craig Mullins
 
Auditing application controls
Auditing application controlsAuditing application controls
Auditing application controls
CenapSerdarolu
 
The information security audit
The information security auditThe information security audit
The information security audit
Dhani Ahmad
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
James W. De Rienzo
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
Kaushal Trivedi
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
Mulyadi Yusuf
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
IT Asset management presentation
IT Asset management presentationIT Asset management presentation
IT Asset management presentation
Ashita Mehra
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
Marco Raposo
 
IT General Controls
IT General ControlsIT General Controls
IT General Controls
Cicero Ray Rufino
 
Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
Shruthi48
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 
Introduction to software testing
Introduction to software testingIntroduction to software testing
Introduction to software testing
Hadi Fadlallah
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
ControlCase
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1
Yasir Khan
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
Mahesh Patwardhan
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
Dam Frank
 
UEBA
UEBAUEBA
UEBA
Christophe M. Anciaux ☁
 
Information security – risk identification is all
Information security – risk identification is allInformation security – risk identification is all
Information security – risk identification is all
PECB
 
Software testing ppt
Software testing pptSoftware testing ppt
Software testing ppt
Savyasachi14
 
Sql database audit
Sql database auditSql database audit
Sql database audit
Sqlperfomance
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-database
Mohsen B
 

More Related Content

What's hot

03.1 general control
03.1 general control03.1 general control
03.1 general control
Mulyadi Yusuf
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 

What's hot (20)

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
IT Asset management presentation
IT Asset management presentationIT Asset management presentation
IT Asset management presentation
 
Security Audit Best-Practices
Security Audit Best-PracticesSecurity Audit Best-Practices
Security Audit Best-Practices
 
IT General Controls
IT General ControlsIT General Controls
IT General Controls
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.ppt
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Introduction to software testing
Introduction to software testingIntroduction to software testing
Introduction to software testing
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1Information System Architecture and Audit Control Lecture 1
Information System Architecture and Audit Control Lecture 1
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
UEBA
UEBAUEBA
UEBA
 
Information security – risk identification is all
Information security – risk identification is allInformation security – risk identification is all
Information security – risk identification is all
 
Software testing ppt
Software testing pptSoftware testing ppt
Software testing ppt
 

Viewers also liked

security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-database
Mohsen B
 
Tips for Maintaining Prospect Data in CRM
Tips for Maintaining Prospect Data in CRMTips for Maintaining Prospect Data in CRM
Tips for Maintaining Prospect Data in CRM
Blackbaud
 
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Health Catalyst
 
AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...
AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...
AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...
Amazon Web Services
 

Viewers also liked (15)

Sql database audit
Sql database auditSql database audit
Sql database audit
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-database
 
Tips for Maintaining Prospect Data in CRM
Tips for Maintaining Prospect Data in CRMTips for Maintaining Prospect Data in CRM
Tips for Maintaining Prospect Data in CRM
 
Ais Romney 2006 Slides 08 Is Control2
Ais Romney 2006 Slides 08 Is Control2Ais Romney 2006 Slides 08 Is Control2
Ais Romney 2006 Slides 08 Is Control2
 
Blackbaud CRM After Go-Live
Blackbaud CRM After Go-LiveBlackbaud CRM After Go-Live
Blackbaud CRM After Go-Live
 
Distributed database security with discretionary access control
Distributed database security with discretionary access controlDistributed database security with discretionary access control
Distributed database security with discretionary access control
 
Managerial Control
Managerial ControlManagerial Control
Managerial Control
 
Sample audit plan
Sample audit planSample audit plan
Sample audit plan
 
Modelo Entidad Relación Extendido.
Modelo Entidad Relación Extendido.Modelo Entidad Relación Extendido.
Modelo Entidad Relación Extendido.
 
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
Clinical Data Repository vs. A Data Warehouse - Which Do You Need?
 
DATA WAREHOUSING
DATA WAREHOUSINGDATA WAREHOUSING
DATA WAREHOUSING
 
AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...
AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...
AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Heal...
 
MHRA Data Integrity Requirements
MHRA Data Integrity RequirementsMHRA Data Integrity Requirements
MHRA Data Integrity Requirements
 
Audit report
Audit reportAudit report
Audit report
 
Best practice strategies to clean up and maintain your database with Hether G...
Best practice strategies to clean up and maintain your database with Hether G...Best practice strategies to clean up and maintain your database with Hether G...
Best practice strategies to clean up and maintain your database with Hether G...
 

Similar to Database auditing models

auditpresentation-121006061658-phpapp02.pdf
auditpresentation-121006061658-phpapp02.pdfauditpresentation-121006061658-phpapp02.pdf
auditpresentation-121006061658-phpapp02.pdf
owaissayyed0041
 
Navigating the Realm of Audits: Understanding, Preparation, and Compliance
Navigating the Realm of Audits: Understanding, Preparation, and ComplianceNavigating the Realm of Audits: Understanding, Preparation, and Compliance
Navigating the Realm of Audits: Understanding, Preparation, and Compliance
amanrajput052046
 

Similar to Database auditing models (20)

Tugas mandiri audit novita dewi 11353202277
Tugas mandiri audit novita dewi 11353202277Tugas mandiri audit novita dewi 11353202277
Tugas mandiri audit novita dewi 11353202277
 
Eeoqms internal auditing
Eeoqms internal auditingEeoqms internal auditing
Eeoqms internal auditing
 
Audits and Regulatory Compliance
Audits and Regulatory ComplianceAudits and Regulatory Compliance
Audits and Regulatory Compliance
 
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - JordanAuditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
Auditing Management systems based on ISO19011 By Eng. Karam Malkawi - Jordan
 
Internal control and Control Self Assessment
Internal control and Control Self AssessmentInternal control and Control Self Assessment
Internal control and Control Self Assessment
 
Quality Assurance
Quality AssuranceQuality Assurance
Quality Assurance
 
Basic concepts of quality assurance
Basic concepts of quality assuranceBasic concepts of quality assurance
Basic concepts of quality assurance
 
social audit
social auditsocial audit
social audit
 
Safety Audit at Workplace (Group 15)
Safety Audit at Workplace (Group 15)Safety Audit at Workplace (Group 15)
Safety Audit at Workplace (Group 15)
 
auditpresentation-121006061658-phpapp02.pdf
auditpresentation-121006061658-phpapp02.pdfauditpresentation-121006061658-phpapp02.pdf
auditpresentation-121006061658-phpapp02.pdf
 
introduction on auditing
introduction on auditingintroduction on auditing
introduction on auditing
 
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based IsAis Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based Is
 
Ais Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based IsAis Romney 2006 Slides 09 Auditing Computer Based Is
Ais Romney 2006 Slides 09 Auditing Computer Based Is
 
Auditing
AuditingAuditing
Auditing
 
Internal audit
Internal auditInternal audit
Internal audit
 
Audit system
Audit systemAudit system
Audit system
 
CHAPTER-1 Management Audit and Planning procedure.pdf
CHAPTER-1 Management Audit and Planning procedure.pdfCHAPTER-1 Management Audit and Planning procedure.pdf
CHAPTER-1 Management Audit and Planning procedure.pdf
 
Navigating the Realm of Audits: Understanding, Preparation, and Compliance
Navigating the Realm of Audits: Understanding, Preparation, and ComplianceNavigating the Realm of Audits: Understanding, Preparation, and Compliance
Navigating the Realm of Audits: Understanding, Preparation, and Compliance
 
Audit system
Audit systemAudit system
Audit system
 
Audit presentation
Audit presentationAudit presentation
Audit presentation
 

Recently uploaded

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
Kamal Acharya
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
MayuraD1
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
vershagrag
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
Kamal Acharya
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
AldoGarca30
 

Recently uploaded (20)

Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic Marks
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
 
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptxOrlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
Orlando’s Arnold Palmer Hospital Layout Strategy-1.pptx
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
Introduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdfIntroduction to Data Visualization,Matplotlib.pdf
Introduction to Data Visualization,Matplotlib.pdf
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 

Database auditing models

  • 1.
  • 2. Introduction Another key aspect of data confidentiality, integrity, and accessibility is presented database auditing, thus providing the full complement to database security. The two concepts are inseparable. Together they ensure that your data is protected. We ensure that data is well guarded through database auditing.
  • 3. Introduction Database security is not effective without database auditing and vice versa. To prevent data violations, the best practice is to have both database security and auditing in place
  • 5. Database Security & Auditing: Protecting Data Integrity & Accessibility 5 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices, conduct Audit measures: compliance to policies, procedures, processes and laws
  • 6. Auditing overview Audit/ Auditing: The process of examining and validating documents, data, processes, procedures, system, or other activities to ensure that the audited entity complies with its objectives. Audit log: A document that contains all activities that are being audited ordered in a chronological manner. Usually, an automated system generates the log.
  • 7. Auditing overview Audit objectives: A set of business rules, system controls, government regulations, or security policies against which the audited entity is measured to determine compliance. Auditor: A person who is authorized to examine, verify, and validate documents, data, processes, procedures, systems, or activities and to produce an audit report
  • 8. Auditing overview Audit procedure: A set of step-by-step instructions for performing the auditing process. Audit report: A document that contains the audit findings and is generated by individuals conducting the audit. Audit trail: A chronological record of document changes, data changes, system activities, or operational events.
  • 9. Auditing overview Data audit: A chronological record of data changes stored in a log file or a database table object. Database auditing: A chronological record of database activities, such as shutdown, startup, logons, and data structure changes of database objects.
  • 10. Auditing overview Internal auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members of the organization being audited. External auditing: An examination, verification, and validation of documents, processes, procedures, systems, or activities conducted by staff members outside of the organization being audited.
  • 11. Auditing Activities Auditing activities are performed as a part of an audit, audit process, or audit plan. Some of these activities can be thought of as the auditor’s responsibilities or they can be incorporated into an organization’s audit policies.
  • 14. Auditing Environment An auditing can be conducted as a review of the enforcement of security policies and procedures. These are only a few of the many reasons for audits. However, as diverse as these audits are, they all take place in an auditing environment
  • 16. Auditing Environment Objectives: An audit without a set of objectives is useless. To conduct an audit we must know what the audit entity is to be measured against. Procedures: To conduct an audit, step-by-step instructions and tasks must be documented ahead of time.
  • 17. Auditing Environment People: Every auditing environment must have an auditor, even in the case of an automatic audit. Audited entities: This includes people, documents, processes, systems, activities, or any operations that are being audited.
  • 18. Components of DB Auditing Environment
  • 19. Components of DB Auditing Environment The auditing environment present is applicable to all aspects of the business including the database. The auditing environment for database auditing differs slightly from the generic auditing environment in that it distinguishes the database from the other auditable entities
  • 20. Components of DB Auditing Environment When designing an auditing model for database application. We need to account for all the components shown in the figure to ensure auditing model is complete and effective. Design and develop an application system or business process that requires auditing, we must think about every objective related to these components.
  • 21. Auditing Process The auditing process ensures that the system is working and complies with the policies, standards, regulations, or laws set forth by the organizations. Auditing is also not the same as performance monitoring. Their objectives are totally different.
  • 22. Auditing Process The main objective of performance monitoring is to observe if there is degradation in performance at various operation times, which is totally different from auditing. Auditing validates compliance to policy, not performance.
  • 23. Auditing Process Difference in QA, auditing and performance monitoring QA Process Timing : During Development and before product is commissioned into production Auditing Process Timing : After product is commissioned into production Performance Monitoring Process Timing : After product is commissioned into production
  • 24. Auditing Process Difference in QA, auditing and performance monitoring QA : Test the product to make sure it is working properly and is not defective. Performance Monitoring : Monitor Response Time
  • 26. Auditing Process The first block on the left is the full system development life cycle, known as SDLC. In this block the system goes through a structured process of development. One of the phases in this block is QA testing, which is designed to identify bug in the code and make sure the system fulfills the requirements of the functional specifications
  • 27. Auditing Process The first phase of the process is to understand the objectives of the audit and plan a procedure to execute the auditing process. The second phase is to review, verify, and validate the system according to the objectives set in the previous phase.
  • 28. Auditing Process Divergence from the auditing objectives is documented. In this phase we are observing what is happening. The last phase is to document the results of the audit and recommend changes to the system.
  • 29. Auditing objectives Auditing objectives are established and documented for the following reasons Complying: identify all company policies, government regulation, laws, and the industry standards with which company comply. Informing: All policies, regulations, law, and standard must be published and communicated to all parties involved in the department and operation of the audited entity.
  • 30. Auditing objectives Planning: All the objectives enables the auditor to plan and document procedures to assess the audited entity. Executing: without auditing objectives, the person conducting the audit cannot evaluate, verify, or review the audited entity and cannot determine if the auditing objectives have been met.
  • 31. Auditing objectives Here are the top ten database auditing objectives: Data integrity: Ensure that data is valid and in full referential integrity. Application users and roles: Ensure that users are assigned roles that correspond to their responsibilities and duties. Data confidentiality: Identify who can read data and what data can be read.
  • 32. Auditing objectives Here are the top ten database auditing objectives: Data changes: create an audit trail of all data changes. Data structure changes: Ensure that the database logs all data structure changes. Database or application availability: Record the number of occurrences and duration of application or database shutdowns and all startup times.
  • 33. Auditing objectives Here are the top ten database auditing objectives: Change control: Ensure that a change control mechanism in incorporated to track necessary and planned changes to the database or application. Physical access: Record the physical access to the application or the database where the software and hardware resides. Auditing reports: Ensure that reports are generated on demand or automatically, showing all auditable activities
  • 34. Auditing classification and types Every industry and business sector uses different classifications of audits. In addition, the definition of each classification can differ from business to business. These categories are applicable to all industries.
  • 35. Auditing classification and types Internal Audit An internal audit is an audit that is conducted by a staff member of the company being audited. The purpose and intention of an internal audit is to; Verify that all auditing objectives are met by conducting a well-planned and scheduled audit.
  • 36. Auditing classification and types Investigate a situation that was prompted by an internal event or incident. This audit is random, not planned or scheduled. Investigate a situation that was prompted by an external request. This audit is random, not planned
  • 37. Auditing classification and types External Audit An external audit is conducted by a party outside the company that is being audited. The purpose and intention of this audit it to Investigate the financial or operational state of the company. Verity that all auditing objectives are met. This is a planned and scheduled.
  • 38. Auditing classification and types Automatic Audit An automatic audit is prompted and performed automatically. These audit are used mainly for systems and database systems. Some systems that employ this type of audit generate report and logs.
  • 39. Auditing classification and types Manual Audit Manual Audit is performed completely by humans. The audit team uses various methods to collect audit data, including interviews, document reviews, and observation.
  • 40. Auditing classification and types  Hybrid Audit A hybrid audit is a combination of automatic and manual audits. Most audits fall into this classification.
  • 41. Audit Types Financial audit: Ensure that all financial transactions are accounted for and comply with the law. Security audit: Evaluates if the system is as secure as it should be. This audit identifies security gaps and vulnerabilities. Compliance audit: Verifies that the system complies with industry standards, government regulations, or partner and client policies
  • 42. Audit Types Operational audit: Verifies if an operation is working according to the policies of the company. Investigative audit: performed in response to an event, request, threat, or incident to verify the integrity of the system. Product audit: performed to ensure that the product complies with industry standards. This audit is sometimes confused with testing; it should not be. Preventive audit: Performed to identify problems before they occur.
  • 43. Database Security & Auditing: Protecting Data Integrity & Accessibility 43 Benefits and Side Effects of AuditingBenefits: Enforces company policies and government regulations and laws Lowers the incidence of security violations Identifies security gaps and vulnerabilities Provides an audit trail of activities Provides means to observe and evaluate operations of the audited entity Makes the organization more accountable
  • 44. Database Security & Auditing: Protecting Data Integrity & Accessibility 44 Benefits and Side Effects of Auditing (continued) Side effects: Performance problems Too many reports and documents Disruption to the operations of the audited entity Consumption of resources, and added costs from downtime Friction between operators and auditor Same from a database perspective
  • 45. Auditing Models Security and auditing are the two inseparable elements of data and database integrity. Database auditing can be implemented by utilizing built-in feature of the database or by creating own mechanism
  • 46. Auditing Models It is important that we need to understand how auditing is processed for data and database activities. The flowchart shows what happens when a user performs and action on a database object. Specific checks occur to verify if the action, the user, or the object are registered repository
  • 47. Auditing Models If they are registered, following are recorded : State of the object before the action was taken along with the time of the action. Description of the action that was performed Name of the user who performed the action
  • 48. Database Security & Auditing: Protecting Data Integrity & Accessibility 48 Auditing Models (continued) User-name Action Object Previous values and record
  • 49. Database Security & Auditing: Protecting Data Integrity & Accessibility 49 Simple Auditing Model 1 Easy to understand and develop Registers audited entities in the audit model repository Chronologically tracks activities performed Entities: user, table, or column Activities: DML transaction (update, insert, delete) or logon and off times Status: active, deleted, inactive
  • 50. Database Security & Auditing: Protecting Data Integrity & Accessibility 50 Simple Auditing Model 1 (continued) update, insert, delete, logon and off user, table, or column active, deleted, inactive
  • 53. Simple Auditing Model 1 A control column is a placeholder for data that the application inserts automatically when a record is created or updated. It stores data about the current record, such as date and time the record was created and updated.
  • 61. Database Auditing Checklist Evaluate the purpose for auditing. After you have a clear understanding of the reasons for auditing, you can devise an appropriate auditing strategy and avoid unnecessary auditing.
  • 62. Database Auditing Checklist For example, suppose you are auditing to investigate suspicious database activity. This information by itself is not specific enough. What types of suspicious database activity do you suspect or have you noticed? A more focused auditing purpose might be to audit unauthorized deletions from arbitrary tables in the database.
  • 63. Database Auditing Checklist This purpose narrows the type of action being audited and the type of object being affected by the suspicious activity. Audit knowledgeably. Audit the minimum number of statements, users, or objects required to get the targeted information.
  • 64. Database Auditing Checklist This prevents unnecessary audit information from cluttering the meaningful information and consuming valuable space in the SYSTEM tablespace. Balance your need to gather sufficient security information with your ability to store and process it.
  • 65. Database Auditing Checklist Auditing Normal Database Activity Audit only relevant actions. To avoid disorder meaningful information with useless audit records and reduce the amount of audit trail administration, only audit the targeted database activities.
  • 66. Database Auditing Checklist Archive audit records and purge the audit trail. After you have collected the required information, archive the audit records of interest and purge the audit trail of this information.
  • 67. Database Auditing Checklist Auditing Suspicious Database Activity First audit generally, and then specifically. When starting to audit for suspicious database activity, it is common that not much information is available to target specific users or schema objects.
  • 68. Database Auditing Checklist Therefore, audit options must be set more generally at first. Once preliminary audit information is recorded and analyzed, the general audit options should be turned off and more specific audit options enabled. This process should continue until enough evidence is gathered to draw conclusions about the origin of the suspicious database activity.
  • 69. Database Auditing Checklist Protect the audit trail. When auditing for suspicious database activity, protect the audit trail so that audit information cannot be added, changed, or deleted without being audited.