
Application Review and Auditing Databases


Presentation Transcript


  1. Application Review and Auditing Databases Quinn Gaalswyk, CISA Ted Wallerstedt, CISA, CIA Office of Internal Audit University of Minnesota

  2. Application Controls - Agenda
  • Introduction & Ice Breaker - 9:00
  • App. Best Practices - 9:10
  • App. Reports - 9:25
  • App. Control Recap - 9:30
  • Database Security - 9:45
  • Timesheets Scenario - 10:45
  • Adjourn - 11:30

  3. Where were you in 1991?

  4. Best Practices
  • Apply defense-in-depth.
  • Use a positive security model.
  • Fail safely.
  • Run with least privilege.
  • Avoid security by obscurity.

  5. Best Practices
  • Keep security simple.
  • Detect intrusions and keep logs.
  • Never trust infrastructure and services.
  • Establish secure defaults.
  • Use open standards.

  6. Application Security - Reports Overview Quinn Gaalswyk, CISA Senior Information Systems Auditor University of Minnesota

  7. Report Overview
  • Reports should support functional activities
  • Management reports - tie to business need
  • Exception reports
  • Pragmatic and useful

  8. Report Auditing
  • Confirm activity is writing to report
  • Test data and test environment
  • Obtain reports from production
  • Interview functional user to confirm reports serve needs
  • Confirm reports are reviewed

  9. Application Reports and Controls Recap Quinn Gaalswyk, CISA Senior Information Systems Auditor University of Minnesota

  10. Application Input Controls
  • #1 Review and evaluate data input controls (Prevent)
  • #2 Determine the need for error/exception reports related to data integrity, and evaluate whether this need has been fulfilled (Detect)

  11. Application Interface Controls
  • #3 Review and evaluate the controls in place over data feeds to and from interfacing systems.

  12. Data Synchronization
  • #4 In cases where the same data are kept in multiple databases and/or systems, periodic 'sync' processes should be executed to detect any inconsistencies in the data.
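The periodic 'sync' process in control #4 is, at its core, a reconciliation: index both copies of the data by a shared key, then report records present in only one system and records present in both but with differing field values. The following is an added example (not code from the presentation or from the University of Minnesota); the two record sets are constructed sample data standing in for a hypothetical HR system and a hypothetical payroll system, and the field names are assumptions.

```python
"""Reconciliation check between two systems that hold the same data.

Added example for the data-synchronization control (#4); not part of the
original presentation. HR_SYSTEM and PAYROLL_SYSTEM are constructed sample
records for two hypothetical systems.
"""
from dataclasses import dataclass, field

# Constructed sample: employee records as each system currently holds them.
HR_SYSTEM = [
    {"emp_id": "1001", "name": "A. Lee", "dept": "Finance", "status": "active"},
    {"emp_id": "1002", "name": "B. Ortiz", "dept": "IT", "status": "active"},
    {"emp_id": "1003", "name": "C. Novak", "dept": "HR", "status": "terminated"},
]
PAYROLL_SYSTEM = [
    {"emp_id": "1001", "name": "A. Lee", "dept": "Finance", "status": "active"},
    {"emp_id": "1003", "name": "C. Novak", "dept": "HR", "status": "active"},
    {"emp_id": "1004", "name": "D. Chen", "dept": "IT", "status": "active"},
]


@dataclass
class ReconciliationReport:
    """Exceptions found by one sync run; an empty report means the copies agree."""
    missing_in_b: list = field(default_factory=list)   # keys only system A has
    missing_in_a: list = field(default_factory=list)   # keys only system B has
    mismatched: dict = field(default_factory=dict)     # key -> {field: (a_value, b_value)}

    @property
    def is_consistent(self):
        return not (self.missing_in_a or self.missing_in_b or self.mismatched)


def reconcile(records_a, records_b, key, compare_fields):
    """Compare two record sets keyed by `key` on the given fields."""
    index_a = {r[key]: r for r in records_a}
    index_b = {r[key]: r for r in records_b}
    # A duplicate key would make "which record is current" ambiguous; refuse
    # rather than silently pick one copy.
    if len(index_a) != len(records_a) or len(index_b) != len(records_b):
        raise ValueError("duplicate keys in input; reconciliation would be ambiguous")

    report = ReconciliationReport()
    report.missing_in_b = sorted(index_a.keys() - index_b.keys())
    report.missing_in_a = sorted(index_b.keys() - index_a.keys())
    for k in sorted(index_a.keys() & index_b.keys()):
        diffs = {
            f: (index_a[k].get(f), index_b[k].get(f))
            for f in compare_fields
            if index_a[k].get(f) != index_b[k].get(f)
        }
        if diffs:
            report.mismatched[k] = diffs
    return report


def exception_lines(report, name_a="HR", name_b="Payroll"):
    """Render the report as the lines an exception report would carry."""
    lines = [f"missing in {name_b}: {k}" for k in report.missing_in_b]
    lines += [f"missing in {name_a}: {k}" for k in report.missing_in_a]
    for k, diffs in report.mismatched.items():
        for f, (a, b) in diffs.items():
            lines.append(f"mismatch {k}.{f}: {name_a}={a!r} {name_b}={b!r}")
    return lines


def run_sync_check():
    """Run the check over the constructed sample and return the report."""
    return reconcile(HR_SYSTEM, PAYROLL_SYSTEM, "emp_id", ["name", "dept", "status"])


if __name__ == "__main__":
    for line in exception_lines(run_sync_check()):
        print(line)
```

On the sample data the run flags employee 1002 missing from payroll, 1004 missing from HR, and 1003 terminated in HR but still active in payroll; that last line is the kind of inconsistency an exception report (control #2) should surface to a reviewer.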

  13. Authentication
  • #7 Does an authentication method exist? (way to access application)
  • #12 Are there strong password controls in place? (two factor, single sign-on)

  14. Session Timeout
  • #14 Are users logged out when inactive?
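Control #14 is usually implemented as two clocks on every session: an idle timeout that resets on each request, and an absolute timeout that does not, so a session that is kept alive by background traffic still ends. The following is an added example (not code from the presentation or from any product it describes); the timeout values and the in-memory store are assumptions, and the injectable clock exists so the behaviour can be checked without waiting.

```python
"""Server-side session store with idle and absolute timeouts.

Added example for the session-timeout control (#14); not part of the
original presentation. Timeout values are assumed, not taken from the slides.
"""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60          # assumed: log out after 15 min without activity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60  # assumed: log out 8 h after login regardless


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS,
                 absolute_timeout=ABSOLUTE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock  # injectable so tests can advance time

    def create(self, user):
        """Start a session after a successful authentication; returns the token."""
        token = secrets.token_urlsafe(32)  # unguessable identifier
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def _expired(self, session, now):
        return (now - session["created"] > self.absolute_timeout
                or now - session["last_seen"] > self.idle_timeout)

    def touch(self, token):
        """Validate a token on each request. Returns the user, or None if the
        session is unknown or has timed out (in which case it is removed)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if self._expired(session, now):
            del self._sessions[token]
            return None
        session["last_seen"] = now  # activity resets the idle clock only
        return session["user"]

    def logout(self, token):
        """Explicit logout; returns True if a session was removed."""
        return self._sessions.pop(token, None) is not None

    def sweep(self):
        """Drop timed-out sessions that were never touched again; returns count."""
        now = self._clock()
        stale = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_count(self):
        return len(self._sessions)
```

The `sweep` method matters for the audit question as much as `touch` does: a session that expires but is never revisited would otherwise remain in the store, which is what a "how many sessions are active" report would count.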

  15. User Provisioning & De-Provisioning
  • #13 Is business need verified before access is granted? (approval)
  • #11 Are rights removed when no longer needed? (automated removal)

  16. Authorization
  • #8 Is authentication and authorization required for access? (type of access provided)
  • #10 Is there transaction approval in the application?
  • #16 Can developers change production systems?

  17. Application Administration
  • #9 Is the admin function adequate? (user admin, system admin)

  18. Data Encryption
  • #15 Is data protected in transit and at rest? (encrypted in all states)

  19. Application Audit Trail
  • #5 Review and evaluate the audit trails present in the system and the controls over those audit trails.

  20. Data Traceability
  • #6 The system should provide a means to trace a transaction or piece of data from the beginning to the end of the process enabled by the system.
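Controls #5 and #6 fit together: an audit trail is only useful for tracing a transaction end to end (#6) if the trail itself is protected against silent edits (#5). One common control is to chain each entry to the previous one by hash, so that altering or deleting any entry breaks verification of everything after it. The following is an added example serving both slides (not code from the presentation or from any product); the entry fields, the transaction ids and the sample events are constructed assumptions.

```python
"""Append-only, hash-chained audit trail with per-transaction tracing.

Added example for the audit-trail (#5) and data-traceability (#6) controls;
not part of the original presentation. Field names and sample events are
constructed assumptions.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def _entry_hash(entry):
    """SHA-256 over a canonical serialization of every field except `hash`."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def append(self, txn_id, actor, event, details=None):
        """Record one event; each entry commits to the hash of the one before."""
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = {
            "seq": len(self._entries),
            "timestamp": self._clock(),
            "txn_id": txn_id,
            "actor": actor,
            "event": event,
            "details": details or {},
            "prev_hash": prev_hash,
        }
        entry["hash"] = _entry_hash(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self):
        """Deep copy, so callers cannot edit the trail through the returned list."""
        return copy.deepcopy(self._entries)

    def trace(self, txn_id):
        """Control #6: every recorded step of one transaction, in order."""
        return [e for e in self.entries() if e["txn_id"] == txn_id]


def verify_chain(entries):
    """Control #5: return (True, n) if all n entries link and hash correctly,
    else (False, i) where i is the first entry that fails."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["hash"]:
            return (False, i)
        prev = e["hash"]
    return (True, len(entries))


def build_sample_trail():
    """Constructed sample: two transactions moving through a hypothetical approval flow."""
    trail = AuditTrail()
    trail.append("T-001", "alice", "submitted", {"amount": 250})
    trail.append("T-002", "carol", "submitted", {"amount": 90})
    trail.append("T-001", "bob", "approved", {"amount": 250})
    trail.append("T-001", "system", "posted", {"amount": 250, "ledger": "GL-4010"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    for e in trail.trace("T-001"):
        print(e["seq"], e["actor"], e["event"])
    print("chain valid:", verify_chain(trail.entries()))
```

Tracing T-001 returns its submit, approve and post steps in sequence with the actor for each, which is what an auditor following one transaction from beginning to end needs; verifying a copy in which one amount has been altered reports the index of the altered entry.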
