200 likes | 339 Views
Application Review and Auditing Databases. Quinn Gaalswyk, CISA Ted Wallerstedt, CISA, CIA Office of Internal Audit University of Minnesota. Introduction & Ice Breaker - 9:00 App. Best Practices - 9:10 App. Reports - 9:25 App. Control Recap – 9:30 Database Security – 9:45
E N D
Application Review and Auditing Databases Quinn Gaalswyk, CISA Ted Wallerstedt, CISA, CIA Office of Internal Audit University of Minnesota
Introduction & Ice Breaker - 9:00 • App. Best Practices - 9:10 • App. Reports - 9:25 • App. Control Recap – 9:30 • Database Security – 9:45 • Timesheets Scenario – 10:45 • Adjourn – 11:30 Application Controls - Agenda
Best Practices • Apply defense-in-depth. • Use a positive security model. • Fail safely. • Run with least privilege. • Avoid security by obscurity.
Best Practices • Keep security simple. • Detect intrusions and keep logs. • Never trust infrastructure and services. • Establish secure defaults. • Use open standards
Application Security –Reports Overview Quinn Gaalswyk, CISA Senior Information Systems Auditor University of Minnesota
Reports should support functional activities • Management reports – tie to business need • Exception reports • Pragmatic and • useful Report Overview
Confirm activity is writing to report • Test data and test environment • Obtain reports from production • Interview functional user to confirm reports serve needs • Confirm reports are reviewed Report Auditing
Application Reports and Controls Recap Quinn Gaalswyk, CISA Senior Information Systems Auditor University of Minnesota
#1 REVIEW AND EVALUATE DATA INPUT CONTROLS Prevent #2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED Detect Application Input Controls
#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS. Application Interface Controls
#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA. Data Synchronization
Authentication #7. DOES AN AUTHENTICATION METHOD EXIST? Way to access application #12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE? Two Factor Single Sign-on
Session Timeout • #14. ARE USERS LOGGED OUT WHEN INACTIVE?
#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED? Approval #11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED? Automated Removal User Provisioning & De-Provisioning
#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS? Type of access provided #10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION? #16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS? Authorization
#9. IS THE ADMIN FUNCTION ADEQUATE? User Admin System Admin Application Administration
#15. IS DATA PROTECTED IN TRANSIT AND AT REST? -Encrypted in all states Data Encryption
#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS. Application Audit Trail
#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM. Data Traceability