Application Review and Auditing Databases

Post on 20-Jan-2016


Transcript of Application Review and Auditing Databases

Application Review and Auditing Databases

Quinn Gaalswyk, CISA
Ted Wallerstedt, CISA, CIA

Office of Internal Audit, University of Minnesota

Application Controls - Agenda

• Introduction & Ice Breaker - 9:00
• App. Best Practices - 9:10
• App. Reports - 9:25
• App. Control Recap – 9:30
• Database Security – 9:45
• Timesheets Scenario – 10:45
• Adjourn – 11:30

Where were you in 1991?

Best Practices

• Apply defense-in-depth.

• Use a positive security model.

• Fail safely.

• Run with least privilege.

• Avoid security by obscurity.

Best Practices

• Keep security simple.

• Detect intrusions and keep logs.

• Never trust infrastructure and services.

• Establish secure defaults.

• Use open standards.

Application Security – Reports Overview

Quinn Gaalswyk, CISA
Senior Information Systems Auditor

University of Minnesota

Report Overview

• Reports should support functional activities

o Management reports – tie to business need

o Exception reports

• Pragmatic and useful

Report Auditing

• Confirm activity is writing to report

o Test data and test environment

o Obtain reports from production

• Interview functional user to confirm reports serve needs

• Confirm reports are reviewed

Application Reports and Controls Recap

Quinn Gaalswyk, CISA
Senior Information Systems Auditor

University of Minnesota

Application Input Controls

#1 REVIEW AND EVALUATE DATA INPUT CONTROLS

Prevent

#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED

Detect

Application Interface Controls

#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.

Data Synchronization

#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.

Authentication

#7. DOES AN AUTHENTICATION METHOD EXIST?

Way to access application

#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?

Two Factor
Single Sign-on

Session Timeout

#14. ARE USERS LOGGED OUT WHEN INACTIVE?

User Provisioning & De-Provisioning

#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?

Approval

#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?

Automated Removal

Authorization

#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?

Type of access provided

#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?

#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?

Application Administration

#9. IS THE ADMIN FUNCTION ADEQUATE?

User Admin
System Admin

Data Encryption

#15. IS DATA PROTECTED IN TRANSIT AND AT REST?

- Encrypted in all states

Application Audit Trail

#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.

Data Traceability

#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.