Application Review and Auditing Databases


Page 1: Application Review and Auditing Databases

Application Review and Auditing Databases

Quinn Gaalswyk, CISA
Ted Wallerstedt, CISA, CIA

Office of Internal Audit
University of Minnesota

Page 2

Application Controls - Agenda

• Introduction & Ice Breaker – 9:00
• App. Best Practices – 9:10
• App. Reports – 9:25
• App. Control Recap – 9:30
• Database Security – 9:45
• Timesheets Scenario – 10:45
• Adjourn – 11:30

Page 3

Where were you in 1991?

Page 4

Best Practices

• Apply defense-in-depth.

• Use a positive security model.

• Fail safely.

• Run with least privilege.

• Avoid security by obscurity.

Page 5

Best Practices

• Keep security simple.

• Detect intrusions and keep logs.

• Never trust infrastructure and services.

• Establish secure defaults.

• Use open standards.

Page 6

Application Security – Reports Overview

Quinn Gaalswyk, CISA
Senior Information Systems Auditor

University of Minnesota

Page 7

Report Overview

• Reports should support functional activities

  o Management reports – tie to business need

  o Exception reports

• Pragmatic and useful

Page 8

Report Auditing

• Confirm activity is writing to report

  o Test data and test environment

  o Obtain reports from production

• Interview functional user to confirm reports serve needs

• Confirm reports are reviewed

Page 9

Application Reports and Controls Recap

Quinn Gaalswyk, CISA
Senior Information Systems Auditor

University of Minnesota

Page 10

Application Input Controls

#1 REVIEW AND EVALUATE DATA INPUT CONTROLS

Prevent

#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED

Detect

Page 11

Application Interface Controls

#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.

Page 12

Data Synchronization

#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.
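As an added illustration of the periodic sync process called for in #4 (example code written for this page, not from the presentation), the routine below compares two exports of the same records by a shared key and reports every inconsistency, including duplicate keys within one export; the HR/payroll sample records and field names are constructed.

```python
"""Reconciliation check for data held in two systems (added example, not from
the slides). Assumes each system exports its records as dicts sharing a key."""
from typing import Iterable

# Constructed sample exports: an HR system (system of record) and a payroll copy.
HR_RECORDS = [
    {"emp_id": "1001", "name": "A. Lee", "dept": "Finance", "status": "active"},
    {"emp_id": "1002", "name": "B. Shah", "dept": "IT", "status": "active"},
    {"emp_id": "1003", "name": "C. Ruiz", "dept": "HR", "status": "terminated"},
]
PAYROLL_RECORDS = [
    {"emp_id": "1001", "name": "A. Lee", "dept": "Finance", "status": "active"},
    {"emp_id": "1002", "name": "B. Shah", "dept": "Audit", "status": "active"},
    {"emp_id": "1004", "name": "D. Kim", "dept": "IT", "status": "active"},
]
COMPARED_FIELDS = ("name", "dept", "status")


def reconcile(source: Iterable[dict], copy: Iterable[dict], key: str,
              fields: tuple = COMPARED_FIELDS) -> dict:
    """Compare two exports of the same data and list every inconsistency:
    keys only in one side, field mismatches for shared keys, and duplicate
    keys within an export (a dict would otherwise silently keep the last)."""
    src, cpy, dupes = {}, {}, []
    for label, records, index in (("source", source, src), ("copy", copy, cpy)):
        for rec in records:
            if rec[key] in index:
                dupes.append((label, rec[key]))
            index[rec[key]] = rec
    report = {"duplicates": dupes,
              "missing_in_copy": sorted(src.keys() - cpy.keys()),
              "missing_in_source": sorted(cpy.keys() - src.keys()),
              "mismatches": []}
    for k in sorted(src.keys() & cpy.keys()):
        diffs = {f: (src[k].get(f), cpy[k].get(f))
                 for f in fields if src[k].get(f) != cpy[k].get(f)}
        if diffs:
            report["mismatches"].append({key: k, "fields": diffs})
    return report


def is_consistent(report: dict) -> bool:
    """True only when the sync check raised no exception of any kind."""
    return not any(report.values())


if __name__ == "__main__":  # print the exception report for reviewers
    for kind, items in reconcile(HR_RECORDS, PAYROLL_RECORDS, "emp_id").items():
        print(f"{kind}: {items}")
```

Each non-empty list in the report is an exception for the data owner to resolve; an all-empty report is the evidence an auditor would expect a scheduled sync job to retain.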

Page 13

Authentication

#7. DOES AN AUTHENTICATION METHOD EXIST?

Way to access application

#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?

Two-Factor; Single Sign-on

Page 14

Session Timeout

• #14. ARE USERS LOGGED OUT WHEN INACTIVE?

Page 15

User Provisioning & De-Provisioning

#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?

Approval

#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?

Automated Removal

Page 16

Authorization

#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?

Type of access provided

#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?

#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?

Page 17

Application Administration

#9. IS THE ADMIN FUNCTION ADEQUATE?

User Admin; System Admin

Page 18

Data Encryption

#15. IS DATA PROTECTED IN TRANSIT AND AT REST?

• Encrypted in all states

Page 19

Application Audit Trail

#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.

Page 20

Data Traceability

#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.