Download - Application Review and Auditing Databases

Transcript
Page 1: Application Review and Auditing Databases

Application Review and Auditing Databases

Quinn Gaalswyk, CISA
Ted Wallerstedt, CISA, CIA

Office of Internal Audit
University of Minnesota

Page 2: Application Review and Auditing Databases

Application Controls - Agenda

• Introduction & Ice Breaker - 9:00
• App. Best Practices - 9:10
• App. Reports - 9:25
• App. Control Recap - 9:30
• Database Security - 9:45
• Timesheets Scenario - 10:45
• Adjourn - 11:30

Page 3: Application Review and Auditing Databases

Where were you in 1991?

Page 4: Application Review and Auditing Databases

Best Practices

• Apply defense-in-depth.

• Use a positive security model.

• Fail safely.

• Run with least privilege.

• Avoid security by obscurity.

Page 5: Application Review and Auditing Databases

Best Practices

• Keep security simple.

• Detect intrusions and keep logs.

• Never trust infrastructure and services.

• Establish secure defaults.

• Use open standards.
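The positive security model, fail safely and secure defaults are easiest to see side by side in code. The following is an added example for this deck, not code from the presenters or the University; the department-code format and the probe strings are constructed for illustration. A deny-list filter (negative model) is compared with an allow-list validator (positive model) on the same inputs, and the wrapper treats any error inside a validator as a rejection, so the check fails closed.

```python
import re

# Negative model: enumerate known-bad fragments, let everything else through.
# (Constructed, deliberately typical deny-list; do not use as a real filter.)
DENY_PATTERNS = [re.compile(p, re.IGNORECASE)
                 for p in (r"<script", r"javascript:", r"onerror=")]

def denylist_accepts(value: str) -> bool:
    """Accept unless a known-bad fragment is present."""
    return not any(p.search(value) for p in DENY_PATTERNS)

# Positive model: describe the only shape the field may have and reject the rest.
# Assumed field format for this example: 2-4 upper-case letters, a dash, 3 digits.
DEPT_CODE = re.compile(r"[A-Z]{2,4}-\d{3}")

def allowlist_accepts(value: str) -> bool:
    """Accept only values that match the expected format in full."""
    return DEPT_CODE.fullmatch(value) is not None

def accept(value, validator) -> bool:
    """Fail safely: if the validator itself errors (wrong type, encoding problem),
    the answer is 'reject', never 'accept'."""
    try:
        return bool(validator(value))
    except Exception:
        return False

# Constructed probe inputs: one legitimate value, one classic attack string,
# and two variants that step around the deny-list without hitting a pattern.
PROBES = [
    "CSCI-101",
    "<script>alert(1)</script>",
    "<img src=x onerror =alert(1)>",   # space before '=' defeats 'onerror='
    "<svg/onload=alert(1)>",           # event handler not in the list at all
]

def compare_models(probes=PROBES) -> dict:
    """For each probe, what each model decides: {probe: (deny_ok, allow_ok)}."""
    return {p: (accept(p, denylist_accepts), accept(p, allowlist_accepts))
            for p in probes}

def denylist_bypasses(probes=PROBES) -> list:
    """Probes the deny-list accepts but the allow-list rejects: the attacker's gap."""
    return [p for p, (deny_ok, allow_ok) in compare_models(probes).items()
            if deny_ok and not allow_ok]

if __name__ == "__main__":
    for probe, (d, a) in compare_models().items():
        print(f"{probe!r:36} deny-list: {'accept' if d else 'reject':7}"
              f" allow-list: {'accept' if a else 'reject'}")
```

The point an auditor should take from the output is not that the allow-list is cleverer; it is that the deny-list has to be right about every future attack string, while the allow-list only has to be right about the legitimate format.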

Page 6: Application Review and Auditing Databases

Application Security –Reports Overview

Quinn Gaalswyk, CISA
Senior Information Systems Auditor

University of Minnesota

Page 7: Application Review and Auditing Databases

Report Overview

• Reports should support functional activities
  o Management reports - tie to business need
  o Exception reports
• Pragmatic and useful

Page 8: Application Review and Auditing Databases

Report Auditing

• Confirm activity is writing to report
  o Test data and test environment
  o Obtain reports from production

• Interview functional user to confirm reports serve needs

• Confirm reports are reviewed

Page 9: Application Review and Auditing Databases

Application Reports and Controls Recap

Quinn Gaalswyk, CISA
Senior Information Systems Auditor

University of Minnesota

Page 10: Application Review and Auditing Databases

Application Input Controls

#1 REVIEW AND EVALUATE DATA INPUT CONTROLS

Prevent

#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED

Detect
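Steps #1 (prevent) and #2 (detect) are two halves of one control: the input check that runs at entry time, and the exception report that re-scans what was actually stored. The script below is an added example, not part of the deck; the timesheet rows, the 80-hour ceiling and the rule names are constructed for the illustration. It shows why the detective report is still needed even when input validation exists: cross-row conditions such as duplicates and self-approval cannot be seen by a single-row input check.

```python
from __future__ import annotations
from collections import Counter

MAX_WEEKLY_HOURS = 80.0   # assumed business limit for the example

# Constructed stored timesheet rows (not real data). Each row has already passed,
# or slipped past, whatever input control the entry form applied.
ROWS = [
    {"id": 1, "emp": "E100", "week": "2024-W10", "hours": 40.0, "approver": "E900"},
    {"id": 2, "emp": "E101", "week": "2024-W10", "hours": 95.0, "approver": "E900"},
    {"id": 3, "emp": "E102", "week": "2024-W10", "hours": 38.5, "approver": ""},
    {"id": 4, "emp": "E103", "week": "2024-W10", "hours": 42.0, "approver": "E103"},
    {"id": 5, "emp": "E100", "week": "2024-W10", "hours": 8.0,  "approver": "E900"},
]

def validate_input(row: dict) -> list[str]:
    """Preventive control (#1): run at entry time, before the row is stored.
    Returns the reasons the row should be rejected (empty list = accept)."""
    errors = []
    hours = row.get("hours")
    if not isinstance(hours, (int, float)) or not 0 <= hours <= MAX_WEEKLY_HOURS:
        errors.append(f"hours out of range 0..{MAX_WEEKLY_HOURS:g}")
    if not row.get("emp"):
        errors.append("missing employee")
    if not row.get("week"):
        errors.append("missing week")
    return errors

def exception_report(rows: list[dict]) -> list[dict]:
    """Detective control (#2): periodic scan of what is actually stored.
    Re-applies the input rules (catches bypassed or later-edited rows) and adds
    cross-row rules that no single-row input check can enforce."""
    findings = []
    per_key = Counter((r["emp"], r["week"]) for r in rows)
    for r in rows:
        for msg in validate_input(r):
            findings.append({"id": r["id"], "rule": "input", "detail": msg})
        if not r.get("approver"):
            findings.append({"id": r["id"], "rule": "unapproved",
                             "detail": "no approver recorded"})
        elif r["approver"] == r["emp"]:
            findings.append({"id": r["id"], "rule": "self-approval",
                             "detail": "approver equals employee"})
        key = (r["emp"], r["week"])
        if per_key[key] > 1:
            findings.append({"id": r["id"], "rule": "duplicate",
                             "detail": f"{per_key[key]} rows for {key[0]} in {key[1]}"})
    return findings

def format_report(findings: list[dict], total_rows: int) -> str:
    """Plain-text layout a reviewer can sign off on; one line per exception."""
    lines = [f"{'row':>4}  {'rule':<14} detail"]
    lines += [f"{f['id']:>4}  {f['rule']:<14} {f['detail']}" for f in findings]
    lines.append(f"{len(findings)} exception(s) in {total_rows} row(s)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(exception_report(ROWS), len(ROWS)))
```

When auditing, ask for the report from production (not a test run), and for evidence that someone reads it: an exception report that nobody reviews is a log, not a control.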

Page 11: Application Review and Auditing Databases

Application Interface Controls

#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.

Page 12: Application Review and Auditing Databases

Data Synchronization

#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.
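A periodic sync check is a reconciliation: compare the keys held by each system, then compare the content of the rows both hold. The following is an added example for step #4, not the deck's own code; the HR and payroll tables are constructed, and the hash-then-diff approach is one common way to do it. Comparing a per-row digest first means large tables can be reconciled by exchanging digests and pulling full rows only where the digests disagree.

```python
import hashlib
import json

# Constructed copies of "the same" employee data in two systems (not real data).
HR = {
    "E100": {"name": "Ada Lovelace", "dept": "CSCI-101", "status": "active"},
    "E101": {"name": "Grace Hopper", "dept": "MATH-200", "status": "active"},
    "E102": {"name": "Alan Turing",  "dept": "CSCI-101", "status": "terminated"},
}
PAYROLL = {
    "E100": {"name": "Ada Lovelace", "dept": "CSCI-101", "status": "active"},
    "E102": {"name": "Alan Turing",  "dept": "CSCI-101", "status": "active"},  # still paid
    "E103": {"name": "Pat Example",  "dept": "ADMN-300", "status": "active"},  # HR never saw
}
FIELDS = ["name", "dept", "status"]

def row_digest(row: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so equal content hashes equal
    regardless of column order or how each system serialises it."""
    canon = json.dumps(row, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canon.encode()).hexdigest()

def reconcile(a: dict, b: dict, fields: list) -> dict:
    """Compare two keyed tables. Returns keys only in a, keys only in b, and for
    shared keys whose digests differ, the per-field (a_value, b_value) pairs."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    mismatched = {}
    for key in sorted(set(a) & set(b)):
        if row_digest(a[key]) == row_digest(b[key]):
            continue                      # cheap path: identical content
        diffs = {f: (a[key].get(f), b[key].get(f))
                 for f in fields if a[key].get(f) != b[key].get(f)}
        mismatched[key] = diffs
    return {"only_in_a": only_a, "only_in_b": only_b, "mismatched": mismatched}

def is_in_sync(result: dict) -> bool:
    return not (result["only_in_a"] or result["only_in_b"] or result["mismatched"])

def format_result(result: dict, a_name: str, b_name: str) -> str:
    lines = []
    for k in result["only_in_a"]:
        lines.append(f"{k}: present in {a_name}, missing from {b_name}")
    for k in result["only_in_b"]:
        lines.append(f"{k}: present in {b_name}, missing from {a_name}")
    for k, diffs in result["mismatched"].items():
        for f, (va, vb) in diffs.items():
            lines.append(f"{k}: {f} is {va!r} in {a_name} but {vb!r} in {b_name}")
    return "\n".join(lines) if lines else "in sync"

if __name__ == "__main__":
    print(format_result(reconcile(HR, PAYROLL, FIELDS), "HR", "Payroll"))
```

Each of the three kinds of difference has a different risk reading: a key only in the downstream system (E103 above) is a potential ghost record, and a status that lags (E102) is the classic terminated-but-still-paid finding.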

Page 13: Application Review and Auditing Databases

Authentication

#7. DOES AN AUTHENTICATION METHOD EXIST?

Way to access application

#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?

Two-Factor / Single Sign-on
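"Strong password controls" (#12) covers two things an application can get wrong independently: what passwords it accepts, and how it stores them. The code below is an added example, not from the deck or the University; the minimum length, the iteration count and the tiny common-password set are assumed values for the illustration (a real check uses a large breached-password corpus). Storage uses salted PBKDF2-HMAC-SHA256 from the standard library with a self-describing record, and verification compares in constant time and fails closed on a malformed record.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # assumed cost setting; tune to your hardware budget

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123456", "welcome1", "letmein"}

def password_problems(username: str, password: str) -> list:
    """Policy check at set/change time. Empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems

def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256. The stored string carries its own parameters,
    so the iteration count can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), hash_hex)
    except (ValueError, TypeError):
        return False   # malformed or truncated record: fail closed, never open

def set_password(username: str, password: str) -> str:
    """What the application's change-password path should do: reject on policy,
    otherwise return the record to store (never the plaintext)."""
    problems = password_problems(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)

if __name__ == "__main__":
    record = set_password("quinn", "correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

For the audit: ask to see a stored record. A reversible or unsalted hash is visible at a glance in the format, and a record that does not carry its parameters usually means nobody has ever raised them.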

Page 14: Application Review and Auditing Databases

Session Timeout

• #14. ARE USERS LOGGED OUT WHEN INACTIVE?
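An inactivity logout (#14) is worth testing rather than taking on faith, because the usual failure is a session that is flagged expired on the client but still accepted by the server. The store below is an added example, not code from the deck; the 15-minute idle and 8-hour absolute limits are assumed values. Expired sessions are deleted the moment they are seen, activity resets only the idle clock, and the clock is injected so the behaviour can be checked without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before logout (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on a session's life, activity or not (assumed)

class SessionStore:
    """In-memory session table. `clock` is injected so expiry can be tested
    without waiting; production would pass time.monotonic (the default)."""

    def __init__(self, clock=time.monotonic,
                 idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT):
        self._clock = clock
        self._idle = idle_timeout
        self._absolute = absolute_timeout
        self._sessions = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)          # unguessable session id
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str):
        """Return the user for a live session, or None. Expired sessions are
        deleted on sight, so an idle session cannot be resumed later."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._idle or now - s["created"] > self._absolute:
            del self._sessions[token]
            return None
        s["last_seen"] = now   # activity resets the idle clock, never the absolute one
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)

class FakeClock:
    """Test double: a clock the caller advances by hand."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now

if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.create("quinn")
    clock.now = 10 * 60
    print("after 10 min idle:", store.validate(tok))      # quinn
    clock.now += 16 * 60
    print("after 16 more min idle:", store.validate(tok)) # None
```

The audit test that matches this code: log in, leave the browser untouched past the stated limit, then replay the old session cookie directly against the server. If the server still answers, the timeout lives only in the UI.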

Page 15: Application Review and Auditing Databases

User Provisioning & De-Provisioning

#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?

Approval

#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?

Automated Removal

Page 16: Application Review and Auditing Databases

Authorization

#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?

Type of access provided

#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?

#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?

Page 17: Application Review and Auditing Databases

Application Administration

#9. IS THE ADMIN FUNCTION ADEQUATE?

User Admin / System Admin

Page 18: Application Review and Auditing Databases

Data Encryption

#15. IS DATA PROTECTED IN TRANSIT AND AT REST?

- Encrypted in all states

Page 19: Application Review and Auditing Databases

Application Audit Trail

#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.

Page 20: Application Review and Auditing Databases

Data Traceability

#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.
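Steps #5 (audit trail, and the controls over it) and #6 (traceability from the start to the end of the process) can be served by one structure: an append-only log where each entry's hash covers the previous entry's hash, so an edit or deletion anywhere is detectable, and where every event carries the transaction it belongs to, so the whole path can be pulled in order. This is an added example and not the deck's or the University's code; the timesheet events are constructed, and the hash chain is one way to make a trail tamper-evident, not the only one.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry

class AuditTrail:
    """Append-only, hash-chained audit log. There is deliberately no update or
    delete method: the only way to change history is to break the chain."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def record(self, ts: str, txn: str, actor: str, action: str, detail: dict) -> int:
        """Append one event; returns its sequence number."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "ts": ts, "txn": txn,
                "actor": actor, "action": action, "detail": detail}
        self._entries.append({**body, "prev": prev, "hash": self._digest(prev, body)})
        return body["seq"]

    def verify(self):
        """(True, None) if intact, else (False, seq of the first entry that fails).
        Catches edited fields, removed entries and re-ordered entries alike."""
        expected_prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != expected_prev or e["hash"] != self._digest(e["prev"], body):
                return False, e["seq"]
            expected_prev = e["hash"]
        return True, None

    def trace(self, txn: str) -> list:
        """Traceability (#6): every step recorded for one transaction, in order."""
        return [(e["ts"], e["actor"], e["action"]) for e in self._entries if e["txn"] == txn]

    def entries(self) -> list:
        return [dict(e) for e in self._entries]   # copies, so callers cannot edit the chain

def build_sample_trail() -> AuditTrail:
    """Constructed timesheet walkthrough for the example; not real events."""
    t = AuditTrail()
    t.record("2024-03-08T09:02", "TS-1001", "E101", "submit", {"week": "2024-W10", "hours": 40.0})
    t.record("2024-03-08T09:05", "TS-1002", "E102", "submit", {"week": "2024-W10", "hours": 38.5})
    t.record("2024-03-09T14:10", "TS-1001", "E900", "approve", {"hours": 40.0})
    t.record("2024-03-11T02:00", "TS-1001", "batch", "post_to_payroll", {"amount": 1200.00})
    t.record("2024-03-15T00:30", "TS-1001", "batch", "pay", {"check": "C-5550"})
    return t

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    for ts, actor, action in trail.trace("TS-1001"):
        print(f"  {ts}  {actor:<6} {action}")
```

The chain makes tampering visible; it does not prevent it. The "controls over those audit trails" in #5 are what stop a DBA or developer with production rights from rewriting the log in the first place, and the verify step is how you find out whether those controls held. For traceability, the thing to confirm is that every system in the path writes the same transaction identifier, since a trail that loses the id at the payroll hand-off cannot be followed to the end.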