Application Review and Auditing Databases
Quinn Gaalswyk, CISA; Ted Wallerstedt, CISA, CIA
Office of Internal Audit, University of Minnesota
Application Controls - Agenda
• Introduction & Ice Breaker – 9:00
• App. Best Practices – 9:10
• App. Reports – 9:25
• App. Control Recap – 9:30
• Database Security – 9:45
• Timesheets Scenario – 10:45
• Adjourn – 11:30
Where were you in 1991?
Best Practices
• Apply defense-in-depth.
• Use a positive security model.
• Fail safely.
• Run with least privilege.
• Avoid security by obscurity.
Best Practices
• Keep security simple.
• Detect intrusions and keep logs.
• Never trust infrastructure and services.
• Establish secure defaults.
• Use open standards.
Application Security – Reports Overview
Quinn Gaalswyk, CISA, Senior Information Systems Auditor
University of Minnesota
Report Overview
• Reports should support functional activities
  o Management reports – tie to business need
  o Exception reports
• Pragmatic and useful
Report Auditing
• Confirm activity is writing to report
  o Test data and test environment
  o Obtain reports from production
• Interview functional user to confirm reports serve needs
• Confirm reports are reviewed
Application Reports and Controls Recap
Quinn Gaalswyk, CISA, Senior Information Systems Auditor
University of Minnesota
Application Input Controls
#1 REVIEW AND EVALUATE DATA INPUT CONTROLS
Prevent
#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED
Detect
Application Interface Controls
#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.
Data Synchronization
#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.
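A periodic "sync" check of this kind, as an added example that is not part of the slides: it reconciles two copies of the same record set (constructed sample data, keyed on a hypothetical emp_id field) and reports records that are missing on either side or whose fields disagree, which is the content of the exception report an auditor would ask to see.

```python
# Added example (not from the slides): a periodic "sync" check that reconciles
# the same records held in two systems and reports every inconsistency.
# Both tables below are constructed sample data, not real records.
import hashlib
import json

# Constructed sample: employee records as kept by an HR system (system of record)
HR_RECORDS = [
    {"emp_id": "1001", "name": "A. Smith", "dept": "FIN", "status": "active"},
    {"emp_id": "1002", "name": "B. Jones", "dept": "IT", "status": "active"},
    {"emp_id": "1003", "name": "C. Lee", "dept": "HR", "status": "terminated"},
]

# Constructed sample: the same records as copied into a timesheet application
APP_RECORDS = [
    {"emp_id": "1001", "name": "A. Smith", "dept": "FIN", "status": "active"},
    {"emp_id": "1002", "name": "B. Jones", "dept": "OPS", "status": "active"},  # dept drifted
    {"emp_id": "1004", "name": "D. Kim", "dept": "IT", "status": "active"},     # absent from HR
]

def fingerprint(record, key="emp_id"):
    """Hash every field except the key so any single-field change is detectable."""
    body = {k: v for k, v in record.items() if k != key}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def reconcile(source, target, key="emp_id"):
    """Compare two copies of one data set keyed on `key`.

    Returns records only in the source, only in the target, and records
    present in both whose non-key fields differ (with the differing values).
    """
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    missing_in_target = sorted(set(src) - set(tgt))
    missing_in_source = sorted(set(tgt) - set(src))
    mismatched = {}
    for k in sorted(set(src) & set(tgt)):
        if fingerprint(src[k], key) != fingerprint(tgt[k], key):
            # list the exact fields that disagree for the exception report
            fields = set(src[k]) | set(tgt[k])
            mismatched[k] = {f: (src[k].get(f), tgt[k].get(f))
                             for f in fields if src[k].get(f) != tgt[k].get(f)}
    return {"missing_in_target": missing_in_target,
            "missing_in_source": missing_in_source,
            "mismatched": mismatched}

if __name__ == "__main__":
    print(json.dumps(reconcile(HR_RECORDS, APP_RECORDS), indent=2))
```

Running the check on a schedule and keeping each report gives the auditor both the detection control (#4) and evidence that someone reviewed its output.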
Authentication
#7. DOES AN AUTHENTICATION METHOD EXIST?
Way to access application
#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?
Two Factor, Single Sign-on
Session Timeout
#14. ARE USERS LOGGED OUT WHEN INACTIVE?
User Provisioning & De-Provisioning
#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?
Approval
#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?
Automated Removal
Authorization
#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?
Type of access provided
#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?
#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?
Application Administration
#9. IS THE ADMIN FUNCTION ADEQUATE?
User Admin, System Admin
Data Encryption
#15. IS DATA PROTECTED IN TRANSIT AND AT REST?
- Encrypted in all states
Application Audit Trail
#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.
Data Traceability
#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.