Database Security lecture: Chapter 7 - Trần Thị Kim Chi

Database Security and Auditing: Protecting Data Integrity and Accessibility

Chapter 7
Database Auditing Models


Objectives

- Gain an overview of auditing fundamentals
- Understand the database auditing environment
- Create a flowchart of the auditing process
- List the basic objectives of an audit

Database Security and Auditing

2


Objectives (continued)

- Define the differences between auditing classifications and types
- List the benefits and side effects of an audit
- Create your own auditing models


Auditing Overview

- An audit examines documentation that reflects the actions, practices and conduct of a business or of individuals
- An audit measures compliance with policies, procedures, processes and laws


Definitions

- Audit/auditing: process of examining and validating documents, data, processes, procedures and systems
- Audit log: document that contains all activities that are being audited, ordered chronologically
- Audit objectives: set of business rules, system controls, government regulations or security policies


Definitions (continued)

- Auditor: person authorized to audit
- Audit procedure: set of instructions for the auditing process
- Audit report: document that contains the audit findings
- Audit trail: chronological record of document changes, data changes, system activities, or operational events


Definitions (continued)

- Data audit: chronological record of data changes, stored in a log file or a database table object
- Database auditing: chronological record of database activities
- Internal auditing: examination of activities conducted by staff members of the audited organization
- External auditing
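The data-audit and database-auditing definitions above describe a chronological record of data changes kept in a database table. The following added example (written for this page, not code from the lecture or from the textbook) builds that model on SQLite: triggers on an assumed `employee` table append one row per INSERT, UPDATE and DELETE to an `employee_audit` table, and two further triggers make the trail append-only, so the record cannot be rewritten through the same connection that writes the data. The table and column names are assumptions chosen for illustration.

```python
import sqlite3
from typing import List, Optional, Tuple

# Added example, not from the lecture: a trigger-based data-audit trail on SQLite.
# Table and column names below are assumptions chosen for illustration.

AUDITED_TABLE_DDL = """
CREATE TABLE employee (
    emp_id INTEGER PRIMARY KEY,
    name   TEXT    NOT NULL,
    salary INTEGER NOT NULL
);
"""

# The audit trail: one row per change, ordered chronologically by audit_id.
AUDIT_TRAIL_DDL = """
CREATE TABLE employee_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    operation  TEXT    NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    emp_id     INTEGER NOT NULL,
    old_salary INTEGER,
    new_salary INTEGER
);
"""

TRIGGER_DDL = [
    # Record every data change on the audited table.
    """CREATE TRIGGER employee_ai AFTER INSERT ON employee BEGIN
         INSERT INTO employee_audit (operation, emp_id, old_salary, new_salary)
         VALUES ('INSERT', NEW.emp_id, NULL, NEW.salary);
       END;""",
    """CREATE TRIGGER employee_au AFTER UPDATE ON employee BEGIN
         INSERT INTO employee_audit (operation, emp_id, old_salary, new_salary)
         VALUES ('UPDATE', NEW.emp_id, OLD.salary, NEW.salary);
       END;""",
    """CREATE TRIGGER employee_ad AFTER DELETE ON employee BEGIN
         INSERT INTO employee_audit (operation, emp_id, old_salary, new_salary)
         VALUES ('DELETE', OLD.emp_id, OLD.salary, NULL);
       END;""",
    # Keep the trail append-only: an audit record that can be rewritten is not evidence.
    """CREATE TRIGGER employee_audit_no_update BEFORE UPDATE ON employee_audit BEGIN
         SELECT RAISE(ABORT, 'audit trail is append-only');
       END;""",
    """CREATE TRIGGER employee_audit_no_delete BEFORE DELETE ON employee_audit BEGIN
         SELECT RAISE(ABORT, 'audit trail is append-only');
       END;""",
]

AuditRow = Tuple[str, int, Optional[int], Optional[int]]


def build_audited_db() -> sqlite3.Connection:
    """Create an in-memory database with the audited table, the trail and its triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AUDITED_TABLE_DDL + AUDIT_TRAIL_DDL + "\n".join(TRIGGER_DDL))
    return conn


def run_sample_workload(conn: sqlite3.Connection) -> None:
    """Constructed sample activity: two hires, one raise, one departure."""
    with conn:
        conn.execute("INSERT INTO employee VALUES (1, 'Alice', 50000)")
        conn.execute("INSERT INTO employee VALUES (2, 'Bob', 60000)")
        conn.execute("UPDATE employee SET salary = 55000 WHERE emp_id = 1")
        conn.execute("DELETE FROM employee WHERE emp_id = 2")


def audit_trail(conn: sqlite3.Connection) -> List[AuditRow]:
    """Return the trail in chronological order as (operation, emp_id, old_salary, new_salary)."""
    cur = conn.execute(
        "SELECT operation, emp_id, old_salary, new_salary FROM employee_audit ORDER BY audit_id"
    )
    return [tuple(row) for row in cur.fetchall()]


def trail_is_append_only(conn: sqlite3.Connection) -> bool:
    """Verify the protection: rewriting or erasing audit rows must fail and change nothing."""
    before = audit_trail(conn)
    for stmt in ("UPDATE employee_audit SET new_salary = 0", "DELETE FROM employee_audit"):
        try:
            conn.execute(stmt)
            return False  # the statement should have been aborted by the trigger
        except sqlite3.DatabaseError:
            pass
    return audit_trail(conn) == before


if __name__ == "__main__":
    db = build_audited_db()
    run_sample_workload(db)
    for row in audit_trail(db):
        print(row)
    print("append-only:", trail_is_append_only(db))
```

The append-only triggers only stop ordinary statements on this connection; a privileged account can still drop the triggers or the table, so in practice the trail is also copied to a store the audited database's administrators cannot write to.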


Auditing Activities

- Evaluate the effectiveness and adequacy of the audited entity
- Ascertain and review the reliability and integrity of the audited entity
- Ensure the organization complies with policies, procedures, regulations, laws, and standards of the government and the industry
- Establish plans, policies, and procedures for conducting audits


Auditing Activities (continued)

- Keep abreast of all changes to the audited entity
- Keep abreast of updates and new audit regulations
- Provide all audit details to all company employees involved in the audit
- Publish audit guidelines and procedures
- Act as liaison between the company and the external audit team


Auditing Activities (continued)

- Act as a consultant to architects, developers, and business analysts
- Organize and conduct internal audits
- Ensure all contractual items are met by the organization being audited
- Identify the audit types that will be used


Auditing Activities (continued)

- Identify security issues that must be addressed
- Provide consultation to the Legal Department


Auditing Environment

- Auditing examples:
  - Financial auditing
  - Security auditing
- An audit also measures compliance with government regulations and laws
- Audits take place in an environment:
  - Auditing environment
  - Database auditing environment


Auditing Environment (continued)

- Components:
  - Objectives: an audit without a set of objectives is useless
  - Procedures: step-by-step instructions and tasks
  - People: auditor, employees, managers
  - Audited entities: people, documents, processes, systems


Auditing Environment (continued)

[Two figure slides; their content is not reproduced in the text extract]


Auditing Environment (continued)

- The database auditing environment differs slightly from the generic auditing environment
- Security measures are inseparable from auditing


Auditing Process

- Quality Assurance (QA):
  - Ensures the system is bug free and functions according to its specifications
  - Ensures the product is not defective as it is being produced
- Auditing process: ensures that the system is working and complies with policies, regulations and laws


Auditing Process (continued)

- Performance monitoring: observes whether performance degrades at various operation times
- Auditing process flow:
  - System development life cycle
- Auditing process:
  - Understand the objectives
  - Review, verify, and validate the system
  - Document the results


Auditing Process (continued)

[Two figure slides; their content is not reproduced in the text extract]


Auditing Objectives

- Part of the development process of the entity to be audited
- Reasons:
  - Complying
  - Informing
  - Planning
  - Executing


Auditing Objectives (continued)

- Top ten database auditing objectives:
  - Data integrity
  - Application users and roles
  - Data confidentiality
  - Access control
  - Data changes


Auditing Objectives (continued)

- Top ten database auditing objectives (continued):
  - Data structure changes
  - Database or application availability
  - Change control
  - Physical access
  - Auditing reports
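The auditing process slides set out three steps (understand the objectives; review, verify and validate the system; document the results), and the top-ten list above names the database objectives an audit measures against. The following added example (written for this page, not code from the lecture or from the textbook) carries four of those objectives through that process on a constructed audit log: it parses the log, checks each recorded event against assumed policy rules for access control, change control, data changes and data structure changes, and produces the findings an audit report would document. The log format, the user names and the policy sets are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Constructed sample audit log (not from the lecture): one recorded event per line.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:15:22Z user=hr_app op=UPDATE table=employee row=17 ticket=CHG-1042
2024-03-04T23:41:03Z user=dba_tom op=DELETE table=employee row=22 ticket=-
2024-03-05T10:02:45Z user=intern01 op=UPDATE table=employee row=9 ticket=CHG-1051
2024-03-05T10:03:10Z user=hr_app op=ALTER table=employee row=- ticket=-
2024-03-05T11:20:00Z user=hr_app op=SELECT table=employee row=17 ticket=-
"""

# Step 1, understand the objectives: assumed policy behind four of the deck's objectives.
AUTHORIZED_WRITERS = {"hr_app", "dba_tom"}  # access control: who may change data
SCHEMA_ADMINS = {"dba_tom"}                  # data structure changes: who may change schema
BUSINESS_HOURS = range(8, 18)                # data changes: approved change window (UTC hours)
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}
DDL_OPS = {"CREATE", "ALTER", "DROP"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) table=(?P<table>\S+) "
    r"row=(?P<row>\S+) ticket=(?P<ticket>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    user: str
    op: str
    table: str
    row: str
    ticket: str


class Finding(NamedTuple):
    objective: str
    line_no: int
    detail: str


def parse_audit_log(text: str) -> List[Event]:
    """Parse the assumed key=value log format; an unparseable line is itself a finding, so fail loudly."""
    events: List[Event] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["op"], m["table"], m["row"], m["ticket"]))
    return events


def review(events: List[Event]) -> List[Finding]:
    """Step 2, review and verify: check every event against each objective's rule."""
    findings: List[Finding] = []
    for n, ev in enumerate(events, start=1):
        changes_data = ev.op in WRITE_OPS
        changes_schema = ev.op in DDL_OPS
        if changes_data and ev.user not in AUTHORIZED_WRITERS:
            findings.append(Finding("access control", n, f"{ev.user} is not an authorized writer"))
        if changes_schema and ev.user not in SCHEMA_ADMINS:
            findings.append(Finding("data structure changes", n, f"{ev.user} is not a schema administrator"))
        if (changes_data or changes_schema) and ev.ticket == "-":
            findings.append(Finding("change control", n, f"{ev.op} on {ev.table} has no change ticket"))
        if (changes_data or changes_schema) and ev.ts.hour not in BUSINESS_HOURS:
            findings.append(Finding("data changes", n, f"{ev.op} at {ev.ts.isoformat()} is outside the change window"))
    return findings


def findings_by_objective(findings: List[Finding]) -> Dict[str, int]:
    """Summarize how many findings each objective produced."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.objective] = counts.get(f.objective, 0) + 1
    return counts


def audit_report(events: List[Event], findings: List[Finding]) -> str:
    """Step 3, document the results: a plain-text audit report."""
    lines = [f"Events reviewed: {len(events)}", f"Findings: {len(findings)}"]
    for f in findings:
        lines.append(f"  [{f.objective}] line {f.line_no}: {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(audit_report(evs, review(evs)))
```

A read (SELECT) by an authorized account passes every rule here; whether reads are in scope depends on the data confidentiality objective, which this example deliberately leaves to a separate rule set.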


Auditing Classifications and Types

- Industry and business sectors use different classifications of audits
- Each classification can differ from business to business
- Audit classifications: also referred to as types
- Audit types: also referred to as purposes


Audit Classifications

- Internal audit:
  - Conducted by a staff member of the company being audited
  - Purpose:
    - Verify that all auditing objectives are met
    - Investigate a situation prompted by an internal event or incident
    - Investigate a situation prompted by an external request