As in all auditing practices, the overarching control design stems from CIA: confidentiality, integrity, and availability.
Auditing database subsystems is an examination of the controls governing the database, beginning with the policies and procedures that control access to the database and prevent unauthorized access. Auditors must examine the implementation of the various types of integrity controls. There are many good texts about database design and implementation. Before an auditor attempts to undertake a review of database operations, it is strongly suggested that she have sufficient training and experience. As in all audit practices, auditors should not audit areas where they do not possess expertise.
Database Definitions
Before proceeding further, here are some definitions that may be needed by an auditor engaged in a database subsystem examination:
Accountability is achieved with two types of access-restricting mechanisms: user identification and user authentication controls. Compliance with these controls is achieved through auditing. Major auditing concerns for databases focus on information security events, including logins, the granting and revoking of access privileges to relations, user activity logs, and the like.
Several years ago a government worker, having broad access to databases containing extremely sensitive information, decided to illicitly sell his knowledge and services. He was aware that his database activities were logged, but he was equally aware that those logs were infrequently reviewed. The database was configured in such a fashion that anyone with access to it was capable of viewing and copying information outside their assigned duties. Over a period of years, he accessed information for which he did not have a need to know and sold it. The employee was discovered through external means and subsequently prosecuted for his criminal activities.
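The audit concerns above (logins, privilege grants and revocations, activity outside assigned duties) can be checked against a database activity log. The following is an added illustration, not code from the original text: it reviews a constructed sample log against hypothetical need-to-know assignments and reports the events an auditor would want to examine.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from any real system):
# timestamp, user, event, object.
AUDIT_LOG = """\
2024-03-01T08:02:11 alice LOGIN -
2024-03-01T08:05:40 alice SELECT patients
2024-03-01T08:07:02 alice SELECT prescriptions
2024-03-01T09:15:33 bob LOGIN -
2024-03-01T09:16:10 bob GRANT payroll TO carol
2024-03-01T09:20:45 bob SELECT payroll
2024-03-01T10:01:00 alice SELECT payroll
2024-03-01T10:03:12 dave LOGIN_FAILED -
2024-03-01T10:03:20 dave LOGIN_FAILED -
2024-03-01T10:03:29 dave LOGIN -
2024-03-01T10:10:00 carol REVOKE payroll FROM alice
"""

# Hypothetical need-to-know assignments: the relations each user's duties require.
ASSIGNED = {
    "alice": {"patients", "prescriptions"},
    "bob": {"payroll"},
    "carol": {"payroll"},
    "dave": set(),
}

LINE = re.compile(r"^(\S+) (\S+) (\S+)(?: (\S+))?")
PRIVILEGE_EVENTS = {"GRANT", "REVOKE"}
DATA_EVENTS = {"SELECT", "INSERT", "UPDATE", "DELETE"}


def review_audit_log(log, assigned, failed_login_threshold=2):
    """Return (timestamp, user, finding, detail) tuples for privilege changes,
    data access outside assigned duties, and repeated failed logins."""
    findings = []
    failed = defaultdict(int)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed records rather than silently trusting them
        ts, user, event, obj = m.groups()
        if event in PRIVILEGE_EVENTS:
            findings.append((ts, user, "privilege-change", f"{event} {obj}"))
        elif event in DATA_EVENTS and obj not in assigned.get(user, set()):
            findings.append((ts, user, "outside-assigned-duties", f"{event} {obj}"))
        elif event == "LOGIN_FAILED":
            failed[user] += 1
            if failed[user] == failed_login_threshold:
                findings.append((ts, user, "repeated-failed-login", f"{failed[user]} failures"))
    return findings
```

Running `review_audit_log(AUDIT_LOG, ASSIGNED)` on the sample yields four findings: bob's GRANT, alice reading payroll outside her duties, dave's repeated failed logins, and carol's REVOKE.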
These are a few definitions that should help the auditor in database assessments:
Aggregation: The result of combining distinct units of data when handling information. Aggregating data at one level may result in the combined data being designated at a higher privilege level.
Data manipulation: Populating and modifying the contents of a database by adding, modifying, deleting, and creating rows and columns.
Discretionary Access Control: DAC is a method by which access to objects is restricted to authorized users or groups of users. Access is discretionary in that access privileges may be passed to other users, either directly or indirectly, by the object's owner.
Inference: Derivation of new information from known information. An inference problem refers to derived information that may be classified at a level for which the user has neither privileges nor a need to know; in other words, users deduce unauthorized information from information they have legitimately acquired. The problem of database inference has significant consequences. For example, physicians specialize in the treatment of specific diseases, so healthcare provider staff could infer a patient's ailment by identifying the attending doctor, simply by viewing the patient information accompanied by the doctor's name. Drugs are also generally associated with a particular disease; consequently, staff members could infer a patient's ailment by identifying prescriptions.
Mandatory Access Control: MAC is an access control scheme in which resources are assigned a classification level and users are assigned clearance levels. For example, users are not allowed to read a resource classified at a certain level unless their clearance level is equal to or greater than the resource's classification.
Referential integrity: A database has referential integrity if all foreign keys reference existing primary keys.
Schema definition: Used to define the structure of the database, integrity constraints, and access privileges.
Schema manipulation: Modifying the database structure, integrity constraints, and privileges associated with the tables and views within the database.
Transaction management: The ability to define and manage database transactions.