Specialized Auditing Matters - Access Controls

Access controls in the database subsystem have the function of denying unauthorized access and data manipulation. In the case of discretionary access control, DAC, users can specify who can access data they own and what action they have with respect to that data. Conversely, mandatory access control, MAC, requires an administrator to assign security attributes, such as object classifications and employee clearances. These classifications are fixed and cannot be changed by database users.

Discretionary Access Controls
With discretionary access controls, a typical user may be authorized to perform the following functions within the database:

Create a schema.

Create, modify, or delete views associated with a schema.

Create, modify, or delete relations associated with the schema.

Create, modify, or delete tuples in relations associated with the database schema.

Retrieve data from tuples in relations associated with the schema.

These are privileges granted to users who are designated as the owners of a particular schema along with its related views. There is an important type of privilege, that of a user granting their privileges, or a portion of them, to another user. Privilege propagation is the case of a user granting privileges to another user, who in turn grants privileges to another user.

In the propagation of privileges, it is important for an auditor to determine the allowable degree of privilege propagation. It is equally important for an auditor to examine the degree of privilege revocation. For example, if it is discovered a user has abused her privileges, what affirmative steps were taken to revoke her access privileges?

Mandatory Access Controls
In MAC, database user access to a resource is governed by a strict security policy. Database resources in the way of data-objects/attributes and record/relations are assigned classification levels. It is also a common practice to assign a classification level to each record/relation equal to the highest classification level assigned to a data/item/attribute in the record/relation. When differing levels of classification are present in the database, users are not allowed to view all the data present in the database. They may view only those items they care cleared to see.

Managing access control rules are often done through the operating system and the database management system. For example, the operating system permits only authorized users to access the database subsystem, while the database management system restricts access and the degree of user data manipulation. Auditors must be aware this is somewhat of a redundant security procedure, but one that safeguards database contents.

When a database is distributed, it is even more difficult to ensure that database access and integrity are maintained and that complete and consistent access rules are enforced throughout the enterprise. It does not matter if the database is replicated at multiple sites, or if a different database is distributed to different sites from a central location, auditors should collect evidence that multiple access control mechanisms are implemented and are universal in supporting replication.

In any processing subsystem, the issue of data integrity is one of the primary audit concerns. In database management systems, the application software directly accesses and updates the database, however, the database management system depends on the application software to pass across the correct sequence of commands and update parameters taking appropriate actions when certain types of exceptions arise.

Software Controls and Update Protocols
Application software update protocols ensure that changes to the database reflect changes to entities and associations in data the database is supposed to reflect.

Ensure all records are processed correctly. If a master file is in sequential order, correct end of file protocols must be followed in an update program to make certain records are not lost from either a transaction or master file. Designing and implementing correct end of file protocols can be complex if multiple sequential transaction files and multiple sequential files are concurrently processed. Auditors should collect evidence that these protocols have been designed where they can detect, prevent, and correct end of file errors.

Sequence check transaction and master files. During batch update processes, the transaction file is often sorted prior to the update of the database master file or the database tables. There are times when the master file or tables, intended to be updated, might be sorted in a particular order. It may seem duplicitous for the update program to check the sequence of the transaction as it processes each record. Regardless, there are situations that occur resulting in records on the transaction or master file that are out of sequence.

Single-record multiple-transaction processing order. Database programs frequently receive multiple transactions targeting a single master record, also known as a tuple. The order in which transactions are processed against the master record is important. Different types of transactions must be given transaction codes resulting in them being sorted in correct order before being processed against the master record.

Suspense accounts. Suspense accounts are essentially a file for monetary transaction where a master record could not be located at the time the update was attempted. Monetary transactions, for which a master record cannot be located, must be charged to a suspense account. If they are lost because someone fails to correct their mismatch, someone may receive a product rebate payment to which they were not entitled. Auditors must be mindful that suspense accounts, relating to data mismatches, must exist and any suspense accounts with more than a zero balance show there are processing errors needing correction.