
Auditing Database Systems

Introduction
We will be talking about...
● Security and control of organization
databases.
● The term database is used in a broad context to
include two general approaches:
1.Flat-file model
2.Database model
Introduction
We will be talking about...
● Common database models
1.Hierarchical
2.Network
3.Relational
● Role of database technology in the distributed
environment.
● Control and audit issues related to data
management.
Data Management Approach
1.The flat-file approach
2.The database approach
Data Management Approach
1.The flat-file approach
Flat files are data files that contain
records with no structured relationships
to other files.
The flat-file environment promotes a
single-user view approach to data
management whereby end users own
their data files rather than share them
with other users.
Data Management Approach
1.The flat-file approach
Data files are therefore structured,
formatted, and arranged to suit the
specific needs of the owner or primary
user of the data.
Such structuring, however, may exclude
data attributes that are useful to other
users, thus preventing successful
integration of data across the
organization.
Data Management Approach
1.The flat-file approach
When multiple users need the same data
for different purposes, they must obtain
separate data sets structured to their
specific needs.
This replication of essentially the same
data in multiple files is called data
redundancy.
Data Management Approach
1.The flat-file approach (problems)
Data Storage – to meet the needs of diverse
users, costs of multiple storage procedures
must be incurred.
Data Updating - any changes or additions
must be performed multiple times.
Currency of Information – has the potential
problem of failing to update all affected
files.
Task-Data Dependency - user unable to
obtain additional information as his or her
needs change.
Data Management Approach
2.The database approach
Access to the data resource is controlled
by a database management system
(DBMS).
The DBMS stands between the user and
the database per se.
Data Management Approach
2.The database approach
Thus, commercial DBMSs (e.g., Access
or Oracle) actually consist of a database
plus software to manage the database,
especially controlling access and other
internal controls, and software to generate
reports, create data-entry forms, etc.
The DBMS is a special software system
that is programmed to know which data
elements each user is authorized to
access.
Data Management Approach
2.The database approach
Centralizes the organization's data into a
common database that is shared by
other users.
Data Management Approach
2.The database approach (advantages)
No data redundancy: Data is stored only once,
eliminating data redundancy and reducing
storage costs.
Single update: Because data is in only one place,
it requires only a single update, reducing the
time and cost of keeping the database current.
Current values: A change to the database made
by any user yields current data values for all
other users.
Task-data independence: As users’ information
needs expand, the new needs can be more
easily satisfied than under the flat-file approach.
Elements of the Database Environment
1.Database management system
2.Users
3.The database administrator
4.The physical database
5.DBMS models
Elements of the Database Environment

1.Database management system (features)


a)Program development
b)Backup and recovery
c)Database usage reporting
d)Database access
Elements of the Database Environment

1.Database management system (features)


a)Program development
The DBMS contains application
development software.
b)Backup and recovery
During processing, the DBMS
periodically makes backup copies
of the physical database.
Elements of the Database Environment

1.Database management system (features)


c)Database usage reporting
This feature captures statistics on
what data are being used, when
they are used, and who uses them.
d)Database access
Authorizes access to sections of the
database.
Elements of the Database Environment

1.Database management system (features)


d)Database access
Software modules
1.Data definition language
2.Data manipulation language
3.Query language
Database Access Software Modules

1.Data definition language


DDL is a programming language used to
define the database per se.
It identifies the names and the
relationship of all data elements,
records, and files that constitute the
database (e.g., create table, alter
table).
Database Access Software Modules
Elements of the Database Environment

2.Users
Users may access the database through
formal application interfaces (formal
access). User programs, prepared by
systems professionals, send data access
requests (calls) to the DBMS, which
validates the requests and retrieves the
data for processing.
Elements of the Database Environment

2.Users
Users may use data manipulation
language (DML), which is the proprietary
programming language that a particular
DBMS uses to retrieve, process, and store
data (e.g., insert, update, delete).
Entire user programs may be written in the
DML, or, alternatively, selected DML
commands can be inserted into programs
that are written in universal languages such
as Java, C++, and PHP.
Database Manipulation Language
Elements of the Database Environment

2.Users
Users may access a database through the
informal method of queries (informal
access).
A query is an ad hoc access methodology
for extracting information from a database.
Users can access data via direct query,
which requires no formal user programs
using the DBMS's built-in query facility.
Elements of the Database Environment

2.Users
Users may use Structured Query
Language (SQL) to access and
manipulate databases. SQL has emerged
as the standard query language for both
mainframe and microcomputer DBMSs.
This can be an internal control issue since users
may be making an ‘end run’ around the
controls built into the conventional
programs.
Elements of the Database Environment

2.Users
SQL is a fourth-generation, nonprocedural
language (English-like commands) with
many commands that allow users to input,
retrieve, and modify data easily.
The SELECT command is a powerful tool for
retrieving data.
SQL Select Command
Elements of the Database Environment

3.Database administrator (DBA), functions


Elements of the Database Environment

3.Database administrator (DBA)


By keeping database access authority
separate from systems development
and maintenance (application
programming), the organization is better
able to control and protect the database.
Intentional and unintentional attempts at
unauthorized access are more likely to
be discovered when the activities of
these two groups are segregated.
Elements of the Database Environment

3.Database administrator (DBA)


One of the important functions of the DBA
is the creation and maintenance of the
data dictionary. The data dictionary
describes every data element in the
database. This enables all users (and
programmers) to share a common view
of the data resource, thus greatly
facilitating the analysis of user needs.
Most DBMSs employ special software
for managing the data dictionary.
Elements of the Database Environment

4.The Physical Database


The lowest level of the database and the
only level that exists in physical form.
Consists of magnetic spots on metallic
coated disks.
The other levels of the database (the user
view, conceptual view, and internal view)
are abstract representations of the
physical level.
Elements of the Database Environment

4.The Physical Database


At the physical level, the database forms a
logical collection of records and files that
constitute the firm's data resource.
Elements of the Database Environment

5.DBMS Models
A data model is an abstract representation
of the data about entities. The purpose of
the data model is to represent entity
attributes in a way that is understandable to
users. Each DBMS is based on a particular
conceptual model.
Three common models are:
a)Hierarchical
b)Network
c)Relational
Elements of the Database Environment

5.DBMS Models
Database terminology
● Data Attribute/ Field: a single item of
data
● Entity: database representation of an
individual resource, event, or agent
about which we choose to collect data
● Record Type: table or file
● Database: the set of record types that
an organization needs to support its
business processes
Elements of the Database Environment

5.DBMS Models
Association
● Represented by a line connecting two entities
● May be described by a verb, such as ships,
requests, or receives
Cardinality – the degree of association between two
entities
● The number of possible occurrences in one
table that are associated with a single
occurrence in a related table
● Used to determine primary keys and foreign
keys
Elements of the Database Environment

5.DBMS Models
The relational model
Portrays data in the form of two-
dimensional tables.
Across the top of the table are
attributes (data fields) forming
columns. Intersecting the columns
to form rows in the table are tuples.
Each row in the table must be unique
in at least one attribute (the
primary key).
Databases in a Distributed Environment

● Databases can be centralized OR they can be
distributed.
● Distributed databases fall into two categories:
– Partitioned
– Replicated
● Partitioned database approach splits the
central database into segments or partitions
that are distributed to their primary users.
Databases in a Distributed Environment

● To achieve data currency, simultaneous access
to individual data elements by multiple IT units
must be prevented. The solution to this problem
is to employ a database lockout, which is a
software control (usually a function of the
DBMS) that prevents multiple simultaneous
accesses to data.
● In a distributed environment, it is possible for
multiple sites to lock out each other from the
database, thus preventing each from
processing its transactions (the deadlock
phenomenon).
The Deadlock Condition
Databases in a Distributed Environment

● A deadlock is a permanent condition that must
be resolved by special software that analyzes
each deadlock condition to determine the best
solution.
● Resolving a deadlock usually involves
terminating one or more transactions to
complete processing of the other transactions in
the deadlock. The preempted transactions
must then be reinitiated.
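The resolution step described above, as an added example that is not part of the original slides: a wait-for graph is searched for a cycle (the deadlock), one transaction in the cycle is terminated, and the loop repeats until no cycle remains. Transaction names and work figures are constructed, and choosing the transaction with the least work done as the one to preempt is an assumption; the slides do not say how the "best solution" is chosen.

```python
def find_deadlock(waits_for):
    """Return one cycle in the wait-for graph as a list, or None if there is none."""
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on current path / finished
    colour = {t: WHITE for t in waits_for}
    path = []

    def visit(t):
        colour[t] = GREY
        path.append(t)
        for nxt in sorted(waits_for.get(t, ())):
            state = colour.get(nxt, WHITE)
            if state == GREY:             # back edge: nxt is already on the path
                return path[path.index(nxt):]
            if state == WHITE:
                cycle = visit(nxt)
                if cycle:
                    return cycle
        path.pop()
        colour[t] = BLACK
        return None

    for t in sorted(waits_for):
        if colour[t] == WHITE:
            cycle = visit(t)
            if cycle:
                return cycle
    return None


def resolve(waits_for, work_done):
    """Terminate transactions until no deadlock remains; return those to reinitiate."""
    graph = {t: set(w) for t, w in waits_for.items()}
    preempted = []
    while (cycle := find_deadlock(graph)):
        # Assumed policy: preempt the transaction that loses the least work.
        victim = min(cycle, key=lambda t: (work_done[t], t))
        preempted.append(victim)
        graph.pop(victim, None)           # its locks are released
        for waiting_on in graph.values():
            waiting_on.discard(victim)
    return preempted


# Constructed sample: T1-T3 lock each other out across sites, T5/T6 form a
# second deadlock, and T4 is merely waiting (not deadlocked).
SAMPLE_WAITS = {"T1": {"T2"}, "T2": {"T3"}, "T3": {"T1"},
                "T4": {"T1"}, "T5": {"T6"}, "T6": {"T5"}}
SAMPLE_WORK = {"T1": 40, "T2": 5, "T3": 20, "T4": 1, "T5": 3, "T6": 9}

if __name__ == "__main__":
    print("first deadlock:", find_deadlock(SAMPLE_WAITS))
    print("reinitiate:", resolve(SAMPLE_WAITS, SAMPLE_WORK))
```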
Databases in a Distributed Environment

● Replicated databases are effective in
companies where there exists a high degree of
data sharing but no primary user. Common data
are replicated at each IT unit site.
● Database currency is the presence of complete
and accurate data at all user sites. A commonly
used method for concurrency control is to
serialize transactions.
Control and Audit of
Data Management Systems
Two crucial database control issues:
● Access controls
– Audit objectives: (1) those authorized to use
databases are limited to data needed to
perform their duties and (2) unauthorized
individuals are denied access to data
● Backup controls
– Audit objectives: backup controls can
adequately recover lost, destroyed, or
corrupted data
Control and Audit of
Data Management Systems
Access Controls
● User views - based on sub-schemas
● Database authorization table - allows greater
authority to be specified
● User-defined procedures - used to create a
personal security program or routine
● Data encryption - encoding algorithms
● Biometric devices - fingerprints, retina prints, or
signature characteristics
Subschema Restricting Access
Database Authorization Table
Access Controls

Audit procedures: verify…


● responsibility for authority tables & subschemas
● granting appropriate access authority
● use or feasibility of biometric controls
● use of encryption
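One way to carry out the "granting appropriate access authority" procedure against the two access-control audit objectives, as an added example that is not part of the original slides. The table layouts, users, roles and duty matrix are constructed for illustration, and an in-memory SQLite database stands in for an export of the DBMS authorization table.

```python
import sqlite3


def build_sample_db():
    """Load constructed sample data: who holds what, and what each duty requires."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_role   (user_id TEXT, role TEXT);
        CREATE TABLE duty_matrix (role TEXT, resource TEXT, privilege TEXT);
        CREATE TABLE auth_table  (user_id TEXT, resource TEXT, privilege TEXT);
    """)
    con.executemany("INSERT INTO user_role VALUES (?,?)", [
        ("jones", "ar_clerk"), ("smith", "purchasing"), ("adams", "programmer")])
    con.executemany("INSERT INTO duty_matrix VALUES (?,?,?)", [
        ("ar_clerk", "ar_file", "read"), ("ar_clerk", "ar_file", "modify"),
        ("purchasing", "vendor_file", "read"),
        ("purchasing", "vendor_file", "insert")])
    con.executemany("INSERT INTO auth_table VALUES (?,?,?)", [
        ("jones", "ar_file", "read"), ("jones", "ar_file", "modify"),
        ("jones", "vendor_file", "read"),     # not an accounts-receivable duty
        ("smith", "vendor_file", "read"), ("smith", "vendor_file", "insert"),
        ("smith", "vendor_file", "delete"),   # beyond purchasing duties
        ("adams", "ar_file", "modify"),       # programmer with production access
        ("temp01", "ar_file", "read")])       # no role on record
    return con


def excess_grants(con):
    """Objective 1: grants held by known users that no assigned duty justifies."""
    return con.execute("""
        SELECT a.user_id, a.resource, a.privilege
        FROM auth_table a
        WHERE EXISTS (SELECT 1 FROM user_role u WHERE u.user_id = a.user_id)
          AND NOT EXISTS (
              SELECT 1 FROM user_role u
              JOIN duty_matrix d ON d.role = u.role
              WHERE u.user_id = a.user_id
                AND d.resource = a.resource
                AND d.privilege = a.privilege)
        ORDER BY a.user_id, a.resource, a.privilege
    """).fetchall()


def unknown_users(con):
    """Objective 2: identities in the authorization table with no role on record."""
    rows = con.execute("""
        SELECT DISTINCT user_id FROM auth_table
        WHERE user_id NOT IN (SELECT user_id FROM user_role)
        ORDER BY user_id""")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for finding in excess_grants(db):
        print("excess grant:", finding)
    print("unknown users:", unknown_users(db))
```

The `adams` finding also bears on the earlier DBA slide: a programmer holding modify authority on a production file is the overlap that segregating database access authority from systems development is meant to prevent.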
Backup Controls

● Database backup – automatic periodic copy of
data
● Transaction log – list of transactions that
provides an audit trail (the resulting changes to
the database in a separate database change
log)
● Checkpoint features – suspends data during
system reconciliation
● Recovery module – restarts the system after a
failure
Backup Controls

Audit procedures: verify…


● that production databases are copied at regular
intervals
● backup copies of the database are stored off
site to support disaster recovery
