Oracle database security

Oracle database security

Oracle database security

Introduction

Databases are a key component in most business-related data systems. The 02 transactions are noted in the database. The accounting system of any business 20 relies on a database. But how manage we understand that the data stored in the database and the reports made from these, can be relied upon? We have to assess the interior te controls that the system is based upon. The theme of this paper is the carrying out of a tu security review of an Oracle database. The paper is in writing from the perspective of an external auditor unaligned from the entity being audited. sti In The Federal Information System Controls Audit Manual (FISCAM), supplied by The United States General Accounting Office (GAO), describes a methodology that can be NS used when assessing interior controls associated to computer-based data systems. FISCAM is used as the basis for the themes enclosed in this paper.

The layout of an audit

To be adept to assess the security of a system the auditor first of all has to gain ample information of the system being evaluated.

The reason of the system

Why is this scheme run? Is the processes it support of crucial significance to the company? The significance of the system or parts of it is essential input to a risk assessment.

The structure of the system

Network diagrams specifying hardware and software might be a useful starting point. As we are intensifying on databases, it is also significant to start accumulating data about this subject. What kind of database is used? What functioning system runs on the servers where the database system software resides? What applications access facts and numbers in the database? Are there several application-specific databases or manage several applications access the same database? How manage the applications interface with the database?

Security policies and plans

These will be the base for the interior controls system in the entity, and also a possible starting issue for the audit.

Information about the association and its procedures

Organization charts could be a starting issue here. To cut into a little farther procedural manuals or similar descriptions could be useful. This is significant as towards an initial evaluation of if there exist procedures for crucial activities security- wise (e.g. procedures for administration of user-id's, procedures for backup and recovery).

Risk assessment

After profiting an understanding of the entity's operations, the auditor must assess the risks associated with ...