What do you look for in a Database Audit?

Question

Post reply

What do you look for in a Database Audit?

Viewing 3 posts - 16 through 17 (of 17 total)

You must be logged in to reply to this topic. Login to reply

boris_shvartsman Mr or Mrs. 500 Points: 552 More actions · Answer 1

Guys, my boss is asking me to come up with a simple document where we have SQL Server 2005 standards SAS70 complaint. I am not a new to SQL Server but I never wrote anything like that. I know you will say, "it depends on..." or "everyone's different".. but not in this case I can assure you. There are many DBAs out there who never had to face SAS, SOX, C2, etc.. I, personally, don't even now where to begin such a document.. I think other people will benefit too if you will post such a document or at least show how to build one. Specifically, I am interested in Security and Configuration. I appreciate your help, very much,

Boris.

if one wants it.. one will justify it.

Steve Jones - SSC Editor SSC Guru Points: 728159 More actions · Answer 2

Steve Jones - SSC Editor

SSC Guru

Points: 728159

March 11, 2009 at 10:06 am

#957627

you might try here: http://www.sas70.com/faq/faq14.html

And then post a new thread in the SQL Server 2005, Security forum asking for more info.

Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com

taylor lehmann SSC Journeyman Points: 99 More actions · Answer 3

Again, being an auditor who does SAS 70's all the time, I will again say there is no "database compliance program" specified in the AICPA's guide to performing a SAS 70.

If I were you, I'd read, very closely, the AICPA's standard objectives around security. Then I'd look at what's in scope for the SAS 70 (what business processes or applications), then assess whether or not the business controls in place make looking at the database in the first place relevant (is someone tying all system inputs to all system outputs? if so, database may not be irrelevant). If the database is still in scope...then, it's up to you to determine what's relevant, not the auditors.

However, to be helpful, auditors tend to focus more on things like who has access to the database and if that access is highly restricted and consistent w/ segregation of duties (e.g., no developers, no business users - no one without a "need" to directly access the database). If you can establish access is highly restricted, other things might then matter - like how are changes made, how are things like the listener configured, what's the patch level, how is the OS configured to restrict access to non-binary configuration files.

hope this helps.