Application Review and Auditing Databases
Quinn Gaalswyk, CISA; Ted Wallerstedt, CISA, CIA
Office of Internal Audit, University of Minnesota
Application Controls - Agenda
• Introduction & Ice Breaker - 9:00
• App. Best Practices - 9:10
• App. Reports - 9:25
• App. Control Recap – 9:30
• Database Security – 9:45
• Timesheets Scenario – 10:45
• Adjourn – 11:30
Where were you in 1991?
Best Practices
• Apply defense-in-depth.
• Use a positive security model.
• Fail safely.
• Run with least privilege.
• Avoid security by obscurity.
Best Practices
• Keep security simple.
• Detect intrusions and keep logs.
• Never trust infrastructure and services.
• Establish secure defaults.
• Use open standards.
Application Security – Reports Overview
Quinn Gaalswyk, CISA, Senior Information Systems Auditor
University of Minnesota
Report Overview
• Reports should support functional activities
  o Management reports – tie to business need
  o Exception reports
• Pragmatic and useful
Report Auditing
• Confirm activity is writing to report
  o Test data and test environment
  o Obtain reports from production
• Interview functional user to confirm reports serve needs
• Confirm reports are reviewed
Application Reports and Controls Recap
Quinn Gaalswyk, CISA, Senior Information Systems Auditor
University of Minnesota
Application Input Controls
#1 REVIEW AND EVALUATE DATA INPUT CONTROLS
Prevent
#2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED
Detect
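The two halves of an input control in one script, as an added example that is not from the slides: a positive-model validator (the "positive security model" and "fail safely" practices from the Best Practices slides) that accepts a field only when it matches an expected shape and rejects everything else, plus the exception report a reviewer would pull to confirm the control actually fires. The timesheet field names, the department code allowlist and the sample rows are constructed for illustration.

```python
"""Input controls: a positive (allowlist) security model that fails closed,
plus the exception report that lets a reviewer see what was rejected.

Added example, not from the slides. Field names, the department code list
and the sample records are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Allowlist of known department codes (constructed sample data).
VALID_DEPARTMENTS = frozenset({"ACCT", "HR", "IT", "LIB"})
EMPLOYEE_ID_RE = re.compile(r"^[0-9]{7}$")          # exactly seven digits
MAX_HOURS_PER_DAY = Decimal("24")


@dataclass
class Rejection:
    record_no: int
    field_name: str
    reason: str


@dataclass
class ValidationResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)


def validate_timesheet_row(row):
    """Return a list of (field, reason) problems; an empty list means accepted.

    Every field must positively match an expected shape; anything else is
    rejected (fail closed) rather than passed through with a best guess.
    """
    problems = []
    emp = str(row.get("employee_id", ""))
    if not EMPLOYEE_ID_RE.fullmatch(emp):
        problems.append(("employee_id", "must be exactly 7 digits"))
    dept = str(row.get("department", ""))
    if dept not in VALID_DEPARTMENTS:
        problems.append(("department", f"unknown department code {dept!r}"))
    try:
        hours = Decimal(str(row.get("hours", "")))
        if not (Decimal("0") < hours <= MAX_HOURS_PER_DAY):
            problems.append(("hours", "must be > 0 and <= 24"))
    except InvalidOperation:
        problems.append(("hours", "not a number"))
    return problems


def process_batch(rows):
    """Apply the preventive control to each row and collect the rejections
    that feed the detective exception report."""
    result = ValidationResult()
    for n, row in enumerate(rows, start=1):
        problems = validate_timesheet_row(row)
        if problems:
            for fld, reason in problems:
                result.rejected.append(Rejection(n, fld, reason))
        else:
            result.accepted.append(row)
    return result


def exception_report(result):
    """Render the rejections as lines a functional reviewer would read."""
    lines = [f"{len(result.accepted)} accepted, {len(result.rejected)} exceptions"]
    for r in result.rejected:
        lines.append(f"record {r.record_no}: {r.field_name}: {r.reason}")
    return lines


# Constructed sample batch: two good rows, two rows that must be rejected.
SAMPLE_ROWS = [
    {"employee_id": "1234567", "department": "IT", "hours": "7.5"},
    {"employee_id": "7654321", "department": "HR", "hours": "8"},
    {"employee_id": "12345", "department": "IT", "hours": "8"},        # bad id
    {"employee_id": "1111111", "department": "ENG", "hours": "-3"},   # bad dept, bad hours
]

if __name__ == "__main__":
    for line in exception_report(process_batch(SAMPLE_ROWS)):
        print(line)
```

The allowlist is the preventive control (#1); the report of what was rejected, and evidence that someone reads it, is the detective control (#2). An auditor can run the same batch through the production validator and compare the rejection counts to the exception report the business actually receives.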
Application Interface Controls
#3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.
Data Synchronization
#4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.
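A periodic sync check of the kind #4 calls for, as an added example that is not from the slides: the same employee records are held in an HR master and in an application's own table, and the script lists every record missing on either side and every field that disagrees, after normalizing away formatting noise so only real drift is reported. The two systems, the key and field names, and the sample rows are constructed.

```python
"""Data synchronization check: compare the 'same' records held in two
systems and report every inconsistency so it can be investigated.

Added example, not from the slides. The two systems (an HR master and an
application's employee table), their keys and the sample rows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Difference:
    key: str
    kind: str          # "missing_in_b", "missing_in_a" or "mismatch"
    field_name: str = ""
    value_a: object = None
    value_b: object = None


def normalize(value):
    """Canonicalize before comparing so formatting noise does not count as drift."""
    if value is None:
        return None
    if isinstance(value, str):
        return value.strip().casefold()
    return value


def reconcile(system_a, system_b, key, fields):
    """Return the list of Differences between two record sets.

    system_a, system_b: iterables of dict rows. key: name of the shared
    primary key. fields: the columns that should agree in both systems.
    """
    index_a = {str(r[key]): r for r in system_a}
    index_b = {str(r[key]): r for r in system_b}
    diffs = []
    for k in sorted(index_a.keys() - index_b.keys()):
        diffs.append(Difference(k, "missing_in_b"))
    for k in sorted(index_b.keys() - index_a.keys()):
        diffs.append(Difference(k, "missing_in_a"))
    for k in sorted(index_a.keys() & index_b.keys()):
        ra, rb = index_a[k], index_b[k]
        for f in fields:
            if normalize(ra.get(f)) != normalize(rb.get(f)):
                diffs.append(Difference(k, "mismatch", f, ra.get(f), rb.get(f)))
    return diffs


def summarize(diffs):
    """Counts per kind, handy for a trend line on the sync report."""
    counts = {"missing_in_a": 0, "missing_in_b": 0, "mismatch": 0}
    for d in diffs:
        counts[d.kind] += 1
    return counts


# Constructed sample data.
HR_MASTER = [
    {"emp_id": "1001", "name": "Ada Lovelace", "dept": "IT", "status": "active"},
    {"emp_id": "1002", "name": "Grace Hopper", "dept": "IT", "status": "active"},
    {"emp_id": "1003", "name": "Alan Turing", "dept": "ACCT", "status": "terminated"},
]
APP_EMPLOYEES = [
    {"emp_id": "1001", "name": "ada lovelace ", "dept": "IT", "status": "active"},  # formatting only
    {"emp_id": "1002", "name": "Grace Hopper", "dept": "HR", "status": "active"},   # dept drifted
    {"emp_id": "1004", "name": "Mallory", "dept": "IT", "status": "active"},        # unknown to HR
]


def sample_diffs():
    return reconcile(HR_MASTER, APP_EMPLOYEES, "emp_id", ["name", "dept", "status"])


if __name__ == "__main__":
    for d in sample_diffs():
        print(d)
    print(summarize(sample_diffs()))
```

The record present only in the application (1004) is the case an auditor cares most about: an account the system of record does not know exists. Normalizing case and whitespace keeps the report short enough that such entries are not buried in cosmetic differences.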
Authentication
#7. DOES AN AUTHENTICATION METHOD EXIST?
Way to access application
#12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE?
Two Factor / Single Sign-on
Session Timeout
• #14. ARE USERS LOGGED OUT WHEN INACTIVE?
User Provisioning & De-Provisioning
#13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED?
Approval
#11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED?
Automated Removal
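One way to test #13 and #11 together, as an added example that is not from the slides: reconcile the application's account list against the HR roster and the access-approval log, so accounts whose owner has left, accounts with no HR owner at all, dormant accounts, and accounts granted without a recorded approval each come out as a separate finding, and the first three feed an automated disable job. The roster, account and approval extracts and the 90-day dormancy threshold are constructed.

```python
"""User provisioning review: reconcile application accounts against the HR
roster and the access-approval log, listing accounts that should be removed
(owner terminated, no HR owner, or dormant) and accounts granted without a
recorded approval.

Added example, not from the slides. The roster, account and approval extracts
and the 90-day dormancy threshold are constructed.
"""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90   # constructed policy value


def review_accounts(accounts, hr_roster, approvals, as_of):
    """Return a dict of findings keyed by finding type.

    accounts:  list of {"user", "emp_id", "last_login": date | None}
    hr_roster: {emp_id: "active" | "terminated"}
    approvals: set of user names that have an approval record on file
    as_of:     the review date
    """
    findings = {"terminated_owner": [], "unknown_owner": [],
                "dormant": [], "no_approval": []}
    cutoff = as_of - timedelta(days=DORMANT_AFTER_DAYS)
    for acct in accounts:
        user = acct["user"]
        status = hr_roster.get(acct["emp_id"])
        if status is None:
            findings["unknown_owner"].append(user)        # nobody in HR owns it
        elif status == "terminated":
            findings["terminated_owner"].append(user)     # owner has left
        last = acct.get("last_login")
        if last is None or last < cutoff:
            findings["dormant"].append(user)              # never used or idle too long
        if user not in approvals:
            findings["no_approval"].append(user)          # granted without business-need sign-off
    return findings


def removal_candidates(findings):
    """Accounts an automated de-provisioning job should disable now."""
    return sorted(set(findings["terminated_owner"])
                  | set(findings["unknown_owner"])
                  | set(findings["dormant"]))


# Constructed extracts for the review.
AS_OF = date(2024, 6, 30)
HR_ROSTER = {"1001": "active", "1002": "terminated", "1003": "active"}
ACCOUNTS = [
    {"user": "ada", "emp_id": "1001", "last_login": date(2024, 6, 28)},
    {"user": "grace", "emp_id": "1002", "last_login": date(2024, 6, 29)},  # owner terminated, still logging in
    {"user": "alan", "emp_id": "1003", "last_login": date(2024, 1, 15)},   # dormant
    {"user": "svc_report", "emp_id": "9999", "last_login": None},          # no HR owner, never used
]
APPROVALS = {"ada", "grace", "alan"}


def sample_review():
    return review_accounts(ACCOUNTS, HR_ROSTER, APPROVALS, AS_OF)


if __name__ == "__main__":
    findings = sample_review()
    for kind, users in findings.items():
        print(f"{kind}: {users}")
    print("disable:", removal_candidates(findings))
```

The account that still logs in after its owner's termination date is the finding that shows the de-provisioning feed is broken, not merely slow; a dormant account is the lower-severity case the same job cleans up.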
Authorization
#8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS?
Type of access provided
#10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION?
#16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?
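A segregation-of-duties test covering #10 and #16, as an added example that is not from the slides: a rights extract is checked for users who hold both sides of a toxic pair (submit and approve a transaction; develop and change production), and the transaction log is checked for approvals performed by the submitter or never recorded. The role names, conflict pairs and sample extracts are constructed.

```python
"""Authorization review: test a role/rights extract for segregation-of-duties
conflicts (submit vs. approve, develop vs. change production) and test the
transaction log for self-approved or unapproved transactions.

Added example, not from the slides. Role names, the conflict matrix and
the sample extracts are constructed.
"""
from collections import defaultdict

# Pairs of rights that one person should not hold together (constructed).
SOD_CONFLICTS = [
    frozenset({"TXN_SUBMIT", "TXN_APPROVE"}),
    frozenset({"DEVELOPER", "PROD_CHANGE"}),
]


def rights_by_user(grants):
    """grants: iterable of (user, right). Returns {user: set(rights)}."""
    result = defaultdict(set)
    for user, right in grants:
        result[user].add(right)
    return result


def sod_violations(grants):
    """Return sorted (user, conflict_pair) tuples for every toxic combination held."""
    violations = []
    for user, rights in rights_by_user(grants).items():
        for pair in SOD_CONFLICTS:
            if pair <= rights:                     # user holds both halves of the pair
                violations.append((user, tuple(sorted(pair))))
    return sorted(violations)


def self_approvals(transactions):
    """Return ids of transactions approved by the same user who submitted them,
    or approved with no approver recorded at all."""
    flagged = []
    for t in transactions:
        approver = t.get("approved_by")
        if not approver or approver == t["submitted_by"]:
            flagged.append(t["txn_id"])
    return flagged


# Constructed extracts: a rights report and a slice of the transaction log.
GRANTS = [
    ("alice", "TXN_SUBMIT"), ("alice", "TXN_APPROVE"),   # conflict
    ("bob", "TXN_SUBMIT"),
    ("carol", "TXN_APPROVE"),
    ("dave", "DEVELOPER"), ("dave", "PROD_CHANGE"),      # conflict
    ("erin", "DEVELOPER"),
]
TRANSACTIONS = [
    {"txn_id": "T-1", "submitted_by": "bob", "approved_by": "carol"},
    {"txn_id": "T-2", "submitted_by": "alice", "approved_by": "alice"},   # self-approved
    {"txn_id": "T-3", "submitted_by": "bob", "approved_by": None},        # never approved
]

if __name__ == "__main__":
    print("SoD violations:", sod_violations(GRANTS))
    print("transactions needing follow-up:", self_approvals(TRANSACTIONS))
```

Running both tests matters: the rights extract shows who could bypass approval, the transaction log shows whether anyone did.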
Application Administration
#9. IS THE ADMIN FUNCTION ADEQUATE?
User Admin / System Admin
Data Encryption
#15. IS DATA PROTECTED IN TRANSIT AND AT REST?
- Encrypted in all states
Application Audit Trail
#5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.
Data Traceability
#6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.
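An audit trail that satisfies both #5 and #6, as an added example that is not from the slides: each entry is hash-chained to the one before it, so altering or dropping any entry is detected on verification (the control over the audit trail), and each entry carries the transaction id it belongs to, so one transaction can be traced from submission to posting. The event names and sample entries are constructed, and the hash-chain scheme is one common design rather than anything the deck prescribes.

```python
"""Audit trail and traceability: an append-only, hash-chained audit log in
which every entry carries the transaction id it belongs to, so a reviewer can
(a) verify that no entry has been altered or dropped and (b) pull the full
history of one transaction from first input to final posting.

Added example, not from the slides; the event names and sample entries are
constructed and the chaining scheme is one common design, not the deck's.
"""
import hashlib
import json


def _digest(prev_hash, entry):
    """SHA-256 over the previous hash and a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []   # each: {"seq", "txn_id", "actor", "event", "data", "prev", "hash"}

    def append(self, txn_id, actor, event, data):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "txn_id": txn_id, "actor": actor,
                "event": event, "data": data, "prev": prev}
        body["hash"] = _digest(prev, body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (ok, first_bad_seq). Recomputes every hash against its predecessor,
        so an edited entry, a removed entry or a reordered entry is reported."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def trace(self, txn_id):
        """All events for one transaction, in the order they were recorded."""
        return [(e["actor"], e["event"], e["data"])
                for e in self.entries if e["txn_id"] == txn_id]


def build_sample_trail():
    """Constructed sample: two timesheets, one of which goes all the way to payroll."""
    t = AuditTrail()
    t.append("TS-42", "bob", "timesheet.submitted", {"hours": 38})
    t.append("TS-43", "erin", "timesheet.submitted", {"hours": 40})
    t.append("TS-42", "carol", "timesheet.approved", {})
    t.append("TS-42", "payroll", "timesheet.posted", {"amount": "1140.00"})
    return t


def demo():
    """Verify a clean trail, then show that an edit and a deletion are both caught."""
    clean = build_sample_trail()
    edited = build_sample_trail()
    edited.entries[2]["actor"] = "bob"       # rewrite who approved TS-42
    dropped = build_sample_trail()
    del dropped.entries[1]                   # remove an entry from the middle
    return {
        "clean": clean.verify(),
        "edited": edited.verify(),
        "dropped": dropped.verify(),
        "trace_TS_42": [ev for _, ev, _ in clean.trace("TS-42")],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice the head hash is written somewhere the application's administrators cannot change (a separate log store, or a periodic signed checkpoint); otherwise someone with write access to the table can rewrite an entry and simply recompute the chain behind it.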