This program does not fully utilize all data gathered, but the data gathered is intended to allow for follow-up without additional requests based on information found during testing.
2. Control objective: Master database is properly protected.
   Control: Fixed role membership is limited.
   Guidance on control/background: Only DBAs should be granted fixed roles.
   Business risk: There is a risk that users can inadvertently or intentionally update database configurations, alter database processing or delete data.
   Test procedures: 1. Obtain a query of users that belong to fixed roles.
   Testing performed: Fixed Role Users: SysAdmin, ServerAdmin, SetupAdmin, Security Admin, ProcessAdmin, DbCreator, DiskAdmin, BulkAdmin
4. Control objective: Individual database is properly protected from updates.
   Control: Fixed role membership is limited.
   Guidance on control/background: Only authorized individuals should be granted these roles.
   Business risk: There is a risk that users will have access to sensitive information that they are not authorized to view.
   Test procedures: 1. Obtain a query of users that belong to Predefined Roles that may create a risk to data privacy (but not to overall database integrity).
   Testing performed: Fixed Role Users: db_datareader
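The two test procedures above (2.1 fixed server roles, 4.1 db_datareader) both ask for "a query of users that belong to" a role but the audit program does not supply one. The following T-SQL is an added example, not part of the program, and assumes SQL Server 2008 or later (for the catalog views and the `+=` string assignment) and a login with permission to read the server and database catalogs. Every row returned should map to a named, authorised DBA (server roles) or an individual approved for read access (db_datareader); Windows groups should be expanded separately because their membership is not visible in the catalog.

```sql
-- Added example: enumerate fixed server role members and db_datareader members.
-- Assumes SQL Server 2008+ and read access to the server/database catalogs.

-- Test 2.1: who holds a fixed server role on this instance?
SELECT r.name      AS fixed_server_role,
       m.name      AS member_login,
       m.type_desc AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
       m.is_disabled
FROM sys.server_role_members AS srm
JOIN sys.server_principals   AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = srm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, m.name;

-- Test 4.1: members of db_datareader in every online database.
-- Built as one UNION ALL over all databases so the result is a single report.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'
SELECT ' + QUOTENAME(name, '''') + N' AS database_name,
       r.name AS database_role, m.name AS member_name, m.type_desc AS member_type
FROM ' + QUOTENAME(name) + N'.sys.database_role_members AS drm
JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N''db_datareader''
UNION ALL'
FROM sys.databases
WHERE state_desc = N'ONLINE';   -- offline/restoring databases cannot be queried

-- Drop the trailing UNION ALL and run the assembled statement.
SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
EXEC sys.sp_executesql @sql;
```

The same pattern covers any other predefined database role the program lists as a privacy risk: replace `db_datareader` with, for example, `db_datawriter` or `db_owner`. Note that a member of type WINDOWS_GROUP grants the role to everyone in that group, so the group itself must be resolved against the directory before the membership can be signed off.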
6. Control objective: Remote access should be limited and controlled if used, and when used is controlled in an acceptable manner.
   Control: External server connections are disabled by default.
   Guidance on control/background: Links to connections that are not needed should be removed.
   Business risk: If unauthorized links to external data sources are present, data could be accessed and updated in an unintended manner.
   Test procedures: 1. Through discussions with the DBA determine if external data connections are allowed and if so how they are managed and secured.
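Test 6.1 relies on discussion with the DBA; the following T-SQL is an added example (not part of the audit program) that gives the auditor an independent inventory to compare that discussion against. It assumes SQL Server 2005 or later and VIEW ANY DEFINITION-level catalog access. The three result sets are the linked/remote server definitions, how each linked server authenticates to the remote side, and the instance-wide configuration switches that govern remote and ad hoc access.

```sql
-- Added example: inventory of external data connections for test 6.1.
-- Assumes SQL Server 2005+.

-- 1. Linked and remote servers. server_id 0 is the local instance itself.
SELECT s.name, s.product, s.provider, s.data_source,
       s.is_linked, s.is_remote_login_enabled, s.is_rpc_out_enabled,
       s.is_data_access_enabled, s.modify_date
FROM sys.servers AS s
WHERE s.server_id <> 0
ORDER BY s.name;

-- 2. Login mappings for each linked server. local_principal_id 0 is the
--    wildcard mapping that applies to every login that has no explicit row;
--    a row with uses_self_credential = 0 and a remote_name uses a stored
--    credential, which is the case to review most carefully.
SELECT s.name AS linked_server,
       COALESCE(p.name, N'<all other logins>') AS local_login,
       l.uses_self_credential,
       l.remote_name,
       l.modify_date
FROM sys.linked_logins AS l
JOIN sys.servers AS s ON s.server_id = l.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = l.local_principal_id
ORDER BY s.name, local_login;

-- 3. Instance-wide switches. The control expects these to be off unless a
--    documented business need exists.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'remote access',
               N'Ad Hoc Distributed Queries',
               N'remote admin connections');
```

A linked server that no application or job uses, or a wildcard mapping that lets every local login ride a single privileged remote credential, is the kind of finding the control is aimed at; the DBA's explanation of each row in result set 1 and 2 is what the test documents.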
3.0 User Access
Columns: Control Objectives | Control | Guidance on Control/Background | Business risk | Test Procedures | Testing Performed
1. Control objective: To ensure that all users are responsible for their own actions, which are accountable to them and for which they are responsible.
   Control: All users are assigned their own unique account.
   Guidance on control/background: Part of obtaining a new account should include the signing of an acceptable use policy. More than likely, a person in an organisation will sign such an agreement before they commence work. The security administrator should ensure that an access policy and procedure exists and is current.
   Business risk: Accountability for actions taken within the system can only be achieved by assigning all users their own unique account. The practice of sharing accounts or using the same account name for different individuals decreases the level of accountability when irregular, unauthorised and inappropriate system actions have been taken.
   Test procedures: 1. Through discussions with the DBA determine the process of assigning account details to a user. 2. Using the output from the user report obtained in procedure 2, determine if all accounts are owned by only one individual. 3. Determine if default accounts have been properly secured.
5. Control objective: Control over vendor access.
   Control: Accounts created for use by vendors are temporary accounts that are immediately removed upon completion of the vendor activities.
   Guidance on control/background: Vendors may require system access for emergency, maintenance or troubleshooting purposes. Although vendors may require the use of an existing account, good practice says that they should be assigned a temporary account that can be removed upon completion of their activities.
   Business risk: Not creating a temporary vendor account decreases the accountability of their work. Not removing a vendor account immediately increases the risk that the account will be used to gain unauthorised access by the vendor or another party.
   Test procedures: Determine who the vendors are and if they have had access previously to the database. Confirm this via review of the USERS report.
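Tests 1.2, 1.3 and 5 all work from the same "user report", which the program does not define. The following T-SQL is an added example (not part of the audit program) of such a report, assuming SQL Server 2005 or later. The first query lists every login with the attributes an auditor needs to spot shared, default and vendor accounts; the `review_note` heuristics (the built-in `sa` identified by its fixed SID `0x01`, and the `%vendor%` / `%temp%` name patterns) are assumptions for illustration, not the audited organisation's naming rules. The second query, run inside each database, finds database users whose login no longer exists, which is what a dropped but incompletely removed vendor account looks like.

```sql
-- Added example: login inventory for tests 1.2, 1.3 and 5.
-- Assumes SQL Server 2005+. Name patterns in review_note are assumed.

-- 1. Every login on the instance, newest first.
SELECT p.name,
       p.type_desc,                       -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       p.is_disabled,
       p.create_date,
       p.modify_date,
       sl.is_policy_checked,              -- NULL for Windows principals
       sl.is_expiration_checked,
       LOGINPROPERTY(p.name, 'PasswordLastSetTime') AS password_last_set,
       CASE
         WHEN p.sid = 0x01 THEN 'built-in sa: confirm disabled or renamed (test 1.3)'
         WHEN p.type = 'G' THEN 'Windows group: shared by definition, enumerate members (test 1.2)'
         WHEN p.name LIKE '%vendor%' OR p.name LIKE '%temp%'
              THEN 'possible vendor/temporary account: confirm still required (test 5)'
         ELSE ''
       END AS review_note
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins AS sl ON sl.principal_id = p.principal_id
WHERE p.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND p.name NOT LIKE '##%'              -- certificate-based internal logins
ORDER BY p.create_date DESC;

-- 2. Run in each database: users whose server login has been dropped.
--    Users deliberately created WITHOUT LOGIN also appear here; confirm intent.
SELECT dp.name, dp.type_desc, dp.create_date
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')
  AND dp.principal_id > 4                -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.sid IS NOT NULL
  AND sp.sid IS NULL
ORDER BY dp.create_date;
```

For test 5 the auditor matches the `create_date` / `modify_date` of each suspected vendor login against the vendor engagement dates supplied by the DBA; a login created for a past engagement that is still enabled is the exception the control describes.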
4.0 Roles, grants and privileges

Roles: DBA, Developer, General business user, Operator, Process

Object type codes (as reported by sys.sysobjects):
C = CHECK constraint
D = Default or DEFAULT constraint
F = FOREIGN KEY constraint
L = Log
FN = Scalar function
IF = Inlined table-function
P = Stored procedure
PK = PRIMARY KEY constraint (type is K)
RF = Replication filter stored procedure
S = System table
TF = Table function
TR = Trigger
U = User table
UQ = UNIQUE constraint (type is K)
V = View
X = Extended stored procedure

Columns: Control Objectives | Control | Guidance on Control/Background | Business Risk | Test Procedures | Exceptions
3. Control objective: To ensure object usage, naming conventions and relevant coding comments follow predefined department rules.
   Control: Database administration and programming follow established IT guidelines that ensure adequate technical documentation of the database environment.
   Guidance on control/background: The IT department should have a documented standard to govern acceptable database object usage, naming conventions and coding standards. When database field updates/additions or coding is required, it should be consistently documented to ensure any DBA or database programmer can easily determine the purpose of the related objects. This will ensure effective and efficient troubleshooting when the database is not operating as intended and will also serve as a vehicle for a smooth transition of responsibilities within the organization's DBA function.
   Test procedures: 1. Review naming conventions leveraged by evaluating object naming standards used (review output from SELECT * FROM sys.sysobjects). 2. Interview management to understand if naming conventions leveraged follow departmental standards and if these standards are properly documented.
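Test 3.1 asks the auditor to review the raw output of `SELECT * FROM sys.sysobjects`, which on a real database runs to thousands of rows. The following T-SQL is an added example (not part of the audit program) that turns that output into something reviewable, using the type codes listed in section 4.0. It assumes SQL Server 2005 or later. The naming rules in the second query (`tbl_`, `vw_`, `usp_`, `fn_` prefixes) are an assumed illustrative convention; substitute the department's documented standard from test 3.2.

```sql
-- Added example: object inventory and naming-convention check for test 3.1.
-- Assumes SQL Server 2005+. Prefix rules below are assumed, not the department's.

-- 1. How many objects of each kind exist, using the section 4.0 code table.
SELECT o.xtype,
       CASE o.xtype
         WHEN 'C'  THEN 'CHECK constraint'
         WHEN 'D'  THEN 'DEFAULT constraint'
         WHEN 'F'  THEN 'FOREIGN KEY constraint'
         WHEN 'L'  THEN 'Log'
         WHEN 'FN' THEN 'Scalar function'
         WHEN 'IF' THEN 'Inlined table-function'
         WHEN 'P'  THEN 'Stored procedure'
         WHEN 'PK' THEN 'PRIMARY KEY constraint'
         WHEN 'RF' THEN 'Replication filter stored procedure'
         WHEN 'S'  THEN 'System table'
         WHEN 'TF' THEN 'Table function'
         WHEN 'TR' THEN 'Trigger'
         WHEN 'U'  THEN 'User table'
         WHEN 'UQ' THEN 'UNIQUE constraint'
         WHEN 'V'  THEN 'View'
         WHEN 'X'  THEN 'Extended stored procedure'
         ELSE 'Other'
       END AS object_kind,
       COUNT(*) AS object_count,
       SUM(CASE WHEN OBJECTPROPERTY(o.id, 'IsMSShipped') = 1 THEN 1 ELSE 0 END) AS shipped_by_vendor,
       MIN(o.crdate) AS oldest_created,
       MAX(o.crdate) AS newest_created
FROM sys.sysobjects AS o
GROUP BY o.xtype
ORDER BY object_count DESC;

-- 2. User-created objects that break the assumed convention. The sp_ check is
--    included because sp_-prefixed procedures are resolved against master first,
--    so the prefix is normally reserved for system procedures.
SELECT o.xtype, SCHEMA_NAME(o.uid) AS schema_name, o.name, o.crdate
FROM sys.sysobjects AS o
WHERE OBJECTPROPERTY(o.id, 'IsMSShipped') = 0
  AND (   (o.xtype = 'U'  AND o.name NOT LIKE 'tbl[_]%')
       OR (o.xtype = 'V'  AND o.name NOT LIKE 'vw[_]%')
       OR (o.xtype = 'P'  AND (o.name NOT LIKE 'usp[_]%' OR o.name LIKE 'sp[_]%'))
       OR (o.xtype IN ('FN', 'IF', 'TF') AND o.name NOT LIKE 'fn[_]%'))
ORDER BY o.xtype, schema_name, o.name;
```

The first result set is the evidence for "what kinds of objects are in use"; the second is the exception list for the naming-convention part of the control, and its length after applying the real department standard is what the auditor reports.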
7.0 Audit
Columns: Control Objectives | Control | Guidance on Control/Background | Business Risk | Test Procedures | Exceptions
1. Control objective: Management should monitor functions or activities on the database.
   Control: Auditing is enabled and monitored on a regular basis.
   Guidance on control/background: Database auditing is the monitoring and recording of activities occurring within a database. You typically audit to ensure that no unauthorised users are removing data from the data dictionary or accessing tables they should not have the privileges to see. You may also want to audit specific tables to help determine the volume of access occurring at peak times.
   Business risk: The absence of recording important events in the database increases the risk that unauthorised system actions, such as deleting or modifying sensitive data, or access attempts may not be identified and resolved in a timely manner. Further, auditing can be useful for gathering historical data for particular database activities.
   Test procedures: 1. Discuss with the administrator if the audit function within SQL Server is being utilised. 2. Confirm this by reviewing the Logging query to determine if the correct parameter has been set.
2. Control objective: Management should monitor privileged activities on the database.
   Control: Auditing is enabled and monitored on a regular basis. System level or privileged auditing.
   Guidance on control/background: There are several different types of auditing forms. One of these is using the system administrator privileges.
   Business risk: Auditing actions undertaken by persons reduces the likelihood of inappropriate use.
   Test procedures: 1. List all the audit options set for all system privileges in the database:
      use msdb
   2. Verify that the use of all sensitive system privilege commands are audited.
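The "Logging query" in test 1.2 and the "audit options" query in test 2.1 are not reproduced in the program (the latter survives only as the opening `use msdb`). The following T-SQL is an added example, not the program's own query, of how an auditor can read the relevant settings directly. It assumes that the "Logging" parameter of test 1.2 refers to the instance's login audit level, that the instance is SQL Server 2005 or later, and that the SQL Server Audit catalog views (2008 and later) are available for the privileged-activity check in test 2; on older instances the last query simply fails and the `xp_loginconfig` and `sys.configurations` results are what the test can rely on.

```sql
-- Added example: audit settings for 7.0 tests 1.2, 2.1 and 2.2.
-- Assumes SQL Server 2005+; the sys.server_audit* views need 2008+.

-- 1. Login audit level (assumed to be the test's "Logging" parameter).
--    config_value should be 'failure' or 'all'; 'none' is the exception.
EXEC master.dbo.xp_loginconfig 'audit level';

-- 2. Instance-wide audit switches.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'c2 audit mode',
               N'common criteria compliance enabled',
               N'default trace enabled');

-- 3. SQL Server Audit objects: each audit, its target, whether it is enabled,
--    and the action groups its server specification captures.
SELECT a.name            AS audit_name,
       a.type_desc       AS audit_target,      -- FILE, APPLICATION LOG, SECURITY LOG
       a.is_state_enabled AS audit_enabled,
       s.name            AS specification_name,
       s.is_state_enabled AS spec_enabled,
       d.audit_action_name
FROM sys.server_audits AS a
LEFT JOIN sys.server_audit_specifications        AS s ON s.audit_guid = a.audit_guid
LEFT JOIN sys.server_audit_specification_details AS d
       ON d.server_specification_id = s.server_specification_id
ORDER BY a.name, s.name, d.audit_action_name;

-- 4. Test 2.2: are the action groups covering privileged activity enabled?
--    Each expected group is listed with whether an enabled audit captures it.
SELECT expected.action_group,
       CASE WHEN EXISTS (
              SELECT 1
              FROM sys.server_audit_specification_details AS d
              JOIN sys.server_audit_specifications AS s
                ON s.server_specification_id = d.server_specification_id
              JOIN sys.server_audits AS a ON a.audit_guid = s.audit_guid
              WHERE d.audit_action_name = expected.action_group
                AND s.is_state_enabled = 1
                AND a.is_state_enabled = 1)
            THEN 'audited' ELSE 'NOT audited' END AS status
FROM (VALUES (N'SERVER_ROLE_MEMBER_CHANGE_GROUP'),
             (N'SERVER_PERMISSION_CHANGE_GROUP'),
             (N'SERVER_PRINCIPAL_CHANGE_GROUP'),
             (N'DATABASE_ROLE_MEMBER_CHANGE_GROUP'),
             (N'AUDIT_CHANGE_GROUP'),
             (N'FAILED_LOGIN_GROUP')) AS expected(action_group)
ORDER BY expected.action_group;
```

The action groups in query 4 are the standard SQL Server Audit groups that record role and permission changes, principal changes, changes to the audit itself, and failed logins; which groups a given organisation must capture is a policy decision, so the list is a starting point for the auditor's comparison rather than the control's definition. `AUDIT_CHANGE_GROUP` matters for both rows of this section: without it, an administrator can disable auditing without leaving a record.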