
ACCESS CONTROLS
Designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the entity's data

RISKS
Corruption
Theft
Misuse
Destruction of data

USER VIEWS (SUBSCHEMA)
A subset of the total database that defines the user's data domain and provides that user's access to the database

DATABASE AUTHORIZATION TABLE
Contains the rules that limit the actions a user can take
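The two mechanisms above, a user view as a subschema and an authority table consulted before every read, as an added example (not code from the slides). It runs on SQLite so it works offline; the tables, the users 'sclerk' and 'dba', and the sample rows are constructed for the example.

```python
"""Added example, not from the slides: a user view acting as a subschema and
a database authority table enforced on every read. Built on SQLite so it
runs offline; the tables, users ('sclerk', 'dba') and rows are constructed."""
import sqlite3


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT,
            salary INTEGER, ssn TEXT);
        INSERT INTO employee VALUES
            (1, 'Ann',  'Sales',   52000, '111-11-1111'),
            (2, 'Bob',  'Sales',   48000, '222-22-2222'),
            (3, 'Cara', 'Finance', 91000, '333-33-3333');

        -- Subschema: the sales clerk's view is the subset of the database that
        -- defines that user's data domain (no salary or SSN, Sales rows only).
        CREATE VIEW v_sales_directory AS
            SELECT emp_id, name, dept FROM employee
            WHERE dept = 'Sales' ORDER BY emp_id;

        -- Authority table: rules that limit the actions a user can take.
        CREATE TABLE authority_table (
            user_id TEXT, object_name TEXT, action TEXT,
            PRIMARY KEY (user_id, object_name, action));
        INSERT INTO authority_table VALUES
            ('sclerk', 'v_sales_directory', 'SELECT'),
            ('dba',    'employee',          'SELECT'),
            ('dba',    'employee',          'UPDATE');
    """)
    return con


def is_authorized(con, user_id, object_name, action):
    """True only if the authority table holds a rule granting this action."""
    row = con.execute(
        "SELECT 1 FROM authority_table "
        "WHERE user_id = ? AND object_name = ? AND action = ?",
        (user_id, object_name, action),
    ).fetchone()
    return row is not None


def run_select(con, user_id, object_name):
    """Mediate every read through the authority table before it reaches data.

    object_name is interpolated only after it matched a stored rule, so it can
    only ever be one of the object names the DBA entered in the table."""
    if not is_authorized(con, user_id, object_name, "SELECT"):
        raise PermissionError(f"{user_id} may not SELECT from {object_name}")
    return con.execute(f"SELECT * FROM {object_name}").fetchall()


if __name__ == "__main__":
    db = build_db()
    print(run_select(db, "sclerk", "v_sales_directory"))  # Sales rows, no salary/SSN
    try:
        run_select(db, "sclerk", "employee")               # no rule -> refused
    except PermissionError as e:
        print("refused:", e)
```

The clerk's only rule names the view, so the base table with salaries and SSNs is never reachable through this path, and the authority table stays the single place an auditor has to read to know what each user can do.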

USER-DEFINED PROCEDURES
Allow the user to create a personal security program or routine that provides more positive user identification than a single password

BIOMETRIC DEVICES
Measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature characteristics

INFERENCE CONTROLS
To preserve the quality and confidentiality of the database, these controls should be in place to prevent users from inferring, through query features, specific data values that they are otherwise unauthorized to access.
Without them, database query features can give individual users access to confidential data to which they are normally denied access.

INFERENCE CONTROLS
Three types of compromise to the database:
Positive compromise: the user determines the specific value of a data item
Negative compromise: the user determines that a data item does not have a specific value
Approximate compromise: the user is unable to determine the exact value of an item but is able to estimate it with sufficient accuracy to violate the confidentiality of the data
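A minimal inference control for a statistical query interface, as an added example (not code from the slides): a query-set-size restriction that refuses any statistic whose query set is so small, or so close to the whole table, that it pins down an individual row. The sample employees and the threshold MIN_QUERY_SET are constructed for the example; it runs on SQLite so it works offline.

```python
"""Added example, not from the slides: a query-set-size inference control.
The employee rows and the MIN_QUERY_SET policy threshold are constructed."""
import sqlite3

MIN_QUERY_SET = 3  # assumed policy: a statistic must cover at least 3 rows
                   # and must leave at least 3 rows outside the query set


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
        -- constructed sample rows
        INSERT INTO employee VALUES
            (1, 'Ann', 'Sales',   52000), (2, 'Bob', 'Sales',   48000),
            (3, 'Cal', 'Sales',   50000), (4, 'Dee', 'Sales',   55000),
            (5, 'Eli', 'Sales',   45000), (6, 'Fay', 'Finance', 91000),
            (7, 'Gus', 'Finance', 87000), (8, 'Hal', 'HR',      60000);
    """)
    return con


def query_set(con, predicate):
    """Rows a statistical query would aggregate over; predicate gets a dict."""
    cur = con.execute("SELECT emp_id, name, dept, salary FROM employee")
    cols = [d[0] for d in cur.description]
    return [row for row in (dict(zip(cols, r)) for r in cur) if predicate(row)]


def raw_stat(con, predicate, stat):
    """No inference control: answers any statistical query it is given."""
    return stat(query_set(con, predicate))


def controlled_stat(con, predicate, stat):
    """Query-set-size control: refuse when the query set is smaller than
    MIN_QUERY_SET or leaves fewer than MIN_QUERY_SET rows out, since either
    lets the statistic reveal individual values."""
    selected = query_set(con, predicate)
    total = con.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    k = len(selected)
    if k < MIN_QUERY_SET or k > total - MIN_QUERY_SET:
        return None  # refused: the caller receives no statistic at all
    return stat(selected)


def salary_sum(rows):
    return sum(r["salary"] for r in rows)


def row_count(rows):
    return len(rows)


if __name__ == "__main__":
    con = build_db()
    hr = lambda r: r["dept"] == "HR"
    # Positive compromise: HR has one employee, so SUM(salary) over HR is that
    # person's exact salary. The raw interface answers; the control refuses.
    print(raw_stat(con, hr, salary_sum))                     # 60000
    print(controlled_stat(con, hr, salary_sum))              # None
    # Negative compromise: a count of 0 tells the user the HR employee does
    # not earn more than 70000. The query set is below threshold, so refused.
    high_hr = lambda r: hr(r) and r["salary"] > 70000
    print(raw_stat(con, high_hr, row_count))                 # 0
    print(controlled_stat(con, high_hr, row_count))          # None
    # A department-wide statistic over 5 of 8 rows is still answered.
    print(controlled_stat(con, lambda r: r["dept"] == "Sales", salary_sum))  # 250000
```

A size restriction is only the first layer: a sequence of allowed queries whose query sets overlap can still narrow a value (the approximate compromise above), so in practice the query log is retained and reviewed alongside this control, which is what the audit procedure for inference controls later on the page asks the auditor to confirm exists.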

AUDIT OBJECTIVE RELATING TO DATABASE ACCESS
Verify that database access authority and privileges are granted to users in accordance with their legitimate needs

AUDIT PROCEDURES FOR TESTING DATABASE ACCESS CONTROLS

Responsibility for Authority Tables and Subschemas
The auditor should verify that Database Administration (DBA) personnel retain exclusive responsibility for authority tables and for designing user views.
Three sources of evidence:
Company policy and job descriptions
Programmer authority tables for access privileges to data definition language (DDL) commands
Personal interviews with DBA programmers and personnel

Appropriate Access Authority
The auditor can select a sample of users and verify that the access privileges stored in the authority table are consistent with their job descriptions.
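The two tests above, a sample of users checked against their job descriptions and a check that DDL and authority-table privileges stay with DBA personnel, as an added example (not code from the slides). The job descriptions, the authority-table extract, the user ids and the object names are all constructed for the example.

```python
"""Added example, not from the slides: an auditor's sample test of the
authority table against job descriptions, plus a check that only DBA personnel
hold DDL and authority-table privileges. All users, jobs, objects and rows
below are constructed for the example."""

DDL_ACTIONS = {"CREATE", "ALTER", "DROP"}

# Constructed job descriptions: the (object, action) pairs each job calls for.
JOB_DESCRIPTIONS = {
    "payroll_clerk": {("payroll", "SELECT"), ("payroll", "UPDATE")},
    "sales_clerk":   {("v_sales_directory", "SELECT")},
    "programmer":    {("employee", "SELECT")},
    "dba":           {("employee", "SELECT"), ("employee", "ALTER"),
                      ("authority_table", "SELECT"), ("authority_table", "UPDATE")},
}

# Constructed extract of the authority table: (user_id, job, object, action).
AUTHORITY_TABLE = [
    ("u101", "payroll_clerk", "payroll",           "SELECT"),
    ("u101", "payroll_clerk", "payroll",           "UPDATE"),
    ("u102", "sales_clerk",   "v_sales_directory", "SELECT"),
    ("u102", "sales_clerk",   "payroll",           "SELECT"),  # beyond the job
    ("u103", "dba",           "employee",          "ALTER"),
    ("u103", "dba",           "authority_table",   "UPDATE"),
    ("u104", "programmer",    "employee",          "SELECT"),
    ("u104", "programmer",    "employee",          "ALTER"),   # DDL outside DBA
]


def privilege_exceptions(authority_rows, job_descriptions, sample):
    """Privileges held by sampled users that their job description does not
    call for, returned in authority-table order so each exception can be
    traced back to its row."""
    return [
        (user_id, job, obj, action)
        for user_id, job, obj, action in authority_rows
        if user_id in sample
        and (obj, action) not in job_descriptions.get(job, set())
    ]


def non_dba_ddl_or_authority_access(authority_rows):
    """Users outside DBA who can run DDL or modify the authority table, which
    the control objective reserves for DBA personnel."""
    return sorted({
        user_id
        for user_id, job, obj, action in authority_rows
        if job != "dba" and (action in DDL_ACTIONS or obj == "authority_table")
    })


if __name__ == "__main__":
    sample = {"u101", "u102", "u104"}  # the auditor's selected sample of users
    for exc in privilege_exceptions(AUTHORITY_TABLE, JOB_DESCRIPTIONS, sample):
        print("exception:", exc)
    print("non-DBA with DDL/authority access:",
          non_dba_ddl_or_authority_access(AUTHORITY_TABLE))
```

Each exception row is a privilege to be explained by the DBA or revoked; the second check runs over the whole table rather than the sample because a single non-DBA user who can edit the authority table undermines every other test on the page.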

AUDIT PROCEDURES FOR TESTING DATABASE ACCESS CONTROLS

Biometric Controls
The auditor should evaluate the costs and benefits of biometric controls, which are usually justified when very sensitive data are accessed by a limited number of users.

Inference Controls
The auditor should verify that database query controls exist to prevent unauthorized access through inference.

Encryption Controls
The auditor should verify that sensitive data are properly encrypted.
