
Chapter 4: Auditing Database Systems

Presented by: Group 2 402A

The Flat-File Approach

e.g., Figure 4.1 [p.131]

Disadvantages
- Data storage
- Data updating
- Currency of information
- Task-data dependency (limited access)

DATABASE APPROACH

e.g., Figure 4.2 [p.133]

How database approach eliminates the four disadvantages of flat files
- Data storage
- Data updates
- Currency of information
- Task-data dependency (limited access)

ELEMENTS OF THE DATABASE CONCEPT

Figure 4.3 [p.143]

Database Environment
- DBMS
- Users
- Database administrator
- Physical database

DBMS

Typical features
- Program development
- Backup and recovery
- Database usage reporting
- Database access

DBMS

Data definition language (DDL)

Views
- Internal / physical view
- Conceptual / logical view
- External / user view

USERS

Formal access: application interfaces
- Data manipulation language (DML)
- DBMS operations: 6 steps [Figure 4.4 p.135]

Informal access: query
- Define query
- SQL is the industry de facto standard query language
- Select, from, where commands
- Review Figure 4.5 [p.137] SQL process

DBA

Manages the database resources, Table 4.1 [p.138]
- Database planning
- Database design
- Database implementation
- Database operations & maintenance
- Change & growth

Data dictionary

Interactions [Figure 4.6]

PHYSICAL DATABASE

Data structures (see Table 4.2 p. 140)

Data organization
- Sequential
- Random

Data access methods

DATABASE MODELS
- Hierarchical
- Network
- Relational

HIERARCHICAL MODEL

Data Integration in the Hierarchical Model. [Figure 4.10]

Navigational Databases. [Figure 4.9]

Limitations:
- 1st rule [example: Figure 4.9]
- 2nd rule [Figure 4.11]

NETWORK MODEL

Similar to the Hierarchical Model (Navigational Database)


Distinction between the network model and hierarchical model is that the network model permits a child record to have multiple parents. [Figure 4.12]

RELATIONAL MODEL - TERMS

- Attributes (data fields): across the top of the table, forming columns.
- Tuples: intersecting the columns to form rows in the table.

RELATIONAL MODEL:

E. F. Codd originally proposed the principles of the relational model in the late 1960s. The most apparent difference between the relational model and the navigational models is the way in which data associations are represented to the user. The relational model portrays data in the form of two-dimensional tables. [Figure 4.13]

RELATIONAL MODEL: 2-dimensional

RELATIONAL MODEL:

Properly designed tables possess the following four characteristics:
- All occurrences at the intersection of a row and a column are a single value. No multiple values (repeating groups) are allowed.
- The attribute values in any column must all be of the same class.
- Each column in a given table must be uniquely named. However, different tables may contain columns with the same name.
- Each row in the table must be unique in at least one attribute. This attribute is the primary key.

RELATIONAL MODEL:
The linkages in the relational model are implicit. To illustrate this distinction, compare the file structures of the relational tables in Figure 4.14 with those of the hierarchical example in Figure 4.10.

DATABASES IN A DISTRIBUTED ENVIRONMENT

Centralized Databases [Figure 4.15]
- Data Currency in a DDP Environment

Distributed Databases
- Partitioned Databases [Figure 4.16]
- Replicated Databases [Figure 4.18]

Database in DDP

The problem with this approach is maintaining current versions of the database at each site.

Concurrency control
- Classified
- Time-stamps

DATABASES IN A DISTRIBUTED ENVIRONMENT

The Deadlock Phenomenon [Figure 4.17]

Deadlock Resolution.

CONTROLLING & AUDITING DBMS

Access controls
- User views / subschema [see Figure 4.20, p.156]
- Database authorization table [Table 4.3, p.157]
- User-defined procedures (mother's maiden name)
- Data encryption
- Biometric devices
- Inference controls (query), example (Table 4.4 p. 158)

CONTROLLING & AUDITING DBMS: Audit Procedures

AUDIT OBJECTIVE: Verify that database access authority and privileges are granted to users in accordance with legitimate needs.

Tables and subschemas
- Review policy and job descriptions
- Examine programmer authority tables for access to DDL
- Interview programmers and DBA

Appropriate access authority

Biometric controls

Inference controls

Encryption controls
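
The access-authority test above can be run as a reconciliation of the database authorization table against what each job description justifies. The following is an added example, not material from the presentation or the textbook; the users, roles, objects and the rule that DDL authority must be justified by the role are constructed assumptions.

```python
# Added example: reconcile an exported authorization table against role needs.
# All names and rows below are constructed sample data, not the textbook's Table 4.3.

# Privileges each role legitimately needs (assumed to come from policy and job descriptions).
ROLE_NEEDS = {
    "ar_clerk": {("customer", "read"), ("ar_ledger", "read"), ("ar_ledger", "insert")},
    "programmer": set(),          # assumption: no production data or DDL authority
    "dba": {("*", "ddl")},        # "*" means any object
}

# Which role each user holds (assumed to come from HR / job descriptions).
USER_ROLES = {"jones": "ar_clerk", "smith": "programmer", "lee": "dba"}

# Authorization table as exported from the DBMS: (user, object, action).
AUTH_TABLE = [
    ("jones", "customer", "read"),
    ("jones", "ar_ledger", "insert"),
    ("jones", "ar_ledger", "delete"),
    ("smith", "schema", "ddl"),
    ("lee", "schema", "ddl"),
    ("adams", "customer", "read"),
]


def permitted(role, obj, action):
    """True if the role's documented needs cover this object/action pair."""
    needs = ROLE_NEEDS.get(role, set())
    return (obj, action) in needs or ("*", action) in needs


def audit_grants(auth_table, user_roles):
    """Return one finding per grant that is not supported by a legitimate need."""
    findings = []
    for user, obj, action in auth_table:
        role = user_roles.get(user)
        if role is None:
            reason = "no job description on file"
        elif permitted(role, obj, action):
            continue
        elif action == "ddl":
            reason = "DDL authority not justified by role"
        else:
            reason = "exceeds role needs"
        findings.append((user, obj, action, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(AUTH_TABLE, USER_ROLES):
        print(finding)
```

Each finding is a lead for the interviews with programmers and the DBA, not a conclusion: the grant may be legitimate and the job description out of date.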

CONTROLLING & AUDITING DBMS: Flat-file and Database Controls

Backups
- Backup Controls in the Flat-File Environment
- Backup Controls in the Database Environment

CONTROLLING & AUDITING DBMS: Flat-File Controls

Backup Controls in the Flat-File Environment
- GPC Backup Technique (grandparent-parent-child) [Figure 4.21]
- Direct Access File Backup. [Figure 4.22]
- Off-Site Storage

CONTROLLING & AUDITING DBMS: Audit Procedures (Flat-File)

AUDIT OBJECTIVE: Verify that backup controls in place are effective in protecting data files from physical damage, loss, accidental erasure, and data corruption through system failures and program errors.

Audit Procedures for Testing Flat-File Backup Controls:
- Sequential File (GPC) Backup.
- Backup Transaction Files.
- Direct Access File Backup.
- Off-Site Storage.

CONTROLLING & AUDITING DBMS: Database Controls

Backup Controls in the Database Environment:
- Backup. [Figure 4.23]
- Transaction Log (Journal).
- Checkpoint Feature.
- Recovery Module.

CONTROLLING & AUDITING DBMS: Audit Procedures

AUDIT OBJECTIVE: Verify that controls over the data resource are sufficient to preserve the integrity and physical security of the database.

Audit Procedures for Testing Database Backup Controls:
- The auditor should verify that backup is performed routinely and frequently to facilitate the recovery of lost, destroyed, or corrupted data without excessive reprocessing.
- The auditor should verify that automatic backup procedures are in place and functioning, and that copies of the database are stored off-site for further security.

End of Presentation