What do you look for in a Database Audit?

  • Guys, my boss is asking me to come up with a simple document where we have SQL Server 2005 standards SAS70 compliant. I am not new to SQL Server but I never wrote anything like that. I know you will say, "it depends on..." or "everyone's different".. but not in this case, I can assure you. There are many DBAs out there who never had to face SAS, SOX, C2, etc. I, personally, don't even know where to begin such a document. I think other people will benefit too if you post such a document or at least show how to build one. Specifically, I am interested in Security and Configuration. I appreciate your help, very much,

    Boris.

    if one wants it.. one will justify it.

  • you might try here: http://www.sas70.com/faq/faq14.html

    And then post a new thread in the SQL Server 2005, Security forum asking for more info.

  • Again, being an auditor who does SAS 70's all the time, I will again say there is no "database compliance program" specified in the AICPA's guide to performing a SAS 70.

    If I were you, I'd read, very closely, the AICPA's standard objectives around security. Then I'd look at what's in scope for the SAS 70 (what business processes or applications), then assess whether or not the business controls in place make looking at the database in the first place relevant (is someone tying all system inputs to all system outputs? if so, database may not be irrelevant). If the database is still in scope...then, it's up to you to determine what's relevant, not the auditors.

    However, to be helpful, auditors tend to focus more on things like who has access to the database and if that access is highly restricted and consistent with segregation of duties (e.g., no developers, no business users - no one without a "need" to directly access the database). If you can establish access is highly restricted, other things might then matter - like how are changes made, how are things like the listener configured, what's the patch level, how is the OS configured to restrict access to non-binary configuration files.

    hope this helps.
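The access, patch-level and configuration points raised in the reply above map onto a handful of catalog queries on SQL Server 2005. The script below is an added example, not something posted in this thread; it assumes you run it as sysadmin (or with VIEW SERVER STATE / VIEW ANY DEFINITION) and repeat section 4 in each in-scope database. Its output is the kind of evidence an auditor asks for: who holds elevated access, what the patch level is, and which risky surface-area options are enabled.

```sql
-- Added audit-evidence script (not from the original thread).
-- Assumes SQL Server 2005 or later and a login allowed to read the server catalog.

-- 1. Patch level and edition: usually the first thing an auditor asks for.
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
       SERVERPROPERTY('ProductLevel')   AS ProductLevel,   -- e.g. RTM, SP1, SP2
       SERVERPROPERTY('Edition')        AS Edition;

-- 2. Members of fixed server roles (sysadmin first); every row needs a business justification.
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
ORDER BY CASE WHEN r.name = 'sysadmin' THEN 0 ELSE 1 END, r.name, m.name;

-- 3. All logins. SQL logins with policy or expiration checks off are a common finding.
SELECT p.name, p.type_desc, p.is_disabled,
       l.is_policy_checked, l.is_expiration_checked
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins    AS l ON l.principal_id = p.principal_id
WHERE p.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
ORDER BY p.type_desc, p.name;

-- 4. Database role membership: run in each in-scope database.
--    Developer and business accounts in db_owner / db_datawriter are what
--    the segregation-of-duties review is looking for.
SELECT DB_NAME() AS db, r.name AS db_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 5. Surface-area options auditors commonly flag; anything with value_in_use = 1
--    should be documented or turned off with sp_configure.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'remote access', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled', 'Database Mail XPs');
```

Save the result sets with a date stamp each time you run the script; a series of dated snapshots, plus a ticket for every change between them, is the "how are changes made" evidence the reply mentions.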
