
1. In Module 5, we learned what to look for when auditing database systems and storage systems. In general, let's consider both of these as information systems (databases store information and so do storage systems). In this activity you will have to consider the use of these systems in an organization and the importance of their associated audits.

Auditing Essays

You will prepare and submit a number of short papers assigned by the instructor. These auditing examples are an opportunity for you to analyze issues drawn from the reading for the module. Your written analysis will be approximately two to three pages in length. Assignments completed in a narrative essay or composition format must follow APA guidelines. This course will require students to use the citation and reference style established by the American Psychological Association (APA), and students should follow the guidelines set forth in Publication Manual of the American Psychological Association (6th ed.). (2010). Washington, D.C.: American Psychological Association.

In Module 2, we were introduced to the Turner Assembly Group. Take another look at the company network:

Turner Assembly Group Company Network

Additional network information:

Device details: Human Resources contains 6 computers, one printer, one WAP and one camera. Assembly floor contains 8 computers (two are in a break area kiosk for employee Internet access), two printers, four cameras and two WAPs. Management staff contains 8 computers, two printers, one WAP and one camera.

Human Resources, Assembly floor, and Management Staff are on separate VLANs.

Firewall provides URL filtering (blacklisted URLs denied) and active IDS.

All Internet browsing requests from internal LAN are proxied through the DMZ web server.

A full backup is performed on-site every Saturday, with differential backups on Tuesday and Thursday. Backup media is then removed to an off-site location.

Real-time backups of file changes are encrypted and uploaded to an external storage provider (Carbonite).

WAPs are protected by WPA2 encryption.

All files are stored on the NAS, including individual folders for staff files.

All computers are Windows 7 except the servers in the DMZ and internal LAN, which are Windows Server 2008.

No employees except IT administration have administrative access to their computers.

All computers run anti-virus software with current signatures and have their software firewalls enabled.

One of the application servers hosts Microsoft SQL Server.

The various Access databases used in the organization (HR employee database, contracts database, and inventory database) are stored on the NAS. The NAS capacity is 16 TB (16,000 GB) and is only 20% full. It is a RAID5 system using multiple 2 GB drives with two hot spares available.

Other information that may pertain:

The company does not accept or process credit card information so there is no need for PCI compliance.

The company does maintain personal health records for its employees.

These records are stored in an encrypted format and transmitted via VPN when necessary.

The company has never undergone an IT audit. There have been no external or internal penetration tests. The IT administrator does, however, run weekly vulnerability scans on all computers on the network.

No security awareness training has been provided to any of the employees.

Employees are allowed to use their own mobile devices on the company network.

In your essay, please respond to the following:

How do the auditing steps presented in the database and storage auditing chapters align with the Turner company network?

Does anything in the network architecture or additional information provided raise any red flags in terms of auditing?

What information would the audit team need from the IT security administrator in order to complete the audit?

See the Course Calendar for the due date.

Compose your work using a word processor (or other software as appropriate) and save it frequently to your computer. Be sure to check your work and correct any spelling or grammatical errors before you upload it.

When you are ready to submit your work, click "Browse My Computer" and find your file. Once you have located your file, click "Open" and, if successful, the file name will appear under the Attached files heading. Scroll to the bottom of the page and click "Submit."

Reference

Davis, C., Schiller, M., & Wheeler, K. (2011). IT auditing using controls to protect information assets (2nd ed.). New York, NY: McGraw-Hill Companies.

Auditing Databases

Checklist for Auditing Databases

1. Obtain the database version and compare it against policy requirements. Verify that the database is running a version the vendor continues to support.

2. Verify that policies and procedures are in place to identify when a patch is available and to apply the patch. Ensure that all approved patches are installed per your database management policy.

3. Determine whether a standard build is available for new database systems and whether that baseline has adequate security settings.

4. Ensure that access to the operating system is properly restricted.

5. Ensure that permissions on the directory in which the database is installed, and the database files themselves, are properly restricted.

6. Ensure that permissions on the registry keys used by the database are properly restricted.

7. Review and evaluate procedures for creating user accounts and ensuring that accounts are created only when there's a legitimate business need. Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.

8. Check for default usernames and passwords.

9. Check for easily guessed passwords.

10. Check that password management capabilities are enabled.

11. Verify that database permissions are granted or revoked appropriately for the required level of authorization.

12. Review database permissions granted to individuals instead of groups or roles.

13. Ensure that database permissions are not implicitly granted incorrectly.

14. Review dynamic SQL executed in stored procedures.

15. Ensure that row-level access to table data is implemented properly.

16. Revoke PUBLIC permissions where not needed.

17. Verify that network encryption is implemented.

18. Verify that encryption of data at rest is implemented where appropriate.

19. Verify the appropriate use of database auditing and activity monitoring.

20. Evaluate how capacity is managed for the database environment to support existing and anticipated business requirements.

21. Evaluate how performance is managed and monitored for the database environment to support existing and anticipated business requirements.
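
As an added example (not from the assignment or the Davis, Schiller and Wheeler text), the queries below show how an auditor could collect evidence for steps 1, 8 to 10, 12 and 16 on the Microsoft SQL Server instance named in the network description. They assume T-SQL, a login permitted to read password hashes in sys.sql_logins, and that the step 12 and step 16 queries are run inside each database under review.

```sql
-- Step 1: version, patch level and edition to compare against policy and vendor support.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- Steps 8-10: SQL logins with a blank password, a password equal to the
-- login name, or password policy / expiration enforcement switched off.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       PWDCOMPARE('', password_hash)   AS blank_password,
       PWDCOMPARE(name, password_hash) AS password_equals_name
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- Step 12: permissions granted directly to individual users instead of roles
-- (current database; the CONNECT grant every user holds is excluded).
SELECT pr.name AS grantee,
       pr.type_desc,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.type IN ('S', 'U')          -- SQL users and Windows users, not groups or roles
  AND pe.permission_name <> 'CONNECT'
ORDER BY pr.name, pe.permission_name;

-- Step 16: permissions held by PUBLIC on user-created objects.
SELECT OBJECT_SCHEMA_NAME(o.object_id) AS schema_name,
       o.name AS object_name,
       pe.state_desc,
       pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o
  ON o.object_id = pe.major_id
WHERE pr.name = 'public'
  AND pe.class = 1                   -- object or column level
  AND o.is_ms_shipped = 0;
```

Any row returned by the second and fourth queries is a finding to raise with the IT administrator; rows from the third query need a documented business justification for each direct grant.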

Checklist for Auditing Storage

1. Document the overall storage management architecture, including the hardware and supporting network infrastructure.

2. Obtain the software version and compare it against policy requirements.

3. Verify that policies and procedures are in place to identify when a patch is available and to evaluate and apply applicable patches. Ensure that all approved patches are installed per your policy.

4. Determine what services and features are enabled on the system and validate their necessity with the system administrator.

5. Review and evaluate procedures for creating administrative accounts and ensuring that accounts are created only when there's a legitimate business need. Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.

6. Evaluate the process and policies used for granting and revoking access to storage.

7. Evaluate how capacity is managed for the storage environment to support existing and anticipated business requirements.

8. Evaluate how performance is managed and monitored for the storage environment to support existing and anticipated business requirements.

9. Evaluate the policies, processes, and controls for data backup frequency, handling, and remote storage.

10. Verify that encryption of data-at-rest is implemented where appropriate.

11. Verify that network encryption of data-in-motion is implemented where appropriate.

12. Evaluate the low-level and technical controls in place to segregate or firewall highly sensitive data from the rest of the storage environment.

13. Review and evaluate system administrator procedures for security monitoring.

14. Perform the steps from Chapter 4, Auditing Data Centers and Disaster Recovery, as they pertain to the system you are auditing.
