Auditing database systems and storage systems

Reference no: EM13925305

1. In Module 5, we learned what to look for when auditing database systems and storage systems. In general, let's consider both of these as information systems (databases store information, and so do storage systems). In this activity you will have to consider the use of these systems in an organization and the importance of their associated audits.

Auditing Essays

You will prepare and submit a number of short papers assigned by the instructor. These auditing examples are an opportunity for you to analyze issues drawn from the reading for the module. Your written analysis will be approximately two to three pages in length. Assignments completed in a narrative essay or composition format must follow APA guidelines. This course requires students to use the citation and reference style established by the American Psychological Association (APA), and students should follow the guidelines set forth in the Publication Manual of the American Psychological Association (6th ed., 2010, Washington, D.C.: American Psychological Association).

In Module 2, we were introduced to the Turner Assembly Group. Take another look at the company network:

Turner Assembly Group Company Network

Additional network information:

Device details: Human Resources contains 6 computers, one printer, one WAP and one camera. Assembly floor contains 8 computers (two are in a break-area kiosk for employee Internet access), two printers, four cameras and two WAPs. Management staff contains 8 computers, two printers, one WAP and one camera.

Human Resources, Assembly floor, and Management Staff are on separate VLANs.

Firewall provides URL filtering (blacklisted URLs denied) and active IDS.

All Internet browsing requests from internal LAN are proxied through the DMZ web server.

A full backup is performed on-site every Saturday, with differential backups on Tuesday and Thursday. Backup media is then removed to an off-site location.

Real-time backups of file changes are encrypted and uploaded to an external storage provider (Carbonite).

WAPs are protected by WPA2 encryption.

All files are stored on the NAS, including individual folders for staff files.

All computers are Windows 7 except the servers in the DMZ and internal LAN, which are Windows Server 2008.

No employees except IT administration have administrative access to their computers.

All computers run anti-virus software with current signatures and have their software firewalls enabled.

One of the application servers hosts Microsoft SQL Server.

The various Access databases used in the organization (HR employee database, contracts database, and inventory database) are stored on the NAS. The NAS capacity is 16 TB (16,000 GB) and is only 20% full. It is a RAID5 system using multiple 2 GB drives with two hot spares available.

Other information that may pertain:

The company does not accept or process credit card information so there is no need for PCI compliance.

The company does maintain personal health records for its employees.

These records are stored in an encrypted format and transmitted via VPN when necessary.

The company has never undergone an IT audit. There have been no external or internal penetration tests. The IT administrator does, however, run weekly vulnerability scans on all computers on the network.

No security awareness training has been provided to any of the employees.

Employees are allowed to use their own mobile devices on the company network.

In your essay, please respond to the following:

How do the auditing steps presented in the database and storage auditing chapters align with the Turner company network?

Does anything in the network architecture or additional information provided raise any red flags in terms of auditing?

What information would the audit team need from the IT security administrator in order to complete the audit?

See the Course Calendar for the due date.

Compose your work using a word processor (or other software as appropriate) and save it frequently to your computer. Be sure to check your work and correct any spelling or grammatical errors before you upload it.

When you are ready to submit your work, click "Browse My Computer" and find your file. Once you have located your file, click "Open" and, if successful, the file name will appear under the Attached files heading. Scroll to the bottom of the page and click "Submit."

Reference

Davis, C., Schiller, M., & Wheeler, K. (2011). IT auditing using controls to protect information assets (2nd ed.). New York, NY: McGraw-Hill Companies.

Auditing Databases

Checklist for Auditing Databases

1. Obtain the database version and compare it against policy requirements. Verify that the database is running a version the vendor continues to support.

2. Verify that policies and procedures are in place to identify when a patch is available and to apply the patch. Ensure that all approved patches are installed per your database management policy.

3. Determine whether a standard build is available for new database systems and whether that baseline has adequate security settings.

4. Ensure that access to the operating system is properly restricted.

5. Ensure that permissions on the directory in which the database is installed, and the database files themselves, are properly restricted.

6. Ensure that permissions on the registry keys used by the database are properly restricted.

7. Review and evaluate procedures for creating user accounts and ensuring that accounts are created only when there's a legitimate business need. Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.

8. Check for default usernames and passwords.

9. Check for easily guessed passwords.

10. Check that password management capabilities are enabled.

11. Verify that database permissions are granted or revoked appropriately for the required level of authorization.

12. Review database permissions granted to individuals instead of groups or roles.

13. Ensure that database permissions are not implicitly granted incorrectly.

14. Review dynamic SQL executed in stored procedures.

15. Ensure that row-level access to table data is implemented properly.

16. Revoke PUBLIC permissions where not needed.

17. Verify that network encryption is implemented.

18. Verify that encryption of data at rest is implemented where appropriate.

19. Verify the appropriate use of database auditing and activity monitoring.

20. Evaluate how capacity is managed for the database environment to support existing and anticipated business requirements.

21. Evaluate how performance is managed and monitored for the database environment to support existing and anticipated business requirements.
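The following T-SQL queries are an added worked example of how an auditor could gather evidence for several of the checklist items above from the Microsoft SQL Server instance hosted on one of the Turner application servers. They are not from the course, the page, or Davis et al.; they assume SQL Server 2008 or later (matching the Windows Server 2008 hosts described above), a login holding sysadmin (or at least VIEW SERVER STATE and VIEW DEFINITION; without CONTROL SERVER the password_hash column is NULL and the blank-password check returns 'set'), and that the database-scoped queries are repeated under `USE <database_name>;` for each database in scope. The example goes slightly beyond the list by also reporting sysadmin membership at the server level, since that is where item 11 has to start.

```sql
-- Added audit queries for SQL Server (2008 or later); not from the page or Davis et al.
-- Run in SSMS as a login holding sysadmin (or at least VIEW SERVER STATE and
-- VIEW DEFINITION). Database-scoped queries run against the current database:
-- repeat them after USE <database_name>; for each database in scope.
-- Item numbers refer to "Checklist for Auditing Databases" above.

-- Item 1: version, service-pack level and edition, to compare with policy and
-- with the vendor's support lifecycle.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS service_pack,
       SERVERPROPERTY('Edition')        AS edition;

-- Items 8-10: state of SQL logins. principal_id = 1 is the built-in 'sa' login
-- even if it has been renamed; is_policy_checked / is_expiration_checked show
-- whether Windows password policy is enforced; PWDCOMPARE flags a blank password.
SELECT name,
       principal_id,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'BLANK' ELSE 'set' END AS password_state
FROM sys.sql_logins
ORDER BY principal_id;

-- Item 11 (server level): who holds sysadmin. Every member has unrestricted
-- access to every database on the instance and should be justified by job role.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Item 12: database permissions granted directly to individual users
-- (SQL users 'S' and Windows users 'U') rather than to roles or Windows groups.
SELECT dp.name AS grantee, dp.type_desc, pe.class_desc, pe.permission_name,
       pe.state_desc, OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.type IN ('S', 'U')
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name, pe.permission_name;

-- Item 16: permissions held by PUBLIC, which every principal inherits.
-- Server-level defaults (VIEW ANY DATABASE, CONNECT on endpoints) are expected;
-- anything beyond those, and any database-level grant, needs a business reason.
SELECT 'server' AS scope, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS sp ON sp.principal_id = pe.grantee_principal_id
WHERE sp.name = 'public'
UNION ALL
SELECT 'database', pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = 'public';

-- Item 14: modules that build and execute dynamic SQL. The LIKE patterns are a
-- heuristic that produces a review list; each hit is then read for
-- unparameterised string concatenation of user-supplied values.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name,
       o.type_desc
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE m.definition LIKE '%EXEC(%'
   OR m.definition LIKE '%EXEC (%'
   OR m.definition LIKE '%EXECUTE(%'
   OR m.definition LIKE '%EXECUTE (%'
   OR m.definition LIKE '%sp_executesql%'
ORDER BY schema_name, module_name;

-- Item 17: how many current client connections are encrypted in transit.
SELECT encrypt_option, COUNT(*) AS connections
FROM sys.dm_exec_connections
GROUP BY encrypt_option;

-- Item 18: transparent data encryption status per database
-- (encryption_state 3 = encrypted; NULL = no database encryption key present).
SELECT d.name, d.is_encrypted, ek.encryption_state
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS ek ON ek.database_id = d.database_id
ORDER BY d.name;

-- Item 19: SQL Server Audit objects and the server-level specifications bound
-- to them; an audit that exists but is not enabled records nothing.
SELECT a.name AS audit_name, a.is_state_enabled AS audit_enabled,
       s.name AS specification_name, s.is_state_enabled AS spec_enabled
FROM sys.server_audits AS a
LEFT JOIN sys.server_audit_specifications AS s ON s.audit_guid = a.audit_guid;
```

The result sets are evidence, not conclusions: a disabled `sa` with policy checks on, no direct user grants, no PUBLIC grants beyond the defaults, an empty dynamic-SQL list and an enabled audit are what the auditor expects to see; each deviation becomes a finding to be discussed with the IT administrator against the company's own database management policy.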

Checklist for Auditing Storage

1. Document the overall storage management architecture, including the hardware and supporting network infrastructure.

2. Obtain the software version and compare it against policy requirements.

3. Verify that policies and procedures are in place to identify when a patch is available and to evaluate and apply applicable patches. Ensure that all approved patches are installed per your policy.

4. Determine what services and features are enabled on the system and validate their necessity with the system administrator.

5. Review and evaluate procedures for creating administrative accounts and ensuring that accounts are created only when there's a legitimate business need. Also review and evaluate processes for ensuring that accounts are removed or disabled in a timely fashion in the event of termination or job change.

6. Evaluate the process and policies used for granting and revoking access to storage.

7. Evaluate how capacity is managed for the storage environment to support existing and anticipated business requirements.

8. Evaluate how performance is managed and monitored for the storage environment to support existing and anticipated business requirements.

9. Evaluate the policies, processes, and controls for data backup frequency, handling, and remote storage.

10. Verify that encryption of data-at-rest is implemented where appropriate.

11. Verify that network encryption of data-in-motion is implemented where appropriate.

12. Evaluate the low-level and technical controls in place to segregate or firewall highly sensitive data from the rest of the storage environment.

13. Review and evaluate system administrator procedures for security monitoring.

14. Perform the steps from Chapter 4, Auditing Data Centers and Disaster Recovery, as they pertain to the system you are auditing.
