DB2 Audit Plan

Objective:

Our audit will include a review of security, administration, change management, and disaster recovery. Its purpose is to identify opportunities for improvement that may affect security, availability, and compliance with HIPAA privacy regulations.

Background:

  • [Your Company Name] currently utilizes over ### databases, which are contained in ### subsystems (DB2 instances).
  • Approximately ### applications and application components are associated with DB2 databases.
  • The majority of these databases contain XXX type data and/or sensitive corporate information.
  • Among the systems relying on DB2 databases are System 1, System 2, and System 3.

To date, no thorough and detailed assessment of the DB2 DBMS is known to have been performed.

Miscellaneous:

  • Keep in mind that the DB2 environment is across Mainframe and Client-Server.
  • Keep in mind that we are looking for proper controls, not necessarily documentation.
  • The majority of these databases contain XXXX type data.

Areas of Responsibility to Investigate:

DBA

Configuration and Installation Settings
HIPAA Implications / Sarbanes Implications
Why Investigate: Installation and configuration settings are critical to the security and performance of a DBMS.
What to Expect: A standard approach to installing and configuring all of the DB2 databases. Their settings will be consistent across the servers. If the settings do vary, there will be documentation for the deviation.
How to Investigate: We will obtain the configuration and installation settings from the servers and verify that they are consistent across servers and consistent with the appropriate documentation.
Performance – Capacity Planning
HIPAA Implications / Sarbanes Implications
Why Investigate: Capacity planning is critical to the continued success of [Your Company Name]’s technological movement. We need to establish the capacity of our servers. In addition, we need to continuously monitor the servers for key performance factors. If the servers have problems, someone should be notified as soon as possible.
What to Expect: We expect to find some type of systematic approach to load testing on the servers. We also expect to find a systematic approach to monitoring the servers for performance; if performance falls outside of a predetermined range, a notice will be delivered to the appropriate parties for immediate attention.
How to Investigate: We will obtain information on their systematic approach to load testing the servers and review it for effectiveness. We also expect to see a list of the performance monitors in use. We will also look at the thresholds set for the performance monitors, as well as who is notified if a performance monitor finds an exception.

DBA Change Control – DB Object Management (Tables, Stored Procedures, etc.)
HIPAA Implications / Sarbanes Implications
Why Investigate: DB objects are where the data is actually housed or manipulated. These items are critical to the data, which is critical to the applications.
What to Expect: We expect to find documented processes for the addition of new DB objects and the modification of existing DB objects. There may also be a section on “emergency” modifications that do not necessarily follow the normal process.
How to Investigate: We will check for documentation on these procedures and then review the permissions associated with the creation and modification of DB objects. We will examine some of the additions and changes that have been made to the DB objects and see if the procedures were followed.

DBA Change Control – DB Settings
HIPAA Implications / Sarbanes Implications
Why Investigate: DB settings are critical to the stability of a database. Any changes to these settings must be strictly monitored.
What to Expect: We expect to find a standard approach to changing settings on all of the DB2 databases.
How to Investigate: We will evaluate the documentation for effectiveness and check that the permissions are consistent with the procedures.

DBA Change Control – Monitoring
HIPAA Implications / Sarbanes Implications
Why Investigate: Monitoring DBA changes is critical to the overall stability of the DBMS.
What to Expect: We expect to find a standard approach to monitoring all changes to the DB (objects, configs, data, etc.).
How to Investigate: We will check the output of the monitoring system for effectiveness and timely review.

Support Methodology – Break/Fix
HIPAA Implications / Sarbanes Implications
Why Investigate: How does the change control process affect the support methodology? Does it still apply in emergency break/fix situations?
What to Expect: We expect to find a standard approach to monitoring all changes to the DB (objects, configs, data, etc.). There should also be a set of procedures for handling break/fix items on an emergency basis.
How to Investigate: We will check for documentation, processes, or procedures and check for adherence.

Audit Trails (Data and DB Software) – Management
HIPAA Implications / Sarbanes Implications
Why Investigate: Audit trails are very beneficial in tracking down problems, changes, etc. We need to see if they are utilizing audit logs and how they are managing them (pulling the right data, data overload, etc.).
What to Expect: We expect to find that audit logs are used at a minimum, if at all.
How to Investigate: Through interviews, we will determine if they are formally using audit logs.

Audit Trails (Data and DB Software) – Filters
HIPAA Implications / Sarbanes Implications
Why Investigate: Audit logs can be handled in many different ways, from efficiently to inefficiently. If the logs are being compiled, it’s important that they are used correctly.
What to Expect: Typically, if audit trails are utilized, they are used to pull far more data than is necessary. We expect that if the data is being collected, it is being “dumped” and not filtered, categorized, etc.
How to Investigate: Through interviews, determine if they use logs and, if so, whether they filter their findings.

Audit Trails (Data and DB Software) – Configuration
HIPAA Implications / Sarbanes Implications
Why Investigate: Audit trails are important not only for changes to data and objects, but also for changes to configuration.
What to Expect: We expect to find that audit trails for configuration changes are not being used.
How to Investigate: Through interviews, we will determine if they audit configuration changes and, if so, to what extent.

Patches and Updates
HIPAA Implications / Sarbanes Implications
Why Investigate: Patches and updates are critical to the stability of software.
What to Expect: We expect to find a process in place that allows the department to be alerted to new patches and updates for their architecture (OS, DB, any hardware, etc.). There will also be a systematic approach to evaluate and, if needed, implement the changes.
How to Investigate: Verify through interviews that they have a process, and check its adherence and effectiveness.

Policies and Procedures – Documentation
HIPAA Implications / Sarbanes Implications
Why Investigate: Policies and procedures are very helpful in maintaining an organized, systematic, and sophisticated system.
What to Expect: We expect to find some limited documentation, specifically for security.
How to Investigate: Through interviews, we will investigate whether they have any policies and procedures.
Owners: Identify the owners of the documentation.

Disaster Recovery – Data
HIPAA Implications / Sarbanes Implications
Why Investigate: Disaster recovery is critical to the integrity of our valuable data.
What to Expect: We expect to find detailed information on the disaster recovery procedures for the “data” in the database.
How to Investigate: Review the information provided for effectiveness.

Disaster Recovery – Database
HIPAA Implications / Sarbanes Implications
Why Investigate: Disaster recovery is critical to the stability of our valuable systems.
What to Expect: We expect to find detailed information on the disaster recovery procedures for the database itself.
How to Investigate: Review the information provided for effectiveness.

Disaster Recovery – Other
HIPAA Implications / Sarbanes Implications
Why Investigate: Disaster recovery is critical to the overall effectiveness of our systems.
What to Expect: We expect to find detailed information on the disaster recovery procedures for the servers, system, etc.
How to Investigate: Review the information provided for effectiveness.

Security Administration

User Access – (NT, RACF, ACF2, Other)
HIPAA Implications / Sarbanes Implications
Why Investigate: User access is a critical piece of the security model for the database. This is what allows someone to view data.
What to Expect: We expect to see that users must be authenticated via another mechanism before being granted access to the DB2 database.
How to Investigate: Check that there is no DB-level authentication; all users should authenticate through NT, RACF, ACF2, etc.
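As an added example (not part of the original plan), the following Python script implements the two checks described in the Configuration and Installation Settings item above and in this User Access item for the client-server (DB2 LUW) instances: it parses captured `db2 get dbm cfg` output per server, reports any parameter whose value departs from the value most servers share unless the deviation is on a documented-deviations register, and flags any instance whose AUTHENTICATION setting is CLIENT (the connecting client, rather than the server's operating system or security manager, is trusted to authenticate). The server names, the sample excerpts, and the deviation register are constructed for the example.

```python
import re
from collections import Counter

# `db2 get dbm cfg` prints one parameter per line in the form
#   " Database manager authentication   (AUTHENTICATION) = SERVER"
PARAM_RE = re.compile(r"\(([A-Z0-9_]+)\)\s*=\s*(.*?)\s*$")

# Constructed excerpts standing in for captured output (not real servers).
SAMPLE_OUTPUT = {
    "db2prod1": " Database manager authentication   (AUTHENTICATION) = SERVER\n"
                " Trust all clients                 (TRUST_ALLCLNTS) = YES\n"
                " Diagnostic error capture level    (DIAGLEVEL) = 3\n",
    "db2prod2": " Database manager authentication   (AUTHENTICATION) = SERVER\n"
                " Trust all clients                 (TRUST_ALLCLNTS) = YES\n"
                " Diagnostic error capture level    (DIAGLEVEL) = 4\n",
    "db2prod3": " Database manager authentication   (AUTHENTICATION) = CLIENT\n"
                " Trust all clients                 (TRUST_ALLCLNTS) = YES\n"
                " Diagnostic error capture level    (DIAGLEVEL) = 3\n",
}
# Deviations that have a change record on file (constructed register).
DOCUMENTED_DEVIATIONS = {("db2prod2", "DIAGLEVEL")}


def parse_dbm_cfg(text):
    """Return {PARAM: value} from text shaped like `db2 get dbm cfg` output."""
    return {m.group(1): m.group(2)
            for m in map(PARAM_RE.search, text.splitlines()) if m}


def find_deviations(configs, documented):
    """List (param, server, value) where a server departs from the value
    most servers share and no documented deviation covers it."""
    findings = []
    for param in sorted(set().union(*configs.values())):
        majority = Counter(c.get(param) for c in configs.values()).most_common(1)[0][0]
        for server, cfg in sorted(configs.items()):
            if cfg.get(param) != majority and (server, param) not in documented:
                findings.append((param, server, cfg.get(param)))
    return findings


def client_authentication(configs):
    """Servers where DB2 trusts the client to authenticate users instead of
    deferring to the server operating system / external security manager."""
    return sorted(s for s, c in configs.items() if c.get("AUTHENTICATION") == "CLIENT")


def audit(outputs=SAMPLE_OUTPUT, documented=DOCUMENTED_DEVIATIONS):
    configs = {server: parse_dbm_cfg(text) for server, text in outputs.items()}
    return find_deviations(configs, documented), client_authentication(configs)


if __name__ == "__main__":
    deviations, weak = audit()
    for param, server, value in deviations:
        print(f"undocumented deviation: {server} {param}={value}")
    for server in weak:
        print(f"client-side authentication enabled: {server}")
```

Replace the constructed excerpts with the real captured output of each instance and load the register from the change-management records; the logic is unchanged.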
User Access Documentation and Standards
HIPAA Implications / Sarbanes Implications
Why Investigate: User access is a critical piece of the security model for the database. This is what allows someone to view data.
What to Expect: We expect to find a formal system to request access. This system will have an approval and verification process.
How to Investigate: Through interviews, check on the model and processes they use. Verify that the process is being used and monitored.

Change Management – Terms and Transfers (cradle to grave)
HIPAA Implications / Sarbanes Implications
Why Investigate: This is usually a high-risk area in user access administration. As associates transfer to other departments, their access should reflect the change in privileges. The cradle-to-grave process maintains a user’s access from the day they enter the company until the day they are no longer with [Your Company Name].
What to Expect: Expect to find that there are policies and procedures surrounding this, but there may be associates who have privileges they shouldn’t have.
How to Investigate: Review their policies and procedures to see if they are being followed. We’ll review a couple of associates who have recently transferred or were terminated to verify the changes in privileges.

Change Management – Monitoring
HIPAA Implications / Sarbanes Implications
Why Investigate: This is an important part of the overall system of user administration. Monitoring is needed for approved and non-approved changes.
What to Expect: We would expect to find some procedure in place to get a listing of all user access changes and reconcile them back to the approvals that were submitted for access changes.
How to Investigate: Verify that the process they are using to monitor changes is adequate to catch all changes that might occur. If it is, then ensure that it is being monitored on a regular basis.

Disaster Recovery – Backup and Recovery
HIPAA Implications / Sarbanes Implications
Why Investigate: If something happens to the systems, it might be necessary to reconstruct user access changes that took place and were not restored.
What to Expect: We expect to find a well-organized system that would facilitate recreating permissions from a certain point in time.
How to Investigate: We will look at the policies and procedures surrounding user access changes. We will investigate whether the system would support a recovery process.

Disaster Recovery
HIPAA Implications / Sarbanes Implications
Why Investigate: This is the system that houses all of the user access changes. It must be recoverable in order to facilitate the recovery of user permission changes.
What to Expect: We expect to find a well-documented process for disaster recovery around this database.
How to Investigate: We will review the disaster recovery plan for effectiveness.

Name – section
HIPAA Implications / Sarbanes Implications
Why Investigate: Briefly list why to investigate.
What to Expect: Briefly list what you expect to find.
How to Investigate: Briefly list how you are going to investigate this item.