Application Review and Auditing Databases Quinn Gaalswyk, CISA Ted Wallerstedt, CISA, CIA Office of Internal Audit University of Minnesota

Application Controls - Agenda Introduction & Ice Breaker - 9:00 App. Best Practices - 9:10 App. Reports - 9:25 App. Control Recap – 9:30 Database Security – 9:45 Timesheets Scenario – 10:45 Adjourn – 11:30

Where were you in 1991?

Best Practices Apply defense-in-depth. Use a positive security model. Fail safely. Run with least privilege. Avoid security by obscurity.

Best Practices Keep security simple. Detect intrusions and keep logs. Never trust infrastructure and services. Establish secure defaults. Use open standards

Application Security – Reports Overview Quinn Gaalswyk, CISA Senior Information Systems Auditor University of Minnesota

Report Overview Reports should support functional activities o Management reports – tie to business need o Exception reports Pragmatic and useful

Report Auditing Confirm activity is writing to report o Test data and test environment o Obtain reports from production Interview functional user to confirm reports serve needs Confirm reports are reviewed

Application Reports and Controls Recap Quinn Gaalswyk, CISA Senior Information Systems Auditor University of Minnesota

Application Input Controls #1 REVIEW AND EVALUATE DATA INPUT CONTROLS Prevent #2 DETERMINE THE NEED FOR ERROR/EXCEPTION REPORTS RELATED TO DATA INTEGRITY, AND EVALUATE WHETHER THIS NEED HAS BEEN FULFILLED Detect

Application Interface Controls #3 REVIEW AND EVALUATE THE CONTROLS IN PLACE OVER DATA FEEDS TO AND FROM INTERFACING SYSTEMS.

Data Synchronization #4 IN CASES WHERE THE SAME DATA ARE KEPT IN MULTIPLE DATABASES AND/OR SYSTEMS, PERIODIC 'SYNC' PROCESSES SHOULD BE EXECUTED TO DETECT ANY INCONSISTENCIES IN THE DATA.

Authentication #7. DOES AN AUTHENTICATION METHOD EXIST? Way to access application #12. ARE THERE STRONG PASSWORD CONTROLS IN PLACE? Two Factor Single Sign-on

Session Timeout #14. ARE USERS LOGGED OUT WHEN INACTIVE?

User Provisioning & De- Provisioning #13. IS BUSINESS NEED VERIFIED BEFORE ACCESS IS GRANTED? Approval #11. ARE RIGHTS REMOVED WHEN NO LONGER NEEDED? Automated Removal

Authorization #8. IS AUTHENTICATION AND AUTHORIZATION REQUIRED FOR ACCESS? Type of access provided #10. IS THERE TRANSACTION APPROVAL IN THE APPLICATION? #16. CAN DEVELOPERS CHANGE PRODUCTION SYSTEMS?

Application Administration #9. IS THE ADMIN FUNCTION ADEQUATE? User Admin System Admin

Data Encryption #15. IS DATA PROTECTED IN TRANSIT AND AT REST? -Encrypted in all states

Application Audit Trail #5 REVIEW AND EVALUATE THE AUDIT TRAILS PRESENT IN THE SYSTEM AND THE CONTROLS OVER THOSE AUDIT TRAILS.

Data Traceability #6 THE SYSTEM SHOULD PROVIDE A MEANS TO TRACE A TRANSACTION OR PIECE OF DATA FROM THE BEGINNING TO THE END OF THE PROCESS ENABLED BY THE SYSTEM.