Published by Domenic Houston. Modified over 9 years ago.
1
Application Review and Auditing Databases
Quinn Gaalswyk, CISA
Ted Wallerstedt, CISA, CIA
Office of Internal Audit, University of Minnesota
2
Application Controls - Agenda
Introduction & Ice Breaker - 9:00
App. Best Practices - 9:10
App. Reports - 9:25
App. Control Recap - 9:30
Database Security - 9:45
Timesheets Scenario - 10:45
Adjourn - 11:30
3
Where were you in 1991?
4
Best Practices
Apply defense-in-depth.
Use a positive security model.
Fail safely.
Run with least privilege.
Avoid security by obscurity.
5
Best Practices
Keep security simple.
Detect intrusions and keep logs.
Never trust infrastructure and services.
Establish secure defaults.
Use open standards.
6
Application Security - Reports Overview
Quinn Gaalswyk, CISA
Senior Information Systems Auditor
University of Minnesota
7
Report Overview
Reports should support functional activities
o Management reports - tie to business need
o Exception reports
Pragmatic and useful
8
Report Auditing
Confirm activity is writing to the report
o Test data and test environment
o Obtain reports from production
Interview the functional user to confirm the reports serve their needs
Confirm the reports are reviewed
9
Application Reports and Controls Recap
Quinn Gaalswyk, CISA
Senior Information Systems Auditor
University of Minnesota
10
Application Input Controls
#1 Review and evaluate data input controls. (Prevent)
#2 Determine the need for error/exception reports related to data integrity, and evaluate whether this need has been fulfilled. (Detect)
11
Application Interface Controls
#3 Review and evaluate the controls in place over data feeds to and from interfacing systems.
12
Data Synchronization
#4 In cases where the same data are kept in multiple databases and/or systems, periodic 'sync' processes should be executed to detect any inconsistencies in the data.
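A minimal version of such a periodic sync check, added here as an example and not part of the presentation: two in-memory SQLite copies of a constructed employee table are compared by key, reporting records present on one side only and fields that disagree between the two systems.

```python
import sqlite3
from typing import Dict, Tuple

# Constructed sample data: the same employee records as held by two systems.
SYSTEM_A = [
    (1001, "Ada Lovelace", "Engineering", "active"),
    (1002, "Grace Hopper", "Research", "active"),
    (1003, "Alan Turing", "Research", "terminated"),
]
SYSTEM_B = [
    (1001, "Ada Lovelace", "Engineering", "active"),
    (1002, "Grace Hopper", "Finance", "active"),        # department drifted
    (1004, "Edsger Dijkstra", "Engineering", "active"),  # only present in B
]
COLUMNS = ("emp_id", "name", "department", "status")

def load(rows) -> sqlite3.Connection:
    """Load one system's copy of the data into an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (emp_id INTEGER PRIMARY KEY, "
                 "name TEXT, department TEXT, status TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", rows)
    return conn

def snapshot(conn: sqlite3.Connection) -> Dict[int, Tuple]:
    """Read the table back keyed by emp_id so the two copies can be compared."""
    query = "SELECT emp_id, name, department, status FROM employees"
    return {row[0]: row for row in conn.execute(query)}

def reconcile(a: Dict[int, Tuple], b: Dict[int, Tuple]) -> Dict[str, list]:
    """Report keys missing on either side and fields that differ for shared keys."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    mismatches = []
    for key in sorted(set(a) & set(b)):
        for col, va, vb in zip(COLUMNS[1:], a[key][1:], b[key][1:]):
            if va != vb:
                mismatches.append((key, col, va, vb))
    return {"only_in_a": only_a, "only_in_b": only_b, "mismatches": mismatches}

def run_sync_check() -> Dict[str, list]:
    """One scheduled run of the sync check over the two constructed copies."""
    return reconcile(snapshot(load(SYSTEM_A)), snapshot(load(SYSTEM_B)))

if __name__ == "__main__":
    for kind, items in run_sync_check().items():
        print(kind, items)
```

Each non-empty list in the result is an inconsistency an exception report should surface; an empty result is the evidence an auditor would expect from a healthy sync run.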
13
Authentication
#7. Does an authentication method exist? (Way to access the application)
#12. Are there strong password controls in place? (Two factor, single sign-on)
14
Session Timeout
#14. Are users logged out when inactive?
15
User Provisioning & De-Provisioning
#13. Is business need verified before access is granted? (Approval)
#11. Are rights removed when no longer needed? (Automated removal)
16
Authorization
#8. Are authentication and authorization required for access? (Type of access provided)
#10. Is there transaction approval in the application?
#16. Can developers change production systems?
17
Application Administration
#9. Is the admin function adequate? (User admin, system admin)
18
Data Encryption
#15. Is data protected in transit and at rest? (Encrypted in all states)
19
Application Audit Trail
#5 Review and evaluate the audit trails present in the system and the controls over those audit trails.
20
Data Traceability
#6 The system should provide a means to trace a transaction or piece of data from the beginning to the end of the process enabled by the system.