IT Security Audit Policy

Published by: chiragi on Jul 11, 2009
Copyright: Attribution Non-commercial
“The DBMS features that provide for security and integrity are Encryption, Views, Authorizations, and User-defined procedures”

Database security is generally classified under 3 headings:

- Physical security: protection against natural disaster, fire, flood, theft, malicious damage etc.
- Operational security: integrity, guarantee or protection (i.e. ensuring data is error free) and reliability (i.e. ensuring the maintenance of a correct and whole database).
- Authorisational security: ensuring the confidentiality of the database for both private and legal reasons.

IT Security & Audit Policy Page 73 of 91

Physical Security

- Locate the installation in geographically inert places, if possible.
- Install fire control mechanisms.
- Use security locks; routing entry to and exit from the installation through fixed monitoring points will minimise theft and damage risks.
- Secure external doors, windows, walls etc., or better, locate the installation in the centre of a building.

Operational Security

Protecting the integrity of the database, i.e. ensuring that the things that users do are correct.

The integrity of a database is measured by the rules which it must obey. Any given operation (an access, update, deletion etc.) is invalid if it violates the rules.
Many of the integrity constraints (rules) are associated with checking data items, e.g.:
- Correct domain for an attribute
- Type checking
- Limit checking
Other constraints are concerned with the relationships between records, e.g.:

- The parent record cannot be deleted while associated records exist in a one-to-many relationship.

Authorisational Security

The most important responsibility of the administrator is to secure data. Securing the database involves:

- Preventing unauthorised access to classified data.
- Preventing service engineers from accessing the data.
- Monitoring user access of data through auditing techniques.
- Using encryption techniques so that data is stored in 'coded' form. Anyone accessing the data needs to decrypt the data.
- Implementing views to limit users' access to those areas of the database that are permissible.
- Using program authorisation and passwords. Passwords can be applied at all levels.
- Applying authorisation rules:
  - Subject - WHO


  - Object - WHAT
  - Action - HOW
  - Constraint - LIMIT
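The integrity rules from the Operational Security section (domain, type and limit checks on data items, and the rule that a parent record cannot be deleted while child records exist) and the views bullet above are both things a DBMS can enforce in the schema rather than in application code. The following is an added example, not part of the policy document: a constructed employee/department schema in SQLite, with the CHECK and foreign-key constraints and a view that hides the confidential columns; the table, column and row values are all assumptions chosen for illustration.

```python
import sqlite3

# Constructed schema for illustration; not from the policy document.
SCHEMA = """
CREATE TABLE department (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    grade   TEXT    NOT NULL CHECK (grade IN ('A', 'B', 'C')),    -- domain check
    salary  INTEGER NOT NULL CHECK (typeof(salary) = 'integer'),  -- type check
    age     INTEGER NOT NULL CHECK (age BETWEEN 18 AND 65),       -- limit check
    -- one-to-many: a department cannot be deleted while employees reference it
    dept_id INTEGER NOT NULL REFERENCES department(dept_id) ON DELETE RESTRICT
);
-- View that exposes only non-confidential columns (no salary, no age).
CREATE VIEW employee_directory AS
    SELECT e.name, d.name AS department FROM employee e JOIN department d ON d.dept_id = e.dept_id;
"""

def open_db():
    """In-memory database with the schema and one constructed row per table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when on
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (1, 'Audit')")
    conn.execute("INSERT INTO employee VALUES (1, 'Alice', 'A', 50000, 40, 1)")
    conn.commit()
    return conn

def attempt(conn, sql):
    """Run one statement; return None if accepted, else the constraint error text."""
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.IntegrityError as err:
        conn.rollback()
        return str(err)

def enforcement_report():
    """Which invalid operations the database rejects, and what the view exposes."""
    db = open_db()
    return {
        "domain":    attempt(db, "INSERT INTO employee VALUES (2,'Bob','Z',40000,30,1)"),
        "type":      attempt(db, "INSERT INTO employee VALUES (3,'Cy','B','lots',30,1)"),
        "limit":     attempt(db, "INSERT INTO employee VALUES (4,'Di','B',40000,99,1)"),
        "fk_delete": attempt(db, "DELETE FROM department WHERE dept_id = 1"),
        "valid":     attempt(db, "INSERT INTO employee VALUES (5,'Eve','B',40000,30,1)"),
        "view_cols": [r[1] for r in db.execute("PRAGMA table_info(employee_directory)")],
        "view_rows": db.execute("SELECT * FROM employee_directory ORDER BY name").fetchall(),
    }
```

Each rejected statement returns the DBMS's own constraint error, while the valid insert returns None; a user granted access only to employee_directory never sees the salary or age columns.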
