Getting Your Databases Audit Ready

Rick Link, Managing Director

Your databases are perhaps the most sensitive targets for cybercriminals, because they are your company’s primary repository for confidential and proprietary data. Besides knowing what vulnerabilities exist on your perimeter network and on your internal systems, best practice requires you to manage and protect your databases from unauthorized access, whether intentional or otherwise.

Several weeks ago I sat down with journalist Ericka Chickowski from Dark Reading to discuss getting your databases ready for an IT audit. I wanted to share a few more details that I discussed with Ms. Chickowski about one of the initial steps an auditor will take once the database audit has been announced: requesting access to the organization’s IT policies, standards and procedures.

Policies should be authorized at the highest level in an organization, which establishes the tone that IT management requires for business practices and technology controls throughout the organization. Policy development aligned with the business strategy helps ensure the proper alignment of security controls and also drives what the technology standards and procedures look like. Policies are defined by the organization’s or department’s senior management and, once developed and approved, typically require minimal updates or enhancements; however, they should be reviewed and refreshed on an annual basis to incorporate new business and technology risks.

Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers, and that must be written and communicated to groups of people inside and outside the organization.

Standards are the required expectations for the configuration and parameter settings of database technologies, and they ensure consistency for security controls including encryption, file and field synchronization, integrity, logging, backups, replication and, naturally, access controls. Standards, like policies, require compliance; however, standards provide specific technical requirements, such as system design concepts, software interface mechanisms, and/or specific steps to be followed. Generally speaking, policies are intended to last for many years, while standards are intended to last for only a few years.

Procedures are the granular measures taken by people in their day-to-day jobs, like recycling a database, making a backup or whatever else it takes to administer database technologies efficiently and securely. Procedures are specific, and sometimes detailed, operational actions and/or methods that personnel must follow to achieve and complete a certain goal while working under the established policies and/or standards defined by management.

If these documents are not in order and periodically refreshed to address evolving business and technology risks, an organization may be failing to meet regulatory and compliance requirements. Failure to adhere to industry regulatory standards and requirements increases the organization’s exposure to potential penalties and fines, as well as negative publicity that may impact the company’s brand and client satisfaction. Every week there are news stories of database breaches in which credit cards were compromised, electronic healthcare records disclosed and financial records accessed.

Compliance is only the starting point when it comes to securing your systems and the databases where your critical data resides. Once you have completed an audit, the next step is to conduct a database assessment and/or an automated security configuration test, so I will follow soon with a discussion of these topics.

Rick Link