Audit Planning Memorandum for Database Environment Date| 02/04/2013| To| Audit Senior Management| School Board| Temple University| Prepared By| Shan Jiang| ————————————————- Background Types of RDBMS: MySQL 5.0 – an open-source database used extensively in small or medium-sized web applications.One of the simplest databases to secure from hacking because of the small attack surface it exposes Number of DB servers: 3 Business units rely on the DBs: Sales and Distribution, Financial Services, Procurement, and Accounts Receivable.
Organizational structure of the group who manages the DBs: Data Owner, system administrator, and database administrator.
1. 0 Internal Audit Objective and Scope 2. 1 Internal Audit Objective The objective of this review is to audit confidentiality, integrity, and availability of XYZ Company’s MySQL 5. 0 database environment. 2. 2 Internal Audit Scope and Approach The scope of this review includes an assessment of MySQL 5. 0 database environment. Specifically, this review will include: * Physical and administrative control Concurrent access controls * Change controls * Server configuration control * Database checkpoints * Schema Modifications * Redundancy elimination and relationship verification * Database restructuring * Data backup and disaster recovery plan 2. 3 Deliverables Audit deliverables will consist of the following: * Fieldwork documentation * Finding Issues * Audit draft report * Action plan and recommendation * Audit final report It is planned that the above deliverables will be delivered to you by 02/07/2013 for your review and subsequent discussion. . 0 High-Level Work Program Policy and standards, data backup and procedures, levels of access controls for data, data encryption, confidentiality, integrity, availability of data elements, database checkpoints at junctures, database reorganization, database restructuring procedures and write report. 3. 0 General Information 4. 4 Internal Audit Team The internal audit team, with roles and responsibilities, includes the following people: * Lua Li: associate, audit database basic step and general controls. *
Jia Meng: associate, audit database operating system security * Shan Jiang: associate, audit database accounts and permissions management * Zhou Zhou: senior associate, audit password strength and review database privileges * Chao Lang: senior associate, audit data encryption * Jia Yu: manager, verify database auditing and activity monitoring. 4. 5 Duration of Internal Audit The duration of this internal audit will be for one month commencing on 02/11/2013. 02/11/2013-02/15/2013 Planning 02/16/2013-02/20/2013 Fieldwork and documentation 2/21/2013-02/25/2013 Issue discovery and validation 02/26/2013-04/01/2013 Solution development 04/02/3013-04/07/2013 Report drafting and issuance 04/08/2013-04/11/2013 Final report and issue tracking It is anticipated that the fieldwork, working papers and drafting of deliverables will be completed by Internal Audit Team. 4. 6 Location of Internal Audit The location of the internal audit will be performed at XYZ Company. It is predicted that a site visit to XYZ Company will be conducted during the course of this review. 4. 7 Temple University Previous Audits Previous Audit Version: March 3, 2012
Previous Critical Findings: Developers have direct access to update production code without permission. Impact: It is fixed. The DBMS team implemented a baseline tool for protecting the production code. The ability to check new code into this tool will be limited to the DBA. The team also documented procedures requiring approval and testing prior to submitting new production code for check-in. 4. 8 Key Contacts Contact| Position| Department| E-mail| Contact No. | Jim Green| Database Administrator| IT| [email protected] com| 435-234-8899| Lucas Xiao| System Administrator| IT| [email protected] om| 123-324-3211| David Han| Database Developer| IT| [email protected] com| 876-123-1234| Ryan Li| System Analyst| IT| [email protected] com| 542-345-0989| Billy Zhou| Manager| IT| [email protected] com| 324-123-4321| 4. 0 High-Level Work Schedule Date| Task| Contact| 02/11/2013-02/15/2013| Verify policies and procedures about database version and available patches| David Han| 02/16/2013-02/20/2013| Determine baseline for adequate security setting and permissions on the directory and registry keys. | Ryan Li| 02/21/2013-02/25/2013| Verify legitimate accounts creation and password management capabilities. Jim Green| 02/26/2013-02/28/2013| Confidentiality, integrity, availability and encryption of data| Lucas Xiao| 03/01/2013-03/03/2013| Database checkpoints at junctures| Ryan Li| 03/04/2013-03/05/2013| Database reorganization| Lucas Xiao| 03/06/2013-03/08/2013| Database restructuring procedures| Jim Green| 03/09/2013-03/11/2013| Ready to report| Billy Zhou| 5. 0 Key concerns of management. Operating system administrators gains easy access to MySQL Server. SQL Server DBA’s has local administrator privileges on Windows. Data breaches that compromise IP or personal privacy. 6. 0 Manager Sign-off Billy Zhou 02/07/2013