Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Database Auditors

Posted on 2010-11-15
6
239 Views
Last Modified: 2012-05-10
My department (Database Unit) is scheduled to be audited in January 2011.  I've never be in this situation before, none have I done any database documentation.  

Please, what exactly do I need to get prepared for database auditing.

How is database documentation done?  

What needs to be documented for the auditing.

Any special template?

Please respond with detail steps.

Thanks
0
Comment
Question by:Favorable
6 Comments
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 334 total points
ID: 34136673
>> How is database documentation done?  

You can use these third party tools to get documentation done easily:

1. ApexSQL Doc (http://www.apexsql.com/sql_tools_doc.aspx)
2. RedGate SQL Doc (http://www.apexsql.com/sql_tools_doc.aspx)

>> what exactly do I need to get prepared for database auditing.

Database Auditing is nothing but confirming your database to be online with the standards defined for your organization.
If you have SQL Server 2008 or 2008 R2, then you can enforce all these standards using Policies and Facets which would alert you in case of any violations. Else you need to manually check for these kind of violations and correct it accordingly.
0
 
LVL 7

Expert Comment

by:Cboudroz
ID: 34137514
Normally its more about security.

Make sure your have a some rules wright down for security and that they can be confirm on the server:


ex:

List of DBA
List of Data reader
List of Data Writer
ALL User need to used Store procedure to access data
Sensitive data are encrypted (Credit card)
Difference between DEVELOPPEMENT server and production server.
Maintenance plan
...


0
 

Author Comment

by:Favorable
ID: 34138416
Do you have a script that will list all the user and privilleges assigned?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 23

Assisted Solution

by:Racim BOUDJAKDJI
Racim BOUDJAKDJI earned 166 total points
ID: 34139309
If the Auditors are MS, they will be conducting something called a SQLRAP and will be looking for several points among which *security*

Proceed by priority:

> Deploy a monitoring: install SCOM Management Pack for SQL Server.  Show you have things under control...
> Security: Take away BUILTIN/ADMIN from the logins.  Most auditors I have met perceive it as a major security threat
> Security: on your sensitive databases, reduce the numer of logins to the minimum;  Tell the auditors, you have ongoing projects to rectify previous poor security.  That will buy you time...
> Make sure your sensitive databases are backed up.  That way you can always say: Hey I know my database are not secured BUT I CAN restore them anytime if loose them...
> Break TEMPDB into as many files as there cores on the servers hosting them...Shows the auditor you are conscious about best practices...

The actions above are among the ones that will give you some respect from auditors...

Hope this helps...
0
 

Author Comment

by:Favorable
ID: 34140864
Will I need any special template or just word and excel?
0
 
LVL 57

Assisted Solution

by:Raja Jegan R
Raja Jegan R earned 334 total points
ID: 34141920
Steps to Audit DDL commands here:

http://www.mssqltips.com/tip.asp?tip=1006

Audit Logging through Profiler trace and Audit mode:

http://www.sqlmag.com/article/auditing/get-compliant-with-sql-server-2005-audit-logging.aspx

Best Practices Analyser (which would list you all possible violations):

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=da0531e4-e94c-4991-82fa-f0e3fbd05e63&displaylang=en
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question