Solved

Database Auditors

Posted on 2010-11-15
230 Views
Last Modified: 2012-05-10
My department (Database Unit) is scheduled to be audited in January 2011. I've never been in this situation before, nor have I done any database documentation.

Please, what exactly do I need to do to get prepared for database auditing?

How is database documentation done?

What needs to be documented for the auditing?

Any special template?

Please respond with detailed steps.

Thanks
Question by:Favorable
6 Comments
 
Accepted Solution by: Raja Jegan R (LVL 57, earned 334 total points)
>> How is database documentation done?  

You can use these third party tools to get documentation done easily:

1. ApexSQL Doc (http://www.apexsql.com/sql_tools_doc.aspx)
2. RedGate SQL Doc (http://www.apexsql.com/sql_tools_doc.aspx)

>> what exactly do I need to get prepared for database auditing.

Database auditing is nothing but confirming that your database is in line with the standards defined for your organization.
If you have SQL Server 2008 or 2008 R2, you can enforce all these standards using Policies and Facets, which will alert you in case of any violations. Otherwise you need to check manually for these kinds of violations and correct them accordingly.
 
Expert Comment by: Cboudroz (LVL 7)
Normally it's more about security.

Make sure you have some rules written down for security and that they can be confirmed on the server:

ex:

List of DBAs
List of data readers
List of data writers
All users need to use stored procedures to access data
Sensitive data is encrypted (credit cards)
Difference between DEVELOPMENT server and production server.
Maintenance plan
...


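The kind of script the checklist above needs, added here as an example (it is not code from any of the posters): it inventories every server login with its fixed server roles, then walks each online database and records its users, the login each maps to, database role memberships (so the db_datareader / db_datawriter / db_owner lists fall out directly) and explicit object permissions, which also exposes users who bypass stored procedures through direct table grants. It assumes SQL Server 2005 or later and a sysadmin connection; the temp table name `#db_access` is an arbitrary choice.

```sql
-- Added example, not from the thread. Run as sysadmin on SQL Server 2005 or later.
-- Assumption: only ONLINE databases are inspected; offline/restoring databases are skipped.

-- 1. Server level: every login, its type, whether it is disabled, and its fixed server roles.
--    Logins listed with 'sysadmin' are, in effect, the list of DBAs.
SELECT sp.name        AS login_name,
       sp.type_desc   AS login_type,
       sp.is_disabled,
       STUFF((SELECT ', ' + r.name
              FROM sys.server_role_members AS rm
              JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
              WHERE rm.member_principal_id = sp.principal_id
              FOR XML PATH('')), 1, 2, '') AS server_roles
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')      -- SQL login, Windows user, Windows group
  AND sp.name NOT LIKE '##%'          -- internal certificate-based principals
ORDER BY sp.name;

-- 2. Database level: users, the login each maps to (NULL = orphaned user),
--    database role memberships and explicit permissions, collected across all databases.
IF OBJECT_ID('tempdb..#db_access') IS NOT NULL DROP TABLE #db_access;
CREATE TABLE #db_access (
    database_name  sysname,
    user_name      sysname,
    login_name     sysname NULL,
    db_roles       nvarchar(max) NULL,
    explicit_perms nvarchar(max) NULL
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE' AND name <> 'tempdb';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME so that a hostile database name cannot inject into the dynamic batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
INSERT INTO #db_access (database_name, user_name, login_name, db_roles, explicit_perms)
SELECT DB_NAME(), dp.name, sp.name,
       STUFF((SELECT '', '' + r.name
              FROM sys.database_role_members AS rm
              JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
              WHERE rm.member_principal_id = dp.principal_id
              FOR XML PATH('''')), 1, 2, ''''),
       STUFF((SELECT '', '' + pe.state_desc + '' '' + pe.permission_name
                     + CASE WHEN pe.class_desc = ''OBJECT_OR_COLUMN''
                            THEN '' ON '' + QUOTENAME(OBJECT_NAME(pe.major_id)) ELSE '''' END
              FROM sys.database_permissions AS pe
              WHERE pe.grantee_principal_id = dp.principal_id
              FOR XML PATH('''')), 1, 2, '''')
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN (''S'', ''U'', ''G'')
  AND dp.name NOT IN (''dbo'', ''sys'', ''INFORMATION_SCHEMA'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- Members of db_datareader / db_datawriter / db_owner, direct table grants (a sign that
-- stored-procedure-only access is not enforced) and orphaned users all show up here.
SELECT * FROM #db_access ORDER BY database_name, user_name;
```

Save both result sets with the date they were taken; the auditor wants to see the documented list of DBAs, readers and writers and then confirm it against exactly this kind of live output. The `guest` user is deliberately not excluded, so a database where it has been granted CONNECT shows up as a row with no login.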
 

Author Comment by: Favorable
Do you have a script that will list all the users and the privileges assigned to them?
 
Assisted Solution by: Racim BOUDJAKDJI (LVL 23, earned 166 total points)
If the auditors are MS, they will be conducting something called a SQLRAP and will be looking for several points, among which *security*.

Proceed by priority:

> Deploy monitoring: install the SCOM Management Pack for SQL Server. Show you have things under control...
> Security: Take away BUILTIN\Administrators from the logins. Most auditors I have met perceive it as a major security threat.
> Security: on your sensitive databases, reduce the number of logins to the minimum; tell the auditors you have ongoing projects to rectify previous poor security. That will buy you time...
> Make sure your sensitive databases are backed up. That way you can always say: Hey, I know my databases are not secured BUT I CAN restore them anytime if I lose them...
> Break TEMPDB into as many files as there are cores on the servers hosting them... Shows the auditor you are conscious about best practices...

The actions above are among the ones that will give you some respect from auditors...

Hope this helps...
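Checks for the security, backup and tempdb items in the list above, added here as an example (not the poster's code): one pass that reports whether BUILTIN\Administrators is still a login, which enabled logins hold server-wide power, which databases are outside a backup window, and how tempdb's data file count compares with the core count. It assumes SQL Server 2005 or later, a sysadmin connection, and that msdb backup history has not been purged; the 24-hour and 1-hour thresholds are placeholders for whatever the organisation's policy says.

```sql
-- Added example, not from the thread. Run as sysadmin on SQL Server 2005 or later.
-- Assumptions: msdb backup history is intact; the time thresholds below are placeholders.

-- 1. Is BUILTIN\Administrators still a login? On a hardened server this returns no rows.
SELECT sp.name, sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = N'BUILTIN\Administrators';
-- To remove it, once another login is confirmed sysadmin: DROP LOGIN [BUILTIN\Administrators];

-- 2. Enabled logins with server-wide power (sysadmin or CONTROL SERVER).
--    This is the list to drive towards the minimum.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')
  AND sp.is_disabled = 0
  AND (IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
       OR EXISTS (SELECT 1 FROM sys.server_permissions AS p
                  WHERE p.grantee_principal_id = sp.principal_id
                    AND p.permission_name = 'CONTROL SERVER'
                    AND p.state = 'G'))
ORDER BY sp.name;

-- 3. Backup coverage: databases with no full backup in the last 24 h, or in FULL recovery
--    with no log backup in the last hour. An empty result is what you want to show the auditor.
SELECT d.name AS database_name, d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.name <> 'tempdb'
GROUP BY d.name, d.recovery_model_desc
HAVING MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) IS NULL
    OR MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) < DATEADD(hour, -24, GETDATE())
    OR (d.recovery_model_desc = 'FULL'
        AND (MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) IS NULL
             OR MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) < DATEADD(hour, -1, GETDATE())))
ORDER BY d.name;

-- 4. tempdb data files versus CPU cores on the host.
SELECT (SELECT COUNT(*) FROM sys.master_files
        WHERE database_id = DB_ID('tempdb') AND type_desc = 'ROWS') AS tempdb_data_files,
       si.cpu_count
FROM sys.dm_os_sys_info AS si;
```

Query 3 only proves that backups ran, not that they restore; a documented test restore is the evidence an auditor will ask for next. On the tempdb point, Microsoft's later guidance is one data file per core only up to eight files, growing in steps of four beyond that if contention persists, so on large hosts the ratio in query 4 need not be 1:1.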
 

Author Comment by: Favorable
Will I need any special template or just word and excel?
 
Assisted Solution by: Raja Jegan R (LVL 57, earned 334 total points)
Steps to audit DDL commands here:

http://www.mssqltips.com/tip.asp?tip=1006

Audit logging through Profiler trace and audit mode:

http://www.sqlmag.com/article/auditing/get-compliant-with-sql-server-2005-audit-logging.aspx

Best Practices Analyzer (which will list all possible violations):

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=da0531e4-e94c-4991-82fa-f0e3fbd05e63&displaylang=en
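A concrete version of the DDL auditing the first link is about, added here as an example (it is not the thread's or the linked article's code): a database-scoped DDL trigger writes every CREATE, ALTER and DROP in the database to an audit table with the login, user, object and statement text pulled from EVENTDATA(). It assumes SQL Server 2005 or later and db_owner rights; the database name AuditDemo, the table dbo.DDLAuditLog and the trigger trg_AuditDDL are placeholder names.

```sql
-- Added example, not from the thread. SQL Server 2005 or later; run as db_owner.
-- Assumption: AuditDemo is a placeholder database name; substitute your own.
USE AuditDemo;
GO

CREATE TABLE dbo.DDLAuditLog (
    audit_id     int IDENTITY(1, 1) NOT NULL PRIMARY KEY,
    event_time   datetime      NOT NULL DEFAULT GETDATE(),
    event_type   nvarchar(100) NOT NULL,   -- e.g. CREATE_TABLE, ALTER_PROCEDURE, DROP_USER
    login_name   nvarchar(128) NOT NULL,
    user_name    nvarchar(128) NOT NULL,
    host_name    nvarchar(128) NULL,       -- client-supplied, so informational only
    object_name  nvarchar(260) NULL,
    tsql_command nvarchar(max) NULL,
    event_xml    xml           NOT NULL    -- full EVENTDATA() payload for later analysis
);
GO

-- Whoever runs DDL must be able to insert the audit row, but nobody should rewrite history.
GRANT INSERT ON dbo.DDLAuditLog TO public;
DENY UPDATE, DELETE ON dbo.DDLAuditLog TO public;
GO

CREATE TRIGGER trg_AuditDDL
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();      -- XML describing the statement that fired the trigger
    INSERT INTO dbo.DDLAuditLog
        (event_type, login_name, user_name, host_name, object_name, tsql_command, event_xml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(100)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/UserName)[1]',   'nvarchar(128)'),
        HOST_NAME(),
        -- schema-qualified name; events without a schema (e.g. CREATE_USER) keep just the object
        ISNULL(@e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)') + N'.', N'')
            + ISNULL(@e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'), N''),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e
    );
END;
GO

-- Exercise it with constructed DDL, then read the log back.
CREATE TABLE dbo.Scratch (id int);
ALTER TABLE dbo.Scratch ADD note varchar(50);
DROP TABLE dbo.Scratch;
GO
SELECT audit_id, event_time, event_type, login_name, object_name, tsql_command
FROM dbo.DDLAuditLog
ORDER BY audit_id;
```

The three statements at the end each produce one row (CREATE_TABLE, ALTER_TABLE, DROP_TABLE) carrying the exact text that was executed, which is what an auditor means by a DDL trail. The caveat: a member of db_owner can disable the trigger or drop the table, so the trail is only as trustworthy as the list of db_owner members from the earlier inventory, and for anything the DBAs themselves must not be able to edit, SQL Server 2008's server audit feature (CREATE SERVER AUDIT, writing to the Windows Security log) is the stronger option.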
