Solved

Database Auditors

Posted on 2010-11-15
Last Modified: 2012-05-10
My department (Database Unit) is scheduled to be audited in January 2011.  I've never been in this situation before, nor have I done any database documentation.

Please, what exactly do I need to get prepared for database auditing?

How is database documentation done?

What needs to be documented for the auditing?

Any special template?

Please respond with detailed steps.

Thanks
Question by:Favorable
6 Comments
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 1336 total points
ID: 34136673
>> How is database documentation done?  

You can use these third party tools to get documentation done easily:

1. ApexSQL Doc (http://www.apexsql.com/sql_tools_doc.aspx)
2. RedGate SQL Doc (http://www.apexsql.com/sql_tools_doc.aspx)

>> what exactly do I need to get prepared for database auditing.

Database auditing is nothing but confirming your database to be in line with the standards defined for your organization.
If you have SQL Server 2008 or 2008 R2, then you can enforce all these standards using Policies and Facets, which would alert you in case of any violations. Otherwise you need to manually check for these kinds of violations and correct them accordingly.
 
LVL 7

Expert Comment

by:Cboudroz
ID: 34137514
Normally it's more about security.

Make sure you have some rules written down for security and that they can be confirmed on the server:


ex:

List of DBAs
List of data readers
List of data writers
All users need to use stored procedures to access data
Sensitive data is encrypted (credit card)
Difference between development server and production server.
Maintenance plan
...


 

Author Comment

by:Favorable
ID: 34138416
Do you have a script that will list all the users and privileges assigned?
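
A script of the kind requested above, as an added example that is not part of the original thread: read-only T-SQL against the SQL Server 2005+ catalog views that lists logins with their fixed server roles, database users with their role memberships, and explicit permissions. Sections 2 and 3 report on the current database only, so run them in each database under audit; the column aliases are chosen here for readability.

```sql
-- Added example, not from the thread. Read-only; changes nothing on the server.

-- 1. Server level: logins and the fixed server roles they hold
--    (sysadmin members are the "List of DBA" an auditor will ask for).
SELECT  l.name        AS login_name,
        l.type_desc   AS login_type,     -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        l.is_disabled,
        r.name        AS server_role     -- NULL = member of no fixed server role
FROM    sys.server_principals AS l
LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = l.principal_id
LEFT JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE   l.type IN ('S', 'U', 'G')        -- SQL login, Windows login, Windows group
ORDER BY r.name, l.name;

-- 2. Current database: users and their role memberships
--    (db_owner, db_datareader, db_datawriter, custom roles).
SELECT  DB_NAME()          AS database_name,
        u.name             AS user_name,
        u.type_desc        AS user_type,
        SUSER_SNAME(u.sid) AS mapped_login,  -- NULL = no matching server login
        r.name             AS database_role  -- NULL = member of no role
FROM    sys.database_principals AS u
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE   u.type IN ('S', 'U', 'G')
ORDER BY r.name, u.name;

-- 3. Current database: permissions granted or denied explicitly to a user or role.
SELECT  DB_NAME()          AS database_name,
        pr.name            AS grantee,
        pr.type_desc       AS grantee_type,
        pe.state_desc      AS permission_state,  -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        pe.permission_name,
        pe.class_desc      AS securable_class,
        CASE pe.class
            WHEN 0 THEN DB_NAME()                                   -- database itself
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)                    -- schema
        END                AS securable_name                        -- NULL for other classes
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.major_id >= 0             -- skip built-in grants on system objects (negative ids)
ORDER BY pr.name, securable_name, pe.permission_name;
```

Saving each result set to a dated file gives a baseline that can be compared with the written access rules and with later runs.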
 
LVL 23

Assisted Solution

by:Racim BOUDJAKDJI
Racim BOUDJAKDJI earned 664 total points
ID: 34139309
If the Auditors are MS, they will be conducting something called a SQLRAP and will be looking for several points among which *security*

Proceed by priority:

> Deploy monitoring: install SCOM Management Pack for SQL Server.  Show you have things under control...
> Security: Take away BUILTIN/ADMIN from the logins.  Most auditors I have met perceive it as a major security threat
> Security: on your sensitive databases, reduce the number of logins to the minimum;  Tell the auditors you have ongoing projects to rectify previous poor security.  That will buy you time...
> Make sure your sensitive databases are backed up.  That way you can always say: Hey, I know my databases are not secured BUT I CAN restore them anytime if I lose them...
> Break TEMPDB into as many files as there are cores on the servers hosting them...Shows the auditor you are conscious about best practices...

The actions above are among the ones that will give you some respect from auditors...

Hope this helps...
 

Author Comment

by:Favorable
ID: 34140864
Will I need any special template or just Word and Excel?
 
LVL 57

Assisted Solution

by:Raja Jegan R
Raja Jegan R earned 1336 total points
ID: 34141920
Steps to Audit DDL commands here:

http://www.mssqltips.com/tip.asp?tip=1006

Audit Logging through Profiler trace and Audit mode:

http://www.sqlmag.com/article/auditing/get-compliant-with-sql-server-2005-audit-logging.aspx

Best Practices Analyser (which would list you all possible violations):

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=da0531e4-e94c-4991-82fa-f0e3fbd05e63&displaylang=en