To: Audit Senior Management, School Board, Temple University
Prepared By: Shan Jiang
Types of RDBMS: MySQL 5.0, an open-source database used extensively in small or medium-sized web applications. One of the simplest databases to secure from hacking because of the small attack surface it exposes.
Number of DB servers: 3
Business units that rely on the DBs: Sales and Distribution, Financial Services, Procurement, and Accounts Receivable.
Organizational structure of the group that manages the DBs: Data Owner, system administrator, and database administrator.
1.0 Internal Audit Objective and Scope
1.1 Internal Audit Objective
The objective of this review is to audit confidentiality, integrity, and availability of XYZ Company’s MySQL 5.0 database environment.
1.2 Internal Audit Scope and Approach
The scope of this review includes an assessment of the MySQL 5.0 database environment. Specifically, this review will include:
* Physical and administrative control
* Concurrent access controls
* Change controls
* Server configuration control
* Database checkpoints
* Schema Modifications
* Redundancy elimination and relationship verification
* Database restructuring
* Data backup and disaster recovery plan
Audit deliverables will consist of the following:
* Fieldwork documentation
* Findings and issues
* Audit draft report
* Action plan and recommendation
* Audit final report
It is planned that the above deliverables will be delivered to you by 02/07/2013 for your review and subsequent discussion.
2.0 High-Level Work Program
The work program covers: policy and standards; data backup and procedures; levels of access controls for data; data encryption; confidentiality, integrity, and availability of data elements; database checkpoints at junctures; database reorganization; database restructuring procedures; and writing the report.
3.0 General Information
3.1 Internal Audit Team
The internal audit team, with roles and responsibilities, includes the following people:
* Lua Li: associate, audit database basic steps and general controls
* Jia Meng: associate, audit database operating system security
* Shan Jiang: associate, audit database accounts and permissions management
* Zhou Zhou: senior associate, audit password strength and review database privileges
* Chao Lang: senior associate, audit data encryption
* Jia Yu: manager, verify database auditing and activity monitoring
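As an added illustration, not part of the original audit plan, the following read-only queries are the kind the associates covering accounts and permissions, password strength and privileges, and encryption would run on each of the three MySQL 5.0 servers during fieldwork. The queries use only the mysql system schema and standard server variables; which results count as findings (for example, whether any account reachable from '%' is acceptable) is left to the audit team's judgement.

```sql
-- Added example: read-only MySQL 5.0 account, privilege and configuration review.
-- Run from a DBA account with SELECT on the mysql schema; nothing here changes data.
-- Evidence from each server should be saved with the fieldwork documentation.

-- 1. Anonymous accounts (User = '') and accounts with no password set at all.
SELECT User, Host
FROM mysql.user
WHERE User = '' OR Password = '';

-- 2. Accounts still stored with the pre-4.1 16-character password hash
--    (the weak "old_passwords" format); these should be reset to the 4.1+ hash.
SELECT User, Host
FROM mysql.user
WHERE LENGTH(Password) = 16;

-- 3. Accounts reachable from any host, and root reachable from anywhere but localhost.
SELECT User, Host
FROM mysql.user
WHERE Host = '%' OR (User = 'root' AND Host <> 'localhost');

-- 4. Global privileges that amount to control of the server or the host file system:
--    SUPER, FILE, PROCESS, GRANT OPTION and SHUTDOWN. Each holder needs a documented reason.
SELECT User, Host, Super_priv, File_priv, Process_priv, Grant_priv, Shutdown_priv
FROM mysql.user
WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Process_priv = 'Y'
   OR Grant_priv = 'Y' OR Shutdown_priv = 'Y';

-- 5. Database-level grants that use a wildcard database name or target the mysql schema itself.
SELECT User, Host, Db
FROM mysql.db
WHERE LOCATE('%', Db) > 0 OR Db = 'mysql';

-- 6. Full grant listing for one account, to compare against the business unit's approved role.
--    'app_user'@'localhost' is a placeholder; substitute each account found above.
SHOW GRANTS FOR 'app_user'@'localhost';

-- 7. Server settings tied to the scope areas: SSL support (encryption in transit),
--    binary logging (point-in-time recovery), network exposure, LOAD DATA LOCAL,
--    and whether new passwords are still being written in the old weak format.
--    MySQL 5.0 does not accept a WHERE clause on SHOW VARIABLES, so one LIKE per setting.
SHOW VARIABLES LIKE 'have_%ssl';
SHOW VARIABLES LIKE 'log_bin';
SHOW VARIABLES LIKE 'skip_networking';
SHOW VARIABLES LIKE 'local_infile';
SHOW VARIABLES LIKE 'old_passwords';
```

Queries 1 to 3 feed the password-strength and account-management review, query 4 and 5 the privilege review, and query 7 the encryption and backup checks; a row returned by queries 1 or 2 is normally a finding on its own, while the rest need the data owner's confirmation of business need before they are reported.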
3.2 Duration of Internal Audit
The duration of this internal audit will be for one month commencing on 02/11/2013.
02/16/2013-02/20/2013 Fieldwork and documentation
02/21/2013-02/25/2013 Issue discovery and validation
02/26/2013-04/01/2013 Solution development
04/02/2013-04/07/2013 Report drafting and issuance
04/08/2013-04/11/2013 Final report and issue tracking
It is anticipated that the fieldwork, working papers and drafting of deliverables will be completed by the Internal Audit Team.
3.3 Location of Internal Audit
The internal audit will be performed at XYZ Company.
It is anticipated that a site visit to XYZ Company will be conducted during the course of this review.
3.4 Temple University Previous Audits
Previous Audit Version: March 3, 2012
Previous Critical Findings: Developers had direct access to update production code without permission. Impact: This has been fixed. The DBMS team implemented a baseline tool for protecting the production code; the ability to check new code into this tool is limited to the DBA. The team also documented procedures requiring approval and testing prior to submitting new production code for check-in.
3.5 Key Contacts