IT Baseline Protection Manual S 2.125 Installation and configuration of a database

S 2.125 Installation and configuration of a database

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

In principle, a distinction needs to be made between an initial installation of database software and installation in existing database systems.

When database software is installed initially, no users have yet been configured for accessing the database and no data is already in existence (except for any data which forms part of other database systems). Consequently, initial installation is relatively simple and hardly disrupts the normal IT operation.

In contrast, installation in existing systems should, if possible, be performed outside regular working hours in order to minimise disruption of normal IT operation. Users should, at least, be informed about all impending activities so that they can prepare themselves for potential disruptions and delays in operation.

The installation and configuration of a database comprise the following activities:

1. Installation of the database software

Before database software is installed, a check is required as to whether the IT system has been prepared accordingly, e.g. if sufficient memory is available and if the operating system has been configured appropriately.

The database software must be installed in compliance with the manufacturer's instructions. If possible, the default settings recommended by the manufacturer should be accepted. This applies particularly to technical parameters which control the size of various internal tables of the database management system, for example. In the case of security-related parameters, it might be necessary to deviate from the default settings.

The installation of the database software must be documented adequately. This includes, in particular, a detailed explanation of parameters which deviate from the default settings recommended by the manufacturer.

If optional features offered by the manufacturer need to be used, they should be configured appropriately during installation.

All activities in this phase are to be performed by the general database administrator.

2. Creating the database

The process of creating a database includes a specification of parameters which can no longer be changed after the database has been put into operation. The meanings of these parameters and suitable values to which they can be assigned are explained in detail in the manufacturer's installation documents and appropriate manuals, which should be referred to for this purpose.

If any post-installation work is required following the creation of the database, the related instructions must also be looked up in the installation and administration manuals.

Such procedures must also be documented.

All activities in this phase are to be performed by the general database administrator in consultation with the application-specific administrators (in order to specify the size of the database, for example).

3. Configuring the database

The third phase consists of implementing the user and group concepts and, if required, the role concept. For this purpose, the general database administrator configures the individual authorisation profiles, and creates all the groups and administrative user IDs (for the application-specific administrators). In this process, the instructions specified in S 2.132 Provisions for Configuring Database Users / User Groups should be observed. Naturally, access rights pertaining to individual database objects can only be defined if these objects are already in existence (refer to step 4).

If the database software supports a distribution of data among several files or hard disks, it is necessary to specify additional parameters assigning the creation of these files as well as the corresponding memory sectors.

All the performed settings must be documented in detail (refer to S 2.25 Documentation on the System Configuration).

All activities in this phase are to be performed by the general database administrator.

4. Creating and configuring database objects

In this last phase, the database objects of the individual applications are created in accordance with the database security concept (refer to S 2.126 Creation of a Database Security Concept). If possible, this procedure should be automated and logged using scripts. After the database objects have been created, the related access rights for roles, groups and users are to be assigned. Specific users can now also be configured on the basis of the existing authorisation profiles.

All activities in this phase are to be performed by the application-specific administrators.
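One way to automate and log the object creation in step 4 is sketched below. It is an added example, not part of the manual. It assumes SQLite as a stand-in DBMS, constructed table names and a hypothetical operator ID; assigning access rights afterwards is DBMS-specific and not shown.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample objects; a real script comes from the database security concept.
OBJECT_SCRIPT = [
    "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)",
    "CREATE TABLE invoice (id INTEGER PRIMARY KEY,"
    " customer_id INTEGER NOT NULL REFERENCES customer(id))",
    "CREATE INDEX invoice_by_customer ON invoice (customer_id)",
]


def apply_script(conn, statements, operator):
    """Run all statements in one transaction; return (ok, log entries)."""
    log = []
    conn.execute("BEGIN")
    for step, sql in enumerate(statements, start=1):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "step": step,
            "sha256": hashlib.sha256(sql.encode("utf-8")).hexdigest(),
            "sql": sql,
        }
        log.append(entry)
        try:
            conn.execute(sql)
            entry["result"] = "ok"
        except sqlite3.Error as exc:
            # Undo every earlier statement so no half-built schema remains.
            entry["result"] = f"failed, rolled back: {exc}"
            if conn.in_transaction:
                conn.execute("ROLLBACK")
            return False, log
    conn.execute("COMMIT")
    return True, log


def object_names(conn):
    """List the user-created objects that now exist in the database."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%' ORDER BY name")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    ok, entries = apply_script(db, OBJECT_SCRIPT, operator="app_admin_example")
    for e in entries:
        print(json.dumps(e))
    print("created:", object_names(db) if ok else "nothing")
```

The JSON log lines record who ran which statement and when, and the SHA-256 of each statement lets a reviewer confirm that the executed script matches the approved one.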

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999