IT Baseline Protection Manual S 4.68 Ensuring consistent database management

Initiation responsibility: Head of IT Section, IT Security Management, Administrators

Implementation responsibility: Administrators

In principle, the ID of the database administrator is not subject to any restrictions concerning the use of the database system, which increases the threat of errors and misuse. For this reason, the database administrator should receive a standard user ID in addition to his administrator ID, and only use the latter when absolutely necessary.

Appropriate allocation of tasks, specification of guidelines, and measures for co-ordination are required to ensure that administrators do not perform any inconsistent or incomplete operations. The following requirements must be met here:

To avoid misuse to the greatest possible extent and preclude inconsistencies, all the database objects of an application should be managed under a user ID created specially for that application. As a result, changes to the database objects can only be performed under this special user ID, and are not possible even under the ID of the database administrator. The password of this special user ID should only be known to the database administrator responsible for the application in question.

Example:

The data of three applications, A, B and C, is managed in one database. All database objects allocated exclusively to application A are created under the database user ID apnA and managed only via this ID. The database objects of the other two applications are assigned similarly. As a result, modifications to the database objects of any of the three applications can only be performed using the corresponding database user ID (provided that appropriately restrictive access rights have been defined).

Database objects required by at least two of the three applications should be created and managed under a central database ID.

The passwords of the three application-specific IDs should only be known to the administrator responsible for maintaining and updating the database objects of the respective applications. In contrast, the password of the database ID used to manage the central database objects is not known to any of these administrators; instead, it is entrusted to a further administrator. This prevents an application-specific administrator from performing modifications to central database objects which might impair the functionality of the other applications.
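The ownership layout from the example above, sketched for PostgreSQL as an added illustration that is not part of the manual. The choice of PostgreSQL is an assumption; the role names apna, apnb and apnc mirror the manual's "apnA" (unquoted names fold to lower case), while apn_central, the schema names and the tables are hypothetical.

```sql
-- Setup is run once by a superuser; SET ROLE below stands in for each
-- owning ID logging in and creating its own objects.

-- One owning ID per application, plus one for shared objects.
-- Passwords are set separately by the responsible administrator
-- (for example with \password in psql), never stored in this script.
CREATE ROLE apna LOGIN;
CREATE ROLE apnb LOGIN;
CREATE ROLE apnc LOGIN;
CREATE ROLE apn_central LOGIN;

-- Each ID owns exactly one schema.
CREATE SCHEMA app_a   AUTHORIZATION apna;
CREATE SCHEMA app_b   AUTHORIZATION apnb;
CREATE SCHEMA app_c   AUTHORIZATION apnc;
CREATE SCHEMA central AUTHORIZATION apn_central;

-- No other ID may create objects in the default schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Application A's own object, created and owned by apna.
SET ROLE apna;
CREATE TABLE app_a.orders (id bigint PRIMARY KEY, customer_id bigint NOT NULL);
RESET ROLE;

-- An object needed by more than one application, owned by the central ID.
-- The application IDs may read it, but only its owner can ALTER or DROP it.
SET ROLE apn_central;
CREATE TABLE central.customers (id bigint PRIMARY KEY, name text NOT NULL);
GRANT USAGE ON SCHEMA central TO apna, apnb, apnc;
GRANT SELECT ON central.customers TO apna, apnb, apnc;
RESET ROLE;

-- Consistency check: list every table whose owner is not the ID
-- assigned to its schema. An empty result means the layout is intact.
SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
  AND (schemaname, tableowner) NOT IN (
        ('app_a', 'apna'), ('app_b', 'apnb'),
        ('app_c', 'apnc'), ('central', 'apn_central'));
```

A PostgreSQL superuser bypasses ownership checks, so the restriction only holds for an administrator's everyday ID if that ID is an ordinary role that is neither a superuser nor a member of the owning roles.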

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999