S 4.69 Regular checks of database security

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

The database administrator should check the security of the database system at regular intervals, but at least once a month. All of the checks listed below should be performed; checks marked with (*) can usually be automated with appropriate scripts:

• Are the required backup and security mechanisms active and effective?

• Are there any database users who have not been assigned a password? (*)

• Are there any users who have not used the database system for an extended period of time?

• Apart from the database administrator, who has access to the files of the database software and the data files at the level of the operating system? (*)

• Apart from the database administrator, who has access to the system tables?

• Who is allowed to access the database with an interactive SQL editor?

• Which user IDs are authorised to modify the database objects of the applications? (*)

• Which user IDs have read and / or write access to the data of the applications? (*)

• Which users have the same rights as the database administrator? (*)

• Does the database system have a sufficient quantity of free resources? (*)

Note:

System tables are used to manage the database itself. The items managed in these tables include the individual database objects, database IDs, access rights and allocations of files to storage media. The system tables are generated by the database management system during the creation of the database. In principle, the contents of these tables can be modified with the access rights granted to the database IDs of the administrators. If the data of the system tables is modified with UPDATE-, INSERT- or DELETE instructions, there is a high risk that the database will be destroyed. For this reason, rights to modify the system tables should not be granted. Even read-access should be restricted, as all the information in the database can be viewed via the system tables.

Additional controls:

• When was the last security check performed?

• Are the implementation and results of security checks documented?