SlideShare ist ein Scribd-Unternehmen logo

Arinda oktaviana 11353204810 vii lokal g

Als PPTX, PDF herunterladen
A
Arinda oktaviana

Arinda oktaviana 11353204810

Bildung
1 von 53
Chapter 4: Security Part II: Auditing Database Systems OLEH : ARINDA OKTAVIANA (11353204810)
Learning Objectives • Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach. • Understand the relationships among the fundamental component's of the database concept. • Recognize the defining characteristics of three database models: hierarchical, network, and relational. • Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment. • Be familiar with the audit objectives and procedures used to test data management controls.
Flat files are data files that contain records with no structured relationships to other files. The flat-file approach is most often associated with so-called legacy systems. The flat-file environment promotes a single-user view approach to data management whereby end users own their data files rather than share them with other users Data redundancy- replication of essentially the same data in multiple files. It contributes to three significant problems in the flat-file environment: • Data storage • Data updating and • Currency of information Task-data dependency user’s inability to obtain additional information as his or her needs change Flat-File Approach
Flat-File Model
This replication of essentially the same data in multiple files is called data redundancy and contributes to three significant problems in the flat-file environment: data storage, data updating, and currency of information. These and a fourth problem (not specifically caused by data redundancy) called task-data dependency are discussed next. • Data Storage Efficient data management captures and stores data only once and makes this single source available to all users who need it. In the flat-file environment, this is not possible. To meet the private data needs of diverse users, organizations must incur the costs of both multiple collection and multiple storage procedures. Some commonly used data may be duplicated dozens, hundreds, or even thousands of times within an organization. • Data Updating Organizations store a great deal of data on master files and reference files that require periodic updating to reflect changes. For example, a change to a customer’s name or address must be reflected in the appropriate master files. When users keep separate and exclusive files, each change must be made separately for each user. These redundant updating tasks add significantly to the cost of data management.
• Task-Data Dependency Another problem with the flat-file approach is the user’s inability to obtain additional information as his or her needs change: this is known as task-data dependency. In other words, a user’s task is limited and decision making ability constrained by the data that heor she possesses and controls. Since users in a flat- file environment act independently, rather than as members of a user community, establishing a mechanism for the formal data sharing is difficult or impossible. Therefore, users in this environment tend to satisfy new information needs by procuring new data files. This takes time, inhibits per- formance, adds to data redundancy, and drives data management costs even higher. An organization can overcome the problems associated with flat files by implement-ing the database approach. The key features of this data management model are dis-cussed next.
Database Approach • Access to the data resource is controlled by a database management system (DBMS). • Centralizes organization’s data into a common database shared by the user community. • All users have access to data they need which may overcome flat- file problems. • Elimination of data storage problem: No data redundancy. • Elimination of data updating problem: Single update procedure eliminates currency of information problem. • Elimination of task-data dependency problem: Users only constrained by legitimacy of access needs.
Database Model • Elimination of Data Update Problem Because each data element exists in only one place, it requires only a single update pro-cedure. This reduces the time and cost of keeping the database current. • Elimination of Currency Problem A single change to a database attribute is automatically made available to all users of the attribute. For example, a customer address change entered by the billing clerk is imme-diately reflected in the marketing and product services views. • Elimination of Task-Data Dependency Problem The most striking difference between the database model and the flat-file model is the pooling of data into a common database that is shared by all organizational users. With access to the full domain of entity data, changes in user information needs can be satis-fied without obtaining additional private data sets. Users are constrained only by the lim-itations of the data available to the entity and the legitimacy of their need to access them. Therefore the database method eliminates the limited access that flat files, by their na-ture, dictate to users.
Elements of the Database Concept
DBMS Features and Data Definition Language • Program Development – Applications may be created by programmers and end users. • Backup and Recovery - Copies made during processing. • Database Usage Reporting - Captures statistics on database usage (who, when, etc.). • Database Access - Authorizes access to sections of the database. • Data definition language used to define the database to the DBMS on three levels (views).
Database Views • Internal view/ Physical view: Physical arrangement of records in the database.  Describes structures of data records, linkage between files and physical arrangement and sequence of records in a file. Only one internal view. • Conceptual view/ Logical view (schema): Describes the entire database logically and abstractly rather than physically. Only one conceptual view. • External view/ User view (subschema): Portion of database each user views. May be many distinct users. Data Manipulation Language (DML) • DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data to / from the database. • Entire user programs may be written in the DML, or selected DML commands can be inserted into universal programs, such as COBOL and FORTRAN. • Can be used to ‘patch’ third party applications to the DBMS
Overview of DBMS Operation
Informal Access: Query Language • Query is an ad hoc access methodology for extracting information from a database. – Users can access data via direct query which requires no formal application programs. • IBM’s Structured Query Language (SQL) has emerged as the standard query language. • Query feature enhances ability to deal with problems that pop-up but poses an important control issue. – Must ensure it is not used for unauthorized database access.
Functions of the Database Administrator (DBA)
Organizational Interaction of the DBA
The Physical Database • Lowest level and only one in physical form. • Magnetic sports on metallic coated disks that create a logical collection of files and records. • Data structures are bricks and mortar of database. – Allows records to be located, stored, and retrieved. – Two components: organization and access methods. • The organization of a file refers to way records are physically arranged on the storage device - either sequential or random. • Access methods are programs used to locate records and to navigate through the database.
Database Terminology • Entity: Anything organization wants to capture data about. • Record Type: Physical database representation of an entity. • Occurrence: Related to the number of records of represented by a particular record type. • Attributes: Defines entities with values that vary (i.e. each employee has a different name). • Database: Set of record types that an organization needs to support its business processes.
Database Terminology • Entity: Anything organization wants to capture data about. • Record Type: Physical database representation of an entity. • Occurrence: Related to the number of records of represented by a particular record type. • Attributes: Defines entities with values that vary (i.e. each employee has a different name). • Database: Set of record types that an organization needs to support its business processes.
Associations • Record types that constitute a database exist in relation to other record types. Three basic record association: • One-to-one: For every occurrence of Record Type X there is one (or zero) of Record Type Y. • One-to-many: For every occurrence of Record Type X, there are zero, one or many occurrences of Record Type Y. • Many-to-many: For every occurrence of Record Types X and Y, there are zero, one or many occurrences of Record Types Y and X, respectively.
Record Associations
The Hierarchical Model • Basis of earliest DBAs and still in use today. • Sets that describe relationship between two linked files. • Each set contains a parent and a child. • Files at the same level with the same parent are siblings. • Tree structure with the highest level in the tree being the root segment and the lowest file in a branch the leaf. • Also called a navigational database. • Usefulness of model is limited because no child record can have more than one parent which leads to data redundancy.
Hierarchical Data Model
The Network Model
The Relational Model • Difference between this and navigational models is the way data associations are represented to the user. • Relational model portrays data in two-dimensional tables with attributes across the top forming columns. • Intersecting columns to form rows are tuples which are normalized arrays of data similar to records in a flat-file system. • Relations are formed by an attribute common to both tables in the relation.
Data Integration in the Relational Model
Centralized Databases in a Distributed Environment • Data retained in a central location. • Remote IT units send requests to central site which processes requests and transmits data back to the requesting IT units. • Actual processing of performed at remote IT unit. • Objective of database approach it to maintain data currency with can be challenging. • During processing, account balances pass through a state of temporary inconsistency where values are incorrect. • Database lockout procedures prevent multiple simultaneous access to data preventing potential corruption.
Distributed Databases: Partitioned Databases • Splits central database into segments distributed to their primary users. • Advantages: • Users’ control increased by having data stored at local sites. • Improved transaction processing response time. • Volume of transmitted data between IT units is reduced. • Reduces potential data loss from a disaster. • Works best for organizations that require minimal data sharing among units.
The Deadlock Phenomenon • Occurs when multiple sites lock each other out of the database, preventing each from processing its transactions. • Transactions in a “wait” state until locks removed. • Can result in transactions being incompletely processed and database being corrupted. • Deadlock is a permanent condition that must be resolved with special software that analyzes and resolve conflicts. • Usually involves terminating one or more transactions to complete processing of the other in deadlock. • Preempted transactions must be reinitiated.
The Deadlock Condition
Distributed Databases: Replicated Databases • Effective for situations with a high degree of data sharing, but no primary user. • Common data replicated at each site, reducing data traffic between sites. • Primary justification to support read-only queries. • Problem is maintaining current versions of database at each site. • Since each IT unit processes its own transactions, common data replicated at each site affected by different transactions and reflect different values.
Concurrency Control • Database concurrency is the presence of complete and accurate data at all user sites. • Designers need to employ methods to ensure transactions processed at each site are accurately reflected in the databases of all the other sites. • Commonly used method is to serialize transactions which involves labeling each transaction by two criteria: • Special software groups transactions into classes to identify potential conflicts. • Second part of control is to time-stamp each transaction.
Database Distribution Methods and the Accountant • Many issues and trade-offs in distributing databases. • Basic questions to be addressed: • Centralized or distributed data? • If distributed, replicated or partitioned? • If replicated, total or partial replication? • If partitioned, what is the allocation of the data segments among the sites? • Choices impact organization’s ability to maintain database integrity, preserve audit trails, and have accurate records.
Controlling and Auditing Data Management Systems • Controls over data management systems fall into two categories. • Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting or destroying data. • Backup controls ensure tat the organization can recover its database in the event of data loss.
Access Controls • User views (subschema) is a subset of the database that defines user’s data domain and access. • Database authorization table contains rules that limit user actions. • User-defined procedures allow users to create a personal security program or routine . • Data encryption procedures protect sensitive data. • Biometric devices such as fingerprints or retina prints control access to the database. • Inference controls should prevent users from inferring, through query options, specific data values they are unauthorized to access.
Subschema Restricting Access
Audit Procedures for Testing Database Access Controls • Verify DBA personnel retain responsibility for authority tables and designing user views. • Select a sample of users and verify access privileges are consistent with job description. • Evaluate cost and benefits of biometric controls. • Verify database query controls to prevent unauthorized access via inference. • Verify sensitive data are properly encrypted.
Backup Controls in the Database Environment • Since data sharing is a fundamental objective of the database approach, environment is vulnerable to damage from individual users. • Four needed backup and recovery features: • Backup feature makes a periodic backup of entire database which is stored in a secure, remote location. • Transaction log provides an audit trail of all processed transactions. • Checkpoint facility suspends all processing while system reconciles transaction log and database change log against the database. • Recovery module uses logs and backup files to restart the system after a failure.
Backup of Direct Access Files
Audit Procedures for Testing Database Access Controls • Verify backups are performed routinely and frequently. • Backup policy should balance inconvenience of frequent activity against business disruption caused by system failure. • Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.
Cobit 4.1 Excerpt EXECUTIVE OVERVIEW For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT).
COBIT’s General Acceptability COBIT is based on the analysis and harmonisation of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it acts as an integrator of IT governance practices and appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals. It is designed to be complementary to, and used together with, other standards and good practices. Implementation of good practices should be consistent with the enterprise’s governance and control framework, appropriate for the organisation, and integrated with other methods and practices that are being used. Standards and good practices are not a panacea.
Their effectiveness depends on how they have been implemented and kept up to date. They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming shelfware, management and staff should understand what to do, how to do it and why it is important. To achieve alignment of good practice to business requirements, it is recommended that COBIT be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every enterprise. Specific practices and standards covering discrete areas can be mapped up to the COBIT framework, thus providing a hierarchy of guidance materials. COBIT appeals to different users: • Executive management—To obtain value from IT investments and balance risk and control investment in an often unpredictable IT environment
• Business management—To obtain assurance on the management and control of IT services provided by internal or third parties • IT management—To provide the IT services that the business requires to support the business strategy in a controlled and managed way • Auditors—To substantiate their opinions and/or provide advice to management on internal controls COBIT has been developed and is maintained by an independent, not- for-profit research institute, drawing on the expertise of its affiliated association’s members, industry experts, and control and security professionals. Its content is based on ongoing research into IT good practice and is continuously maintained, providing an objective and practical resource for all types of users.
SEKIAN DAN TERIMAKASIHWassalamualaikum Wr. Wb…

Empfohlen

TID Chapter 10 Introduction To Database
TID Chapter 10 Introduction To DatabaseTID Chapter 10 Introduction To Database
TID Chapter 10 Introduction To Database
WanBK Leo
 
Chapter01
Chapter01Chapter01
Chapter01
sasa_eldoby
 
Ena ch01
Ena ch01Ena ch01
Ena ch01
rereelshahed
 
introduction to database
introduction to database introduction to database
introduction to database
Akif shexi
 
Database management systems
Database management systemsDatabase management systems
Database management systems
Joel Briza
 
ITI015En-The evolution of databases (I)
ITI015En-The evolution of databases (I)ITI015En-The evolution of databases (I)
ITI015En-The evolution of databases (I)
Huibert Aalbers
 
INTRODUCTION TO DATABASE
INTRODUCTION TO DATABASEINTRODUCTION TO DATABASE
INTRODUCTION TO DATABASE
Muhammad Bilal Tariq
 
Database Presentation
Database PresentationDatabase Presentation
Database Presentation
a9oolq8
 

Empfohlen

TID Chapter 10 Introduction To Database
TID Chapter 10 Introduction To DatabaseTID Chapter 10 Introduction To Database
TID Chapter 10 Introduction To Database
WanBK Leo
 
Chapter01
Chapter01Chapter01
Chapter01
sasa_eldoby
 
Ena ch01
Ena ch01Ena ch01
Ena ch01
rereelshahed
 
introduction to database
introduction to database introduction to database
introduction to database
Akif shexi
 
Database management systems
Database management systemsDatabase management systems
Database management systems
Joel Briza
 
ITI015En-The evolution of databases (I)
ITI015En-The evolution of databases (I)ITI015En-The evolution of databases (I)
ITI015En-The evolution of databases (I)
Huibert Aalbers
 
INTRODUCTION TO DATABASE
INTRODUCTION TO DATABASEINTRODUCTION TO DATABASE
INTRODUCTION TO DATABASE
Muhammad Bilal Tariq
 
Database Presentation
Database PresentationDatabase Presentation
Database Presentation
a9oolq8
 
Database Systems Concepts, 5th Ed
Database Systems Concepts, 5th EdDatabase Systems Concepts, 5th Ed
Database Systems Concepts, 5th Ed
Daniel Francisco Tamayo
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
Beni Krisbiantoro
 
Assignment on dbms
Assignment on dbmsAssignment on dbms
Assignment on dbms
Mohd Arif
 
Database & Database Users
Database & Database UsersDatabase & Database Users
Database & Database Users
M.Zalmai Rahmani
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
Trivuz ত্রিভুজ
 
old file system/traditional file sysytem
old file system/traditional file sysytemold file system/traditional file sysytem
old file system/traditional file sysytem
jizaka
 
Introduction to databases
Introduction to databasesIntroduction to databases
Introduction to databases
Aashima Wadhwa
 
PHP/MySQL First Session Material
PHP/MySQL First Session MaterialPHP/MySQL First Session Material
PHP/MySQL First Session Material
National IT Professionals Association of Afghanistan
 
Intoduction- Database Management System
Intoduction- Database Management SystemIntoduction- Database Management System
Intoduction- Database Management System
Dr. Jasmine Beulah Gnanadurai
 
Computer lecture (1) m.nasir
Computer lecture (1) m.nasirComputer lecture (1) m.nasir
Computer lecture (1) m.nasir
Muhammad Nasir
 
Database Management System And Design Questions
Database Management System And Design QuestionsDatabase Management System And Design Questions
Database Management System And Design Questions
Samir Sabry
 
Data base management
Data base management Data base management
Data base management
MiXvideos
 
Database system
Database systemDatabase system
Database system
Oduro Boakye
 
Lecture 01 introduction to database
Lecture 01 introduction to databaseLecture 01 introduction to database
Lecture 01 introduction to database
emailharmeet
 
Types of databases
Types of databases Types of databases
Types of databases
Md Showrov Ahmed
 
Database Management Systems 1
Database Management Systems 1Database Management Systems 1
Database Management Systems 1
Nickkisha Farrell
 
Database Systems - Introduction to Database Design (Chapter 4/1)
Database Systems - Introduction to Database Design (Chapter 4/1)Database Systems - Introduction to Database Design (Chapter 4/1)
Database Systems - Introduction to Database Design (Chapter 4/1)
Vidyasagar Mundroy
 
Dbms
DbmsDbms
Dbms
sangeethachandrabose
 
Basic Concept of Database
Basic Concept of DatabaseBasic Concept of Database
Basic Concept of Database
Marlon Jamera
 
Database History
Database HistoryDatabase History
Database History
Majong DevJfu
 
Echoes of asia
Echoes of asiaEchoes of asia
Echoes of asia
makassar muhammadiyah university
 
đề Thi thử thptqg năm 2017 có đáp án 16
đề Thi thử thptqg năm 2017 có đáp án 16đề Thi thử thptqg năm 2017 có đáp án 16
đề Thi thử thptqg năm 2017 có đáp án 16
DATA4U DATA4U
 

Weitere ähnliche Inhalte

Was ist angesagt?

Assignment on dbms
Assignment on dbmsAssignment on dbms
Assignment on dbms
Mohd Arif
 
Database Management System And Design Questions
Database Management System And Design QuestionsDatabase Management System And Design Questions
Database Management System And Design Questions
Samir Sabry
 
Lecture 01 introduction to database
Lecture 01 introduction to databaseLecture 01 introduction to database
Lecture 01 introduction to database
emailharmeet
 

Was ist angesagt? (20)

Database Systems Concepts, 5th Ed
Database Systems Concepts, 5th EdDatabase Systems Concepts, 5th Ed
Database Systems Concepts, 5th Ed
 
Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02Database design, implementation, and management -chapter02
Database design, implementation, and management -chapter02
 
Assignment on dbms
Assignment on dbmsAssignment on dbms
Assignment on dbms
 
Database & Database Users
Database & Database UsersDatabase & Database Users
Database & Database Users
 
Database - Design & Implementation - 1
Database - Design & Implementation - 1Database - Design & Implementation - 1
Database - Design & Implementation - 1
 
old file system/traditional file sysytem
old file system/traditional file sysytemold file system/traditional file sysytem
old file system/traditional file sysytem
 
Introduction to databases
Introduction to databasesIntroduction to databases
Introduction to databases
 
PHP/MySQL First Session Material
PHP/MySQL First Session MaterialPHP/MySQL First Session Material
PHP/MySQL First Session Material
 
Intoduction- Database Management System
Intoduction- Database Management SystemIntoduction- Database Management System
Intoduction- Database Management System
 
Computer lecture (1) m.nasir
Computer lecture (1) m.nasirComputer lecture (1) m.nasir
Computer lecture (1) m.nasir
 
Database Management System And Design Questions
Database Management System And Design QuestionsDatabase Management System And Design Questions
Database Management System And Design Questions
 
Data base management
Data base management Data base management
Data base management
 
Database system
Database systemDatabase system
Database system
 
Lecture 01 introduction to database
Lecture 01 introduction to databaseLecture 01 introduction to database
Lecture 01 introduction to database
 
Types of databases
Types of databases Types of databases
Types of databases
 
Database Management Systems 1
Database Management Systems 1Database Management Systems 1
Database Management Systems 1
 
Database Systems - Introduction to Database Design (Chapter 4/1)
Database Systems - Introduction to Database Design (Chapter 4/1)Database Systems - Introduction to Database Design (Chapter 4/1)
Database Systems - Introduction to Database Design (Chapter 4/1)
 
Dbms
DbmsDbms
Dbms
 
Basic Concept of Database
Basic Concept of DatabaseBasic Concept of Database
Basic Concept of Database
 
Database History
Database HistoryDatabase History
Database History
 

Andere mochten auch

January Newsletter of Health & Safety
January Newsletter of Health & SafetyJanuary Newsletter of Health & Safety
January Newsletter of Health & Safety
Sarah Jacot
 

Andere mochten auch (15)

Echoes of asia
Echoes of asiaEchoes of asia
Echoes of asia
 
đề Thi thử thptqg năm 2017 có đáp án 16
đề Thi thử thptqg năm 2017 có đáp án 16đề Thi thử thptqg năm 2017 có đáp án 16
đề Thi thử thptqg năm 2017 có đáp án 16
 
roldan siao cv
roldan siao cvroldan siao cv
roldan siao cv
 
Comercio internacional.docx interpretacion de la convencion y del contrato
Comercio internacional.docx interpretacion de la convencion y del contratoComercio internacional.docx interpretacion de la convencion y del contrato
Comercio internacional.docx interpretacion de la convencion y del contrato
 
Music magazines
Music magazinesMusic magazines
Music magazines
 
January Newsletter of Health & Safety
January Newsletter of Health & SafetyJanuary Newsletter of Health & Safety
January Newsletter of Health & Safety
 
Introduction to BP debate
Introduction to BP debateIntroduction to BP debate
Introduction to BP debate
 
Andy ResumeUSE
Andy ResumeUSEAndy ResumeUSE
Andy ResumeUSE
 
Media Deck - New Mexico Department of Tourism
Media Deck - New Mexico Department of TourismMedia Deck - New Mexico Department of Tourism
Media Deck - New Mexico Department of Tourism
 
з днем вчителя!
з днем вчителя!з днем вчителя!
з днем вчителя!
 
portfolio
portfolioportfolio
portfolio
 
Development pro forma
Development pro formaDevelopment pro forma
Development pro forma
 
Recruitment and selection
Recruitment and selectionRecruitment and selection
Recruitment and selection
 
Derecho minero 2
Derecho minero 2Derecho minero 2
Derecho minero 2
 
Resume
ResumeResume
Resume
 

Ähnlich wie Arinda oktaviana 11353204810 vii lokal g

9a797dbms chapter1 b.sc2
9a797dbms chapter1 b.sc29a797dbms chapter1 b.sc2
9a797dbms chapter1 b.sc2
Mukund Trivedi
 
Utsav Mahendra : Introduction to Database and managemnet
Utsav Mahendra : Introduction to Database and managemnetUtsav Mahendra : Introduction to Database and managemnet
Utsav Mahendra : Introduction to Database and managemnet
Utsav Mahendra
 
01-Database Administration and Management.pdf
01-Database Administration and Management.pdf01-Database Administration and Management.pdf
01-Database Administration and Management.pdf
TOUSEEQHAIDER14
 

Ähnlich wie Arinda oktaviana 11353204810 vii lokal g (20)

Chapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systemsChapter 4 security part ii auditing database systems
Chapter 4 security part ii auditing database systems
 
9a797dbms chapter1 b.sc2
9a797dbms chapter1 b.sc29a797dbms chapter1 b.sc2
9a797dbms chapter1 b.sc2
 
Lecture 1 =Unit 1 Part 1.ppt
Lecture 1 =Unit 1 Part 1.pptLecture 1 =Unit 1 Part 1.ppt
Lecture 1 =Unit 1 Part 1.ppt
 
Unit 1.pptx
Unit 1.pptxUnit 1.pptx
Unit 1.pptx
 
Unit 2 DATABASE ESSENTIALS.pptx
Unit 2 DATABASE ESSENTIALS.pptxUnit 2 DATABASE ESSENTIALS.pptx
Unit 2 DATABASE ESSENTIALS.pptx
 
Chapter 1
Chapter 1Chapter 1
Chapter 1
 
CS3270 - DATABASE SYSTEM - Lecture (1)
CS3270 - DATABASE SYSTEM - Lecture (1)CS3270 - DATABASE SYSTEM - Lecture (1)
CS3270 - DATABASE SYSTEM - Lecture (1)
 
Dbms mca-section a
Dbms mca-section aDbms mca-section a
Dbms mca-section a
 
Database Management Systems (DBMS) are software systems used to store, retrie...
Database Management Systems (DBMS) are software systems used to store, retrie...Database Management Systems (DBMS) are software systems used to store, retrie...
Database Management Systems (DBMS) are software systems used to store, retrie...
 
Database management system lecture notes
Database management system lecture notesDatabase management system lecture notes
Database management system lecture notes
 
Ch1_Intro-95(1).ppt
Ch1_Intro-95(1).pptCh1_Intro-95(1).ppt
Ch1_Intro-95(1).ppt
 
Cp 121 lecture 01
Cp 121 lecture 01Cp 121 lecture 01
Cp 121 lecture 01
 
unit 1.pdf
unit 1.pdfunit 1.pdf
unit 1.pdf
 
Unit1 dbms
Unit1 dbmsUnit1 dbms
Unit1 dbms
 
DatabaseManagementSystem.pptx
DatabaseManagementSystem.pptxDatabaseManagementSystem.pptx
DatabaseManagementSystem.pptx
 
Chapter-1 Introduction to Database Management Systems
Chapter-1 Introduction to Database Management SystemsChapter-1 Introduction to Database Management Systems
Chapter-1 Introduction to Database Management Systems
 
Ch01
Ch01Ch01
Ch01
 
Utsav Mahendra : Introduction to Database and managemnet
Utsav Mahendra : Introduction to Database and managemnetUtsav Mahendra : Introduction to Database and managemnet
Utsav Mahendra : Introduction to Database and managemnet
 
01-Database Administration and Management.pdf
01-Database Administration and Management.pdf01-Database Administration and Management.pdf
01-Database Administration and Management.pdf
 
Rdbms
RdbmsRdbms
Rdbms
 

Kürzlich hochgeladen

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 

Kürzlich hochgeladen (20)

Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-IIFood Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 

Arinda oktaviana 11353204810 vii lokal g

  • 1. Chapter 4: Security Part II: Auditing Database Systems OLEH : ARINDA OKTAVIANA (11353204810)
  • 2. Learning Objectives • Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach. • Understand the relationships among the fundamental component's of the database concept. • Recognize the defining characteristics of three database models: hierarchical, network, and relational. • Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment. • Be familiar with the audit objectives and procedures used to test data management controls.
  • 3. Flat files are data files that contain records with no structured relationships to other files. The flat-file approach is most often associated with so-called legacy systems. The flat-file environment promotes a single-user view approach to data management whereby end users own their data files rather than share them with other users Data redundancy- replication of essentially the same data in multiple files. It contributes to three significant problems in the flat-file environment: • Data storage • Data updating and • Currency of information Task-data dependency user’s inability to obtain additional information as his or her needs change Flat-File Approach
  • 5. This replication of essentially the same data in multiple files is called data redundancy and contributes to three significant problems in the flat-file environment: data storage, data updating, and currency of information. These and a fourth problem (not specifically caused by data redundancy) called task-data dependency are discussed next. • Data Storage Efficient data management captures and stores data only once and makes this single source available to all users who need it. In the flat-file environment, this is not possible. To meet the private data needs of diverse users, organizations must incur the costs of both multiple collection and multiple storage procedures. Some commonly used data may be duplicated dozens, hundreds, or even thousands of times within an organization. • Data Updating Organizations store a great deal of data on master files and reference files that require periodic updating to reflect changes. For example, a change to a customer’s name or address must be reflected in the appropriate master files. When users keep separate and exclusive files, each change must be made separately for each user. These redundant updating tasks add significantly to the cost of data management.
  • 6. • Task-Data Dependency Another problem with the flat-file approach is the user’s inability to obtain additional information as his or her needs change: this is known as task-data dependency. In other words, a user’s task is limited and decision making ability constrained by the data that heor she possesses and controls. Since users in a flat- file environment act independently, rather than as members of a user community, establishing a mechanism for the formal data sharing is difficult or impossible. Therefore, users in this environment tend to satisfy new information needs by procuring new data files. This takes time, inhibits per- formance, adds to data redundancy, and drives data management costs even higher. An organization can overcome the problems associated with flat files by implement-ing the database approach. The key features of this data management model are dis-cussed next.
  • 7. Database Approach • Access to the data resource is controlled by a database management system (DBMS). • Centralizes organization’s data into a common database shared by the user community. • All users have access to data they need which may overcome flat- file problems. • Elimination of data storage problem: No data redundancy. • Elimination of data updating problem: Single update procedure eliminates currency of information problem. • Elimination of task-data dependency problem: Users only constrained by legitimacy of access needs.
  • 8. Database Model • Elimination of Data Update Problem Because each data element exists in only one place, it requires only a single update pro-cedure. This reduces the time and cost of keeping the database current. • Elimination of Currency Problem A single change to a database attribute is automatically made available to all users of the attribute. For example, a customer address change entered by the billing clerk is imme-diately reflected in the marketing and product services views. • Elimination of Task-Data Dependency Problem The most striking difference between the database model and the flat-file model is the pooling of data into a common database that is shared by all organizational users. With access to the full domain of entity data, changes in user information needs can be satis-fied without obtaining additional private data sets. Users are constrained only by the lim-itations of the data available to the entity and the legitimacy of their need to access them. Therefore the database method eliminates the limited access that flat files, by their na-ture, dictate to users.
  • 9. Elements of the Database Concept
  • 10. DBMS Features and Data Definition Language • Program Development – Applications may be created by programmers and end users. • Backup and Recovery - Copies made during processing. • Database Usage Reporting - Captures statistics on database usage (who, when, etc.). • Database Access - Authorizes access to sections of the database. • Data definition language used to define the database to the DBMS on three levels (views).
  • 11. Database Views • Internal view/ Physical view: Physical arrangement of records in the database.  Describes structures of data records, linkage between files and physical arrangement and sequence of records in a file. Only one internal view. • Conceptual view/ Logical view (schema): Describes the entire database logically and abstractly rather than physically. Only one conceptual view. • External view/ User view (subschema): Portion of database each user views. May be many distinct users. Data Manipulation Language (DML) • DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data to / from the database. • Entire user programs may be written in the DML, or selected DML commands can be inserted into universal programs, such as COBOL and FORTRAN. • Can be used to ‘patch’ third party applications to the DBMS
  • 12. Overview of DBMS Operation
  • 13. Informal Access: Query Language • Query is an ad hoc access methodology for extracting information from a database. – Users can access data via direct query which requires no formal application programs. • IBM’s Structured Query Language (SQL) has emerged as the standard query language. • Query feature enhances ability to deal with problems that pop-up but poses an important control issue. – Must ensure it is not used for unauthorized database access.
  • 14. Functions of the Database Administrator (DBA)
  • 16. The Physical Database • Lowest level and only one in physical form. • Magnetic sports on metallic coated disks that create a logical collection of files and records. • Data structures are bricks and mortar of database. – Allows records to be located, stored, and retrieved. – Two components: organization and access methods. • The organization of a file refers to way records are physically arranged on the storage device - either sequential or random. • Access methods are programs used to locate records and to navigate through the database.
  • 17. Database Terminology • Entity: Anything organization wants to capture data about. • Record Type: Physical database representation of an entity. • Occurrence: Related to the number of records of represented by a particular record type. • Attributes: Defines entities with values that vary (i.e. each employee has a different name). • Database: Set of record types that an organization needs to support its business processes.
  • 18. Database Terminology • Entity: Anything organization wants to capture data about. • Record Type: Physical database representation of an entity. • Occurrence: Related to the number of records of represented by a particular record type. • Attributes: Defines entities with values that vary (i.e. each employee has a different name). • Database: Set of record types that an organization needs to support its business processes.
  • 19. Associations • Record types that constitute a database exist in relation to other record types. Three basic record association: • One-to-one: For every occurrence of Record Type X there is one (or zero) of Record Type Y. • One-to-many: For every occurrence of Record Type X, there are zero, one or many occurrences of Record Type Y. • Many-to-many: For every occurrence of Record Types X and Y, there are zero, one or many occurrences of Record Types Y and X, respectively.
  • 21. The Hierarchical Model • Basis of earliest DBAs and still in use today. • Sets that describe relationship between two linked files. • Each set contains a parent and a child. • Files at the same level with the same parent are siblings. • Tree structure with the highest level in the tree being the root segment and the lowest file in a branch the leaf. • Also called a navigational database. • Usefulness of model is limited because no child record can have more than one parent which leads to data redundancy.
  • 24. The Relational Model • Difference between this and navigational models is the way data associations are represented to the user. • Relational model portrays data in two-dimensional tables with attributes across the top forming columns. • Intersecting columns to form rows are tuples which are normalized arrays of data similar to records in a flat-file system. • Relations are formed by an attribute common to both tables in the relation.
  • 25. Data Integration in the Relational Model
  • 26. Centralized Databases in a Distributed Environment • Data retained in a central location. • Remote IT units send requests to central site which processes requests and transmits data back to the requesting IT units. • Actual processing of performed at remote IT unit. • Objective of database approach it to maintain data currency with can be challenging. • During processing, account balances pass through a state of temporary inconsistency where values are incorrect. • Database lockout procedures prevent multiple simultaneous access to data preventing potential corruption.
  • 27. Distributed Databases: Partitioned Databases • Splits central database into segments distributed to their primary users. • Advantages: • Users’ control increased by having data stored at local sites. • Improved transaction processing response time. • Volume of transmitted data between IT units is reduced. • Reduces potential data loss from a disaster. • Works best for organizations that require minimal data sharing among units.
  • 28. The Deadlock Phenomenon • Occurs when multiple sites lock each other out of the database, preventing each from processing its transactions. • Transactions in a “wait” state until locks removed. • Can result in transactions being incompletely processed and database being corrupted. • Deadlock is a permanent condition that must be resolved with special software that analyzes and resolve conflicts. • Usually involves terminating one or more transactions to complete processing of the other in deadlock. • Preempted transactions must be reinitiated.
  • 30. Distributed Databases: Replicated Databases • Effective for situations with a high degree of data sharing, but no primary user. • Common data replicated at each site, reducing data traffic between sites. • Primary justification to support read-only queries. • Problem is maintaining current versions of database at each site. • Since each IT unit processes its own transactions, common data replicated at each site affected by different transactions and reflect different values.
  • 31. Concurrency Control • Database concurrency is the presence of complete and accurate data at all user sites. • Designers need to employ methods to ensure transactions processed at each site are accurately reflected in the databases of all the other sites. • Commonly used method is to serialize transactions which involves labeling each transaction by two criteria: • Special software groups transactions into classes to identify potential conflicts. • Second part of control is to time-stamp each transaction.
  • 32. Database Distribution Methods and the Accountant • Many issues and trade-offs in distributing databases. • Basic questions to be addressed: • Centralized or distributed data? • If distributed, replicated or partitioned? • If replicated, total or partial replication? • If partitioned, what is the allocation of the data segments among the sites? • Choices impact organization’s ability to maintain database integrity, preserve audit trails, and have accurate records.
  • 33. Controlling and Auditing Data Management Systems • Controls over data management systems fall into two categories. • Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting or destroying data. • Backup controls ensure tat the organization can recover its database in the event of data loss.
  • 34. Access Controls • User views (subschema) is a subset of the database that defines user’s data domain and access. • Database authorization table contains rules that limit user actions. • User-defined procedures allow users to create a personal security program or routine . • Data encryption procedures protect sensitive data. • Biometric devices such as fingerprints or retina prints control access to the database. • Inference controls should prevent users from inferring, through query options, specific data values they are unauthorized to access.
  • 36. Audit Procedures for Testing Database Access Controls • Verify DBA personnel retain responsibility for authority tables and designing user views. • Select a sample of users and verify access privileges are consistent with job description. • Evaluate cost and benefits of biometric controls. • Verify database query controls to prevent unauthorized access via inference. • Verify sensitive data are properly encrypted.
  • 37. Backup Controls in the Database Environment • Since data sharing is a fundamental objective of the database approach, environment is vulnerable to damage from individual users. • Four needed backup and recovery features: • Backup feature makes a periodic backup of entire database which is stored in a secure, remote location. • Transaction log provides an audit trail of all processed transactions. • Checkpoint facility suspends all processing while system reconciles transaction log and database change log against the database. • Recovery module uses logs and backup files to restart the system after a failure.
  • 38. Backup of Direct Access Files
  • 39. Audit Procedures for Testing Database Access Controls • Verify backups are performed routinely and frequently. • Backup policy should balance inconvenience of frequent activity against business disruption caused by system failure. • Verify that automatic backup procedures are in place and functioning and that copies of the database are stored off-site.
  • 40. Cobit 4.1 Excerpt EXECUTIVE OVERVIEW For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT).
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50. COBIT’s General Acceptability COBIT is based on the analysis and harmonisation of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it acts as an integrator of IT governance practices and appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals. It is designed to be complementary to, and used together with, other standards and good practices. Implementation of good practices should be consistent with the enterprise’s governance and control framework, appropriate for the organisation, and integrated with other methods and practices that are being used. Standards and good practices are not a panacea.
  • 51. Their effectiveness depends on how they have been implemented and kept up to date. They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures. To avoid practices becoming shelfware, management and staff should understand what to do, how to do it and why it is important. To achieve alignment of good practice to business requirements, it is recommended that COBIT be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every enterprise. Specific practices and standards covering discrete areas can be mapped up to the COBIT framework, thus providing a hierarchy of guidance materials. COBIT appeals to different users: • Executive management—To obtain value from IT investments and balance risk and control investment in an often unpredictable IT environment
  • 52. • Business management—To obtain assurance on the management and control of IT services provided by internal or third parties • IT management—To provide the IT services that the business requires to support the business strategy in a controlled and managed way • Auditors—To substantiate their opinions and/or provide advice to management on internal controls COBIT has been developed and is maintained by an independent, not- for-profit research institute, drawing on the expertise of its affiliated association’s members, industry experts, and control and security professionals. Its content is based on ongoing research into IT good practice and is continuously maintained, providing an objective and practical resource for all types of users.