Information Technology Reference
In-Depth Information
Audit objectives will cover technical aspects of the database as indicated above.
Management might also include the performance of the database among the objectives,
and the expert might be required to use defined metrics to assess it.
There are various standards and guidelines which can be used to audit a database system.
ISACA has developed IS audit guidelines for databases. You will also find various types
of standards for securing and configuring databases. Individual enterprises also develop
internal guidelines, which they normally use to configure and administer databases.
Database experts can make use of various tools to audit a database. The tools allow the
expert to extract and analyse data and data structures. The expert can also analyse
information in audit trails and other reporting tools.
Auditing databases can be a big and challenging task, and depending on the size and
structure of the databases, the IS audit team may require the use of more than one expert.
Some enterprises have implemented multiple databases, and each database has a specific
function. Where security and system recovery are a major concern, some enterprises have
implemented failover databases and replication servers.
Auditing Firewalls
Firewalls are designed to secure internal networks from outside threats, and regular
audits are recommended in order to ensure that firewalls are providing the required
security. Because firewall configurations change in the course of IT operations, it is
possible that new vulnerabilities may be introduced. Many times hackers also try to
penetrate firewalls using known firewall ports such as port 8080 for Internet traffic.
Auditing firewalls requires a good understanding of firewall software and how the devices
are configured. Less skilled auditors can access the firewalls using web interfaces, which
are easy to use. An expert in firewalls is required to interpret the data being generated
and posted to reporting tools by the firewalls. Many firewall monitoring tools can present
data in graphical and table form, which is easy to understand. Despite all these nice
tools, there is still a need for a firewall expert who can interpret the data and make
appropriate conclusions and recommendations.
Firewalls can also be used to create demilitarised zones (DMZ) which are used to secure
IT systems which sit between the internal network and the public. Servers located in the
DMZ are accessed by customers or the public without necessarily getting into the internal
network. Firewalls can be installed using different designs and configurations depending
on the services required.
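The configuration-drift and DMZ points above can be checked mechanically. The following is an added example, not taken from the original text: it compares a current rule set with an approved baseline and flags any rule that lets external traffic reach the internal network without passing through the DMZ. The one-line rule format, the zone names and the sample rules are assumptions made for illustration, and rule ordering is not modelled.

```python
# Added example: rule format, zones and sample rules are constructed, not a vendor syntax.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str     # source zone: "external", "dmz" or "internal"
    dst: str     # destination zone
    port: str    # destination port, or "any"
    action: str  # "allow" or "deny"

def parse(text):
    """Parse 'src dst port action' lines; blanks and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(Rule(*line.split()))
    return rules

def audit(baseline_text, current_text):
    """Return (added, removed, findings) comparing current rules to baseline."""
    baseline, current = parse(baseline_text), parse(current_text)
    added = [r for r in current if r not in baseline]
    removed = [r for r in baseline if r not in current]
    findings = []
    for r in current:
        if r.action == "allow" and r.src == "external":
            if r.dst == "internal":
                findings.append((r, "external traffic allowed past the DMZ"))
            elif r.port == "any":
                findings.append((r, "every port open to external traffic"))
    return added, removed, findings

BASELINE = """\
external dmz 443 allow       # public web server in the DMZ
dmz internal 5432 allow      # DMZ application to internal database
external internal any deny
"""
CURRENT = """\
external dmz 443 allow
dmz internal 5432 allow
external internal 8080 allow # constructed: change made without review
external internal any deny
"""
if __name__ == "__main__":
    added, removed, findings = audit(BASELINE, CURRENT)
    for r in added:
        print("ADDED  ", *r)
    for r, why in findings:
        print("FINDING", *r, "-", why)
```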
Audit objectives for firewalls are mainly concerned with securing the internal network
from external threats such as hackers and other unauthorised persons. It is also possible to
use firewalls to perform routing functionality or to protect the internal network from vir-