Booklet: Development and Acquisition
Section: Development
Subsection: Databases
 

 

 

 

 

 

Databases contain stored information and are structured in various ways. Legacy systems often use hierarchical or networked structures. Hierarchical databases are structured similar to an organizational chart. Lower data elements are dependent on (communicate data between) a single data element above them. Each data element can have multiple elements linked below it, but only one link to a data element above it. Networked databases are similar to hierarchical databases, but data elements can link to multiple elements above or below them.

Relational databases, which are currently the most prevalent type database, are organized as tables with data structured in rows and columns. (Data paths are not predefined because relationships are defined at the data value level.) Rows (or records) contain information that relates to a single subject, such as a customer, employee, or vendor. Columns (or fields) contain information related to each subject, such as customer identification numbers, dates of birth, or business addresses. Each record (item in a row), links to a corresponding field element (item in a column) that is defined as the primary key. Primary keys are the main identifiers associated with stored information and facilitate access to the information. In certain situations, the primary key may be comprised of data from more than one field.


The graphic is a chart showing a sample of fields in the horizontal cells and records in the vertical cells. The "primary key" in the sample is customer numbers.

Relational databases are usually comprised of multiple tables, which may reside on a single server or in a distributed environment. If related records are stored on multiple tables (for example, if a customer’s primary information, as shown in the table above, is maintained at a customer service center and the customer’s deposit account information is maintained on a second table/database at a local branch), the same primary key must be used in both tables to ensure data integrity. The keys in secondary tables, however, are referred to as foreign keys.
Object-relational databases have been developed that apply ad hoc object-oriented protocols in relational database environments. Definitive standards do not currently exist to support the wide acceptance of strictly object-oriented databases and database management systems. However, various proprietary standards do exist, and organizations are attempting to develop standardized object-oriented database protocols.

DATABASE MANAGEMENT SYSTEMS
Database management systems (DBMS) are software programs that control a database user’s access and modification rights. The systems also facilitate referential integrity (by managing cross references between primary and foreign key relationships), support data import and export functions, and provide backup and recovery services.

Database management systems may also provide access to data dictionaries. Data dictionaries are documentation tools that store descriptions of the structure and format of data and data tables. Advanced data dictionaries may store source code copies of field, record, and code descriptions for use during software design and development activities.

Primary issues to consider when reviewing the design and configuration of database management systems include access controls and auditing features. Management should restrict direct (privileged) access to a database (as opposed to accessing information through an application) to authorized personnel.

Most DBMS have a journaling feature that allows organizations to track data changes. Journaling provides audit trails of data changes and facilitates the safe recovery of data if errors occur. If available, organizations should employ automated auditing tools, such as journaling, that identify who accessed or attempted to access a database and what, if any, data was changed.
Many DBMS can validate users at record and row levels and log their activities. The detailed validation levels provide strong security controls. Examiners should consider validation levels when assessing the adequacy of DBMS controls. Strong DBMS controls include data-change logs, input validity checks, locking and rollback mechanisms (ability to recover a previous database if the database becomes corrupted), password and data file encryption. System developers should consider incorporating these types of security features when designing databases. If strong controls or auditing features are unavailable, management should implement compensating controls such as segregation-of-duty or dual controls.