Booklet: Operations | Section: Risk Mitigation and Control Implementation | Subsection: Database Management

Databases are centralized collections of data for use by business applications. They typically store critical and sensitive information, including customer account data. Databases can exist on mainframes, networks, and stand-alone PCs. Because they can be repositories of the financial institution’s most critical information, databases pose unique risks. Failure to adequately manage and secure databases can lead to unintentional or unauthorized modification, destruction, or disclosure of sensitive information. Unauthorized disclosure of confidential information can result in reputation, legal, and operational risk to the institution and possible financial loss. The sensitivity and classification of the information stored in the database form the basis for establishing controls. A database that stores confidential information may require a more significant control environment than a database that stores non-sensitive information. Management should consider both the security and the performance implications of the security options available in modern database management systems. It is possible to control, monitor, and log access to data down to the individual row (record) level, but finer-grained control and logging carry a system performance cost.

Database administrators use a database management system (DBMS) to configure and operate databases. Because DBMS software provides high-level, privileged database access, management should restrict use of this software to authorized personnel. One function of the database administrator is to create particular views of information stored in the database that are unique to each type of user. For example, a loan processor will have a different view of information in the database than a branch teller. The different user groups will also have different abilities to add, modify, or delete information. The database administrator is responsible for providing users with access to the appropriate level of information. The primary risk associated with database administration is that an administrator can alter sensitive data without those modifications being detected. A secondary risk is that an administrator can change the access rights to information stored within the database, including his or her own access rights. As a preventive control against these risks, the institution should restrict, and independently review, the administrator's access administration and direct alteration of data. Close monitoring of database administrator activities by management is both a preventive and a detective control.
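
The per-user-group views, the differing add/modify/delete rights, and the two administrator risks described above can be expressed directly in the DBMS. The following is an added example in PostgreSQL 11+ syntax; it is not from the FFIEC handbook. The table, column, and role names (customer_account, branch_teller, loan_processor, and so on) and the single inserted row are illustrative assumptions. It creates a column-restricted view for each user type, grants each group only the operations it needs on its view, and adds an audit trigger that records every change to the base table under the authenticated login, so that a direct change by an administrator is detected; the two queries at the end are the privilege review the text calls for.

```sql
-- Added example (PostgreSQL 11+ syntax), not from the FFIEC handbook.
-- Table, column and role names are illustrative assumptions.

CREATE TABLE customer_account (
    account_id    bigint PRIMARY KEY,
    customer_name text NOT NULL,
    ssn           char(11) NOT NULL,     -- confidential
    balance       numeric(14,2) NOT NULL,
    credit_score  integer,               -- needed by loan processing only
    branch_id     integer NOT NULL
);

-- Constructed sample row so the statements below have something to act on.
INSERT INTO customer_account VALUES (1, 'A. Example', '123-45-6789', 2500.00, 710, 12);

-- One group role per user type; individual staff logins are granted membership.
CREATE ROLE branch_teller  NOLOGIN;
CREATE ROLE loan_processor NOLOGIN;

-- Tellers see balances but never the SSN or credit score.
CREATE VIEW teller_account_v AS
    SELECT account_id, customer_name, balance, branch_id
    FROM customer_account;

-- Loan processors see credit data; the SSN is reduced to its last four digits.
CREATE VIEW loan_account_v AS
    SELECT account_id, customer_name,
           'XXX-XX-' || right(ssn, 4) AS ssn_last4,
           balance, credit_score
    FROM customer_account;

-- Different views, different DML rights. Neither role gets the base table:
-- a view runs with its owner's (the DBA's) privileges, so this is enough.
GRANT SELECT ON teller_account_v TO branch_teller;
GRANT SELECT ON loan_account_v TO loan_processor;
GRANT UPDATE (credit_score) ON loan_account_v TO loan_processor;

-- Detective control on the primary DBA risk: every change to the base table,
-- including one made directly by an administrator, is recorded with the
-- authenticated login (session_user), not whatever role it has SET ROLE to.
CREATE TABLE customer_account_audit (
    audit_id   bigserial PRIMARY KEY,
    changed_at timestamptz NOT NULL DEFAULT now(),
    changed_by text NOT NULL DEFAULT session_user,
    operation  text NOT NULL,
    account_id bigint,
    old_row    jsonb,
    new_row    jsonb
);

CREATE FUNCTION audit_customer_account() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO customer_account_audit (operation, account_id, old_row, new_row)
    VALUES (TG_OP,
            CASE WHEN TG_OP = 'DELETE' THEN OLD.account_id ELSE NEW.account_id END,
            CASE WHEN TG_OP <> 'INSERT' THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP <> 'DELETE' THEN to_jsonb(NEW) END);
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER trg_audit_customer_account
    AFTER INSERT OR UPDATE OR DELETE ON customer_account
    FOR EACH ROW EXECUTE FUNCTION audit_customer_account();

-- A direct administrator change bypasses the views but not the trigger:
UPDATE customer_account SET balance = balance + 1000 WHERE account_id = 1;
SELECT changed_by, operation,
       old_row->>'balance' AS old_balance,
       new_row->>'balance' AS new_balance
FROM customer_account_audit;

-- Review queries for the secondary risk (privilege changes): who can do what on
-- these objects (a NULL relacl, i.e. no rows, means owner-only access), and which
-- logins hold role-administration powers.
SELECT c.relname, COALESCE(r.rolname, 'PUBLIC') AS grantee, a.privilege_type
FROM pg_class c
CROSS JOIN LATERAL aclexplode(c.relacl) AS a
LEFT JOIN pg_roles r ON r.oid = a.grantee
WHERE c.relname IN ('customer_account', 'teller_account_v', 'loan_account_v')
ORDER BY 1, 2, 3;

SELECT rolname FROM pg_roles WHERE rolsuper OR rolcreaterole;
```

The trigger is only a partial answer to the administrator risk: a superuser can disable it or delete rows from the audit table. For the "close monitoring by management" the text describes, the audit table should be owned by a role the day-to-day DBA does not hold, and its contents (or the server log, for example via the pgaudit extension) should be shipped off the database host to a system the DBA cannot edit.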
An independent testing environment is particularly important for maintaining data integrity, but it also represents an information security risk in database environments when it holds copies of production data. The independent testing environment prevents the corruption of actual production data because users conduct tests on copies of data rather than on the actual database. Testing on a live production database can compromise data integrity or prevent users from accessing data when they need it. For example, a live test of an Internet banking database may slow processing speeds and ultimately prevent customers from accessing their account information if additional operational problems develop. Where testing environments use copies of actual production data, security controls over viewing and copying sensitive data should be as strong as in the production environment. Alternatively, management might consider scrambling (masking) production data for use in testing as a way to protect confidentiality. Once testing is complete, changes to databases should follow the financial institution’s change control procedures.
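
The scrambling alternative above is easy to get wrong (a masked column that is derived from the real value still leaks part of it). The following is an added example in PostgreSQL, not from the FFIEC handbook, showing one way to build such a copy: the schema and table names, the test_team role, and the two customer rows are constructed assumptions standing in for production data. Identifying columns are replaced with values generated from the key alone, the copy is put under the same kind of access control as production, and a final query checks that no identifying value survived before the copy is handed to the test team.

```sql
-- Added example (PostgreSQL), not from the FFIEC handbook. Names are assumptions;
-- the two customer rows are constructed sample data standing in for production.

CREATE TABLE customer_account (
    account_id    bigint PRIMARY KEY,
    customer_name text NOT NULL,
    ssn           char(11) NOT NULL,
    balance       numeric(14,2) NOT NULL,
    branch_id     integer NOT NULL
);
INSERT INTO customer_account VALUES
    (1, 'A. Example', '123-45-6789', 2500.00, 12),
    (2, 'B. Sample',  '987-65-4321',  940.10, 12);

-- Scrambled copy: keys and non-sensitive columns are kept so rows still join and
-- code paths behave the same; identifying columns are replaced with values that
-- cannot be reversed to the originals. Nothing here is computed from the real
-- SSN or name, so the masked columns leak no partial digits or initials.
CREATE SCHEMA test;
CREATE TABLE test.customer_account AS
SELECT account_id,
       'Customer ' || account_id                              AS customer_name,
       '000-00-' || lpad((account_id % 10000)::text, 4, '0')  AS ssn,  -- 000 area is never issued
       round((random() * 100000)::numeric, 2)                 AS balance,
       branch_id
FROM customer_account;
ALTER TABLE test.customer_account ADD PRIMARY KEY (account_id);

-- Access to the copy is controlled as in production: only the test group gets in.
CREATE ROLE test_team NOLOGIN;
REVOKE ALL ON SCHEMA test FROM PUBLIC;
GRANT USAGE ON SCHEMA test TO test_team;
GRANT SELECT, INSERT, UPDATE, DELETE ON test.customer_account TO test_team;

-- Gate before release: any row whose masked identifiers still equal the
-- production values means a column was missed. Anything other than 0 fails
-- the handover.
SELECT count(*) AS unmasked_rows
FROM test.customer_account t
JOIN customer_account p USING (account_id)
WHERE t.ssn = p.ssn OR t.customer_name = p.customer_name;
```

Because balances are randomized, tests that depend on realistic balance distributions will need generated values with the same range and skew as production; that is a test-quality trade-off, not a confidentiality one.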
Database administrators monitor the database and maintain general awareness of normal operations. Trained and aware administrators performing these activities can complement the information security function. Because databases can store sensitive information, they are often the targets of malicious activity by both internal and external sources. Administrators monitoring databases should be alert to changes in normal activity that may indicate error conditions or inappropriate activity. For example, malware on the database server may cause response times for user queries to increase significantly. An administrator who becomes aware of this or any other unusual condition should act appropriately to protect sensitive information, restore normal operations, and notify the information security officer.
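
"Alert to changes in normal activity" has to be turned into concrete checks. The following is an added example in PostgreSQL 10+ (the backend_type column), not from the FFIEC handbook, of three checks an administrator can run or schedule against the built-in pg_stat_activity view: queries running far longer than the application normally needs (the slow-response symptom in the text), sessions from logins or networks other than the known application account and administrators, and sessions holding transactions open while idle, which block other users. The thresholds, the role names ibank_app and dba_alice, and the 10.20.0.0/16 application subnet are assumptions.

```sql
-- Added example (PostgreSQL 10+), not from the FFIEC handbook. Thresholds,
-- role names and the application subnet are assumptions to adjust per site.

-- 1. Queries running far longer than the application normally needs.
SELECT pid, usename, client_addr, datname,
       now() - query_start AS running_for,
       left(query, 80)     AS query_head
FROM pg_stat_activity
WHERE state = 'active'
  AND backend_type = 'client backend'
  AND pid <> pg_backend_pid()                 -- exclude this monitoring session
  AND now() - query_start > interval '30 seconds'
ORDER BY running_for DESC;

-- 2. Sessions that are not the application account or a known administrator,
--    or that arrive from somewhere other than the application tier. A NULL
--    client_addr is a local socket login on the database host itself.
SELECT pid, usename, client_addr, application_name, backend_start
FROM pg_stat_activity
WHERE backend_type = 'client backend'
  AND pid <> pg_backend_pid()
  AND (usename NOT IN ('ibank_app', 'dba_alice')
       OR client_addr IS NULL
       OR NOT (client_addr <<= inet '10.20.0.0/16'))
ORDER BY backend_start;

-- 3. Sessions holding a transaction (and its locks) open while idle, which
--    prevents other users from accessing the rows involved.
SELECT pid, usename, client_addr,
       now() - state_change AS idle_in_txn_for
FROM pg_stat_activity
WHERE state = 'idle in transaction'
  AND now() - state_change > interval '5 minutes'
ORDER BY idle_in_txn_for DESC;
```

Any row returned by the second query is worth a ticket to the information security officer rather than a silent fix, since a login from an unexpected account or address is exactly the internal or external activity the text warns about.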
Connections to databases have important information security implications. Databases store critical information; the business processing is performed by application software, which queries, modifies, adds, and deletes information in the database. For an application to access a database, a user account and password must be established for it. In some cases, these credentials are hard-coded or built into the application and are transparent to the actual employee; where that is the case, they should be kept outside the application's source code with access restricted, because anyone who can read them can reach the database without going through the application's own controls. Security for individual employees is then enforced through each employee's access level and user ID/password for the application itself. The application's database account should permit only those functions the application requires, rather than being a broad administrator account.
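
The last sentence is the one most often ignored in practice. The following is an added example in PostgreSQL, not from the FFIEC handbook, contrasting the weak pattern (an application that connects as an administrator) with an account that permits only what the application does. The database name ibank, the role ibank_app, the three tables, and the chosen privileges are illustrative assumptions; the password string is a placeholder standing in for a value supplied at deployment from a secret store.

```sql
-- Added example (PostgreSQL), not from the FFIEC handbook. The database is
-- assumed to be named ibank; table names and privileges are illustrative.

CREATE TABLE customer_account (account_id bigint PRIMARY KEY, balance numeric(14,2) NOT NULL);
CREATE TABLE transaction_log (id bigserial PRIMARY KEY, account_id bigint, amount numeric(14,2));
CREATE TABLE customer_account_audit (audit_id bigserial PRIMARY KEY, detail jsonb);

-- WEAK: the application connects with an administrator account. A SQL injection
-- flaw or a leaked configuration file then yields control of every database on
-- the server, not just the columns the application needs.
--   CREATE ROLE ibank_app LOGIN SUPERUSER PASSWORD '...';

-- HARDENED: a login role with no administrative attributes and only the
-- statements the application actually issues.
CREATE ROLE ibank_app LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 50
    PASSWORD 'placeholder-set-at-deploy';  -- placeholder: real value comes from the secret store, never source code

REVOKE ALL ON DATABASE ibank FROM PUBLIC;
GRANT CONNECT ON DATABASE ibank TO ibank_app;

REVOKE ALL ON SCHEMA public FROM PUBLIC;   -- no implicit CREATE/USAGE for every login
GRANT USAGE ON SCHEMA public TO ibank_app;

GRANT SELECT, UPDATE ON customer_account TO ibank_app;
GRANT SELECT, INSERT ON transaction_log  TO ibank_app;
GRANT USAGE ON SEQUENCE transaction_log_id_seq TO ibank_app;
-- Nothing on the audit trail, no DELETE, no TRUNCATE, no DDL: a compromised
-- application cannot erase its own tracks or reshape the schema.

-- Session defaults for the account (defaults only; a session can still change
-- them, so treat these as a guardrail rather than a control).
ALTER ROLE ibank_app SET search_path = public;
ALTER ROLE ibank_app SET statement_timeout = '30s';

-- Verification, run as the granting DBA: administrative attributes must all be
-- false, and the object grants must match the application's actual needs.
SELECT rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM pg_roles WHERE rolname = 'ibank_app';

SELECT table_name, privilege_type
FROM information_schema.table_privileges
WHERE grantee = 'ibank_app'
ORDER BY 1, 2;
```

On the application side the password belongs in an environment variable or a secrets manager read at start-up, with the file or vault entry readable only by the service account the application runs as; the same credential must also be set in the application's deployment, which is why the SQL above carries only a placeholder.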