What the Accountant Must Know about the Security of Database Management Systems
Levine, Marc H., Siegel, Joel G., The National Public Accountant
As more and more commercial entities turn to the Internet and the number of online businesses increases, the need to protect the information, data, and assets of these security-sensitive entities becomes a major concern. Security concerns include alteration or loss of database information; user violations (obtaining unauthorized data, or obtaining another's password to gain illegal access to the database); database violations (theft, alteration, or copying of data); and violations by programmers and administrators (creating programs that do not have adequate controls, and/or making unauthorized changes to programs that make them susceptible to control breakdowns).
Establish a Control Plan for the Database Management System
To make sure that all employees are cognizant of the security procedures and policies to be followed in a database management system (DBMS), a control plan must be established. The control plan should be in writing (perhaps in the form of a manual), concise, and easy to understand and implement. It should not be longer than 10 pages and should discuss the rationale behind database security and the importance of confidentiality of company information. The control plan should be distributed throughout the company. All individuals who work with the system should be accountable for the standards of security that are enumerated in the plan. Although the standards need to be worded flexibly enough to be successfully adapted to different parts of the business, consistency must be maintained throughout the organization.
Important guidelines that should be considered in the design of an entity's DBMS control plan are indicated below:
* All the components of the entity should be included--none should be omitted from the control plan.
* All databases operating in each segment of the business, regardless of function, should be part of the control plan and protected by it.
* All applications supported within each database should be included in the plan.
* All applications operating in a database should include the name of the person responsible for the authorization of users.
* Enumeration of the different forms of backup that will be utilized should be included.
* Auditing considerations such as types of auditing that would be required as well as its frequency of occurrence, persons responsible for performing audit functions, etc., should be included.
* Each application should enumerate all the controls that should be in effect for that application.
* The structure and composition of all user names and passwords must be included.
A good DBMS security system should be able to discriminate between authorized and unauthorized users. Several methods, some already in use and others still being developed, ascertain whether the person presenting himself or herself for access to a system is in fact an authorized user. These include:
Identification Information--The system should be capable of ascertaining the individual's identification data by comparing it to information already stored. For example, a person's name may be accompanied by his or her company identification number, or personal identification code. The system may query the individual for more personal information (e.g., mother's maiden name, date of birth) in order to access information of a more sensitive nature. Other forms of identification might include the user's driver's license number or passport number. More recently, systems have been developed which can compare an individual's picture to an online database copy of his or her driver's license or passport photos.
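The following is an added example, not code from the article or its authors, showing how a DBMS front end can implement the two identification steps just described: a basic check of a company identification number, name and password against stored records, and a step-up check that additionally asks for a more personal fact (the mother's maiden name in the article's example) before releasing sensitive data. The employee record, the "E-1001" identifier, the password, the challenge answer and the audit log format are all constructed for illustration. The example goes beyond the text in one respect a practitioner would expect: the stored secrets are kept only as salted hashes and compared in constant time, so a copy of the user table does not reveal passwords, and every attempt is recorded for the audit function the control plan calls for.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed audit trail: (employee_id, action, succeeded). A real DBMS would
# write this to a protected audit table rather than a module-level list.
AUDIT_LOG = []

# Salt used only to equalise timing when an unknown id is presented (constructed).
DUMMY_SALT = b"\x00" * 16


def _hash_secret(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the raw secret is never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


@dataclass(frozen=True)
class StoredIdentity:
    """Identification data the DBMS already holds for one user (constructed)."""
    name: str
    employee_id: str        # company identification number
    salt: bytes
    password_hash: bytes
    challenge_hash: bytes   # hashed answer to the personal question (e.g. mother's maiden name)


def make_identity(name: str, employee_id: str, password: str, challenge_answer: str) -> StoredIdentity:
    """Build a stored record; the challenge answer is normalised so case/spacing do not matter."""
    salt = os.urandom(16)
    return StoredIdentity(
        name,
        employee_id,
        salt,
        _hash_secret(password, salt),
        _hash_secret(challenge_answer.strip().lower(), salt),
    )


# Constructed user directory keyed by company identification number.
DIRECTORY = {
    "E-1001": make_identity("A. Clerk", "E-1001", "correct horse battery", "Smith"),
}


def authenticate(employee_id: str, name: str, password: str) -> bool:
    """Basic identification: id number, name and password must all match the stored record."""
    record = DIRECTORY.get(employee_id)
    if record is None:
        # Do the same amount of work for an unknown id so response time does not
        # reveal which identification numbers exist.
        _hash_secret(password, DUMMY_SALT)
        AUDIT_LOG.append((employee_id, "login", False))
        return False
    presented = _hash_secret(password, record.salt)
    ok = record.name == name and hmac.compare_digest(presented, record.password_hash)
    AUDIT_LOG.append((employee_id, "login", ok))
    return ok


def authorize_sensitive(employee_id: str, name: str, password: str, challenge_answer: str) -> bool:
    """Step-up check: sensitive data additionally requires the personal challenge answer."""
    if not authenticate(employee_id, name, password):
        AUDIT_LOG.append((employee_id, "sensitive-access", False))
        return False
    record = DIRECTORY[employee_id]
    presented = _hash_secret(challenge_answer.strip().lower(), record.salt)
    ok = hmac.compare_digest(presented, record.challenge_hash)
    AUDIT_LOG.append((employee_id, "sensitive-access", ok))
    return ok


def failed_attempts(employee_id: str) -> int:
    """Count failed entries for one id; a reviewer can use this to spot guessing activity."""
    return sum(1 for eid, _, ok in AUDIT_LOG if eid == employee_id and not ok)


if __name__ == "__main__":
    print("basic login:", authenticate("E-1001", "A. Clerk", "correct horse battery"))
    print("sensitive access:", authorize_sensitive("E-1001", "A. Clerk", "correct horse battery", " smith "))
    print("wrong answer:", authorize_sensitive("E-1001", "A. Clerk", "correct horse battery", "Jones"))
    print("failed attempts for E-1001:", failed_attempts("E-1001"))
```

The two-tier design mirrors the article's point that ordinary access and access to "information of a more sensitive nature" should demand different amounts of identification; keeping both secrets hashed with a per-user salt means the stored comparison data is of little use to someone who copies the table, and the audit list gives the person responsible for auditing something concrete to review.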
Biometric Identification--Systems have or will soon have the capability of comparing a user's signature, voice print, palm print, fingerprint, iris print, facial thermograms, or other personal traits as a means of limiting access to the network database system. …