S 2.125 Installation and configuration of a database
Initiation responsibility: Head of IT, Information Security Management
Implementation responsibility: Administrator
As a matter of principle, a distinction needs to be made between the initial installation of database software and the installation in an existing database system.
When the database software is installed for the first time, no users have yet been configured for access to the database and the database contains no data (except for any data in other database systems). Installation is therefore usually not a problem and hardly disrupts normal IT operations.
In contrast, installations in existing systems should be performed outside regular working hours, if possible, in order to minimise disruption to normal IT operations. In any case, the users should be informed about all impending activities so that they can prepare themselves for potential disruptions and delays in operation.
Installation and configuration of a database comprises the following tasks:
1. Installation of the database software
Before the database software is installed, the IT system must be checked to see if it has been prepared according to the plans, e.g. if there is enough memory space available and if the operating system has been configured accordingly.
The database software must be installed according to the manufacturer's instructions. Whenever possible, the default settings recommended by the manufacturer should be accepted. This applies especially to the technical parameters, for example the parameters that control the size of the various internal tables of the DBMS. In the case of security-relevant parameters, it might be necessary to deviate from the default settings under some circumstances.
The installation of the database software must be documented appropriately. This includes, in particular, a detailed explanation of any parameters with settings differing from the default settings recommended by the manufacturer.
If optional features offered by the manufacturer are to be used, these should be configured appropriately during installation.
All tasks performed in this step are performed by the general database administrator.
2. Creating the database
When creating a database, parameters need to be specified that can no longer be changed once the database has been put into operation.
The meanings of these parameters and the appropriate selection of their values are explained in detail in the manufacturer's installation documents and manuals, which should be consulted for this purpose.
Furthermore, the installation and/or administration manual contains instructions for any necessary post-installation work required after creating the database.
This procedure must also be documented.
All tasks in this step are performed by the general database administrator in consultation with the application-specific administrators (to specify the size of the database, for example).
3. Configuring the database
In the third step, the user and group concepts, as well as the role concept (if used), are implemented. For this, the general database administrator configures the individual authorisation profiles and creates all the groups and administrative user IDs (for the application-specific administrators). During implementation, the provisions defined in S 2.132 Provisions for Configuring Database Users / User Groups should be checked and followed. If the corresponding access rights depend on individual database objects, these rights can only be defined once these database objects actually exist (see step 4).
If the database software supports the distribution of data among several files or hard disks, it is necessary to specify additional parameters defining the creation of these files and/or the related storage areas.
All settings performed must be documented in detail (refer to S 2.25 Documentation of the system configuration).
All tasks performed in this step are performed by the general database administrator.
4. Creating and configuring database objects
In the last step, the database objects of the individual applications are created in accordance with the database security concept (see S 2.126 Creation of a Database Security Concept). If possible, this procedure should be automated using scripts that generate logs automatically. After the database objects have been created, the access rights needed by the roles, groups, and users must be assigned. Specific users can now also be created based on the existing authorisation profiles.
All tasks performed in this step are performed by the application-specific administrators.
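The automated, logged creation of database objects recommended in step 4, shown as an added example that is not part of the original safeguard text. SQLite stands in for the DBMS, and the table names, the operator name and the log record format are assumptions; SQLite has no GRANT statement, so the assignment of access rights is not shown.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample DDL for a hypothetical application schema.
STATEMENTS = [
    "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)",
    "CREATE TABLE invoice (id INTEGER PRIMARY KEY, "
    "customer_id INTEGER NOT NULL REFERENCES customer(id))",
    "CREATE INDEX idx_invoice_customer ON invoice (customer_id)",
]

def apply_statements(conn, statements, operator):
    """Run all DDL in one transaction; return (success, log records)."""
    records = []
    conn.isolation_level = None  # control the transaction explicitly
    conn.execute("BEGIN")
    for seq, sql in enumerate(statements, start=1):
        record = {
            "seq": seq,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            # The hash lets a reviewer match the log to the approved script.
            "sha256": hashlib.sha256(sql.encode("utf-8")).hexdigest(),
            "statement": sql,
            "status": "ok",
        }
        records.append(record)
        try:
            conn.execute(sql)
        except sqlite3.Error as exc:
            # Log the failure, then undo everything so no half-built schema remains.
            record["status"] = "failed"
            record["error"] = str(exc)
            conn.execute("ROLLBACK")
            return False, records
    conn.execute("COMMIT")
    return True, records

def object_names(conn):
    """List the user-created objects, for comparison with the security concept."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%' ORDER BY name")
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    ok, log = apply_statements(db, STATEMENTS, operator="app_admin")
    for entry in log:
        print(json.dumps(entry))  # one JSON line per statement, ready to archive
```

Archiving the emitted records together with the script gives the logged evidence that the last review question asks for.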
Review questions:
- Are the installation of the database software and the creation of the database documented appropriately?
- Are the manufacturer's documents taken into consideration when installing the database software and creating the database?
- Are all settings performed during database configuration documented in detail?
- Is the authorisation concept taken into consideration during database configuration?
- Are the creation and configuration of the database objects, including the access authorisations, logged and/or documented?