S 4.69 Regular checks of database security
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The database administrator should perform a security check on the database system (DBS) at regular intervals, but at least once per month. This interval should be stated in the operating concept. Depending on the results of the security check, the corresponding safeguards should be implemented to eliminate any deviations from the specifications stated in the operating concept. These safeguards and the responsibilities for their implementation should also be specified in the operating concept.
The following aspects should at least be examined when performing the security check. The aspects marked with an asterisk (*) can usually be automated using corresponding scripts:
- Are the records required by the operating concept (the documentation of changes, for example) being created properly?
- Are the necessary and planned backup and security mechanisms enabled, and if so, are they effective?
- Are there any database users without a password or with passwords that are easy to guess? (*)
- Are there any database users who no longer require the full scope of rights assigned to them in order to perform their tasks?
- Who besides the database administrator has access to the files of the database software or to the files of the database at the operating system level? (*)
- Who besides the database administrator has access to the system tables of the database?
- Who is allowed to access the database using an interactive SQL editor?
- Which user IDs have access rights authorising them to change the database objects of the applications? (*)
- Which user IDs have access rights authorising them to read and/or change the data of the applications? (*)
- Which users have the same rights as the database administrator? (*)
- Does the database system have enough free resources? (*)
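The following is an added example, not part of the catalogue, of how some of the starred aspects can be scripted: two catalog queries written for PostgreSQL (an assumption, since the catalogue names no particular DBMS) and a check that compares their results with the sets of permitted users from the operating concept. The role names, table names, permitted sets and sample rows are constructed for illustration.

```python
from dataclasses import dataclass

# Catalog queries the administrator would run (assumption: PostgreSQL; reading
# pg_authid needs superuser rights). Only starred aspects are automated here.
SQL_ROLES = r"""SELECT rolname, rolsuper, rolcanlogin, rolpassword IS NULL AS no_password
FROM pg_authid WHERE rolname NOT LIKE 'pg\_%';"""
SQL_GRANTS = r"""SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants WHERE table_schema = 'app';"""

@dataclass
class Role:            # one row of SQL_ROLES
    name: str
    superuser: bool
    can_login: bool
    no_password: bool

@dataclass
class Grant:           # one row of SQL_GRANTS
    grantee: str
    table: str
    privilege: str     # value of information_schema privilege_type

# Specification taken from the operating concept (constructed values).
ALLOWED_SUPERUSERS = {"dba_admin"}             # may hold the same rights as the DBA
ALLOWED_WRITERS = {"dba_admin", "app_owner"}   # may change application data
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}

def check_roles(roles, allowed=ALLOWED_SUPERUSERS):
    """Deviations for: login users without a password, users with DBA rights."""
    out = []
    for r in roles:
        if r.can_login and r.no_password:
            out.append((r.name, "login role without password"))
        if r.superuser and r.name not in allowed:
            out.append((r.name, "superuser not listed in operating concept"))
    return out

def check_grants(grants, allowed=ALLOWED_WRITERS):
    """Deviations for: user IDs authorised to change application data."""
    return [(g.grantee, f"{g.privilege} on {g.table} not in operating concept")
            for g in grants if g.privilege in WRITE_PRIVS and g.grantee not in allowed]

# Constructed sample rows, shaped like the results of the two queries above.
SAMPLE_ROLES = [Role("dba_admin", True, True, False), Role("app_owner", False, True, False),
                Role("report_ro", False, True, True), Role("legacy_batch", True, True, False)]
SAMPLE_GRANTS = [Grant("report_ro", "orders", "SELECT"), Grant("report_ro", "orders", "UPDATE"),
                 Grant("app_owner", "orders", "UPDATE")]

if __name__ == "__main__":
    for who, finding in check_roles(SAMPLE_ROLES) + check_grants(SAMPLE_GRANTS):
        print(f"DEVIATION {who}: {finding}")
```

Each reported deviation maps back to a checklist item above; the safeguard to apply and who applies it are, as the text says, taken from the operating concept rather than decided by the script.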
Review questions:
- Is a security check on the database system carried out at regular intervals?
- Are the safeguards necessary to eliminate any deviations implemented based on the results of the security check on the database system?
- Is the execution of the security check specified in the operating concept for the database system?