Audit Memo

Audit Planning Memorandum for Database Environment Date 02/04/2013 To Audit Senior Management School Board Temple University Prepared By Shan Jiang - backcloth Types of RDBMS MySQL 5. 0 an open-source informationbase used extensively in small or medium-sized web applications. One of the simplest databases to secure from hacking because of the small attack surface it exposes Number of DB servers 3 Business units rely on the DBs Sales and Distribution, Financial Services, Procurement, and Accounts Receivable.Organizational structure of the group who manages the DBs Data Owner, system administrator, and database administrator. 1. 0 Internal Audit Objective and backcloth 2. 1 Internal Audit Objective The objective of this review is to visit confidentiality, integrity, and handiness of XYZ Companys MySQL 5. 0 database environment. 2. 2 Internal Audit reach and Approach The scope of this review includes an assessment of MySQL 5. 0 database environment. Specifically, this review all ow include * Physical and administrative control Concurrent memory access controls * Change controls * emcee configuration control * Database checkpoints * Schema Modifications * Redundancy elimination and relationship verification * Database restructuring * Data backup and disaster recovery plan 2. 3 Deliverables Audit deliverables will consist of the following * Fieldwork documentation * Finding Issues * Audit draft report * Action plan and recommendation * Audit final report It is planned that the supra deliverables will be delivered to you by 02/07/2013 for your review and subsequent discussion. . 0 High-Level Work Program Policy and standards, data backup and procedures, levels of access controls for data, data encryption, confidentiality, integrity, availability of data elements, database checkpoints at junctures, database reorganization, database restructuring procedures and write report. 3. 0 General Information 4. 4 Internal Audit Team The inwrought audit team, with role s and responsibilities, includes the following people * Lua Li associate, audit database basic step and general controls. *Jia Meng associate, audit database operating system security * Shan Jiang associate, audit database accounts and permissions management * Zhou Zhou senior associate, audit rallying cry strength and review database privileges * Chao Lang senior associate, audit data encryption * Jia Yu manager, verify database auditing and activity monitoring. 4. 5 Duration of Internal Audit The duration of this internal audit will be for one month commencing on 02/11/2013. 02/11/2013-02/15/2013 Planning 02/16/2013-02/20/2013 Fieldwork and documentation 2/21/2013-02/25/2013 Issue discovery and validation 02/26/2013-04/01/2013 Solution development 04/02/3013-04/07/2013 Report drafting and issuance 04/08/2013-04/11/2013 Final report and issue tracking It is evaluate that the fieldwork, working papers and drafting of deliverables will be completed by Internal Audit Team. 4. 6 Loca tion of Internal Audit The location of the internal audit will be performed at XYZ Company. It is predicted that a site visit to XYZ Company will be conducted during the course of this review. 4. 7 Temple University preliminary Audits Previous Audit Version March 3, 2012Previous Critical Findings Developers have direct access to update production code without permission. Impact It is fixed. The DBMS team implemented a baseline tool for protecting the production code. The ability to check new code into this tool will be limited to the DBA. The team also enter procedures requiring approval and testing prior to submitting new production code for check-in. 4. 8 Key Contacts Contact Position Department E-mail Contact No. Jim park Database Administrator IT emailprotected com 435-234-8899 Lucas Xiao System Administrator IT emailprotected om 123-324-3211 David Han Database Developer IT emailprotected com 876-123-1234 Ryan Li System Analyst IT emailprotected com 542-345-0989 Billy Zhou M anager IT emailprotected com 324-123-4321 4. 0 High-Level Work Schedule Date parturiency Contact 02/11/2013-02/15/2013 Verify policies and procedures about database version and available patches David Han 02/16/2013-02/20/2013 Determine baseline for adequate security setting and permissions on the directory and registry keys. Ryan Li 02/21/2013-02/25/2013 Verify legitimate accounts creation and password management capabilities. Jim Green 02/26/2013-02/28/2013 Confidentiality, integrity, availability and encryption of data Lucas Xiao 03/01/2013-03/03/2013 Database checkpoints at junctures Ryan Li 03/04/2013-03/05/2013 Database reorganization Lucas Xiao 03/06/2013-03/08/2013 Database restructuring procedures Jim Green 03/09/2013-03/11/2013 Ready to report Billy Zhou 5. 0 Key concerns of management. Operating system administrators gains easy access to MySQL Server. SQL Server DBAs has local administrator privileges on Windows. Data breaches that compromise IP or personal privacy. 6. 0 Manager Sign-off Billy Zhou 02/07/2013