Database Management Systems
Database management systems (DBMS) are software programs that
control which users may read or modify the data in a database. They
also enforce referential integrity (by managing the cross-references
between primary and foreign key relationships), support data import
and export functions, and provide backup and recovery.
Database management systems may also provide access to data
dictionaries. Data dictionaries are documentation tools that store
descriptions of the structure and format of data and data tables.
Advanced data dictionaries may store source code copies of field,
record, and code descriptions for use during software design and
Primary issues to consider when reviewing the design and
configuration of database management systems include access
controls and auditing features. Management should restrict direct
(privileged) access to a database (as opposed to accessing
information through an application) to authorized personnel.
Most DBMS have a journaling feature that records data changes in the
order they are made. The journal provides an audit trail of data
changes and lets the database be returned to a consistent state if
errors occur. If available, organizations should employ automated
auditing features: journaling to show what, if any, data was changed
and by whom, and access logging to show who accessed or attempted to
access the database.
Many DBMS can restrict and validate what a user may do at the record
(row) level and log each user's activity. Such fine-grained controls
limit each user to the rows they are authorized to see or change, and
examiners should consider the level at which access is validated when
assessing the adequacy of DBMS controls. Strong DBMS controls include
data-change logs, input validity checks, locking (so that concurrent
users cannot make conflicting changes to the same data), rollback
(the ability to undo an incomplete or failed transaction and return
the database to its last consistent state, or to restore a prior copy
if the database becomes corrupted), and encryption of passwords and
data files.
System developers should consider incorporating these types of
security features when designing databases. If strong controls or
auditing features are unavailable, management should implement
compensating controls such as segregation-of-duty or dual