Database Management Systems
Database management systems (DBMS) are software programs that control a database user's access and modification rights. The systems also facilitate referential integrity (by managing cross references between primary and foreign key relationships), support data import and export functions, and provide backup and recovery services.
Database management systems may also provide access to data dictionaries. Data dictionaries are documentation tools that store descriptions of the structure and format of data and data tables. Advanced data dictionaries may store source code copies of field, record, and code descriptions for use during software design and development activities.
Primary issues to consider when reviewing the design and configuration of database management systems include access controls and auditing features. Management should restrict direct (privileged) access to a database (as opposed to accessing information through an application) to authorized personnel.
Most DBMS have a journaling feature that allows organizations to track data changes. Journaling provides audit trails of data changes and facilitates the safe recovery of data if errors occur. If available, organizations should employ automated auditing tools, such as journaling, that identify who accessed or attempted to access a database and what, if any, data was changed.
Many DBMS can validate users at record and row levels and log their activities. The detailed validation levels provide strong security controls. Examiners should consider validation levels when assessing the adequacy of DBMS controls. Strong DBMS controls include data-change logs, input validity checks, locking and rollback mechanisms (ability to recover a previous database if the database becomes corrupted), password and data file encryption. System developers should consider incorporating these types of security features when designing databases. If strong controls or auditing features are unavailable, management should implement compensating controls such as segregation-of-duty or dual controls.