Databases are centralized collections of data for use by business applications. They typically store critical and sensitive information including customer account data. Databases can exist on mainframes, networks, and stand alone PCs. Because they can be repositories of the financial institution's most critical information, databases pose unique risks. Failure to adequately manage and secure databases can lead to unintentional or unauthorized modification, destruction, or disclosure of sensitive information. Unauthorized disclosure of confidential information can result in reputation, legal, and operational risk to the institution and possible financial loss.
The sensitivity and classification of the information stored in the database form the basis for establishing controls. A database that stores confidential information may require a more significant control environment than a database that stores non-sensitive information. Management should consider the security and performance implications of the security options available with modern database management systems. It is possible to control, monitor, and log access to data down to the record and row level, but there is a systems performance cost.
Database administrators use a database management system (DBMS) to configure and operate databases. Because DBMS software provides high level, privileged database access, management should restrict use of this software to authorized personnel. One function of the database administrator is to create particular views of information stored in the database that are unique for each type of user. For example, a loan processor will have a different view of information in the database than a branch teller. The different user groups will also have different abilities to add, modify, or delete information. The database administrator is responsible for providing users with access to the appropriate level of information. The primary risk associated with database administration is that an administrator can alter sensitive data without those modifications being detected. A secondary risk is that an administrator can change access rights to information stored within the database as well as their own access rights. As a preventive control against these risks, the institution should restrict and review access administration and data altering by the administrator. Close monitoring of database administrator activities by management is both a preventive and detective control.
An independent testing environment is particularly important for maintaining data integrity, but represents an information security risk in database environments. The independent testing environment prevents the corruption of actual production data because the users conduct the tests on copies of data rather than the actual database. Testing on a live production database can lead to a compromise of data integrity or prevent users from accessing data when they need it. For example, a live test of an Internet banking database may slow processing speeds and ultimately prevent customers from accessing their account information if additional operational problems develop. Where testing environments utilize copies of actual production data, security controls over access to the viewing and copying of sensitive data should be as strong as in the production environment. Alternatively, management might consider scrambling of production data for use in testing as a way to protect confidentiality. Changes to databases should follow the financial institution's change control procedures once testing is complete.
Database administrators monitor the database and maintain general awareness of normal operations. Trained and aware administrators performing these activities can complement the information security function. Because databases can store sensitive information, they are often the targets of malicious activity by both internal and external sources. Administrators monitoring databases should be alert to changes in normal activities that may indicate inappropriate error conditions or activity. For example, a virus may infect a database and cause the response times for user queries to increase significantly. An administrator who becomes aware of this or other unusual conditions should act appropriately to protect sensitive information, restore normal operations, and notify the information security officer.
Connections to databases have important information security implications. Databases store critical information but perform no processing. Application software processes information through information queries, modifications, additions, and deletions. In order for an application to access a database a user account and password should be established. In some cases, these are hard-coded or built into the application and transparent to the actual employee. Security is established through the employee's access level and user ID/password to gain access to the application. This user account should only permit those functions required by the application instead of a broad administrator user account.