User Rights Auditing

User Rights Auditing Information

One of the greatest challenges in ensuring that a database achieves its security objectives is the complexity of managing the many classes of users, roles and privileges associated with the database itself and the myriad applications it may support. This is further complicated by the need to enforce segregation of duties comprehensively, and to demonstrate that enforcement for compliance with relevant laws and regulations.

Key activities include:

  • Leveraging an open-source or commercial database vulnerability assessment tool to identify which users have access to each system, which data and functionality they can reach, the level of access that has been granted, and whether that level is appropriate to the user's business function or need to know;
  • Resolving directly and indirectly granted access rights, including nested group and role memberships, so that each user's effective privileges are known rather than only the grants made to that user by name;
  • Where applicable, mapping the output against organization-provided expectations and identifying deviations between actual and expected user entitlements; and,
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report also includes root cause analysis, peer-group benchmarking, good practice benchmarking, and executive and technical summaries.
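The second and third activities above, resolving indirect grants and comparing effective entitlements against an expected baseline, are the part of a user rights audit that tooling has to get right. The script below is an added example and is not code from the original page or from any assessment product: it expands nested role membership into effective privileges, records which role each privilege arrives through, and flags both deviations from an organization-provided baseline and separation-of-duties conflicts. The role graph, the grants, the baseline and the single SoD rule are constructed sample data, not taken from any real system.

```python
"""Added example: effective-privilege resolution and entitlement review.

Everything below (roles, grants, baseline, rule) is constructed sample data."""
from collections import deque

# Constructed: role -> direct members (users or other roles). Membership is
# transitive: alice -> finance_clerk -> app_user.
ROLE_MEMBERS = {
    "app_user":          {"finance_clerk", "payments_approver", "dba_ro"},
    "finance_clerk":     {"alice", "bob"},
    "payments_approver": {"carol", "bob"},   # bob holds both clerk and approver
    "dba_ro":            {"dave"},
    "dba":               {"dave"},
}

# Constructed: privileges granted directly to a principal (user or role),
# as (privilege, object) pairs. ALL/wildcards are not expanded here.
DIRECT_PRIVS = {
    "app_user":          {("SELECT", "app.customers")},
    "finance_clerk":     {("INSERT", "app.payments")},
    "payments_approver": {("UPDATE", "app.payments")},
    "dba_ro":            {("SELECT", "app.payments")},
    "dba":               {("ALL", "app.*")},
    "alice":             {("DELETE", "app.payments")},   # stray direct grant
}

# Constructed: organization-provided expectation of what each user may hold.
EXPECTED = {
    "alice": {("SELECT", "app.customers"), ("INSERT", "app.payments")},
    "bob":   {("SELECT", "app.customers"), ("INSERT", "app.payments")},
    "carol": {("SELECT", "app.customers"), ("UPDATE", "app.payments")},
    "dave":  {("SELECT", "app.customers"), ("SELECT", "app.payments")},
}

# Constructed SoD rule: creating a payment and approving it must not meet.
SOD_RULES = [
    ({("INSERT", "app.payments")}, {("UPDATE", "app.payments")}),
]


def build_parent_map(members):
    """Invert role -> members into principal -> roles it is directly in."""
    parents = {}
    for role, mems in members.items():
        for m in mems:
            parents.setdefault(m, set()).add(role)
    return parents


def effective_roles(principal, members):
    """Every role reachable through nested membership (BFS, cycle-safe)."""
    parents = build_parent_map(members)
    seen, queue = set(), deque([principal])
    while queue:
        for role in parents.get(queue.popleft(), ()):
            if role not in seen:
                seen.add(role)
                queue.append(role)
    return seen


def effective_privileges(principal, members, direct):
    """Map each effective privilege to the sources it arrives through.

    A source is 'direct' for a by-name grant, otherwise the granting role."""
    privs = {}
    for p in direct.get(principal, ()):
        privs.setdefault(p, set()).add("direct")
    for role in effective_roles(principal, members):
        for p in direct.get(role, ()):
            privs.setdefault(p, set()).add(role)
    return privs


def sod_conflicts(privs, rules):
    """(left_hits, right_hits) for each rule where both sides are held."""
    held = set(privs)
    return [(held & left, held & right) for left, right in rules
            if held & left and held & right]


def deviations(principal, privs, expected):
    """Effective privileges that the baseline does not allow for this user."""
    return set(privs) - expected.get(principal, set())


def list_users(members, direct):
    """Principals that never act as a role, i.e. have no members of their own."""
    everyone = set(direct) | {m for mems in members.values() for m in mems}
    return sorted(everyone - set(members))


def audit(members, direct, expected, rules):
    """Per-user report: roles, effective privileges, deviations, SoD hits."""
    report = {}
    for user in list_users(members, direct):
        privs = effective_privileges(user, members, direct)
        report[user] = {
            "roles": effective_roles(user, members),
            "privileges": privs,
            "deviations": deviations(user, privs, expected),
            "sod_conflicts": sod_conflicts(privs, rules),
        }
    return report


if __name__ == "__main__":
    for user, r in audit(ROLE_MEMBERS, DIRECT_PRIVS, EXPECTED, SOD_RULES).items():
        print(f"{user}: roles={sorted(r['roles'])}")
        for priv, via in sorted(r["privileges"].items(), key=lambda kv: kv[0]):
            flag = "  DEVIATION" if priv in r["deviations"] else ""
            print(f"  {priv[0]} on {priv[1]} via {', '.join(sorted(via))}{flag}")
        for left, right in r["sod_conflicts"]:
            print(f"  SOD CONFLICT: {sorted(left)} with {sorted(right)}")
```

The instructive case is bob: neither of his memberships is wrong on its own, and the create/approve conflict appears only once both role chains are resolved. alice's DELETE is the opposite failure, a by-name grant that a review of role membership alone would never see. In practice the constructed dictionaries would be populated from the engine's catalog (for example pg_auth_members and information_schema grants on PostgreSQL, or sys.database_role_members on SQL Server), and ALL or wildcard grants must be expanded into concrete privileges before comparison; the example deliberately leaves them unexpanded, which is why dave's ALL surfaces as a baseline deviation rather than as a list of concrete rights.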

The predominant benefits realized by a User Rights Audit are:

  • Quickly identifies configuration errors in user access rights that may grant inappropriate levels of access to sensitive data;
  • Demonstrates compliance with laws and regulations that impose stringent separation of duties control requirements;
  • Can be run on an automated, regular basis to provide baseline and ongoing vulnerability management metrics; and,
  • Can be used to focus other database assessment activities on the areas of greatest concern.

User Rights Auditing: Best Used

  • As a means to determine if Separation of Duties objectives are being achieved in complex databases; and,
  • As part of an ongoing vulnerability/configuration management program, especially in support of demonstration of ongoing compliance with relevant standards/regulations.