Virtual CISO Services ISO 27001
Database Architecture Review Information
A review and analysis of relevant database artifacts (e.g., requirements, database security requirements, application security requirements for applications leveraging the database) to identify how the database architecture, technologies enabled, and configuration, protects critical assets, sensitive data stores and business critical interconnections in accordance with the organizations business and security objectives. Key activities include:
- Leveraging available documentation (where available) to understand potential attack vectors to focus the audit activities on the most critical elements;
- Consult with members of the database development team and management to understand;
- the business goals, and control objectives (security requirements) as they relate to data confidentiality, integrity, availability, and provability;
- ingress, egress, and intra database data flows (and corresponding security treatment);
- database architecture and key database components;
- core technologies integral to the database and/or those that the database is reliant upon to achieve its security objectives; and,
- core operational processes integral to the database and/or those that the database is reliant upon to achieve its security objectives.
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include; root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by a Security Code Review are:
- Provides a high level of design assurance by looking at the database in a comprehensive and holistic manner;
- Findings can be used to identify other necessary assurance activities and to optimally focus downstream assessment/testing activities on relevant issues/targets for large scale enterprise level databases;
- Allows an entity to address security deficiencies in the design phase and address said deficiencies at the lowest possible cost.
Database Architecture Review: Best Used
Database Security Architecture Reviews are best used:
- During the early design phases of the development life cycle to ensure that security is “baked in” to the database. This approach reduces the likelihood that security will need to be “bolted on” to the database pre-deployment at greater expense and less efficacy.
- Post design and pre-deployment to validate that the deployment is consistent with the design and to focus the certification and accreditation activities on those areas that will provide the greatest return/level of assurance.