Virtual CISO Services ISO 27001
Database Operational Assessment Information
Only by a thorough review of the critical processes governing the operation of a database can we have assurance that the confidentiality of the data it processes is protected, the integrity of the data it maintains is enforced, and the availability of the data it transits is ensured. Operational Audits are the most effective mechanism to provide this assurance.
Key activities include:
- Leveraging available information (Threat Assessments, Application System Security Plans, Database Vulnerability Assessment) to understand which operational activities are critical to the security of the database;
- Conducting a design and/or compliance review of those operational activities (e.g., external interfaces, recovery operations, application interfaces, underlying OS dependencies, tables/views, system audit) that are deemed essential to the ongoing achievement of critical security objectives; and,
- Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
The predominant benefits realized by an Operational Audit are:
- Provides assurance that those operational activities that the database’s security is dependent upon are in place and operating as intended; and,
- Provides a measure of assurance that the control environment can perpetuate the current security posture over an extended period of time.
Database Operational Assessment: Best Used
- As part of a compliance management program as a means to demonstrate compliance with relevant laws and regulations over an extended period of time; and,
- As part of a broader “certification and accreditation” exercise to provide a higher level of assurance for critical databases.