Wednesday, March 13, 2019
Audit Memo
Audit Planning Memorandum for Database Environment

Date: 02/04/2013
To: Audit Senior Management School Board, Temple University
Prepared By: Shan Jiang

Background

* Types of RDBMS: MySQL 5.0, an open-source database used extensively in small or medium-sized web applications. One of the simplest databases to secure from hacking because of the small attack surface it exposes.
* Number of DB servers: 3
* Business units relying on the DBs: Sales and Distribution, Financial Services, Procurement, and Accounts Receivable.
* Organizational structure of the group who manages the DBs: Data Owner, system administrator, and database administrator.

1.0 Internal Audit Objective and Scope

2.1 Internal Audit Objective

The objective of this review is to study the confidentiality, integrity, and availability of XYZ Company's MySQL 5.0 database environment.

2.2 Internal Audit Scope and Approach

The scope of this review includes an assessment of the MySQL 5.0 database environment. Specifically, this review will include:

* Physical and administrative control
* Concurrent access controls
* Change controls
* Server physical body control
* Database checkpoints
* Schema modifications
* Redundancy elimination and relationship verification
* Database restructuring
* Data backup and disaster recovery plan

2.3 Deliverables

Audit deliverables will consist of the following:

* Fieldwork documentation
* Finding write-ups
* Audit draft report
* Action plan and recommendation
* Audit final report

It is intended that the above deliverables will be delivered to you by 02/07/2013 for your review and subsequent discussion.

.0 High-Level Work Program

Policy and standards, data backup and procedures, levels of access controls for data, data encryption, confidentiality, integrity, availability of data elements, database checkpoints at junctures, database reorganization, database restructuring procedures and write report.

3.0 General Information

4.4 Internal Audit Team

The internal audit team, with roles and responsibilities, includes the following people:

* Lua Li: associate, audit database basic step and widely distributed controls.
* Jia Meng: associate, audit database operating system security
* Shan Jiang: associate, audit database accounts and permissions management
* cabbage Zhou: senior associate, audit password strength and review database privileges
* Chao Lang: senior associate, audit data encryption
* Jia Yu: manager, verify database auditing and activity monitoring.

4.5 Duration of Internal Audit

The duration of this internal audit will be for one month commencing on 02/11/2013.

| Date | Phase |
|---|---|
| 02/11/2013-02/15/2013 | Planning |
| 02/16/2013-02/20/2013 | Fieldwork and documentation |
| 02/21/2013-02/25/2013 | Issue discovery and validation |
| 02/26/2013-04/01/2013 | Solution development |
| 04/02/2013-04/07/2013 | Report drafting and issuance |
| 04/08/2013-04/11/2013 | Final report and issue tracking |

It is estimated that the fieldwork, working papers and drafting of deliverables will be completed by the Internal Audit Team.

4.6 Location of Internal Audit

The muddle of the internal audit will be performed at XYZ Company. It is predicted that a site visit to XYZ Company will be conducted during the course of this review.

4.7 Temple University Previous Audits

* Previous Audit Version: March 3, 2012
* Previous Critical Findings: Developers have direct access to update production code without permission.
* Impact: It is fixed. The DBMS team implemented a baseline tool for protecting the production code. The ability to check new code into this tool will be limited to the DBA. The team also documented procedures requiring approval and testing prior to submitting new production code for check-in.

4.8 Key Contacts

| Contact | Title | Department | E-mail | Contact No. |
|---|---|---|---|---|
| Jim Green | Database Administrator | IT | [email protected] | 435-234-8899 |
| Lucas Xiao | Schema Administrator | IT | [email protected] | 123-324-3211 |
| David Han | Database Developer | IT | [email protected] | 876-123-1234 |
| Ryan Li | System Analyst | IT | [email protected] | 542-345-0989 |
| Billy Zhou | double-decker | IT | [email protected] | 324-123-4321 |

4.0 High-Level Work Schedule

| Date | Task | Contact |
|---|---|---|
| 02/11/2013-02/15/2013 | Verify policies and procedures about database version and available patches | David Han |
| 02/16/2013-02/20/2013 | Determine baseline for adequate security setting and permissions on the directory and registry keys. | Ryan Li |
| 02/21/2013-02/25/2013 | Verify legitimate accounts construct and password management capabilities. | Jim Green |
| 02/26/2013-02/28/2013 | Confidentiality, integrity, availability and encryption of data | Lucas Xiao |
| 03/01/2013-03/03/2013 | Database checkpoints at junctures | Ryan Li |
| 03/04/2013-03/05/2013 | Database reorganization | Lucas Xiao |
| 03/06/2013-03/08/2013 | Database restructuring procedures | Jim Green |
| 03/09/2013-03/11/2013 | Prepare report | Billy Zhou |

5.0 Key concerns of management

* Operating system administrators gain easy access to MySQL Server.
* SQL Server DBAs have local administrator privileges on Windows.
* Data breaches that compromise IP or personal privacy.

6.0 Manager Sign-off

Billy Zhou 02/07/2013