COBIT (4.1 and earlier) - Use it Effectively

ISACA > Knowledge Center > Professional-English > COBIT (4.1 and earlier) - Use it Effectively > ViewDiscussion.aspx

Find Resources and Connect with members on topics that interest you.

Featured Topics
Browse Over 100 Topics
Search Topics
My Topics

Young Professionals

Risk Management

Big Data

Audit Tools and Techniques

Privacy/Data Protection

CyberSecurity

Suggest a New Topic

Sort by Category
Sort Alphabetically
COBIT 4.1 Controls Collaboration

Applications

Audit

Business Processes

Career Management

Cloud Computing/Virtualization

COBIT

Controls and Monitoring

Country

India

Databases

Fraud and Computer Crime

Governance and Management

Industry

Information Security

IT Service Management

Mobile/Wireless

Operating Systems

Privacy/Data Protection

Privacy/Data Protection

Regulations

Risk

Standards

Access Control

Application Controls

Application Security

Audit Guidelines

Audit Standards

Audit Tools and Techniques

Basel

Big Data

Business Analytics/Intelligence

Business Continuity-Disaster Recovery Planning

Business Process Management

Career Management

Casinos and Gambling

Change Management

Cloud Computing

COBIT (4.1 and earlier) - Use it Effectively

COBIT (4.1 and earlier) Implementation

COBIT 5 - Implementation

COBIT 5 - Use It Effectively

Compliance

Computer Crime

Continuous Monitoring/Auditing

Controls Monitoring

CyberSecurity

Enterprise Architecture

Enterprise Data Management

Financial Reporting Compliance

Forensics

Frameworks

Fraud

Governance of Enterprise IT

Green IT

Healthcare

HIPAA

HP Non-Stop (Tandem)

Identity Management

IFRS

Incident Management

India

Information Security Management

Information Security Policies/Procedures

Intrusion Prevention/Detection

ISAE 3402

ISO/IEC 20000

ISO/IEC 27000 Series

ISO/IEC 38500

ITIL

J-SOX

Mobile Computing

Network Security

Oracle

Oracle Database

Oracle E-Business Suite

OS/400

PCI DSS

PeopleSoft

Performance Measurement

Physical Security

Privacy/Data Protection

Project/Program/Portfolio Management (P3M)

Quality Standards

Risk Assessment

Risk Management

SAP

Sarbanes-Oxley (SOX)

Security Tools

Security Trends

Service Management

SharePoint

Solvency II

SQL Server

Strategic Planning/Alignment

Students

Unix-like

Value Delivery

Virtualization

Windows

Wireless

XBRL

Young Professionals

z/OS-OS/390

AI - Acquire and Implement

PO - Plan and Organize

DS - Deliver and Support

ME - Monitor and Evaluate

Application Controls

Process Controls

Search

Please sign in to see your topics.

Subscribe to this discussion

Data change control

Is it a normalpractice for a company to perform direct data changes (this means changes made todata files outside of normal processes and procedures, using tools as SQL)?

This seems to beout of the scope of CobiT Process AI6 Manage Changes.

How does CobiT deal withwith this?

Posted by Gustavo Solis on March 4, 2011 02:38PM

You must sign in to rate content.

(Unrated)

Comments

RE: Data change control

Hi,

It is definitely not normal to make changes to data files outside of change management processes and procedures, but it is quite possible and normal to make changes to data using SQL without using the application interface.

In the consideration of Cobit, you should make sure that such changes are placed under the control of your change management process. It means that the change must be analyzed, authorized, tested before being implemented and that there is a rollback plan. In this particular case, testing and rollback planning are extremely important as the change is not done through the application interface and thus will have a much higher risk. Also, only authorized people should have the technical access right required to make such change.

---
IT governance by examples at http://agileskills2.org/ITGBE/

Kent Tong at 3/10/2011 7:37:51 AM

You must sign in to rate content.

(1 ratings)

RE: Data change control

It wouldn't be advisable (in fact, would be very dangerous) for any company to alter production data outside of defined processes.

A small addition to above response is that a log of changes made (including who made them) should be automatically created and saved in a secure environment. A common ID should not be used to make these changes. Any change made must be made with authorised documented approval, with the approval being stored in a secure environment.

PO2.4 Integrity Management touches upon defining processes to ensure integrity of data in databases.

Regards.

Vikram K Malkani at 9/2/2011 4:29:34 AM

You must sign in to rate content.

(Unrated)

RE: Data change control

Another addition - DS5 too mentions ensuring data integrity by defining processes.

Vikram K Malkani at 9/2/2011 4:38:24 AM

You must sign in to rate content.

(Unrated)

RE: Data change control

An IT standard or procedure document should be created to manage the risks for this activity. Manage Change is suggested objective. This occurs in a number of organizations than most would be willing to admit as part of production support emergency changes. I agree with Vikram statement on not allowing a generic/firecall ID too. All production support should occur with the production support users ID. This may require implementation of a production emergency group privilege however acheives greater accountability. Ironically, I posted a similar query in the change management community a few weeks back. I do not believe there's been much, if any, discussion.

Steve_W at 12/2/2011 5:35:12 PM

You must sign in to rate content.

(Unrated)

RE: Data change control

An IT standard or procedure document should be created to manage the risks for this activity. Manage Change is suggested objective. This occurs in a number of organizations than most would be willing to admit as part of production support emergency changes. I agree with Vikram statement on not allowing a generic/firecall ID too. All production support should occur with the production support users ID. This may require implementation of a production emergency group privilege however acheives greater accountability. Ironically, I posted a similar query in the change management community a few weeks back. I do not believe there's been much, if any, discussion.

Steve_W at 12/2/2011 5:35:12 PM

You must sign in to rate content.

(Unrated)

RE: Data change control

Another addition - DS5 too mentions ensuring data integrity by defining processes.

Vikram K Malkani at 9/2/2011 4:38:24 AM

You must sign in to rate content.

(Unrated)

RE: Data change control

It wouldn't be advisable (in fact, would be very dangerous) for any company to alter production data outside of defined processes.

A small addition to above response is that a log of changes made (including who made them) should be automatically created and saved in a secure environment. A common ID should not be used to make these changes. Any change made must be made with authorised documented approval, with the approval being stored in a secure environment.

PO2.4 Integrity Management touches upon defining processes to ensure integrity of data in databases.

Regards.

Vikram K Malkani at 9/2/2011 4:29:34 AM

You must sign in to rate content.

(Unrated)

RE: Data change control

Hi,

It is definitely not normal to make changes to data files outside of change management processes and procedures, but it is quite possible and normal to make changes to data using SQL without using the application interface.

In the consideration of Cobit, you should make sure that such changes are placed under the control of your change management process. It means that the change must be analyzed, authorized, tested before being implemented and that there is a rollback plan. In this particular case, testing and rollback planning are extremely important as the change is not done through the application interface and thus will have a much higher risk. Also, only authorized people should have the technical access right required to make such change.

---
IT governance by examples at http://agileskills2.org/ITGBE/

Kent Tong at 3/10/2011 7:37:51 AM

You must sign in to rate content.

(1 ratings)

RE: Data change control

Hi,

It is definitely not normal to make changes to data files outside of change management processes and procedures, but it is quite possible and normal to make changes to data using SQL without using the application interface.

In the consideration of Cobit, you should make sure that such changes are placed under the control of your change management process. It means that the change must be analyzed, authorized, tested before being implemented and that there is a rollback plan. In this particular case, testing and rollback planning are extremely important as the change is not done through the application interface and thus will have a much higher risk. Also, only authorized people should have the technical access right required to make such change.

---
IT governance by examples at http://agileskills2.org/ITGBE/

Kent Tong at 3/10/2011 7:37:51 AM

You must sign in to rate content.

(1 ratings)

RE: Data change control

It wouldn't be advisable (in fact, would be very dangerous) for any company to alter production data outside of defined processes.

A small addition to above response is that a log of changes made (including who made them) should be automatically created and saved in a secure environment. A common ID should not be used to make these changes. Any change made must be made with authorised documented approval, with the approval being stored in a secure environment.

PO2.4 Integrity Management touches upon defining processes to ensure integrity of data in databases.

Regards.

Vikram K Malkani at 9/2/2011 4:29:34 AM

You must sign in to rate content.

(Unrated)

RE: Data change control

Another addition - DS5 too mentions ensuring data integrity by defining processes.

Vikram K Malkani at 9/2/2011 4:38:24 AM

You must sign in to rate content.

(Unrated)

RE: Data change control

An IT standard or procedure document should be created to manage the risks for this activity. Manage Change is suggested objective. This occurs in a number of organizations than most would be willing to admit as part of production support emergency changes. I agree with Vikram statement on not allowing a generic/firecall ID too. All production support should occur with the production support users ID. This may require implementation of a production emergency group privilege however acheives greater accountability. Ironically, I posted a similar query in the change management community a few weeks back. I do not believe there's been much, if any, discussion.

Steve_W at 12/2/2011 5:35:12 PM

You must sign in to rate content.

(Unrated)

Leave a Comment

* required

You must login to leave a comment.

« Return to All Discussions « Return to Topic

© 2013 ISACA. All Rights Reserved