Microsoft SQL Server Database Audit/Assurance Program 


Microsoft SQL Server Database Audit/Assurance Program  Download (542K; Member Only)
Bookstore Purchase the Book

  Provide feedback on this document
Knowledge Center  Visit the Audit Tools and Techniques Knowledge Center community
Knowledge Center  Visit the SQL Server Knowledge Center community

The Microsoft® SQL Server® Database Audit/Assurance Program is designed to provide a relatively complete guide to the audit of SQL Server. This audit/assurance program focuses on configuration of the relevant Microsoft SQL Server database implementations. The selection of the applications/functions and specific servers will be based on the SQL-Server-related risks to which these systems expose the enterprise.

The authors recognize that each audit team will customize this audit/assurance program to fit the specific circumstances of the project and enterprise. Some enterprises will choose to audit SQL Server in phases; some may address SQL Server in a single project. Perhaps most important, the authors recognize that SQL Server will probably change somewhat more frequently than this audit guide and program. Thus, each audit team that uses this audit/assurance program must perform its own research to gain reasonable assurance that it addresses the most relevant and current SQL Server risks.

Some sections of this audit/assurance program address ancillary functions such as access control, computer operations and physical security. The authors attempted to limit this audit/assurance program to risks unique to or introduced into those areas by SQL Server. Thus, this audit/assurance program does not purport to act as a comprehensive guide to auditing those other areas, some of which could require a project as large as the audit of SQL Server itself. Example resources, current as of August 2010, include, but are not limited to the ISACA:

  • Information Security Management Audit/Assurance Program—For the review of processes associated with governance, policy, monitoring, incident management and management of the information security function; the implementation of security configurations; and the selection and maintenance of security technologies
  • Network Perimeter Security Audit/Assurance Program—For the review of network perimeter security, including associated policies, standards and procedures and the effectiveness of the security implementation
  • Change Management Audit/Assurance Program—For the review of change management process and incident management