
Database

What we mean by “database” and how to satisfy the related evidence

Written by Cayla Marshall
Updated over a year ago

What is a database and what evidence do I need to support my database controls?

In simple terms, a database is an organized collection of data stored and accessed electronically. For the purposes of your audit, focus on the production databases that support your in-scope product or service; development or test databases, and databases that hold no customer or production data, are not the target of these evidence items. If your organization does not operate a database, this element may be out of scope for your audit. If you’re unsure, contact your Customer Success Manager (CSM) with any questions. If you are a consulting company, the Customer Relationship Management (CRM) system you use as a business tool is not considered a database for this purpose.

What should my database evidence items look like?

Within your evidence repository, there are a few evidence items related to databases. These evidence items are

Administrator Access to Database

  • What your auditor is looking for: A system-generated list (or series of screenshots) of the privileged or administrative users with access to the internal database. The easiest way to provide this is often a SQL query that lists the privileged DB users, ideally with their permissions included so the auditor can see why each account counts as privileged. The screenshot or list must include a date/time stamp or other indication of when it was captured. If your database is hosted on AWS or Azure, you can also use our Terraform integrations to pull this information automatically.

  • If your DB is not directly accessible by human users (for instance, if the only interactions with the DB are through API calls or automated actions), speak with your CSM, who can help you edit your control and evidence language to reflect that the DB is not directly accessible. Instead of uploading a screenshot of the DB admins for this control, we would need evidence (code snippets, network rules, or access configuration are acceptable) showing that direct access to the DB is not possible.

Database User List

  • What your auditor is looking for: A system-generated list (or series of screenshots) of all users with access to the internal database. You can reuse the screenshot from the Administrator Access to Database item if it includes permissions information that clearly distinguishes standard users from privileged users.

  • The easiest way to provide this is often a SQL query listing the DB users, ideally with permissions information included. The screenshot or list must include a date/time stamp or other indication of when it was captured.
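
As an added example (not code from the original article), the following PostgreSQL query produces a single timestamped listing that can serve both the Administrator Access to Database and Database User List evidence items: every role that can log in, the attributes that make it privileged, and the groups it belongs to. The table and column names are PostgreSQL's own system catalogs; the `is_privileged` definition (superuser, create-role, create-database, or bypass-RLS) is an assumption you should align with how your own policy defines an administrator. For another engine, run the equivalent catalog query (for example `mysql.user` on MySQL) and keep the timestamp column.

```sql
-- Added example, not from the original article.
-- Timestamped list of PostgreSQL login roles with their privilege attributes,
-- for the "Administrator Access to Database" and "Database User List" items.
-- Any login role can read pg_catalog, so no special rights are needed to run it.
SELECT
    now()                 AS evidence_captured_at,   -- timestamp for the auditor
    current_database()    AS database_name,
    r.rolname             AS role_name,
    r.rolsuper            AS is_superuser,
    r.rolcreaterole       AS can_create_roles,
    r.rolcreatedb         AS can_create_databases,
    r.rolbypassrls        AS bypasses_row_security,
    r.rolvaliduntil       AS password_expires,
    -- Assumed definition of "privileged"; adjust to match your own policy.
    (r.rolsuper OR r.rolcreaterole OR r.rolcreatedb OR r.rolbypassrls)
                          AS is_privileged,
    -- Group memberships (e.g. pg_read_all_data or an application admin role),
    -- so inherited privileges are visible, not just direct attributes.
    COALESCE(string_agg(g.rolname, ', ' ORDER BY g.rolname), '') AS member_of
FROM pg_catalog.pg_roles r
LEFT JOIN pg_catalog.pg_auth_members m ON m.member = r.oid
LEFT JOIN pg_catalog.pg_roles        g ON g.oid    = m.roleid
WHERE r.rolcanlogin                     -- only roles that can actually connect
  AND r.rolname NOT LIKE 'pg\_%'        -- skip built-in pg_* roles
GROUP BY r.rolname, r.rolsuper, r.rolcreaterole, r.rolcreatedb,
         r.rolbypassrls, r.rolvaliduntil
ORDER BY is_privileged DESC, r.rolname;

-- Optional companion query: object-level grants per grantee, so the auditor can
-- also see which accounts can read or write application tables. Summarised per
-- grantee to keep the screenshot short.
SELECT
    now()                                                   AS evidence_captured_at,
    grantee,
    string_agg(DISTINCT privilege_type, ', ')               AS privileges,
    count(DISTINCT table_schema || '.' || table_name)       AS tables_granted
FROM information_schema.role_table_grants
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
GROUP BY grantee
ORDER BY grantee;
```

Run it with `psql` and export the result (for example with `\copy` or a screenshot of the output including the `evidence_captured_at` column). Roles whose `member_of` column includes an administrative group should be treated as privileged even when their direct attributes are all false.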

Password Settings - Database

  • What your auditor is looking for: A screenshot of the password settings enforced at the database layer (for example minimum length, complexity, expiry, and lockout settings). The screenshot must include a date/time stamp or other indication of when it was captured. The configured values should mirror the password requirements stated in your relevant security policies.

  • If authentication to the DB is not done through a standard username/password mechanism, upload evidence showing how the authentication mechanism (connection string, SSH, etc.) works. Ideal evidence for this item is a series of screenshots showing how authentication works, pasted into a document with captions or written descriptions explaining the process.
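
As an added example (not code from the original article), these MySQL 8 queries capture the database-layer password settings in a form that can be compared line by line against your written password policy: the server-wide policy variables, followed by the per-account expiry and lock status. The variable and column names are MySQL's own; which values count as compliant (for example the minimum `validate_password.length`) is an assumption you fill in from your policy. PostgreSQL has no built-in complexity settings, so for PostgreSQL the equivalent evidence is the authentication method and `password_encryption` setting (for example `SHOW password_encryption;` and the relevant `pg_hba.conf` lines) plus a written explanation of where complexity is enforced.

```sql
-- Added example, not from the original article.
-- Server-wide password policy on MySQL 8, with a timestamp column. Reading
-- performance_schema.global_variables requires the SELECT privilege on it.
SELECT
    NOW()          AS evidence_captured_at,
    VARIABLE_NAME,
    VARIABLE_VALUE
FROM performance_schema.global_variables
WHERE VARIABLE_NAME LIKE 'validate_password%'      -- complexity component settings
   OR VARIABLE_NAME IN (
        'default_password_lifetime',               -- expiry in days (0 = never)
        'password_history',                        -- reuse prevention by count
        'password_reuse_interval',                 -- reuse prevention by days
        'default_authentication_plugin'            -- hashing/auth scheme in use
      )
ORDER BY VARIABLE_NAME;

-- Per-account settings, so the auditor can see that expiry and locking apply
-- to real accounts and not only to the server default. Requires SELECT on
-- mysql.user, so run this as an administrative account.
SELECT
    NOW()                 AS evidence_captured_at,
    User,
    Host,
    plugin,               -- authentication plugin for this account
    password_expired,     -- 'Y' if the account must change its password
    password_last_changed,
    password_lifetime,    -- NULL means the server default applies
    account_locked
FROM mysql.user
ORDER BY User, Host;
```

If `validate_password.length` or `default_password_lifetime` returns a value weaker than your policy requires, fix the setting before capturing the evidence rather than submitting a screenshot that documents a gap; the auditor will compare the two.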

When can I scope out database controls? How do I know if they apply to my organization?

If your product or service truly does not have a database layer, these evidence items can be deactivated. This is most often the case when your organization provides consulting services. If this layer is not applicable to your organization, send a brief note to your CSM explaining why you don’t think these evidence items apply; your CSM will then guide you through re-wording your controls and deactivating the evidence items that are not applicable.
