ISACA Exam Questions

An IS auditor reviewing database controls discovered that changes to the database during normal
working hours were handled through a standard set of procedures. However, changes made after
normal hours required only an abbreviated number of steps. In this situation, which of the following
would be considered an adequate set of compensating controls?

A. Allow changes to be made only with the DBA user account.

B. Make changes to the database after granting access to a normal user account.

C. Use the DBA user account to make changes, log the changes and review the change log the
following day.

D. Use the normal user account to make changes, log the changes and review the change log the
following day.

Explanation:
The database administrator (DBA) user account is normally set up to log all changes made
and is most appropriate for changes made outside of normal hours. A log that records
the changes allows those changes to be reviewed. Using the DBA user account without logging would
permit uncontrolled changes to be made to databases once access to the account was obtained. Using
a normal user account with no restrictions would allow uncontrolled changes to any of the
databases. Logging alone would only provide information on changes made; it would not limit changes
to only those that were authorized. Hence, logging coupled with review forms an appropriate set of
compensating controls.