AM-15 Access Management
Database Access Controls
Direct DB access is minimised, named and logged.
- Domain: Access Management
- Control type: Preventive/Detective
- Automated / manual: Hybrid
- Frequency: Continuous
- Framework reference: MAS TRM – Access/Data
What good looks like
Direct DB access restricted to named DBAs; standing access minimised; privileged DB activity logged.
Risk if it fails
Data manipulation bypassing application controls.
How Tess tests it
4 tests — each concludes only on cited evidence.
DB-access restriction policy defined
- Type: Design
- Procedure: Inspect the policy.
- Expected: Defined and approved.
- Sample: 1 (design inspection)
- Evidence: DB user listing, audit-log config.
DBA list matches authorised personnel
- Type: Operating
- Procedure: Reconcile DBA list.
- Expected: No unauthorised DB access.
- Sample: 25 (or full config inspection)
- Evidence: DB user listing, audit-log config.
Named accounts (no shared) used
- Type: Operating
- Procedure: Inspect DB accounts.
- Expected: Activity is attributable.
- Sample: 25 (or full config inspection)
- Evidence: DB user listing, audit-log config.
Privileged DB activity logged
- Type: Operating
- Procedure: Inspect log configuration.
- Expected: Enabled and retained.
- Sample: 25 (or full config inspection)
- Evidence: DB user listing, audit-log config.
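The three operating tests above, carried out as a reconciliation over sample evidence. This is an added example, not Tess's or the page's own code; the DB user listing, the authorised-DBA register, the privileged role names, the audit-log config keys and the 90-day retention threshold are all constructed assumptions standing in for whatever the audited DBMS actually exports.

```python
"""AM-15 operating tests 2-4 as a reconciliation script. Added example,
not Tess's own code: the DB user listing, authorised-DBA register and
audit-log settings are constructed, and role/config names are assumptions."""

PRIVILEGED_ROLES = {"DBA", "SYSADMIN"}  # assumption: roles treated as privileged

# Constructed "DB user listing": account -> granted roles
DB_USERS = {
    "alice.tan": {"DBA"},
    "bob.lim": {"DBA"},
    "dba_shared": {"DBA"},
    "svc_report": {"READONLY"},
    "contractor01": {"SYSADMIN"},
}

# Constructed authorised-personnel register: account -> named individuals
AUTHORISED_DBAS = {
    "alice.tan": {"Alice Tan"},
    "bob.lim": {"Bob Lim"},
    "dba_shared": {"Alice Tan", "Bob Lim"},  # one login, two people
}

# Constructed audit-log configuration; key names are assumptions
AUDIT_LOG_CONFIG = {"enabled": True, "retention_days": 90, "audited_roles": ["DBA"]}


def privileged_accounts(users):
    """Accounts holding at least one privileged role."""
    return {name for name, roles in users.items() if roles & PRIVILEGED_ROLES}


def unauthorised_privileged(users, authorised):
    """Test 2: privileged accounts missing from the authorised-DBA register."""
    return sorted(privileged_accounts(users) - set(authorised))


def shared_privileged(users, authorised):
    """Test 3: privileged accounts mapped to more than one person (not attributable)."""
    return sorted(a for a in privileged_accounts(users) if len(authorised.get(a, ())) > 1)


def audit_logging_findings(config, min_retention_days=90):
    """Test 4: logging enabled, retained, and covering every privileged role.
    min_retention_days is an assumed threshold; the control only says 'retained'."""
    findings = []
    if not config.get("enabled"):
        findings.append("audit logging disabled")
    if config.get("retention_days", 0) < min_retention_days:
        findings.append(f"retention below {min_retention_days} days")
    missing = PRIVILEGED_ROLES - set(config.get("audited_roles", []))
    if missing:
        findings.append("roles not audited: " + ", ".join(sorted(missing)))
    return findings
```

Each function returns the exceptions for one test, so an empty list is a pass and anything else is a finding to trace back to the cited evidence.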
Evidence Tess looks for
DB user listing, audit-log config.