Domain 4 - DB MGT and Patches Flashcards
Concepts
Denormalizing
Loss of Data Integrity: Normalization is a design or optimization process for a relational database that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment because it demands additional and otherwise unnecessary data handling efforts. Denormalization is sometimes advisable for functional reasons.
Encapsulation
Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.
Atomicity
Atomicity guarantees that either the entire transaction is processed or none of it is.
Durability
Durability guarantees that a successful transaction will persist and cannot be undone.
Isolation
While in an intermediate state, the transaction data are invisible to external operations. This prevents two transactions from attempting to access the same data at the same time.
Consistency
Consistency ensures that the database is in a proper state when the transaction begins and ends and that the transaction has not violated integrity rules.
Types of Testing Part 1
Stress testing relates to capacity and availability and does not apply in these circumstances.
Black box testing would be performed on the individual modules, but the entire system should be tested because more than one module was changed.
Interface testing would test the interaction with external systems but would not validate the performance of the changed system.
Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. System testing will test all the functionality and interfaces between modules.
Types of Penetration Testing
A. Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.
B. Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.
C. Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are “blind” to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.
D. External testing refers to a test where an external penetration tester launches attacks on the target’s network perimeter from outside the target network (typically from the Internet).
Types of Testing Part 2
A. Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users.
B. White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it is supposed to at a functional level? White box testing does not typically involve external users.
C. Regression testing is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors. In other words, the same tests are run after multiple successive program changes to ensure that the “fix” for one problem did not “break” another part of the program. Regression testing is not the last stage of testing and does not typically involve external users.
D. Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT) and generally involves a limited number of users who are external to the development effort.
Online transaction processing system’s database
- Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will be completed entirely or not at all (i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pretransaction state).
- Atomicity
Integrity Constraints
Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, preventing any undefined data from being entered.
Referential Integrity
When the foreign key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. Normally, this will cause the system to undertake a sequential search and slow down the processing. If the concerned files are big, this slowdown will be unacceptable. This is a violation of referential integrity.
Patches Do’s and Don’ts
A. Rewriting the patches and applying them would require skilled resources and time.
B. Code review could be possible, but tests need to be performed before applying the patches.
C. Because the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.
D. Suitable patches from the existing developers should be selected and tested before applying them.
Steps for Applying Patches
- Approval and risk documented
- Change Management Process (MOST IMPORTANT FOR IS AUDITOR: an IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly)
- Testing - MOST IMPORTANT BEFORE APPLYING!!!
- System Administrators Apply
Concurrency Control in a Database System
Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time.