
3.10B Data and Database Management



Data Input Validation


  • Risk practitioners should ensure that appropriate protection is available for the confidentiality, integrity and availability of data. Protection should be ensured during the input, processing and output stages. Validation checks should be built in at the data input stage so that only permitted data enters the system, and so that input data does not contain embedded commands or other content, such as structured query language (SQL) code, that could adversely affect automated processing systems. Input validation includes:


  • Range check to allow only predefined range of data value

  • Format check to allow only specified data format

  • Special character check to prevent script commands

  • Size check to prevent buffer overflows (too much data) or incomplete data (not enough data)

  • Likelihood and reasonableness check to prevent unlikely data


  • Validation can be built on either whitelisting or blacklisting of data. In the whitelist approach, only specified data is allowed and everything else is rejected. In the blacklist approach, everything except the blacklisted data is allowed. Whitelisting is preferable when the data is static or changes infrequently. It is advisable to use a common library for whitelisting, as this ensures a consistent approach throughout an organization with multiple applications.


  • Blacklisting is preferable when the range of input data values is much broader and only a few known data elements need to be restricted.
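The five checks listed above, with a whitelist applied to the narrow fields and a blacklist applied to the broad free-text field, as an added example that is not part of the original notes. The field names, the permitted ranges and roles, and the sample records are constructed assumptions.

```python
"""Input validation: range, format, special-character, size and reasonableness checks."""
import re

# Whitelist approach (narrow, static value sets): only these values are accepted.
ALLOWED_ROLES = {"analyst", "manager", "auditor"}                     # constructed
EMAIL_FORMAT = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Blacklist approach (broad free text): only a few known-bad elements are blocked.
SCRIPT_CHARS = ("<", ">", ";", "--", "'")


def validate_record(rec):
    """Return a list of validation failures; an empty list means the record is accepted."""
    errors = []
    # Range check: age must fall within a predefined range.
    age = rec.get("age")
    if not isinstance(age, int) or not 0 <= age <= 120:
        errors.append("range: age outside 0-120")
    # Format check: e-mail must match the specified pattern (a whitelist of characters).
    if not EMAIL_FORMAT.match(rec.get("email", "")):
        errors.append("format: email does not match pattern")
    # Whitelist check: role must be one of the permitted values.
    if rec.get("role") not in ALLOWED_ROLES:
        errors.append("whitelist: role not permitted")
    # Special-character check (blacklist): block script/SQL metacharacters in free text.
    comment = rec.get("comment", "")
    if any(tok in comment for tok in SCRIPT_CHARS):
        errors.append("special-char: comment contains blocked characters")
    # Size check: too much data (overflow) or too little (incomplete record).
    if not 1 <= len(comment) <= 200:
        errors.append("size: comment length outside 1-200")
    # Reasonableness check: a constructed business rule, a minor cannot hold a manager role.
    if isinstance(age, int) and age < 18 and rec.get("role") == "manager":
        errors.append("reasonableness: manager under 18")
    return errors


# Constructed sample inputs: one clean record and one that fails several checks.
GOOD = {"age": 34, "email": "a.smith@example.com", "role": "analyst",
        "comment": "Quarterly review ok"}
BAD = {"age": 150, "email": "not-an-email", "role": "root", "comment": "x'; --"}

if __name__ == "__main__":
    print(validate_record(GOOD))   # []
    print(validate_record(BAD))    # four failures: range, format, whitelist, special-char
```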



Data Authorization


  • Risk practitioners should ensure that there is adequate control over user authorization and authentication for access to sensitive data.


  • Access should be granted on a need-to-know basis only, following the principle of least privilege. Authorization from the data owner should be mandatory before access is provided to users.



Periodic User Access Review


User access reviews should be conducted at frequent intervals, and there should be a defined process for the immediate deactivation of access for terminated or transferred employees.


Storage of Sensitive Data


Sensitive data should be stored in isolation, i.e. on a separate network and server, by way of network segmentation. A firewall should be installed to enforce role-based access control.


Sensitive data should be encrypted during storage as well as transmission. Encapsulating data packets with authentication headers helps safeguard confidentiality against man-in-the-middle attacks or interception of the data by other means. Encapsulation of the data packet helps protect the data from unauthorised access on the network. Encapsulation is used to hide the values or state of structured data by creating successive layers of control.


Data Encryption


The most effective method for protecting data stored on a USB drive or a mobile device is to encrypt the data.


If an organization plans to implement data leak prevention (DLP), it is most important to first analyze the business case. The business case helps determine the overall cost and benefit of the DLP solution and indicates the feasibility of the solution.


Data Retention


Data should be retained in a hygienic condition for as long as required by business or regulatory requirements.


Database Security


Risk practitioners should ensure that appropriate safeguards are in place for database security. The following are some of the important requirements:


  • Sensitive data in the database should be encrypted

  • Restricted access rights for users

  • Communication protocols for the database should be secured

  • Administrator access should be restricted and monitored

  • Effective and efficient database index for quick retrieval

  • Database backup

  • Referential integrity

  • Input validation

  • Effective data schema designs



Data Redundancy and Data Normalization


Data redundancy arises when the same data is stored in different places in a database. This causes problems when updating, deleting, modifying or otherwise managing the data.


Data normalization is the process of reducing redundant data, thereby making databases more structured. Data normalization reduces the risk of redundancy.


Acceptable Usage Policy (AUP)


Employees and contract staff should be made aware of the acceptable usage policy, and written acknowledgement of adherence to the AUP should be obtained from them. If users are allowed to use their personal devices, the organization should have an approved BYOD policy. BYOD can be effective only if users are aware of the acceptable and unacceptable practices related to BYOD. Proper training of users is of utmost importance.

Key aspects from CRISC exam perspective

CRISC question, followed by the possible answer:


  • Most effective method for protecting the data stored on a USB: To encrypt the data

  • Most effective method for protecting the data stored in a mobile device: To encrypt the data

  • Who should provide authorization for access to the data? Data owner

  • Most important requirement before implementing a DLP solution: To analyze the business case and consider the cost and benefit of the DLP solution

  • Best method to protect the confidentiality of data being transmitted over a network: Encapsulating the data packets; encryption

  • On what basis is the data retention period defined? Business or regulatory requirements

  • BYOD policy can be effective only if: Users are aware of acceptable and unacceptable practices

  • Data normalization process addresses the risk of: Data redundancy

  • Process to determine whether unauthorized modifications were made to production programs: Compliance testing helps to verify that the change management process is being followed and that there are no unauthorized changes

