29.4 Policy
a) All modifications to the database, such as installation of the current software version with its bug fixes and patches, must be tracked and must follow the proper Change Management Procedure.
b) Hardening requirements must be applied to all database systems.
c) Each Head of Department is responsible for ensuring that the databases under their control are sufficiently backed up and protected. Examples of such databases are MS Access and Excel databases residing on individual desktops and departmental servers.
d) All local databases located at a branch are owned by that branch, which is responsible for the daily backup and protection of the database.
e) Data is divided into system-type data and customer-type data. Ownership of the integrity of system-type data lies primarily with IT.
f) No staff member is allowed to change or alter the Production Database unless required and formally approved.
g) Staff are not allowed to transfer (upload or download) databases without formal approval.
h) Any transfer of a database over the network must be carried out in a secure manner.
i) Information and related systems must be classified on a ‘need-to-know’ or ‘need-to-use’ basis and strictly confined to those who are authorized to receive such information in order to discharge their duties effectively.
j) Third parties and outsourcing partners are not allowed to access the production database.
k) Database audit logging must be enabled, and audit checks should be conducted at regular intervals to verify the logical and physical consistency of the database and to identify discrepancies such as lost records, open chains and incomplete sets. All requests to link databases should be formally approved, and database maintenance utilities that bypass controls should be adequately restricted and monitored.