Getting Started on Database Security.

Our security manager takes a look at the agency's informational assets and realizes the application layer is the weak link. 'Asset-centric security' seems to be becoming a familiar phrase in the security world. However, identifying assets can be complicated. For many organizations, assets are pieces of information stored in numerous places: on local hard drives, on file servers, within databases, in various physical and geographical locations, as well as in transit. The information could include customer or client data, protected health data, proprietary information or financial data, among other things. Thinking through the layers of security in our environment, I realized that the weakest link in the chain is at the application layer, which is where I see database security fitting in. Much attention has been given to auditing firewall rules, turning off unneeded services on servers and patching operating systems, internetwork operating systems and various applications, such as Internet Explorer. But it seems that not much attention has been given to database security and auditing. I know for a fact that no attention has been paid to it here, and I need to do something about that, though I don't have much experience in the subject.