Database Management, in the ISACA-CISA context, is the operational discipline of ensuring that databases—the structured repositories underlying virtually all business applications—function reliably, securely, and in compliance with defined service levels and regulatory requirements. It encompasses four interdependent control domains: (1) Availability Management—maintaining uptime, failover, and replication to meet SLA targets; (2) Security Controls—enforcing access restrictions, encryption at rest and in transit, privileged access management (PAM), and audit logging; (3) Backup and Recovery—executing and testing backup schedules aligned to negotiated RPO and RTO, and validating restoration procedures; and (4) Performance Monitoring—tracking query throughput, capacity utilization, and response times to prevent degradation-driven outages. From an auditor's perspective, Database Management is the set of controls and procedures an organization has implemented to ensure its databases remain available, protected, and recoverable under both normal and adverse conditions. It is NOT: database design or schema architecture, SQL development or query optimization, data science or analytics engineering, or vendor-specific product administration.
Where it stops · what it isn't
- IN SCOPE: Operational controls over databases—availability, backup/recovery, security access controls, performance monitoring, change management for database objects, and compliance evidence generation
- IN SCOPE: Audit verification of database operational procedures, SLA compliance, disaster recovery testing, and regulatory control mapping (GDPR, HIPAA, PCI-DSS, SOC 2)
- IN SCOPE: Governance across deployment models—on-premises, cloud-managed (RDS, Azure SQL, Cloud SQL), hybrid, and containerized databases
- OUT OF SCOPE: Database design, normalization, or entity-relationship modeling (distinct architectural competency)
- OUT OF SCOPE: SQL, DDL, or stored procedure development (developer/DBA technical skill)
- OUT OF SCOPE: Specific database product feature comparisons (PostgreSQL vs. Oracle internals)
- OUT OF SCOPE: Data science, machine learning pipelines, or analytics workload engineering
- NOT the same as: Data Governance (which addresses ownership, quality policies, and stewardship at the enterprise level) or Storage Management (which addresses physical/logical media)
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Information Systems Operations and Business Resilience (CISA Domain 4)
- REQUIRES: IT Service Level Management; Data Backup, Storage, and Restoration
- ENABLES: Business Continuity and Disaster Recovery Planning; Regulatory Compliance (GDPR, HIPAA, PCI-DSS, SOC 2)
- RELATED TO: System Availability and Capacity Management; Incident and Problem Management
- CONSTRAINS: Application Development and Deployment (schema change governance)