As new laws change how we collect, manage and store data, business executives are increasingly worried about meeting new industry and corporate regulatory compliance mandates. Directly related to these concerns is the fact that your DBA must have an understanding of how these requirements impact their job to ensure compliance.
Your DBA is the part of your IT team responsible for ensuring that company data is ready for your next compliance audit. Depending on your industry, there are potentially four dozen state breach notification laws and other standard regulations such as the PCI Data Security Standard, HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley Act and more.
Database compliance rules entail more than just having a firewall, encryption, and strong passwords in place. Your DBA needs to be responsible for:
- Setting data privacy – to ensure only authorized individuals have access to certain data sets
- Data security – to protect data against external and internal threats
- Data integrity – ensure the data is accurate and up-to-date for the task at hand
- Backup data – ensure backup data is updated and readily accessible in the event of a system crash or breach
- Support – provide guidelines and instructional support to end users
- Controlling identity – creating unique logins for each user and assigning roles to each authorized person
Compliance Ensures Protection from Internal Threats
In a 2015 study from Intel Security, 43% of company data leaks occurred internally. In roughly half of these instances, the leaks were due to user negligence, such as sending data to the wrong recipient or failing to promptly report a lost mobile device that was used to access company data. The other half consisted of rogue administrators using simple password crackers and database reconnaissance tools to steal information for nefarious purposes. Ponemon Institute’s 2016 Cost of Data Breach Study reported that out of 874 incidents, 568 were caused by employee or contractor negligence, 85 by outsiders using stolen credentials, and 191 by malicious employees or criminals.
To safeguard information from inside actors, DBAs should also address the following:
- Restricting privileged access to data using least privilege principles
- Implementing a clean desk policy to ensure sensitive data isn’t left out in the open
- Implementing automatic logouts on tech devices
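The identity and least-privilege controls listed above, shown as T-SQL for SQL Server. This is an added example, not Ntirety's code; the domain account, database, table, column, role and audit file path are assumed placeholders.

```sql
-- Added example (not from the original page): one login per person, a
-- least-privilege role, and an audit trail of changes. All names are assumed.
USE master;
GO
-- One named login per person, never a shared account.
CREATE LOGIN [CORP\jdoe] FROM WINDOWS;                       -- assumed domain account
CREATE LOGIN [audit_reader]
    WITH PASSWORD = 'Pl@ceholder-Change-Me1',                -- placeholder, rotate on first use
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;           -- enforce the OS password policy
GO
USE FinanceDB;                                               -- assumed database
GO
CREATE USER [CORP\jdoe] FOR LOGIN [CORP\jdoe];
CREATE USER [audit_reader] FOR LOGIN [audit_reader];
-- A role that can read the ledger, never modify it, and never see card numbers.
CREATE ROLE ledger_reader;
GRANT SELECT ON dbo.Ledger TO ledger_reader;
DENY SELECT (CardNumber) ON dbo.Ledger TO ledger_reader;    -- column DENY overrides the table GRANT
DENY INSERT, UPDATE, DELETE ON dbo.Ledger TO ledger_reader;
ALTER ROLE ledger_reader ADD MEMBER [CORP\jdoe];
GO
-- Server audit writing to a file share; FAIL_OPERATION blocks the action
-- rather than letting it proceed unrecorded if the audit cannot be written.
USE master;
GO
CREATE SERVER AUDIT ComplianceAudit
    TO FILE (FILEPATH = N'\\auditsrv\sqlaudit\')             -- assumed path
    WITH (ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO
USE FinanceDB;
GO
-- Record every write to the ledger plus every role or permission change.
CREATE DATABASE AUDIT SPECIFICATION LedgerChanges
    FOR SERVER AUDIT ComplianceAudit
    ADD (INSERT, UPDATE, DELETE ON OBJECT::dbo.Ledger BY public),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Reviewing the trail before an audit: who did what, and when.
SELECT event_time, server_principal_name, action_id, statement
FROM sys.fn_get_audit_file(N'\\auditsrv\sqlaudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```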
An Example: Compliance Under the Sarbanes-Oxley Act (SOX)
SOX was enacted in 2002 to address the growing number of financial and corporate scandals, many of which occurred internally. SOX addresses security vulnerabilities in the financial sector, including vulnerabilities in the database and application layers.
Following SOX guidelines means adhering to these three rules:
- Availability – ensuring information is readily accessible when needed
- Integrity – ensuring the safety, accuracy, and completeness of all data and software
- Confidentiality – safeguarding sensitive data from unauthorized access
To remain within SOX compliance, experts recommend using Microsoft’s Security Baseline Analyzer, or a similar third-party tool to provide basic security analysis. The tool is also recommended for DBAs to perform a manual analysis in accordance with SQL Server 2000 SP3 Security Features and Best Practices.
Ntirety SQL Server Compliance and Audit Services
Whether you already have best practices and need to determine if you meet database compliance standards or need to establish rules to meet regulations, Ntirety provides a high level of expertise to ensure you are meeting the standards for SQL Server compliance and security mandates.
Ntirety has developed a Database Audit & Compliance Pack that provides a combination of software, tools, and customized services to measure, collect, and report on key audit points across your enterprise SQL Server® environment. Using your existing database infrastructure, Ntirety installs and configures a centralized audit system to create a secure environment for compliance monitoring that includes custom reports, data change tracking, alerts and more. Contact us to learn more.