There are several regulations out there that tell you how you should be handling your data. Some organizations are held accountable to multiple regulations at the same time, and some of these regulations may conflict with one another. However, at their core, all of the regulations look for many of the same things in order to ensure that your data remains protected and is processed correctly.
In the regulations, the data standards define "what" you should be doing with your data. They outline what information needs to be protected and audited, and they describe what you should do in the case of a data breach. Many of the regulations also define security standards, or "how" to process your data; these might cover how you should configure your network or your systems.
In this blog post, we'll take a look at what these regulations state about handling your data:
- CIS (Center for Internet Security) – Global Internet Security Standards
- DISA/STIG (Defense Information Systems Agency) – Anyone with Government Contracts
- FISMA/NIST (Federal Information Security Management Act) – All Federal Agencies
- FERPA (Family Educational Rights and Privacy Act) – Educational Institutions
- GDPR (General Data Protection Regulation) – Anyone collecting data on EU Members
- HIPAA (Health Insurance Portability and Accountability Act) – Healthcare Institutions
- NERC-CIP (North American Electric Reliability Corporation) – Electricity Providers
- PCI DSS (Payment Card Industry Data Security Standard) – Anyone capturing credit card data
- SOX (Sarbanes-Oxley) – Publicly Traded Companies, management and accounting firms
In a nutshell, the regulatory guidelines look for 5 key elements in how you should handle your data:
- Reporting (and maintaining) audit data
- Tracking user access
- Protecting the data from the bad guys (and watching for data breaches)
- Planning and having good processes and response plans
- Assessing your risks
In many cases, the regulations identify very clearly what they expect with regard to these elements.
CIS
Tracking
- Capture your Logins and Failed Logins
DISA STIG
Reporting
- Generate audit records for DoD defined auditable events
- Generate audit records when privileges and permissions are retrieved
- Initiate session auditing upon startup
- Audit records for events identified by type, location and subject
- Capture the audit information in a centralized place
Tracking
- Capture, record and log all content related to a user session
- Protect audit information from unauthorized read access, modification or deletion
Planning
- Alert support staff in real time for any failure events
FISMA/NIST
Tracking
- Audit access
Protecting
- Monitor, report and respond to incidents
Planning
- Create an audit process and certification
- Plan for contingency
- Manage your configurations
Assessing
- Assess your risks
- Confirm system and information integrity
FERPA
Tracking
- Document who has access to student information
- Confirm that the instructors or officials only access records for legitimate purposes
- Authorized representatives may have access to education records in connection with an audit
Planning
- Student transfers must be handled appropriately
GDPR
Reporting
- Provide audit details about how that data is processed and who interacted with it
Tracking
- Know who has access to PII data
Protecting
- Notify the supervising authority of a breach within 72 hours
Planning
- Identify PII Data
- Process data lawfully, fairly and in a way that users understand
- Limit the collection of data to only what is necessary
Assessing
- Conduct impact assessments for higher risk areas
HIPAA
Tracking
- Monitor log-in attempts
Protecting
- Protect, detect, contain and correct security violations
- Detect breaches and notify impacted individuals
Planning
- Implement security measures to reduce risks and vulnerabilities
- Implement procedures to regularly review audit logs, access reports and security incidents
- Implement procedures to terminate access
NERC-CIP
Reporting
- Log events for identification of and after-the-fact investigations of Cyber Security Incidents
Tracking
- Log failed and successful logins
PCI DSS
Reporting
- Implement automated audit trails for all database events
- Retain audit trail history for at least a year
Tracking
- Assign a unique identifier for each person who has access
- Actions taken on critical data must be traced to known authorized users
- Track and monitor all access to the network
- Immediately revoke access for terminated users
Protecting
- Change vendor supplied defaults and disable unnecessary default accounts
- Encrypt the data
- Secure audit trails so they cannot be altered
Planning
- Develop configuration standards
SOX
Reporting
- Report on effectiveness of company’s internal controls and procedures
- Report on who changed permissions
- Report on who changed the financial data
Tracking
- Report on who accessed the financial data
To help you out, SQL Server does have some native capabilities that can address some compliance needs.
SQL Server
Reporting
- SQL Server Audit
- Temporal Tables
Tracking
- Object Level Permissions
- Role-Based Security
Protecting
- Authentication Protocols
- Firewalls
- Dynamic Data Masking
- Transport Level Security (TLS)
- Encryption Protocols (TDE, Always Encrypted, Always On)
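As an added example (not code from the original post or from IDERA), the T-SQL below shows how SQL Server Audit can cover several of the requirements listed above: capturing successful and failed logins (CIS, NERC-CIP, HIPAA), recording permission and role changes (SOX, DISA STIG), tracing actions on critical data to a named user (PCI DSS), and protecting the audit trail itself. The database name Finance, the table dbo.GeneralLedger, the audit names and the file path are all constructed for the illustration.

```sql
USE master;
GO
-- Server audit: the destination for all audited events. FAIL_OPERATION makes an
-- audited action fail if the audit cannot be written, so a full or missing
-- audit disk cannot silently produce an unaudited window (PCI/STIG protection).
CREATE SERVER AUDIT ComplianceAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\',            -- constructed path
             MAXSIZE = 256 MB,
             MAX_ROLLOVER_FILES = 2147483647)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
GO
-- Server-level specification: logins, permission/role changes, and changes to
-- the audit configuration itself (so tampering with auditing is also logged).
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO
-- Database-level specification: every read and write against a constructed
-- "critical data" table, by any principal, traced to the login that did it.
USE Finance;
GO
CREATE DATABASE AUDIT SPECIFICATION FinanceDataSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.GeneralLedger BY public)
    WITH (STATE = ON);
GO
-- Reporting query: read the audit files back and label each action, which is
-- the evidence an auditor asks for (who, when, what, and whether it succeeded).
SELECT f.event_time, a.name AS action_name, f.succeeded,
       f.server_principal_name, f.database_name, f.object_name, f.statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_actions AS a
  ON a.action_id = f.action_id
ORDER BY f.event_time DESC;
```

The audit files should be retained for the period the applicable regulation requires (PCI DSS asks for at least a year) and the FILEPATH folder restricted to the SQL Server service account so the trail cannot be altered or deleted by the users it records.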
Of course, the real gem is using SQL Compliance Manager to track all of your data-related activity on your database server.
SQL Compliance Manager
Reporting
- Capture Activity On Database (DDL And DML)
- Track The Behavior Of Privileged Users
- Track Who Is Accessing Your Sensitive Data
- Track Who Has Changed Your Data And What It Has Changed To
- Track Security And Administrative Changes
- Track User-Defined Events
- Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.
Tracking
- Capture Logins, Logouts, Failed Logins
Protecting
- Determine How Much Data Was Accessed In A Breach
IDERA Products can help you with:
Reporting (And Maintaining) Audit Data
- SQL Compliance Manager
Tracking User Access
- SQL Compliance Manager
Protecting The Data From The Bad Guys (And Watching For Data Breaches)
- SQL Compliance Manager
- SQL Secure
Planning And Having Good Processes And Response Plans
- SQL Compliance Manager
- SQL Secure
- ER/Studio Business Architect
Assessing Your Risks
- SQL Compliance Manager
- SQL Secure
For more information about SQL Security Suite, SQL Compliance Manager or SQL Secure, click on these links or contact your Sales Representative.