Demystifying Regulatory Guidelines

Kim Brushaber
9 May 2019

There are several regulations out there that tell you how you should be handling your data.  Some organizations are held accountable to multiple different regulations at the same time. Some of these regulations may be in conflict with another. However, at the base of all of the regulations they look towards many of the same things in order to ensure that your data remains protected and processed correctly. 

In the regulations, the data standards define "what" you should be doing with your data.  They outline what information needs to be protected/audited. They talk about what you should in the case of a data breach.  Many of the regulations also define security standards or "how" to process your data. They might cover how you should configure your network or your systems. 

In this blog post, we'll take a look at what these regulations state about handling your data:

  • CIS (Center for Internet Security) – Global Internet Security Standards
  • DISA/STIG (Defense Information Systems Agency) – Anyone with Government Contracts
  • FISMA/NIST (Federal Information Security Management Act) – All Federal Agencies
  • FERPA (Family Education Rights and Privacy Act) – Educational Institutions
  • GDPR (General Data Protection Regulation) – Anyone collecting data on EU Members
  • HIPAA (Health Insurance Portability and Accountability Act) – Healthcare Institutions
  • NERC-CIP (North American Electricity Reliability Corporation) – Electricity Providers
  • PCI DSS (Payment Card Industry Data Security Standard) – Anyone capturing credit card data
  • SOX (Sarbanes Oxley) – Publicly Traded Companies and management and accounting firms

In a nutshell, the regulatory guidelines look for 5 key elements in how you should handle your data:

  • Reporting (and maintaining) audit data
  • Tracking user access
  • Protecting the data from the bad guys (and watching for data breaches)
  • Planning and having good processes and response plans
  • Assessing your risks

In many cases, the regulations will identify very clearly what they expect in regards to these elements. 

CIS

Tracking

  • Capture your Logins and Failed Logins

DISA STIG

Reporting

  • Generate audit records for DoD defined auditable events
  • Generate audit records when privileges and permissions are retrieved
  • Initiate session auditing upon startup
  • Audit records for events identified by type, location and subject
  • Capture the audit information in a centralized place

Tracking

  • Capture record and log all content related to a user session
  • Protect audit information from unauthorized read access, modification or deletion

Planning

  • Alert support staff in real time for any failure events

FISMA/NIST

Tracking

  • Audit access

Protecting

  • Monitor, report and respond to incidents

Planning

  • Create an audit process and certification
  • Plan for contingency
  • Manage your configurations

Assessing

  • Assess your risks
  • Confirm system and information integrity

FERPA

Tracking

  • Document who has access to student information
  • Confirm that the instructors or officials only access records for legitimate purposes
  • Authorized representatives may have access to education records in connection with an audit

Planning

  • Student transfers must be handled appropriately

GDPR

Reporting

  • Provide audit details about how that data is processed and who interacted with it

Tracking

  • Know who has access to PII data

Protecting

  • Notify the supervising authority of a breach within 72 hours

Planning

  • Identify PII Data
  • Process data lawfully, fairly and in a way that users understand
  • Limit the collection of data to only what is necessary

Assessing

  • Conduct impact assessments for higher risk areas

HIPAA

Tracking

  • Monitor log-in attempts

Protecting

  • Protect, detect, contain and correct security violations
  • Detect breaches and notify impacted individuals

Planning

  • Implement security measures to reduce risks and vulnerabilities
  • Implement procedures to regularly review audit logs, access reports and security incidents
  • Implement procedures to terminate access

NERC - CIP

Reporting

  • Log events for identification of and after-the-fact investigations of Cyber Security Incidents

Tracking

  • Log failed and successful logins

PCI DSS

Reporting

  • Implement automated audit trails for all database events
  • Retain audit trail history for at least a year

Tracking

  • Assign a unique identifier for each person who has access
  • Actions taken on critical data must be traced to known authorized users
  • Track and monitor all access to the network
  • Immediately revoke access for terminated users

Protecting

  • Change vendor supplied defaults and disable unnecessary default accounts
  • Encrypt the data
  • Secure audit trails so they can not be altered

Planning

  • Develop configuration standards

SOX

Reporting

  • Report on effectiveness of company’s internal controls and procedures
  • Report on who changed permissions
  • Report on who changed the financial data


Tracking

  • Report on who accessed the financial data

To help you out, SQL Server does have some native capabilities that can address some compliance needs. 

SQL Server

Reporting

  • SQL Server Audit
  • Temporal Tables


Tracking

  • Object Level Permissions
  • Role-Based Security

Protecting

  • Authentication Protocols
  • Firewalls
  • Dynamic Data Masking
  • Transport Level Security (TLS)
  • Encryption Protocols (TDE, Always Encrypted, Always On)

Of course, the real gem, is using Compliance Manager to track all of your data related activity on your database server

SQL Compliance Manager

Reporting

  • Capture Activity On Database (DDL And DML)
  • Track The Behavior Of Privileged Users
  • Track Who Is Accessing Your Sensitive Data
  • Track Who Has Changed Your Data And What Has It Changed To
  • Track Security And Administrative Changes
  • Track User-Defined Events
  • Audit Systems Tables, Stored Procedures, Views, Indexes, Etc.

Tracking

  • Capture Logins, Logouts, Failed Logins


Protecting

  • Determine How Much Data Was Accessed In A Breach


IDERA Products can help you with:

Reporting (And Maintaining) Audit Data

  • SQL Compliance Manager


Tracking User Access

  • SQL Compliance Manager


Protecting The Data From The Bad Guys (And Watch for Data Breaches)

  • SQL Compliance Manager
  • SQL Secure


Planning And Having Good Processes And Response Plans

  • SQL Compliance Manager
  • SQL Secure
  • ER/Studio Business Architect


Assessing Your Risks

  • SQL Compliance Manager
  • SQL Secure

For more information about SQL Security SuiteSQL Compliance Manager or SQL Secure, click on these links or contact your Sales Representative.

Anonymous