Database Compliance: A 5-Minute Guide
For DBAs, adhering to database compliance requirements is critical, as implementing security guidelines and required audit procedures at the start of a new and upgraded system prevent the DBA from scrambling for answers when auditors ask the tough questions.
In addition, it will ensure that production, deployment, and test databases are protected from breaches and unwanted changes, saving time, money, and reputation.
How To Prevent Breaches
Database compliance and security play a crucial role in a company’s ‘corporate health’, especially since its reputation is compromised after a breach. Database breaches create a challenging situation for sales and business development, as the company now must deal with negative publicity and fines for non-compliance.
For the CIO, who heads the IT department, the message of compliance they relay to their IT managers - which include the Database Administrator - is clear: keep data protected and controlled.
The DBA does this by streamlining development processes, which have built in compliance tools and comprehensive audit trail history that provides answers to virtually any question the auditor may ask, including:
- Do you have well-defined Roles and Responsibilities? Are these definitions enforced (and if so, how)?
- What changes were made to the database?
- Who made these changes
- Why were these changes made?
- When were these changes made
Regulations To Watch
According to McAfee, the world’s largest security technology company, following compliance regulations creates an almost fail-safe documentation process. The tracking of all changes made to the database and a record of who did what, when, and why, streamlines regulatory compliance and eases reporting.
Craig S. Mullens, in his article Regulatory Compliance and Database Administration, says that DBAs need to pay close attention to the following regulations:
- Sarbanes-Oxley Act (SOX), officially known as the U.S. Public Accounting Reform and Investor Protection Act of 2002, regulates corporations to reduce fraud and to improve disclosure and financial reporting. It specifies that the CFO must guarantee the processes used to produce financial reports. Those processes are typically computer programs that access data in a database, and DBAs create and manage that data as well as many of those processes.”
- Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, mandates that health care providers protect individual’s health care information to the point that the provider must be able to document everyone who even so much as looked at their information.
- Gramm-Leach-Bliley (GLB) Act (also known as the Financial Modernization Act of 1999) and the E-Government Act, passed in 2002 as a response to terrorist threats, which states that federal agencies, contractors, and any entity that supports them, must maintain security commensurate with potential risk.
- Payment Card Industry (PCI) and Data Security Standard (DSS), which was developed by the major credit card companies to help prevent credit card fraud, hacking and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI-DSS compliant or they risk losing the ability to process credit card payments.
At the end of the day, for the DBA to take the appropriate measures to ensure security and regulatory compliance, systemization and automation must be implemented.
When operations take place across multiple environments, manual processes are error prone and less efficient. With automation, fewer resources are required to run and monitor database activity, which will automatically be more compliant, efficient, and consistent.
How to Follow Database Compliance Regulations
While it is not the job of the DBA to develop and enforce compliance regulation, the DBA is responsible for investigating, installing, and managing the technology that supports and ensures database compliance.
DBmaestro TeamWork’s enhanced security mechanism controls changes to database objects and enforces change policies with a complete audit trail and segregation of duties. This eases the pressures on the DBA by enforcing the roles and responsibilities of all involved and preventing potentially disastrous unauthorized database changes.