SQL Server compliance requirements

To be in compliance means to conform to a specific set of regulations, standards, policies or laws. Many countries have laws or regulations imposed on companies and organizations, which they have to follow in order to satisfy specific standards or rules, i.e. to be and remain in compliance. Organizations that use SQL Server databases to store customer data and other information must abide by these compliance requirements. Additionally, even organizations that are not subject to compliance regulations or laws need to fulfill their own organizational policies, so they tend to introduce their own internal compliance regulations.

With this in mind, we can differentiate between two basic types of compliance regulations – internal and external.

Internal compliance regulations are not subject to any state laws or regulations. They are introduced by the organization itself in order to impose specific standards or to allow internal control over how information is accessed and changed. With this, the organization can monitor who changed which data, and who viewed which records.

External compliance regulations are imposed by the state/country where the organization resides, as well as by other states/countries into which the business branches. These often require annual reports and on-demand insight into the audited data.

Compliance in SQL Server is met by auditing SQL Server at both the server and database levels. This means that all, or specific, changes and traffic on the SQL Server instance need to be audited, and the audit records stored unaltered, in their original state.

Compliance regulations involve most of an organization's departments, from DBAs and developers through to the financial departments and other users. Compliance auditors usually require insight into the compliance data, which accounts for all database changes with fully detailed information on why a change was made, who made it and when, what was changed, etc. This means that DBAs need to be able to provide the following auditing information on demand:

  • Schema and data changes – who, when, what and how was it changed

  • Security changes (at the server and database level)

  • SQL Server logins (successful or failed attempts)

  • Annual or on-demand auditing reports

In order to meet all these requirements, SQL Server DBAs are faced with the not insignificant task of providing an original audit trail and ensuring that the audited data is safe, so that any potential tampering is either prevented or detected and remediated. Unfortunately, this task usually requires months of development followed by a long implementation of custom solutions, which can be hard to maintain and would require a lot of DBA attention, which can be very expensive.
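As an added example, not taken from the original article and not ApexSQL's code, the following T-SQL shows how the four requirements above map onto native SQL Server Audit objects: a server audit as the destination, a server audit specification for logins and server-level security changes, and a database audit specification for schema, database-security and DML (including SELECT) activity. The audit name, the file path, the ComplianceDemo database and the Finance schema are assumptions for illustration.

```sql
-- Added example (not ApexSQL code). Assumed names: ComplianceAudit,
-- D:\SQLAudit\, database ComplianceDemo, schema Finance.
USE master;
GO

-- 1. Server audit: where the records go. ON_FAILURE = SHUTDOWN stops the
--    instance if audit records cannot be written, so events are never silently
--    dropped (requires the SHUTDOWN permission; use FAIL_OPERATION or CONTINUE
--    where availability is preferred over completeness).
CREATE SERVER AUDIT ComplianceAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 100)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- 2. Server-level specification: successful and failed logins, server-scoped
--    security changes, and changes to the audit configuration itself (so an
--    attempt to switch auditing off is itself recorded).
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Database-level specification: schema (DDL) changes, database security
--    changes, and DML on the regulated schema. SELECT is included so that
--    "who saw what" is captured, not only who changed what.
USE ComplianceDemo;
GO
CREATE DATABASE AUDIT SPECIFICATION ComplianceDbSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Finance BY public)
    WITH (STATE = ON);
GO

-- 4. Enable the audit last, once both specifications exist.
USE master;
GO
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO

-- Reading the trail back on demand: who, when, what, and from where / with
-- which tool. client_ip and application_name are populated from SQL Server
-- 2017 onward; on older versions drop those two columns.
SELECT event_time, succeeded, action_id, server_principal_name,
       database_name, schema_name, object_name,
       client_ip, application_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Two caveats a practitioner should keep in mind when relying on native SQL Server Audit alone: it records the statement that ran, not the row values before and after the change, so "before and after" reconstruction needs a separate mechanism; and the .sqlaudit files are only as tamper-evident as the file system ACLs and retention copies protecting them, which is why the audit output should be written to a location that SQL Server service accounts and DBAs cannot modify after the fact.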

Compliance regulatory standards

Depending on the organization's business area, it may be subject to a specific regulatory standard that it needs to fulfill in order to achieve compliance; the standards covered below are HIPAA, PCI DSS, SOX, FDA Title 21 CFR Part 11, FISMA, GLBA and Basel II.

Meeting such regulations can be a tough job, especially when a DBA has to create a custom solution for their organization. In order to achieve SQL Server compliance, a third-party tool, ApexSQL Audit, can be used as an integral part of the compliance solution. As its name implies, ApexSQL Audit is an enterprise-level auditing and compliance tool for SQL Server.

ApexSQL Audit allows users to set up specific SQL Server auditing jobs to audit all operations performed on SQL Server instances, including DML and DDL changes, SELECT statements, and login, user and permission related activities. Audited data is then stored in a tamper-evident central repository database for safekeeping, from where it can be extracted in the form of various pre-made or custom auditing reports based on the user's needs.

Depending on the enforced compliance regulation, ApexSQL Audit can be used to cover the major auditing requirements imposed by the standard, whose scope differs from one regulation to another. ApexSQL Audit is a solution a DBA can use to provide the following:

  • Audit all SQL Server and database changes – all events, activities and SQL Server or database changes are audited (DML, DDL, security changes, login activity, etc.). Full information on who made the change, when, how, and with what tool or application is captured.

  • Capturing Who Saw What in SQL Server – capture activities per user and display them in comprehensive reports.

  • Before and after auditing – reconstruct an audit history and a full history of data changes to provide meaningful forensics.

  • Centralized, tamper-evident repository database – all audited data is stored in the centralized repository, and ApexSQL Audit will detect any changes to the stored data and report them to users.

  • Reporting mechanisms – allow the creation of various auditing reports, which can be fully customized to meet specific reporting requirements.

Below is a compiled list of links on how ApexSQL Audit can help SQL Server DBAs achieve compliance with the various auditing requirements mentioned above.

HIPAA – The Health Insurance Portability and Accountability Act

HIPAA Compliance for SQL Server DBAs
How to meet requirements of HIPAA compliance as a part of a SQL Server audit
How to implement HIPAA regulatory standard for SQL Server – Part 1
How to implement HIPAA regulatory standard for SQL Server – Part 2
How to implement HIPAA regulatory standard for SQL Server – Part 3

PCI compliance

Meeting PCI compliance requirements with SQL Server
PCI Compliance for SQL Server DBAs
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 1
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 2
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 3
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 4

SOX – The Sarbanes-Oxley Act

Meet SQL Server auditing requirements of Sarbanes-Oxley (SOX)
SOX survival kit for the SQL Server DBA
How to implement SOX compliance requirements for SQL Server – Part 1
How to implement SOX compliance requirements for SQL Server – Part 2

FDA – Food and Drug Administration

Title 21 CFR Part 11 (FDA) compliance checklist for ApexSQL Audit

FISMA – The Federal Information Security Management Act

FISMA (NIST800-53 rev. 4) compliance checklist for ApexSQL Audit

GLBA – The Gramm-Leach-Bliley Act

Meet GLBA compliance requirements for SQL Server
GLBA Compliance for SQL Server DBAs

Basel II – The Basel Capital Accord

Basel II Compliance for SQL Server DBAs
How to audit SQL Server to comply with Basel II

May 12, 2016