SQL Server compliance requirements

To be in compliance means to conform to a specific set of regulations, standards, policies or laws. Many countries have laws or regulations imposed on companies and organizations, which they must follow in order to satisfy specific standards or rules – to be and remain in compliance. Organizations that use SQL Server databases to store customer data and other information must abide by these compliance requirements. Additionally, even organizations that are not subject to compliance regulations or laws need to fulfill their own organizational policies, and so they tend to introduce their own compliance regulations.

With this in mind, we can differentiate between two basic types of compliance regulations – internal and external.

Internal compliance regulations are not subject to any state laws or regulations. They are introduced by the organization itself in order to impose specific standards or to allow internal control over how information moves and changes. With this, the organization can monitor information changes: who made a change, or who viewed particular records.

External compliance regulations are imposed by the state/country where the organization resides, as well as by other states/countries where the organization has business branches. These often include annual reports and on-demand insight into the audited data.

Compliance in SQL Server is met by auditing SQL Server at both the server and database levels. This means that all, or specific, changes and traffic on the SQL Server need to be audited, and the audited data must be stored in its original, unaltered state.

Compliance regulations involve most of the organization's departments, from DBAs and developers through to the financial departments and other users. Compliance auditors usually require insight into the compliance data, which accounts for all database changes with fully detailed information on why a change was made, who made it and when, what was changed, etc. This means that DBAs need to be able to provide the following auditing information on demand:

  • Schema and data changes – who changed what, when and how

  • Security changes (at both the server and database level)

  • SQL Server logins (successful or failed attempts)

  • Annual or on-demand auditing reports
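
As an added example (not from the article and not ApexSQL code), the four requirements above can be mapped onto the native SQL Server Audit feature, with one server-level and one database-level specification feeding a single audit target; the audit name, the database name SalesDb and the file path are assumed placeholders.

```sql
-- Added example: native SQL Server Audit objects covering the requirements
-- listed above. ComplianceAudit, SalesDb and D:\SQLAudit\ are placeholders.
USE master;
GO
-- 1. Audit target: a directory the SQL Server service account can write to but
--    ordinary logins cannot, so the trail keeps its original state.
CREATE SERVER AUDIT ComplianceAudit
TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = UNLIMITED)
WITH (QUEUE_DELAY = 1000,
      ON_FAILURE = FAIL_OPERATION);  -- audited actions fail rather than run unaudited
GO
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO
-- 2. Server level: successful and failed logins plus server-wide security changes.
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
FOR SERVER AUDIT ComplianceAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),     -- logins created, altered or dropped
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- e.g. sysadmin membership changes
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)                 -- changes to the audit configuration itself
WITH (STATE = ON);
GO
-- 3. Database level: schema changes, data changes/reads and database security changes.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION ComplianceDbSpec
FOR SERVER AUDIT ComplianceAudit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),        -- DDL: CREATE / ALTER / DROP
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public)  -- who saw/changed what
WITH (STATE = ON);
GO
-- 4. On-demand report: who did what, when, and whether it succeeded.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The final query is the raw form of the on-demand report an auditor asks for; a scheduled job that copies these rows into a separate, write-restricted repository is what keeps the trail available after the audit files roll over.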

In order to meet all these requirements, SQL Server DBAs face the not insignificant task of providing an original audit trail, ensuring that the audited data is safe and that any tampering is either prevented or detected and corrected. Unfortunately, this usually requires months of development, followed by a long implementation of custom solutions that can be hard to maintain and that demand a lot of DBA attention, which can be very expensive.

Compliance regulatory standards

Depending on the organization's business area, it may be subject to a specific regulatory standard it will need to fulfill in order to achieve compliance:

  • HIPAA – The Health Insurance Portability and Accountability Act is a regulatory standard enacted by the US Congress which ensures that healthcare information is safeguarded and protected. HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs, and requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

  • PCI DSS – The Payment Card Industry Data Security Standard applies to companies that process purchase transactions involving credit, debit or prepaid cards over the internet or by phone.

  • SOX – The Sarbanes-Oxley Act is a mandatory compliance regulation for all organizations regardless of their size. It serves to protect shareholders and the general public from accounting errors and fraudulent practices by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

  • GDPR – The General Data Protection Regulation is a standard on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It introduces numerous security and compliance regulations and obligations for all organizations worldwide that handle, process, collect or store personal information of EU citizens.

  • FDA – The Food and Drug Administration regulation on electronic records and electronic signatures (ERES), established in the United States. Title 21 CFR Part 11 defines the criteria under which electronic signatures and electronic records are trustworthy, reliable and comparable to paper records. All SQL Server systems that store data used in the process of making quality decisions, or any data to be reported to the FDA, must be compliant with Title 21 CFR Part 11.

  • FISMA – The Federal Information Security Management Act recognizes the significance of information security to the economic and national security interests of the United States. It requires all federal agencies, subcontractors and service providers, including organizations which operate IT systems on behalf of any federal agency, to implement a program that ensures the security of the information and information systems related in any way to the operations and assets of the agency, as well as the means to document the process.

  • GLBA – The Gramm-Leach-Bliley Act is mandatory for all financial institutions – insurance companies, banks, credit unions, and companies that offer financial products or services such as loans, financial or investment advice, etc. GLBA was created to protect consumer financial privacy and to ensure the confidentiality, integrity, and availability of sensitive customer financial information. Financial organizations must inform their customers about the company's information sharing and privacy practices, and customers must be informed of their right to say "no" if they do not want their financial information shared with certain third parties.

  • Basel II – The Basel Capital Accord is a set of international banking standards based on three mutually reinforcing pillars, issued by the Basel Committee on Banking Supervision. The goals of Basel II are stable, safe and sound financial systems based on accurate data, consistency and control.

Meeting such regulations can be a tough job, especially when a DBA has to create a custom solution for their organization. Luckily, in order to achieve SQL Server compliance, the third-party tool ApexSQL Audit can be used as a powerful integral part of the compliance solution. As its name implies, ApexSQL Audit is an enterprise-level auditing and compliance tool for SQL Server.

ApexSQL Audit allows users to set up specific SQL Server auditing jobs to audit all operations performed on SQL instances, including DML and DDL changes, SELECT statements, and login, user and permission related activities. Audited data is then stored in a tamper-evident central repository database for safekeeping, from where it can be extracted in the form of various pre-made or custom auditing reports based on the user's needs.

Depending on the enforced compliance regulation, ApexSQL Audit can be used to cover the major auditing requirements imposed by the standard, which differ in scope from one regulation to another. ApexSQL Audit is a very powerful solution which a DBA can use in order to ensure and provide the following:

  • Audit all SQL Server and database changes – all events, activities and SQL Server or database changes are audited (DML, DDL, security changes, login activities, etc.). Full information on who made the change, when, how and with what tool or application is captured.

  • Capturing who saw what in SQL Server – capture activities per user and display them in comprehensive reports.

  • Before and after auditing – reconstruct an audit history and a full history of data changes to provide meaningful forensics.

  • Centralized, tamper-evident repository database – all audited data is stored in the centralized repository, and ApexSQL Audit will detect any changes to the stored data and report them to users.

  • Reporting mechanisms – allows the creation of various auditing reports which can be fully customized to meet specific reporting requirements.

Below is a compiled list of links describing how ApexSQL Audit can help SQL Server DBAs achieve compliance with the various auditing requirements mentioned above:

HIPAA – The Health Insurance Portability and Accountability Act

HIPAA Compliance for SQL Server DBAs
How to meet requirements of HIPAA compliance as a part of a SQL Server audit
How to implement HIPAA regulatory standard for SQL Server – Part 1
How to implement HIPAA regulatory standard for SQL Server – Part 2
How to implement HIPAA regulatory standard for SQL Server – Part 3

PCI compliance

Meeting PCI compliance requirements with SQL Server
PCI Compliance for SQL Server DBAs
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 1
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 2
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 3
How to implement compliance with the PCI DSS regulatory standard for SQL Server – Part 4

SOX – The Sarbanes-Oxley Act

Meet SQL Server auditing requirements of Sarbanes-Oxley (SOX)
SOX survival kit for the SQL Server DBA
How to implement SOX compliance requirements for SQL Server – Part 1
How to implement SOX compliance requirements for SQL Server – Part 2

GDPR

General Data Protection Regulation (GDPR) compliance for SQL Server

FDA – Food and Drug Administration

Title 21 CFR Part 11 (FDA) compliance checklist for ApexSQL Audit

FISMA – The Federal Information Security Management Act

FISMA (NIST800-53 rev. 4) compliance checklist for ApexSQL Audit

GLBA – The Gramm-Leach-Bliley Act

Meet GLBA compliance requirements for SQL Server
GLBA Compliance for SQL Server DBAs

Basel II – The Basel Capital Accord

Basel II Compliance for SQL Server DBAs
How to audit SQL Server to comply with Basel II

May 12, 2016