There are a lot of laws and standards that apply to data and managing data. I’ve put together a list of some of them, along with links to additional information.
Obviously, this is just meant as a quick overview; the links will go into more detail on each, as well as give some direction on complying.
Denny Cherry’s book Securing SQL Server covers some of these in detail, focusing on auditing.
* HIPAA – Health Insurance Portability and Accountability Act
Security of patient medical data, preventing unauthorized viewing
Auditing reads and updates to data, encryption of transmitted data
HIPAA and Database Administration: By Robert Sheldon – Part of a series from Redgate
* SOX – Sarbanes-Oxley
Ensuring accuracy of accounting and financial data
Section 404 – assessment of internal controls
A yearly internal control report has to be produced
Disaster recovery plan, no shared logins, auditing access and changes to financial data, restricting access to financial data
SOX for SQL Server DBAs: Article from MS SQL Tips
* PCI DSS – Payment Card Industry Data Security Standard
Standard for security around credit cards
Restricting and auditing access to data, maintaining and updating security systems, and encrypting transmitted information
What does PCI DSS mean for your SQL Server environment?: Article from MS SQL Tips
* FERPA – Family Educational Rights and Privacy Act
Privacy around student records
* GDPR – General Data Protection Regulation
Deals with storing personal data for citizens of the European Union
* FIPS – Federal Information Processing Standard
When applying FIPS to databases, generally we’re referring to the FIPS 140 series, which sets encryption standards for non-military government agencies.
* C2 Auditing
When enabled, this feature will audit login attempts, as well as attempts to access or alter database objects.
This feature has been deprecated; Common Criteria Compliance should be used instead.
c2 audit mode Server Configuration Option: Microsoft
* Common Criteria Compliance
Auditing standard. This can be enabled (along with C2) in SSMS under Server Properties, or by using sp_configure.
This standard addresses:
– Residual Information Protection – Overwriting memory before reallocating
– Login statistics – Tracking last login attempt date/time (successful or not) as well as the number of login attempts
– A column-level GRANT permission shouldn’t override a table-level DENY permission
Common Criteria Compliance Enabled Server Configuration: From Microsoft
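To make the last two items concrete, here is an added T-SQL example (my own, not from Microsoft’s documentation or the linked articles) that checks and enables Common Criteria Compliance with sp_configure, reads the login statistics it tracks, and demonstrates the GRANT/DENY rule. The table dbo.Patients and the user Auditor are made up for the demo; run it as sysadmin on a test instance, and remember the option only takes effect after the service is restarted.

```sql
-- 1. Current state of both audit options.
--    value = configured value, value_in_use = what is actually active.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('c2 audit mode', 'common criteria compliance enabled');
GO

-- 2. Both are advanced options, so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO

-- 3. Enable Common Criteria Compliance (the deprecated C2 mode stays off).
--    value becomes 1, but value_in_use stays 0 until the service restarts.
EXEC sp_configure 'common criteria compliance enabled', 1;
RECONFIGURE;
GO

-- 4. After the restart: per-session login statistics. These three columns
--    are only populated while the option is active.
SELECT login_name,
       last_successful_logon,
       last_unsuccessful_logon,
       unsuccessful_logons
FROM sys.dm_exec_sessions
WHERE is_user_process = 1;
GO

-- 5. Permission check (constructed objects). With the option active a
--    table-level DENY wins over a column-level GRANT; without it, the
--    column-level GRANT wins and the SELECT below succeeds.
CREATE TABLE dbo.Patients (Id int, Name nvarchar(50), Ssn char(11));
CREATE USER Auditor WITHOUT LOGIN;
DENY  SELECT        ON dbo.Patients TO Auditor;
GRANT SELECT (Name) ON dbo.Patients TO Auditor;
GO

EXECUTE AS USER = 'Auditor';
SELECT Name FROM dbo.Patients;   -- permission denied when compliance is on
GO
REVERT;                          -- separate batch so it runs even after the error
GO

-- Clean up the demo objects.
DROP USER Auditor;
DROP TABLE dbo.Patients;
GO
```

Step 1 is the query to keep for monitoring: a server where value is 1 but value_in_use is 0 has been configured but never restarted, so none of the Common Criteria behaviour is actually in force yet.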