Database security policies to think about

Technically, in order to determine exactly which security policies are needed, you need to perform an information risk assessment. However, I understand that reality often dictates otherwise. That said, I can think of few, if any, circumstances that wouldn't require the following database-related security policies at the very least:

• Acceptable usage – what can/cannot be done on database servers such as web browsing and installing/disabling malware and personal firewall protection as well as installation of MSDE, SQL Server Express 2005, and other database software on non-server systems.
• Authentication controls – for databases as well as related applications and operating systems including password requirements, multi-factor usage, etc..
• Business associates – dealing with external contractors, auditors, hosting providers, etc. including contract provisions and service level agreements where applicable.
• Business continuity – disaster recovery and/or business continuity plan requirements to help keep your databases up and accessible.
• Change management – documenting the who, why, when, how, and any related backout procedures, etc..
• Data backup – what, when, and methods used.
• Data retention and destruction – what, why, methods used and timelines.
• Encryption – covering both data at rest such as encrypting specific rows, and data in transit such as TLS between the database server and Web application. Data backups would also be included.
• Information classification – labeling requirements for public, internal, confidential, etc..
• Physical security – building, data center, and server security.
• Removal of property – servers, drives, tapes, and other property.
• Security testing and audits – what, how, when, and who will perform testing along with what tools will be used.
• Separation of duties – the roles/responsibilities of users, DBAs, security auditors and others involved with database management..
• System maintenance – patching, system purging/cleanups and malware updates.
• System monitoring and incident response – the who, why, when and how of real-time monitoring and audit logging, as well as specific requirements for maintaining a formal incident response plan.
• User authorization – adding/removing users and ...
  
  To continue reading for free, register below or login

  Requires Membership to View

  To gain access to this and all member only content, please provide the following information:

  Email Address:
  
  
  

  By joining SearchSQLServer.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  To read more you must become a member of SearchSQLServer.com

  As an existing member of the TechTarget network please activate your SearchSQLServer.com account 

  By joining SearchSQLServer.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
  
  TechTarget cares about your privacy. Read our Privacy Policy
  
  
  

  Digg This!     StumbleUpon     Del.icio.us

  
  
  
  

  RELATED CONTENT SQL Server Security Password cracking tools for SQL Server Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Database Management and Administration Password cracking tools for SQL Server Using traces in SQL Server Profiler Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Achieving high availability and disaster recovery with SharePoint databases Clearing the Windows page file and its effect on server performance Deploying a SQL Server virtual appliance for Microsoft Hyper-V

  RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

  RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

  
  
  granting admin rights for whom, why, when and for how long.

There are several critical points I want to make related to database-centric security policies. First, if management hasn't declared their support (i.e. they're going to embrace and enforce the policies), you might as well forgo this exercise altogether. So get them on board first. Second, scope your policies at the highest level possible so you can maximize the number of departments and systems covered. Maximize the number of regulations you can actually be in compliance with. In other words, if you can help it, don't generate all of the above policies for your databases and have another set for wireless networks, storage systems and so on. Likewise, understand your organization's regulatory requirements at least to the point where one set of policies addresses PCI, GLBA, HIPAA, SOX, etc. This will be best served if you have a compliance or IT governance committee that oversees and implements security policies. You don't want your own set of policies to manage if you can help it.

Finally, make sure you document your policies in a way that'll make comprehension and administration as straightforward as possible. The following policy elements are essential for keeping policies simple and manageable long term.

• Introduction – a brief overview of the topic such as encryption.
• Purpose – briefly outlines the high-level goal(s) and strategy of the policy.
• Scope – States which employees, departments and database systems are covered.
• Roles and responsibilities – outlines who's involved and what they're expected to do to support the policy.
• Policy statement – your actual policy statement/statements. You should have one policy statement per subject. In other words, create a separate template for each of the policies listed above that you choose to use.
• Exceptions – underscores the people, departments, databases, etc. that are not covered by the policy.
• Procedures – detailed steps on how the policy is being implemented and enforced in your environment. You may want to reference this information and place it in a separate document.
• Compliance – outlines procedures on how compliance with this policy will be measured including any metrics involved.
• Sanctions – outlines what happens when the policy is violated. This may include X happens on the first offense, Y happens on the second offense, and Z happens on the third offense.
• Review and evaluation – states when the policy must be reviewed for accuracy, applicability, and compliance purposes (i.e. SOX, HIPAA, GLBA, PCI, etc.).
• References – Points to regulatory code sections and information security standards (ISO/IEC 17799, ITIL, COBIT, etc.).
• Related documents – points to other policies, guidelines, standards, and related documents.
• Revisions – section for documenting ongoing changes made to this policy document.
• Notes – highlights notes, tips, etc. that can help with future policy management and enforcement.

If you do all of this to build out your policies the right way, it'll save you a lot of time and headaches over the long haul and make your auditors happy to boot. Not a bad payoff for a few days worth of work.

ABOUT THE AUTHOR:   

Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2007 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.