Database security policies to think about

Technically, in order to determine exactly which security policies are needed, you need to perform an information risk assessment. However, I understand that reality often dictates otherwise. That said, I can think of few, if any, circumstances that wouldn't require the following database-related security policies at the very least:

• Acceptable usage – what can/cannot be done on database servers such as web browsing and installing/disabling malware and personal firewall protection as well as installation of MSDE, SQL Server Express 2005, and other database software on non-server systems.
• Authentication controls – for databases as well as related applications and operating systems including password requirements, multi-factor usage, etc..
• Business associates – dealing with external contractors, auditors, hosting providers, etc. including contract provisions and service level agreements where applicable.
• Business continuity – disaster recovery and/or business continuity plan requirements to help keep your databases up and accessible.
• Change management – documenting the who, why, when, how, and any related backout procedures, etc..
• Data backup – what, when, and methods used.
• Data retention and destruction – what, why, methods used and timelines.
• Encryption – covering both data at rest such as encrypting specific rows, and data in transit such as TLS between the database server and Web application. Data backups would also be included.
• Information classification – labeling requirements for public, internal, confidential, etc..
• Physical security – building, data center, and server security.
• Removal of property – servers, drives, tapes, and other property.
• Security testing and audits – what, how, when, and who will perform testing along with what tools will be used.
• Separation of duties – the roles/responsibilities of users, DBAs, security auditors and others involved with database management..
• System maintenance – patching, system purging/cleanups and malware updates.
• System monitoring and incident response – the who, why, when and how of real-time monitoring and audit logging, as well as specific requirements for maintaining a formal incident response plan.
• User authorization – adding/removing users and granting admin rights for whom, why, when and for how long.

There are several critical points I want to make related to database-centric security policies. First, if management hasn't declared their support (i.e. they're going to embrace and enforce the policies), you might as well forgo this exercise

Get more on database security compliance here: Logging for security compliance in SQL Server Meet compliance with improved database security practices

altogether. So get them on board first. Second, scope your policies at the highest level possible so you can maximize the number of departments and systems covered. Maximize the number of regulations you can actually be in compliance with. In other words, if you can help it, don't generate all of the above policies for your databases and have another set for wireless networks, storage systems and so on. Likewise, understand your organization's regulatory requirements at least to the point where one set of policies addresses PCI, GLBA, HIPAA, SOX, etc. This will be best served if you have a compliance or IT governance committee that oversees and implements security policies. You don't want your own set of policies to manage if you can help it.

Finally, make sure you document your policies in a way that'll make comprehension and administration as straightforward as possible. The following policy elements are essential for keeping policies simple and manageable long term.

• Introduction – a brief overview of the topic such as encryption.
• Purpose – briefly outlines the high-level goal(s) and strategy of the policy.
• Scope – States which employees, departments and database systems are covered.
• Roles and responsibilities – outlines who's involved and what they're expected to do to support the policy.
• Policy statement – your actual policy statement/statements. You should have one policy statement per subject. In other words, create a separate template for each of the policies listed above that you choose to use.
• Exceptions – underscores the people, departments, databases, etc. that are not covered by the policy.
• Procedures – detailed steps on how the policy is being implemented and enforced in your environment. You may want to reference this information and place it in a separate document.
• Compliance – outlines procedures on how compliance with this policy will be measured including any metrics involved.
• Sanctions – outlines what happens when the policy is violated. This may include X happens on the first offense, Y happens on the second offense, and Z happens on the third offense.
• Review and evaluation – states when the policy must be reviewed for accuracy, applicability, and compliance purposes (i.e. SOX, HIPAA, GLBA, PCI, etc.).
• References – Points to regulatory code sections and information security standards (ISO/IEC 17799, ITIL, COBIT, etc.).
• Related documents – points to other policies, guidelines, standards, and related documents.
• Revisions – section for documenting ongoing changes made to this policy document.
• Notes – highlights notes, tips, etc. that can help with future policy management and enforcement.

If you do all of this to build out your policies the right way, it'll save you a lot of time and headaches over the long haul and make your auditors happy to boot. Not a bad payoff for a few days worth of work.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver ~at~ principlelogic.com. Copyright 2007 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server security Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server source code analysis and management adds database security Ten common SQL Server security vulnerabilities you may be overlooking SQL Server 2008 security and compliance features reduce security risks Get your SQL Server security goals in order How secure is your SQL Server network design? Creating a SQL Server user authentication schema Could a join of encrypted SQL Server data have a problem? SQL Server connection lost when SA password is changed How to set SQL Server password for SA login SQL Server database design and modeling SQL Server tempdb best practices increase performance FAQ: SQL Server databases how-to How to maintain SQL Server indexes for query optimization How to retrieve SQL Server database disk space in use Maintain large SQL Server database and resolve website 'Timeout Error' How to construct and use SQL OUTER JOINs optimally How to use the LEFT vs. RIGHT OUTER JOIN in SQL SQL OUTER JOIN sample uses Using the FULL OUTER JOIN in SQL SQL OUTER JOIN sample statements for queries Database Administrator Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server 2005 log shipping setup using the wizard Track changes to SQL Server 2000 and 2005 with one simple utility Tips for scheduling and testing SQL Server backups Ten common SQL Server security vulnerabilities you may be overlooking How to maintain SQL Server indexes for query optimization Five sqlcmd features to automate SQL Server database tasks Configuring SQL Server memory settings Tricking SQL Server into making full database backups Determining SQL Server database storage requirements RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.