Sarbanes-Oxley compliance checklist: IT security and SQL audits


Michelle Gutzait, Contributor
05.07.2008


Problem:

My company needs to meet Sarbanes-Oxley compliance for all its Information Technology (IT) department layers and products, including SQL Server. We're running SQL Server 2000 and SQL Server 2005 with no security standards. What is the process for meeting SOX compliance? What else should I do in order to secure my SQL Server environment and prepare for security audits? Where should I start looking?

About SOX and security

Sarbanes-Oxley Act compliance has become a major undertaking within organizations. Enacted in 2002 in response to a series of corporate and accounting scandals, the law set new standards for financial reporting and for the internal controls behind it. For IT, that means closing every avoidable security gap around financial and accounting data, above all in the database and application layers, and being able to show an outside auditor who can read, change or delete that data and how any manipulation of it is tracked.

A large share of security problems originate inside the organization, through excessive privileges, shared accounts and unreviewed changes rather than outside attackers. That is why the first step is internal access control: making sure the right people, and only the right people, have access to the right data. SOX compliance and security best practice rest on the same three properties that apply to securing any data:

Confidentiality-Integrity-Availability

  • Confidentiality -- Protecting sensitive information from unauthorized disclosure or intelligible interception.
  • Integrity -- Safeguarding the accuracy and completeness of information and software.
  • Availability -- Ensuring that information solutions are available when required.

SQL Server 2005 addresses all three of these database security concepts.

Security practices for a database environment

Securing the database server and its databases means maintaining all of the following:

Security analysis and monitoring – possible solutions

There are two main ways to get to SOX compliance: (1) use Microsoft tools or third-party tools, and (2) perform manual analysis and monitoring with your own scripts and procedures. In practice most shops need both, since a tool gives a repeatable baseline while manual review catches the exceptions specific to your environment.
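As an added example of the manual monitoring side (this is not code from the original tip), the script below creates a database-scoped DDL trigger that records every schema change in an in-scope financial database, together with a query a reviewer would run against the log. It assumes SQL Server 2005 or later, a hypothetical database named FinanceDB, and a hypothetical deployment account CONTOSO\svc_deploy; change those to match your environment.

```sql
-- Added example, not code from the original tip. A database-scoped DDL trigger
-- that records every schema change in an in-scope financial database, so a
-- reviewer can see who changed what, when, and with which statement.
-- Assumes SQL Server 2005 or later (DDL triggers and EVENTDATA() do not exist
-- in SQL Server 2000) and a hypothetical database named FinanceDB.
USE FinanceDB;
GO

-- The log lives in its own schema so that developer roles can be denied
-- write access to it.
IF SCHEMA_ID('audit') IS NULL
    EXEC ('CREATE SCHEMA audit AUTHORIZATION dbo');
GO

IF OBJECT_ID('audit.DDLChangeLog') IS NULL
    CREATE TABLE audit.DDLChangeLog
    (
        ChangeID      int IDENTITY(1,1) NOT NULL PRIMARY KEY,
        EventTime     datetime      NOT NULL DEFAULT GETUTCDATE(),
        OriginalLogin sysname       NOT NULL,  -- ORIGINAL_LOGIN(): unaffected by EXECUTE AS
        UserName      nvarchar(128) NULL,
        HostName      nvarchar(128) NULL,      -- client-supplied, treat as a hint only
        EventType     nvarchar(128) NOT NULL,
        ObjectName    nvarchar(260) NULL,
        ObjectType    nvarchar(128) NULL,
        CommandText   nvarchar(max) NOT NULL,
        EventXml      xml           NOT NULL   -- the full event, kept for the auditor
    );
GO

IF EXISTS (SELECT 1 FROM sys.triggers
           WHERE name = 'trg_AuditDDL' AND parent_class = 0)
    DROP TRIGGER trg_AuditDDL ON DATABASE;
GO

CREATE TRIGGER trg_AuditDDL
ON DATABASE
WITH EXECUTE AS 'dbo'          -- the caller needs no INSERT right on the log table
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ev xml;
    SET @ev = EVENTDATA();

    INSERT INTO audit.DDLChangeLog
        (OriginalLogin, UserName, HostName, EventType, ObjectName, ObjectType,
         CommandText, EventXml)
    SELECT
        ORIGINAL_LOGIN(),
        @ev.value('(/EVENT_INSTANCE/UserName)[1]',  'nvarchar(128)'),
        HOST_NAME(),
        @ev.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(128)'),
        -- SchemaName is absent for some events (CREATE_ROLE, GRANT_DATABASE ...),
        -- so build "schema.object" without turning the whole name into NULL.
        ISNULL(@ev.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)') + '.', '')
          + ISNULL(@ev.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'), ''),
        @ev.value('(/EVENT_INSTANCE/ObjectType)[1]', 'nvarchar(128)'),
        @ev.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @ev;
END;
GO

-- Keep developers from tidying up after themselves. Members of db_owner are
-- not affected by a DENY, which is why db_owner membership must stay small.
DENY DELETE, UPDATE ON audit.DDLChangeLog TO public;
GO

-- What the reviewer runs: schema changes in the last 30 days made by anyone
-- other than the sanctioned deployment account (hypothetical name).
SELECT EventTime, OriginalLogin, EventType, ObjectName,
       LEFT(CommandText, 200) AS CommandPreview
FROM audit.DDLChangeLog
WHERE OriginalLogin <> N'CONTOSO\svc_deploy'
  AND EventTime >= DATEADD(day, -30, GETUTCDATE())
ORDER BY EventTime DESC;
```

Two caveats a practitioner should keep in mind. Anyone who can alter the database (db_owner, or sysadmin at the server level) can also disable or drop the trigger, so the log should be copied off the server on a schedule and compared against the administrator checklist of who holds those roles. SQL Server 2000 has no DDL triggers; there, a server-side trace (the same mechanism SQL Profiler uses) filtered on the object and security event classes is the equivalent evidence source.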

Procedures and documentation

Security procedures and their documentation are part of the evidence an auditor will ask for. For SQL Server they should include the following:

Here is an example of a manual analysis report (partial list):

Administrator checklist

[TABLE]

Developer checklist

[TABLE]
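The checklists above are reviewed by hand, but most of the administrator items can be pulled straight from the catalog views. The script below is an added example, not the tables from the original tip: it produces the administrator-checklist evidence a SOX reviewer typically asks for (privileged role membership, the sa login, password policy, surface-area options, and access inside the finance database). It assumes SQL Server 2005 catalog views and a hypothetical in-scope database named FinanceDB.

```sql
-- Added example, not the checklist tables from the original tip. A read-only
-- T-SQL script that produces the administrator-checklist evidence a SOX
-- reviewer typically asks for. Uses only SQL Server 2005 catalog views
-- (SQL Server 2000 has sysxlogins/sysusers instead). The database name
-- FinanceDB is an assumption; run each section and keep the output as evidence.
SET NOCOUNT ON;

-- 1. Privileged server roles: every member should map to a named, approved person
--    or service account. Shared accounts and Windows groups need justification.
SELECT r.name AS ServerRole, m.name AS MemberName, m.type_desc AS MemberType,
       m.is_disabled AS IsDisabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 2. The built-in sa login (sid 0x01) should be renamed and disabled.
SELECT name AS SaLoginName, is_disabled AS IsDisabled
FROM sys.server_principals
WHERE sid = 0x01;

-- 3. SQL logins that bypass Windows password policy, or whose password is
--    blank or equals the login name. Reading password_hash needs CONTROL SERVER.
SELECT l.name AS LoginName,
       l.is_policy_checked     AS PolicyEnforced,
       l.is_expiration_checked AS ExpirationEnforced,
       PWDCOMPARE('',     l.password_hash) AS BlankPassword,
       PWDCOMPARE(l.name, l.password_hash) AS PasswordIsLoginName
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND (l.is_policy_checked = 0 OR l.is_expiration_checked = 0
       OR PWDCOMPARE('', l.password_hash) = 1
       OR PWDCOMPARE(l.name, l.password_hash) = 1)
ORDER BY l.name;

-- 4. Surface-area options that should be off on a production finance server.
SELECT name AS OptionName, CAST(value_in_use AS int) AS ValueInUse
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'remote access',
               'Ad Hoc Distributed Queries', 'clr enabled',
               'cross db ownership chaining')
  AND CAST(value_in_use AS int) = 1;

-- 5. Inside the in-scope database (hypothetical name).
USE FinanceDB;

-- 5a. Who can change anything, or change the data, in this database.
SELECT r.name AS DatabaseRole, m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin', 'db_ddladmin', 'db_datawriter')
ORDER BY r.name, m.name;

-- 5b. guest enabled: any login on the instance can then connect to this database.
SELECT p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
  AND p.permission_name = 'CONNECT' AND p.state IN ('G', 'W');

-- 5c. Orphaned users: a user whose SID matches no login. Users created
--     WITHOUT LOGIN also appear here and need a separate justification.
SELECT u.name AS OrphanedUser, u.type_desc AS UserType
FROM sys.database_principals AS u
LEFT JOIN sys.server_principals AS sp ON sp.sid = u.sid
WHERE u.type IN ('S', 'U', 'G')
  AND u.principal_id > 4            -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.sid IS NULL;

-- 5d. Permissions granted directly to users on tables and views. These should be
--     granted to roles, otherwise the access matrix cannot be reviewed per role.
SELECT pr.name AS Grantee, pr.type_desc AS GranteeType,
       pe.permission_name, pe.state_desc,
       SCHEMA_NAME(o.schema_id) + '.' + o.name AS ObjectName
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = pe.major_id
WHERE pe.class = 1
  AND pr.type IN ('S', 'U', 'G')
  AND o.type IN ('U', 'V')
ORDER BY pr.name, ObjectName;
```

An empty result set for sections 3, 4, 5b, 5c and 5d is the desired state; sections 1, 2 and 5a always return rows and are compared against the approved list of administrators. Save the output with a date stamp each time the checklist is run so that the auditor can see the history, not only the current state.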

Related SQL Server database security and SOX compliance links

  • SQL Server 2005 – Security and Protection
  • SQL Server 2005 Security White Papers
  • SQL Server 2005 Security Best Practices - Operational and Administrative Tasks
  • Security Guidance for SQL Server
  • Microsoft SQL Server 2005 Assessment Configuration Pack for Sarbanes-Oxley Act (SOX) (note: usable only if you have System Center Configuration Manager)

Conclusion

Keeping your SQL Server environment secure is one of the most important rules, if not the most important, in a database environment. Even if your company is not subject to a formal SOX audit, you should still make sure your data and databases are secured.
