For DBAs, satisfying compliance requirements is critical. Implementing security guidelines and required audit procedures at the start of a new and upgraded system prevent the DBA from scrambling for answers when auditors ask the tough questions. In addition, it will ensure that production, deployment, and test databases are protected from breaches and unwanted changes, saving time, money, and reputation.
Database security plays a crucial part in a company’s ‘corporate health’, especially since its reputation is compromised after a breach. Database breaches creates a challenging situation for sales and business development, as the company now must deal with negative publicity and fines for non-compliance.
For the CIO, who heads the IT department, the message of compliance they relay to their IT managers — which include the DBA — is clear: keep data protected and controlled.
The DBA does this by streamlining development processes, which have built in compliance tools and comprehensive audit trail history that provides answers to virtually any question the auditor may ask, including:
- Do you have well-defined Roles and Responsibilities? Are these definitions enforced (and if so, how)?
- What changes were made to the database?
- Who made these changes
- Why were these changes made?
- When were these changes made?
According to McAfee, the world’s largest security technology company, following compliance regulations creates an almost fail-safe documentation process, resulting in the tracking of all changes made to the database and a record of who did what, when, and why, streamlining regulatory compliance and easing reporting.
Craig S. Mullens, in his article Regulatory Compliance and Database Administration, says that DBAs need to pay close attention to the following regulations:
- Sarbanes-Oxley Act (SOX), officially known as the U.S. Public Accounting Reform and Investor Protection Act of 2002, regulates corporations to reduce fraud and to improve disclosure and financial reporting. It specifies that the CFO must guarantee the processes used to produce financial reports. Those processes are typically computer programs that access data in a database, and DBAs create and manage that data as well as many of those processes.”
- Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, mandates that health care providers protect individual’s health care information to the point that the provider must be able to document everyone who even so much as looked at their information.
- Gramm-Leach-Bliley (GLB) Act (also known as the Financial Modernization Act of 1999) and the E-Government Act, passed in 2002 as a response to terrorist threats, which states that federal agencies, contractors, and any entity that supports them, must maintain security commensurate with potential risk.
- Payment Card Industry (PCI) and Data Security Standard (DSS), which was developed by the major credit card companies to help prevent credit card fraud, hacking, and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI-DSS compliant or they risk losing the ability to process credit card payments.
At the end of the day, for the DBA to take the appropriate measures to ensure security and regulatory compliance, systemization and automation must be implemented. When operations take place across multiple environments, manual processes are error prone and less efficient. With automation, fewer resources are required to run and monitor the database, which will automatically be more compliant, efficient, and consistent.
While it is not the job of the DBA to develop and enforce compliance regulation, the DBA is responsible for investigating, installing, and managing the technology that supports and ensures database compliance.