Exported from Confluence on Thu, 28 Mar 2024.
IDERA SQL Compliance Manager audits and identifies events that affect SQL Server objects and data. By selecting a specific regulation guideline set, SQL Compliance Manager applies audit settings to your selected databases according to the corresponding data security rules. This audited data is collected and securely stored for forensic analysis and reporting. SQL Compliance Manager also provides tamper-proof data security features as well as methods for watching events without exposing account information.

You can apply a regulation guideline when you register a new SQL Server instance or audit a database through the Console or CLI. The following tables list each section of a regulation and the associated SQL Server events that SQL Compliance Manager audits, as well as specific audit features.
IDERA, Inc. customers have the sole responsibility to ensure their compliance with the laws and standards affecting their business. IDERA, Inc. does not represent that its products or services ensure that a customer is in compliance with any law. It is the responsibility of the customer to obtain legal, accounting, or audit counsel as to the necessary business practices and actions to comply with such laws.

Section | Summary | Associated Audit Events and Features |
---|---|---|
99.2 | What is the purpose of these regulations? The purpose of this part is to set out requirements for the protection of privacy of parents and students under section 444 of the General Education Provisions Act, as amended. | Server Events:<br>Database Events: |
99.31(a)(1) | School officials<br>Institutions that allow "school officials, including teachers, within the agency or institution" to have access to students' education records, without consent, must first make a determination that the official has "legitimate educational interests" in the information. The list of officials must be included in the annual FERPA notification. | Server Events:<br>Database Events: |
99.31(a)(1)(ii) | Controlling access to education records by school<br>Institutions are now required to use "reasonable methods" to ensure that instructors and other school officials (including outside service providers) obtain access to only those education records (paper or electronic) in which they have legitimate educational interests. Institutions are encouraged to restrict or track access to education records to ensure that they remain in compliance with this requirement. The higher the risk, the more stringent the protections should be (e.g., SSNs should be closely guarded). | Server Events:<br>Database Events: |
99.31(a)(2) | Student's new school<br>An institution retains the authority to disclose and transfer education records to a student's new school even after the student has enrolled, and such authority continues into the future so long as the disclosure is for purposes related to the student's enrollment/transfer. After admission, the Americans with Disabilities Act (ADA) does not prohibit institutions from obtaining information concerning a current student with disabilities from any school previously attended by the student in connection with an emergency and if necessary to protect the health or safety of a student or other persons under FERPA. A student's previous school may supplement, update, or correct any records it sent during the student's application or transfer period and may identify any falsified or fraudulent records and/or explain the meaning of any records disclosed previously to the new school. | Server Events:<br>Database Events: |
99.32(a)(1) | What record keeping requirements exist concerning requests and disclosures? An educational agency or institution must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student, as well as the names of State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) that may make further disclosures of personally identifiable information from the student's education records without consent under § 99.33(b)(2). The agency or institution shall maintain the record with the education records of the student as long as the records are maintained. | Server Events:<br>Database Events: |


Section | Summary | Associated Audit Events and Features |
---|---|---|
164.306 (a, 2) | Security Standards<br>Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. | Server Events:<br>Database Events: |
164.308 (1, i) | Security Management Process<br>Implement policies and procedures to prevent, detect, contain and correct security violations. | Server Events:<br>Database Events: |
164.308 (B) | Risk Management<br>Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). | Server Events:<br>Database Events: |
164.308 (D) | Information System Activity Review<br>Implement procedures to regularly review records of information system activity such as audit logs, access reports and security incident tracking reports. | Server Events:<br>Database Events: |
164.308 (3, C) | Termination Procedures<br>Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a) (3) (ii) (B) of this section. | Server Events:<br>Database Events: |
164.308 (5, C) | Implementation Specifications<br>Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. | Server Events:<br>Database Events: |
164.312 (b) | Technical Standard<br>Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Server Events:<br>Database Events: |
164.404 (a) (1) (2) | Security and Privacy<br>Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§ 164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence, would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). | Server Events:<br>Database Events: |
164.404 (c) (1) (A), (B) | Security and Privacy<br>(c) Implementation specifications: Content of notification<br>(1) Elements. The notification required by (a) of this section shall include, to the extent possible:<br>(A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;<br>(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information). | Server Events:<br>Database Events: |
HITECH 13402 (a) (f), (1), (2) | Notification In the Case of Breach<br>(a) In General. A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.<br>(f) Content of Notification. Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:<br>(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.<br>(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code). | Server Events:<br>Database Events: |


Section | Summary | Associated Audit Events and Features |
---|---|---|
8 | Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. | Server Events:<br>Database Events: |
8.5.4 | Immediately revoke access for any terminated users. | Server Events:<br>Database Events: |
10 | Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs. | See subsections |
10.1 | Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. | Server Events:<br>Database Events: |
10.2 | Implement automated audit trails for all system components to reconstruct the following events: | Server Events:<br>Database Events: |
10.3 | Record at least the following audit trail entries for all system components for each event: | Server Events:<br>Database Events: |
10.5 | Secure audit trails so they cannot be altered. | SQL Compliance Manager Repository |
10.7 | Retain audit trail history for at least one year, with a minimum of three months online availability. | Enable archive and groom to retain Repository data for a minimum of one year |


Section | Summary | Associated Audit Events and Features |
---|---|---|
404 | A statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 requires the company's auditor to attest to, and report on, management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board. (Source: Securities and Exchange Commission.)<br>What does this mean from an Information Technology standpoint? The key is reliability of financial reporting. Financial information resides in the database, and it is the responsibility of IT to ensure the right personnel have access to that data at the right time. Any changes to the permissions must be tracked. Additionally, all access to that data (select, insert, update, and delete operations, plus before and after changes) must be audited down to the actual user and stored. If the need arises to determine where an individual has violated the accuracy of the financial data, an audit trail of activity will help to prove that the user: | Server Events:<br>Database Events: |