IDERA SQL Compliance Manager audits and identifies events that affect SQL Server objects and data. By selecting a specific regulation guideline set, SQL Compliance Manager applies audit settings to your selected databases according to the corresponding data security rules. This audited data is collected and securely stored for forensic analysis and reporting. SQL Compliance Manager also provides tamper-proof data security features as well as methods for watching events without exposing account information.
You can apply a regulation guideline when you register a new SQL Server instance or audit a database through the Console or CLI. The following tables list each section of a regulation and the associated SQL Server events that SQL Compliance Manager audits, as well as specific audit features.
IDERA, Inc. customers have the sole responsibility to ensure their compliance with the laws and standards affecting their business. IDERA, Inc. does not represent that its products or services ensure that customer is in compliance with any law. It is the responsibility of the customer to obtain legal, accounting, or audit counsel as to the necessary business practices and actions to comply with such laws.
All Regulation Guidelines are available at both, the server level and the database level, except for the CIS Regulation Guideline.
The CIS Regulation Guideline can be applied only at the server level.
CIS Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
5.4 | Ensure 'SQL Server Audit' is set to capture both 'failed' and 'successful logins'. SQL Server Audit is capable of capturing both failed and successful logins and writing them to one of three places: the application event log, the security event log, or the file system. We will use it to capture any login attempt to SQL Server, as well as any attempts to change audit policy. This will also serve as a second source to record failed login attempts. | Server Events:
Database Events:
|
When selecting CIS regulation, default database level settings automatically apply. Logins and Failed Logins get captured to comply with this regulation and continue auditing the server.
DISA/STIG Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
DISA 2016 Database DISA 2016 Instance SQL6-D0-004300, | SQL Server must be configured to generate audit records for DoD-defined auditable events within all DBSM/database components. SQL Server must generate audit records when privileged/permissions are retrieved. SQL Server must initiate session auditing upon startup. SQL Server must be configured to allow authorized users to capture, record, and log all content related to a user session. SQL Server must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject. The audit information produced by SQL Server must be protected from unauthorized read access. The audit information produced by SQL Server must be protected from unauthorized modification. The audit information produced by SQL Server must be protected from unauthorized deletion. SQL Server must protect its audit features from unauthorized access. SQL Server must protect its audit configuration from unauthorized modification. SQL Server must protect its audit features from unauthorized removal. SQL Server must utilize centralized management of the content captured in audit records generated by all components of SQL Server. SQL Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts. SQL Server must record timestamps in audit records and application data that can be mapped to Coordinate Universal Time (UTC, formerly GMT). | Server Events:
Server-level Audit Groups Supported:
Database Events:
Database-level Audit Groups Supported:
|
DISA 2012 Database SQL2-00-011200 DISA 2014 Database SQL4-00-011200 | SQL Server must generate Trace or audit records for organization-defined auditable events. Audit records can be generated from various components within the information system. | Server Events:
Database Events:
|
DISA 2012 Instance SQL2-00-012400, DISA 2014 Instance SQL4-00-011900, | SQL Server must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location or subject. Audit record content which may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules revoked. All use of privileged accounts must be audited. SQL Server must produce audit records containing sufficient information to establish what type of events occurred. SQL Server must produce audit records containing sufficient information to establish when (date and time) the events occurred. SQL Server must generate audit records for the DoD-selected list of auditable events. SQL Server must produce audit records containing sufficient information to establish where the events occurred. SQL Server must produce audit records containing sufficient information to establish the sources (origins) of events. SQL Server must produce audit records containing sufficient information to establish the outcome (success or failure) of events. SQL Server must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event. SQL Server must support the employment of automated mechanisms supporting the auditing of the enforcement actions. SQL Server must enforce access control policies to restrict Alter server state permissions to only authorized roles. SQL Server must generate Trace or audit records when unsuccessful logins or connection attempts occur. SQL Server must generate Trace or audit records when logoffs or disconnections occur. SQL Server must generate Trace or audit records when successful logons or connections occur. SQL Server must generate Trace or audit records when concurrent logins/connections by the same user from different workstations occur. SQL Server must produce Trace or audit records containing sufficient information to establish when the events occurred. SQL Server must produce Trace or audit records of its enforcement of access restrictions associated with changes to the configuration of the DBMS or database. | Server Events:
Database Events:
|
DISA 2014 0 | If SQL Server authentication, using passwords, is employed, SQL Server must enforce the DoD standards for password lifetime. | Server Events:
Database Events:
|
Please make sure you check the following options when you apply the STIG guideline:
- "Administrative Actions"
- "Database Definition"
Keep in mind that adding those 2 additional options mentioned above can result in a large number of audit records created.
Is SQL Compliance Manager compliant with the latest DISA STIG?
No, SQL CM only provides the audit records for each STIG. Reviewing those audit records and determining their actual compliance with DISA standards is the customer's responsibility.
FERPA Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
99.2 | What is the purpose of these regulations? The purpose of this part is to set out requirements for the protection of privacy of parents and students under section 444 of the General Education Provisions Act, as amended. | Server Events:
Database Events:
|
99.31(a)(1) | School officials Institutions that allow "school officials, including teachers, within the agency or institution" to have access to students' education records, without consent, must first make a determination that the official has "legitimate educational interests" in the information. The list of officials must be included in the annual FERPA notification. | Server Events:
Database Events:
|
99.31(a)(1)(ii) | Controlling access to education records by school Institutions are now required to use "reasonable methods" to ensure that instructors and other school officials (including outside service providers) obtain access to only those education records (paper or electronic) in which they have legitimate educational interests. Institutions are encouraged to restrict or track access to education records to ensure that they remain in compliance with this requirement. The higher the risk, the more stringent the protections should be (e.g., SSNs should be closely guarded). | Server Events:
Database Events:
|
99.31(a)(2) | Student's new school An institution retains the authority to disclose and transfer education records to a student's new school even after the student has enrolled and such authority continues into the future so long as the disclosure is for purposes related to the student's enrollment/transfer. After admission, the American Disabilities Act (ADA) does not prohibit institutions from obtaining information concerning a current student with disabilities from any school previously attended by the student in connection with an emergency and if necessary to protect the health or safety of a student or other persons under FERPA. A student's previous school may supplement, update, or correct any records it sent during the student's application or transfer period and may identify any falsified or fraudulent records and/or explain the meaning of any records disclosed previously to the new school. | Server Events:
Database Events:
|
99.32(a)(1) | What record keeping requirements exist concerning requests and disclosures? An educational agency or institution must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student, as well as the names of State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) that may make further disclosures of personally identifiable information from the student's education records without consent under § 99.33(b)(2). The agency or institution shall maintain the record with the education records of the student as long as the records are maintained. | Server Events:
Database Events:
|
99.35 (a)(1)(2), (b)(1) | What conditions apply to disclosure of information for Federal or State program purposes? Authorized representatives of the officials or agencies headed by officials listed in 99.31(a)(3) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs. Information that is collected under paragraph (a) of this section must:
| Server Events:
Database Events:
|
GDPR Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
Article 5 | Principles relating to processing of personal data
| Server Events:
Database Events:
|
Article 13 (1,e) | Information to be provided where personal data are collected from the data subject
e. the recipients or categories of recipients of the personal data, if any; | Server Events:
Database Events:
|
Article 24 | Responsibility of the controller
| Server Events:
Database Events:
|
Article 25(2) | Data protection by design and by default 2. ¹The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. ²That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. ³In particular, such measures shall ensure that by default personal data are not made accessible without the individual´s intervention to an indefinite number of natural persons. | Server Events:
Database Events:
|
Article 30 (1) | Records of processing activities
| Server Events:
Database Events:
|
32(2) | Security of processing
| Server Events:
Database Events:
|
Article 33 | Notification of a personal data breach to the supervisory authority
| Server Events:
Database Events:
|
Article 35(7) | Data protection impact assessment 7. The assessment shall contain at least: a. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; b. an assessment of the necessity and proportionality of the processing operations in relation to the purposes; c. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. | Server Events:
Database Events:
|
Recital 39 | Tasks of the data protection officer
| Server Events:
Database Events:
|
HIPAA Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
164.306 (a, 2) | Security Standards Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. | Server Events:
Database Events:
|
164.308 (1, i) | Security Management Process Implement policies and procedures to prevent, detect, contain and correct security violations. | Server Events:
Database Events:
|
164.308 (B) | Risk Management Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). | Server Events:
Database Events:
|
164.308 (D) | Information System Activity Review Implement procedures to regularly review records of information system activity such as audit logs, access reports and security incident tracking reports. | Server Events:
Database Events:
|
164.308 (3, C) | Termination Procedures Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a) (3) (ii) (B) of this section. | Server Events:
Database Events:
|
164.308 (5, C) | Implementation Specifications Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. | Server Events:
Database Events:
|
164.312 (b) | Technical Standard Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Server Events:
Database Events:
|
164.404 (a) (1) (2) | Security and Privacy General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§ 164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). | Server Events:
Database Events:
|
164.404 (c) (1) (A), (B) | Security and Privacy (c) Implementation specifications: Content of notification (1) Elements. The notification required by (a) of this section shall include, to the extent possible: | Server Events:
Database Events:
|
HITECH 13402 (a) (f), (1), (2) | Notification In the Case of Breach (f) Content of Notification. Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following: | Server Events:
Database Events:
|
NERC-CIP Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
CIP-007-6 4.1 | Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security Incidents that includes, as a minimum, each of the following types of events: detected successful login attempts, detected failed access attempts and failed login attempts; and detected malicious code. | Server Events:
Database Events:
|
PCI DSS Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
2.1 | Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | Server Events:
Database Events:
|
2.2 | Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | |
3.4 | Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
| |
6.2 | Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. | |
8 | Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. | Server Events:
Database Events:
|
8.5.4 | Immediately revoke access for any terminated users. | Server Events:
Database Events:
|
10 | Track and monitor all access to network resources and cardholder data-logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs. | See subsections |
10.1 | Implement audit trails to link all access to system components to each individual user. | Server Events:
Database Events:
|
10.2 | Implement automated audit trails for all system components to reconstruct the following events:
| Server Events:
Database Events:
|
10.3 | Record at least the following audit trail entries for all system components for each event:
| Server Events:
Database Events:
|
10.5 | Secure audit trails so they cannot be altered. | SQL Compliance Manager Repository |
10.7 | Retain audit trail history for at least one year, with a minimum of three months online availability. | Enable archive and groom to retain Repository data for a minimum of one year |
SOX Compliance
Section | Summary | Associated Audit Events and Features |
---|---|---|
404 | A statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and management's assessment, as of the end of the company's most recent fiscal year of the effectiveness of the company's internal control structure and procedures for financial reporting, Section 404 requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board. (Source: Securities and Exchange Commission.) What does this mean from an Information Technology standpoint? The key is the reliability of financial reporting.
| Server Events:
Database Events:
|
404 CDC | Implement change data capture. | Server Events:
Database Events:
|