Database-related security policies to consider

In all the government and industry rules that can really affect every industry, there will come a day when you can really apply some information security policies. You may have some basic policies for password and data backup. But there is more to it. So if your business is just putting together its security policy now, or you're aware that it's time to update something, here are a few database security-related issues you need to know about.

Technically, in order to accurately determine which security policy is needed, you need to perform an information risk assessment. However, I understand that reality often leads to other things. That is to say, I can think very little, if any, but there are very few that no longer require me to think about the following database-related security policy environment appears:

• Acceptable utilization-what can/cannot be done on the database server, such as network browsing and installation/uninstall middleware, and Personal firewall protection, as well as MSDE, SQL Server Express 2005, and the installation of database software on other non-server systems.

• Authentication Control-for databases, and for applications and operating systems, including password requirements, the use of multiple components, and so on.

• Business cooperation – consultation with external contractors, auditors, depository providers, etc., including service levels for contractual requirements and applications.

• Business continuity-disaster recovery and/or business continuity planning requirements can help keep your database running and accessible.

• Change management-record who, why, when, how, and all related demolition processes.

• Data Backup--what, when, and how to use it.

• Data retention and destruction--what, why, using the method and timeline.

• Encryption-not only covers static data, such as encrypting a particular row, but also overwriting data that is transmitted, such as TLS between a database server and a network application. Data backups are also part of the coverage.

Information classification-----------------public, internal, confidential labels.

• Physical security-building, data center, and server security.

• Removal of property-servers, drives, tapes, and other property.

• Security testing and auditing--what, how, when, and who performs the tests and what tools are used.

• Segregation of duties-users, database administrators, security auditors, and other roles/responsibilities related to database management.

• System Maintenance-patching, System cleanup/clear and middleware updates.

• System monitoring and incident response--who, why, when, and how to monitor and record audit logs in real time, as well as the special requirements needed to maintain a formal contingency plan.