Navigating the Complex World of Compliance Guidelines


Regulatory guidelines include many mandates for organizations to interpret and implement to protect their data. You know that you’re supposed to be monitoring and auditing certain data elements to demonstrate compliance, but how can you be sure you’re auditing the right things and translating the requirements correctly? IDERA’s Kim Brushaber will help to simplify and address some of the compliance concerns for complex data environments.

Published in: Data & Analytics

  1. © 2019 IDERA, Inc. All rights reserved. NAVIGATING THE COMPLEX WORLD OF COMPLIANCE GUIDELINES. Presented by Kim Brushaber, Senior Product Manager, IDERA
  2. DISCLAIMER
     ▪ Please note that any information provided about my interpretation of the regulations indicated is only that – my interpretation and my summary
     ▪ I cannot cover all of the regulations and their details in an hour
     ▪ Obtain your own legal, accounting or audit counsel to determine what is needed for your business practices to be in compliance with those laws
     FULL DISCLOSURE
     ▪ I am the Senior Product Manager for IDERA’s SQL COMPLIANCE MANAGER – details in this presentation will have a focus on what is offered in that product and what I have observed while managing it
  3. WHY WE HAVE REGULATIONS
     ▪ Improved Security
       • Establishing a baseline keeps security levels relatively consistent across companies and industries
     ▪ Minimize Loss
       • Good practices in place prevent data breaches
     ▪ Increase Internal Control
       • Reduce employee mistakes and insider theft
     ▪ Maintain Trust
       • Customers trust people who follow set standards
     ▪ Reporting Consistency
       • Consistent reports allow audits to go more smoothly
  4. SOME OF THE DATA/SECURITY REGULATIONS
     ▪ CIS (Center for Internet Security) – Global Internet Security Standards
     ▪ DISA/STIG (Defense Information Systems Agency) – Anyone with Government Contracts
     ▪ FISMA/NIST (Federal Information Security Management Act) – All Federal Agencies
     ▪ FERPA (Family Educational Rights and Privacy Act) – Educational Institutions
     ▪ GDPR (General Data Protection Regulation) – Anyone collecting data on EU Members
     ▪ HIPAA (Health Insurance Portability and Accountability Act) – Healthcare Institutions
     ▪ NERC-CIP (North American Electric Reliability Corporation) – Electricity Providers
     ▪ PCI DSS (Payment Card Industry Data Security Standard) – Anyone capturing credit card data
     ▪ SOX (Sarbanes-Oxley) – Publicly Traded Companies and management and accounting firms
  5. PERSONALLY IDENTIFIABLE INFORMATION (PII) COVERED BY GDPR
     Any information that can be classified as personal details – or that can be used to determine your identity
     ▪ Name
     ▪ Identification number
     ▪ Email address
     ▪ Online user identifier
     ▪ Social media posts
     ▪ Physical, physiological or genetic information
     ▪ Medical information
     ▪ Location
     ▪ Bank details
     ▪ IP address
     ▪ Cookies
  6. 2018 VIOLATIONS AND FINES
  7. GDPR OVER THE LAST 9 MONTHS
     Google recently made the news with a $57 million fine due to vague privacy policies and covert advertising programs. This is the largest GDPR fine to date.
  8. GDPR OVER THE LAST 9 MONTHS
     In September, Facebook had a data breach affecting nearly 50 million users. If Facebook is found to be in violation of GDPR, they could face a fine of $1.63 billion.
  9. GDPR OVER THE LAST 9 MONTHS
     There have been over 59,000 cases of data breach reported and 95,000 complaints raised against GDPR violations.
  10. HIPAA – VIOLATIONS 2018
     In October, Anthem, Inc. (a licensee of BCBS) agreed to pay a record-breaking $16 million after the largest health data breach in US history affected almost 79 million people.
     https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
  11. HIPAA – VIOLATIONS 2018
     In September, three healthcare institutions were collectively fined $999,000 after allowing ABC to film a medical documentary TV series without first obtaining authorization from the patients.
     https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-information-during-abc-filming.html
  12. HIPAA – VIOLATIONS 2018
     In June, UT’s MD Anderson Cancer Center was fined $4.3 million due to the theft of an unencrypted laptop and the loss of two unencrypted USB drives. The hardware contained details on 33,500 individuals.
     https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
  13. HIPAA – VIOLATIONS 2018
     In February, FMCNA, who provided products and services to 170,000 patients with chronic kidney disease, agreed to pay a $3.5 million fine for a settlement that covered 5 different data breaches.
     https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html
  14. PCI FINES
     PCI fines are levied on the credit card companies that work with the non-compliant business, not the business itself. Those fees range from $5,000 - $100,000 a month and are recouped with added penalties and transaction fees.
  15. COMPANY COMPLIANCE
     ▪ While it varies by regulation, most large surveys of companies find around half to be compliant with the standards that apply to them
     ▪ Billions of dollars are fined every year for non-compliance
     ▪ The average cost of a data breach globally is $3.86 million (in the US the average is $7.91 million)
  16. DATA AND PRIVACY WATCHDOG GROUPS
     ▪ Change to Win (HIPAA)
     ▪ None of Your Business
     ▪ Privacy International
     ▪ Digital Freedom Fund
     ▪ Center for Digital Democracy
     ▪ Irish Data Protection Commission
  17. LET’S TALK A LITTLE ABOUT DATA BREACH
  18. Almost 15 billion records have been lost or stolen since 2013. Only 4% were secure breaches where encryption was used and the stolen data was useless. (BreachLevelIndex.com)
  19. Over 6.5 million data records are lost or stolen every day. (http://breachlevelindex.com/)
  20. BREACHES BY INDUSTRY, 1ST HALF OF 2018 (BreachLevelIndex.com infographic)
  21. BREACHES BY REGION, 1ST HALF OF 2018 (BreachLevelIndex.com infographic)
  22. BREACHES BY TYPE, 1ST HALF OF 2018 (BreachLevelIndex.com infographic)
  23. BREACHES BY SOURCE, 1ST HALF OF 2018 (BreachLevelIndex.com infographic)
  24. RECORDS AFFECTED BY BREACHES BY INDUSTRY, 2018 (BreachLevelIndex.com)
  25. RECORDS AFFECTED BY BREACHES BY INDUSTRY SINCE 2013 (BreachLevelIndex.com)
  26. WHAT ARE THE ODDS?
     ▪ 1 in 960,000 – odds of being struck by lightning
     ▪ 1 in 220 – odds of dating a millionaire
     ▪ 1 in 4 – odds of experiencing a data breach
     https://securityintelligence.com/know-the-odds-the-cost-of-a-data-breach-in-2017/
  27. 2018 COST PER DATA BREACH
     ▪ The average cost for each lost or stolen record containing sensitive and confidential information was $148 (a 4.8% increase from the year before)
     ▪ The average size of a data breach was 26,000 records
     ▪ $148 x 26,000 ~ $3.86 M (increased 6.4% over 2017)
     https://www.ibm.com/security/data-breach
  28. In the first 60 days of 2019, there have already been 29 major data breaches with over 1.2 billion records affected – averaging a breach every other day and 20 million records a day. (https://www.identityforce.com/blog/2019-data-breaches)
  29. SHOCKING, RIGHT??
  30. FOCUSING IN ON THE DATA ASPECTS OF REGULATIONS
  31. DATA STANDARDS VS SECURITY STANDARDS
     ▪ Data Standards: “WHAT”
       • What information needs to be protected/audited
       • What you should do if your data is breached
     ▪ Security Standards: “HOW”
       • How you should configure your network
       • How you should configure your systems (i.e. SQL Server, Oracle)
  32. WHAT THE REGULATIONS LOOK FOR
     ▪ Reporting (and maintaining) audit data
     ▪ Tracking user access
     ▪ Protecting the data from the bad guys (and watching for data breaches)
     ▪ Planning and having good processes and response plans
     ▪ Assessing your risks
  33. CIS
     ▪ Tracking
       • Capture logins and failed logins
  34. DISA STIG
     ▪ Reporting
       • Generate audit records for DoD-defined auditable events
       • Generate audit records when privileges and permissions are retrieved
       • Initiate session auditing upon startup
       • Audit records for events identified by type, location and subject
       • Capture the audit information in a centralized place
     ▪ Tracking
       • Capture, record and log all content related to a user session
       • Protect audit information from unauthorized read access, modification or deletion
     ▪ Planning
       • Alert support staff in real time for any failure events
  35. FISMA/NIST
     ▪ Tracking
       • Audit access
     ▪ Protecting
       • Monitor, report and respond to incidents
     ▪ Planning
       • Create an audit process and certification
       • Plan for contingency
       • Manage your configurations
     ▪ Assessing
       • Assess your risks
       • Confirm system and information integrity
  36. FERPA
     ▪ Tracking
       • Document who has access to student information
       • Confirm that the instructors or officials only access records for legitimate purposes
       • Authorized representatives may have access to education records in connection with an audit
     ▪ Planning
       • Student transfers must be handled appropriately
  37. GDPR
     ▪ Reporting
       • Provide audit details about how that data is processed and who interacted with it
     ▪ Tracking
       • Know who has access to PII data
     ▪ Protecting
       • Notify the supervising authority of a breach within 72 hours
     ▪ Planning
       • Identify PII data
       • Process data lawfully, fairly and in a way that users understand
       • Limit the collection of data to only what is necessary
     ▪ Assessing
       • Conduct impact assessments for higher risk areas
  38. HIPAA
     ▪ Tracking
       • Monitor log-in attempts
     ▪ Protecting
       • Protect, detect, contain and correct security violations
       • Detect breaches and notify impacted individuals
     ▪ Planning
       • Implement security measures to reduce risks and vulnerabilities
       • Implement procedures to regularly review audit logs, access reports and security incidents
       • Implement procedures to terminate access
  39. NERC-CIP
     ▪ Reporting
       • Log events for identification of and after-the-fact investigations of Cyber Security Incidents
     ▪ Tracking
       • Log failed and successful logins
  40. PCI DSS
     ▪ Reporting
       • Implement automated audit trails for all database events
       • Retain audit trail history for at least a year
     ▪ Tracking
       • Assign a unique identifier to each person who has access
       • Actions taken on critical data must be traced to known authorized users
       • Track and monitor all access to the network
       • Immediately revoke access for terminated users
     ▪ Protecting
       • Change vendor-supplied defaults and disable unnecessary default accounts
       • Encrypt the data
       • Secure audit trails so they cannot be altered
     ▪ Planning
       • Develop configuration standards
  41. SOX
     ▪ Reporting
       • Report on effectiveness of company’s internal controls and procedures
       • Report on who changed permissions
       • Report on who changed the financial data
     ▪ Tracking
       • Report on who accessed the financial data
  42. HOW CAN YOU MEET THE REQUIREMENTS
     ▪ Reporting (and maintaining) audit data
     ▪ Tracking user access
     ▪ Protecting the data from the bad guys (and watching for data breaches)
     ▪ Planning and having good processes and response plans
     ▪ Assessing your risks
  43. SQL SERVER FEATURES FOR COMPLIANCE
     ▪ Reporting
       • SQL Server Audit
       • Temporal Tables
     ▪ Tracking
       • Object Level Permissions
       • Role-Based Security
     ▪ Protection
       • Authentication Protocols
       • Firewalls
       • Dynamic Data Masking
       • Transport Layer Security (TLS)
       • Encryption Protocols (TDE, Always Encrypted, Always On)
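The SQL Server Audit and Dynamic Data Masking items above, worked as an added T-SQL example that is not part of the original deck or of IDERA's product: it captures successful and failed logins (the CIS and NERC-CIP tracking items), permission and audit-configuration changes (SOX, PCI DSS), every read or write of one sensitive table, masks that table's sensitive columns, and reads the failed logins back out of the audit file. The database name Payroll, the table dbo.Employee with its SSN and Email columns, and the audit file path are assumptions; Dynamic Data Masking needs SQL Server 2016 or later.

```sql
-- Server-level audit object writing to a file target.
-- Assumed path: put it on a volume the DBA accounts cannot write to directly,
-- so the trail cannot be altered (PCI DSS "secure audit trails").
USE master;
GO
CREATE SERVER AUDIT ComplianceAudit
TO FILE (FILEPATH = N'D:\AuditLogs\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = UNLIMITED)
WITH (QUEUE_DELAY = 1000,
      ON_FAILURE = FAIL_OPERATION);   -- refuse the action rather than lose the audit record
GO

-- Server audit specification: logins, login failures, permission and role changes,
-- and any change to the audit configuration itself.
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
FOR SERVER AUDIT ComplianceAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),            -- CIS / NERC-CIP: capture logins
    ADD (FAILED_LOGIN_GROUP),                -- CIS / NERC-CIP / HIPAA: failed logins
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- SOX: who changed permissions
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)                 -- DISA STIG: protect the audit from tampering
WITH (STATE = ON);
GO
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO

-- Database audit specification: who read or changed the sensitive table
-- (GDPR "who interacted with it", SOX "who changed the financial data").
USE Payroll;   -- assumed database
GO
CREATE DATABASE AUDIT SPECIFICATION SensitiveDataSpec
FOR SERVER AUDIT ComplianceAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Employee BY public),  -- assumed table
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Dynamic Data Masking on the sensitive columns: users without the UNMASK
-- permission see "XXX-XX-1234" and "aXXX@XXXX.com" instead of the real values.
ALTER TABLE dbo.Employee ALTER COLUMN SSN   ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
ALTER TABLE dbo.Employee ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
GO

-- Review step: failed logins in the last 24 hours, read from the audit files.
-- action_id 'LGIF' = login failed; 'LGIS' would list successful logins.
SELECT event_time, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file(N'D:\AuditLogs\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time > DATEADD(HOUR, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

The PCI DSS one-year retention item is not something the audit object enforces on its own: keep the rolled-over .sqlaudit files under a separate retention job and check that it is running.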
  44. ORACLE FEATURES FOR COMPLIANCE
     ▪ Reporting
       • Auditing
     ▪ Tracking
       • Access Control
       • Separation of Duties
     ▪ Protection
       • Encryption
       • Security Monitoring and Alerting
       • Data Masking and Data Redaction
     ▪ Assessing
       • Risk Assessments
  45. WHAT CAN TOOLS LIKE SQL COMPLIANCE MANAGER DO?
     ▪ Reporting
       • Capture activity on database (DDL and DML)
       • Track the behavior of privileged users
       • Track who is accessing your sensitive data
       • Track who has changed your data and what it has changed to
       • Track security and administrative changes
       • Track user-defined events
       • Audit system tables, stored procedures, views, indexes, etc.
     ▪ Tracking
       • Capture logins, logouts, failed logins
     ▪ Protecting
       • Determine how much data was accessed in a breach
  46. SQL COMPLIANCE MANAGER – REGULATION GUIDELINE WIZARD
  47. SQL COMPLIANCE MANAGER – CONFIGURATION
  48. SQL COMPLIANCE MANAGER – PRIVILEGED USER SETUP
  49. SQL COMPLIANCE MANAGER – SENSITIVE COLUMNS
  50. SQL COMPLIANCE MANAGER – BEFORE/AFTER DATA (BAD) TRACKING
  51. SQL COMPLIANCE MANAGER – USER ACTIVITY HISTORY REPORT
  52. SQL COMPLIANCE MANAGER – USER LOGIN HISTORY
  53. SQL COMPLIANCE MANAGER – REGULATORY COMPLIANCE CHECK REPORT
  54. IDERA PRODUCTS CAN HELP YOU WITH:
     ▪ Reporting (and maintaining) audit data
       • SQL Compliance Manager
     ▪ Tracking user access
       • SQL Compliance Manager
     ▪ Protecting the data from the bad guys (and watching for data breaches)
       • SQL Compliance Manager
       • SQL Secure
     ▪ Planning and having good processes and response plans
       • SQL Compliance Manager
       • SQL Secure
       • ER/Studio Business Architect
     ▪ Assessing your risks
       • SQL Compliance Manager
       • SQL Secure
  55. IN CONCLUSION
     ▪ There are a ton of regulations to comply with
     ▪ Data breach continues to be a growing problem
     ▪ Regulations require organizations to:
       • Report audit data
       • Track user access
       • Protect data from the bad guys
       • Have good processes and response plans
       • Understand what your risks are
     ▪ The right tools can help to simplify and automate the auditing process
  56. THANKS! Any questions? You can find me at: @Brushaber_IDERA on Twitter
