Double Compliance

By Steve Jones

I haven't ever been bound by HIPAA or PCI requirements with the data I've managed. Those rules hadn't been put in place when I worked in those industries, so I've never had to go through one of those audits. I have been through ISO 9000 and SOX audits, and I found them to be both a pain and a good idea. Various inconsistencies and exceptions in our policies were found, and fixing them often strengthened our security or brought more consistency (and stability) to our organization. Those two audits were also very close in scope and requirements: if we could pass one, we typically could pass the other.

However, PCI and HIPAA are not the same, and you shouldn't expect that passing one means you could pass the other. Most of us wouldn't be bound by both, since they apply to organizations handling payment card data and protected health information, respectively. But as we move forward and take on new business partners, including cloud services, we should be aware that just because a company holds one certification doesn't mean it holds the other. If a business partner is PCI compliant in some way, I wouldn't assume that this makes them in any way HIPAA compliant, and vice versa. Ask for the specific attestation that covers the data you are handing over.

Should we have data protection standards that apply across a variety of industries? I'm not sure we should, despite the hassle that separate standards mean for those of us bound by them. Each industry and type of business has its own requirements, some of which are not applicable to other fields. Trying to build one standard for privacy, security, or any other requirement is likely to mean a watered-down, ill-fitting regulation that doesn't protect any data well. Instead we should have specific requirements we need to meet to provide security (or any other need), without mandating the technology or implementation used to meet them.

Most of you probably don't like the idea of any regulation, and I'd like to agree with you. However, I've seen too many people ignore good practices, engage in morally debatable activities, and in general treat other people, and their data, in a way they wouldn't want to be treated themselves. A little regulation that limits abuses and gross malpractice is a good thing. Too much regulation, specifying details that are often obsolete before they can be enforced, is a bad idea.

Steve Jones


The Voice of the DBA Podcasts

We publish three versions of the podcast each day for you to enjoy.

The podcast feeds are available at sqlservercentral.mevio.com, where you can also leave comments, which are definitely appreciated and wanted. An overall RSS feed is available, and the podcast is now on iTunes as well.

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

You can also follow Steve Jones on Twitter.
