• Unfortunately (or as you pointed out, fortunately for all of us DBAs), the day is drawing very near when we will be required to track every piece of information that is viewed from our database(s). I have been given those precise requirements. The auditors want to be able to know at what time what person viewed what information, and how it was viewed, i.e. printed, internal application, Query Analyzer...

    Now, I understand why they would want this info: to help track down or rule out potential suspects in data theft (a very broad definition) incidents. But, in order to store these requests in a useable form, I will have to have a completely separate database, preferably a separate machine, to compile and store this info. The audit database will be a factor of times larger than the actual database being monitored; that factor will depend upon how many selects are run against the database. Depending upon how the code was written and how the data is used, this could be monolithic!! You have to log the info as it is at the time of the viewing, so no pointers to make this smaller.

    If you want to follow this way of thinking, then who is monitoring the views of Audit tables, albeit these views would be much smaller, but important nonetheless as it is still SPII data? Or how can I track if a user gets the SPII data on his screen via an audited software, but then gets a screen print? Where does this madness end?

    Stephen