As a database administrator, do you know what legal obligations you should be following regarding your company's data? Do you know if you have different guidelines for different types of data? Is this documented somewhere for the next DBA?
The laws that govern your data protection, storage, and management can vary from state to state, can be subordinate to or supersede federal guidelines, and may even cross national borders, as is the case with some European laws. The article linked above talks about the legal obligations, and it makes my head spin just imagining the possibilities. I keep a minimum of data here at SQLServerCentral about people, but I'm sure that there are any number of US, UK, European Union, and other regulations that I should be in compliance with.
And if that isn't a big enough list of places to look, you could even have agreements with clients or business partners that apply as well!
The problem for most DBAs is that there isn't an easy way to determine what you are responsible for. And even if you had a central place to look up the legal responsibilities of your company, do you know which ones apply to which instances? You may have widely varying needs for data retention, auditing, and more across the servers in your organization. Credit card information might be held to standards that differ widely from those for something like medical data (in the US, PCI DSS for the former and HIPAA for the latter), which in turn might be very different from something like GPS tracking of your rental car. What's worse is that in today's litigious society in the US, you might get (un-)lucky and get to set the precedent for some of these new types of data.
I'd like to think that taking reasonable security measures would be enough, but what's reasonable? I'm not sure that any 10 or 20 of us could agree on what a set of reasonable guidelines would be. Any number of us would probably argue that an idea is not secure enough, or that it's more security than is generally needed.
Most security measures, in my mind, must be built industry by industry. Each company developing its own guidelines seems to be overkill, but most industries have some type of organization that could build reasonable guidelines for securing different types of data. Or perhaps we need something like ANSI developing guidelines for data security, just as it does for physical objects.
This is a new and potentially very scary area for database administrators, especially as more and more data is being stored in systems we are responsible for. And I think it's an area where we need to develop a lot of maturity as well.
Steve Jones
The Voice of the DBA Podcasts
The podcast feeds are now available at sqlservercentral.mevio.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get the feeds from there.
Or now on iTunes!
- Windows Media Podcast - 36.9MB WMV
- iPod Video Podcast - 28.8MB MP4
- MP3 Audio Podcast - 5.8MB
Today's podcast features music by Everyday Jones. No relation, but I stumbled onto them and really like the music. Support this great duo at www.everydayjones.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.