QOD 12-8-2003

  • ------------------------

    You are a database administrator of a SQL Server 2000 server. The SQL Server stores confidential financial data on consumers. State law requires that you log every action and change of permission on the server. Policy also requires that if you cannot log this information, processing against the database must stop. How could you comply with this regulation?

    ----------------------

    I don't see where the explanation of the answer accounts for the second policy requirement of stopping processing against the database should logging fail. As I am unfamiliar with auditing in SQL Server, I would have to assume this is a default behavior of the C2 auditing: if it cannot log the activity, processing stops. Is this correct, or did I misunderstand the policy within the question?

  • You are correct, it is part of the C2 auditing. I had to look it up online and in BOL myself because I had never heard of it. Look up "c2 audit mode Option" in BOL for an explanation. Apparently, SQL will stop the instance if it cannot write C2 logs.

    ========================

    Jonathan "J.T." Shyman

    Systems Administrator

    Internet | Security | Systems

    jshyman@iss.net

    JToddShyman - AIM

    ========================

    -- J.T.

    "I may not always know what I'm talking about, and you may not either."
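The C2 setting the post above refers to is an instance-wide sp_configure option. Added example (not posted by anyone in this thread, and not from BOL): the Transact-SQL to turn it on in SQL Server 2000 and to confirm the configured value.

```sql
-- Added example, not from the thread: enable C2 audit mode on SQL Server 2000.
-- Run as a member of the sysadmin role. 'c2 audit mode' is an advanced option,
-- so advanced options have to be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;

-- Check the result: config_value shows 1 immediately; run_value only becomes 1
-- after the instance is stopped and restarted, which C2 mode requires.
EXEC sp_configure 'c2 audit mode';

-- Where the audit lands: C2 mode writes trace files (audit*.trc) to the
-- instance's default data directory. Nothing else needs to be configured,
-- but that directory must never run out of space (see the note below).
```

Once run_value is 1 the instance audits every login, permission change and statement it can trace, and if it cannot write the next trace file (typically because the data directory's disk is full) it shuts itself down rather than continue unaudited. That is the fail-closed behaviour the question's second requirement asks for. The operational caveat is that the shutdown is unconditional: after freeing disk space the instance starts normally, and if you must bring it up without auditing you start it with the -f (minimal configuration) switch and then turn the option off.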

  • I had a problem with the 2nd requirement also. Thus, I chose "None of the options...".

  • ------------------------

    You are a database administrator of a SQL Server 2000 server. The SQL Server stores confidential financial data on consumers. State law requires that you log every action and change of permission on the server. Policy also requires that if you cannot log this information, processing against the database must stop. How could you comply with this regulation?

    ----------------------

    If the requirements are to audit all actions on the data, then C2 is only half the answer to start with. Triggers would need to be used to audit inserts/updates/deletes in the case that a user has somehow elevated his security permissions. In this case, my feeling is that the administrator is assuming that the security matrix that he has defined is infallible, which is an assumption that he cannot take when the company is liable.

  • quote:

    ------------------------

    You are a database administrator of a SQL Server 2000 server. The SQL Server stores confidential financial data on consumers. State law requires that you log every action and change of permission on the server. Policy also requires that if you cannot log this information, processing against the database must stop. How could you comply with this regulation?

    ----------------------

    If the requirements are to audit all actions on the data, then C2 is only half the answer to start with. Triggers would need to be used to audit inserts/updates/deletes in the case that a user has somehow elevated his security permissions. In this case, my feeling is that the administrator is assuming that the security matrix that he has defined is infallible, which is an assumption that he cannot take when the company is liable.


    I have to agree. Since the statement "State law requires that you log every action" is in place, it would require you to also monitor data changes. Setting C2 security won't meet this requirement. If people are reading this in the hopes of complying with the new laws in California, they may be led to believe that setting C2 security will meet the requirements.

    NOTE: I'm not a lawyer, nor do I pretend to be. Please consult appropriate legal counsel to determine actual requirements to comply with Sarbanes-Oxley and other laws regarding computer security and/or data disclosure.

    Timothy J. Bruce
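The two posts above argue that C2 mode has to be paired with DML triggers to record actual data changes, and that the "stop processing if you cannot log" rule has to hold for those too. Added example (written for this page, not posted by any participant): a SQL Server 2000 audit trigger that records inserts, updates and deletes on a table and rolls the change back if the audit row cannot be written. The table names dbo.Account and dbo.Account_Audit and the trigger name are assumptions for illustration.

```sql
-- Added example, not from the thread. Assumed table names for illustration.
-- SQL Server 2000 has no TRY/CATCH, so the fail-closed check uses @@ERROR.
CREATE TABLE dbo.Account (
    AccountID  int   NOT NULL PRIMARY KEY,
    Balance    money NOT NULL
);
GO

CREATE TABLE dbo.Account_Audit (
    AuditID    int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    AuditTime  datetime      NOT NULL DEFAULT GETDATE(),
    LoginName  sysname       NOT NULL DEFAULT SUSER_SNAME(),  -- who
    HostName   sysname       NOT NULL DEFAULT HOST_NAME(),    -- from where
    AppName    nvarchar(128) NOT NULL DEFAULT APP_NAME(),     -- with what
    Action     char(1)       NOT NULL,                        -- I, U or D
    AccountID  int           NOT NULL,
    OldBalance money         NULL,
    NewBalance money         NULL
);
GO

CREATE TRIGGER dbo.trg_Account_Audit
ON dbo.Account
FOR INSERT, UPDATE, DELETE
AS
SET NOCOUNT ON;
DECLARE @err int;

-- One audit row per affected row. A key present only in inserted is an
-- insert, only in deleted is a delete, in both is an update. (An update that
-- changes the primary key itself is logged as a delete plus an insert.)
INSERT INTO dbo.Account_Audit (Action, AccountID, OldBalance, NewBalance)
SELECT CASE WHEN d.AccountID IS NULL THEN 'I'
            WHEN i.AccountID IS NULL THEN 'D'
            ELSE 'U' END,
       COALESCE(i.AccountID, d.AccountID),
       d.Balance,
       i.Balance
FROM inserted i
FULL OUTER JOIN deleted d ON i.AccountID = d.AccountID;

SET @err = @@ERROR;

-- Fail closed: no audit row, no data change. The trigger runs inside the
-- statement's transaction, so ROLLBACK undoes the triggering DML as well.
IF @err <> 0
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR ('Audit write failed (error %d); change rolled back.', 16, 1, @err);
    RETURN;
END
GO

-- Constructed sample activity: two inserts, one update, one delete.
INSERT INTO dbo.Account (AccountID, Balance) VALUES (1, 100.00);
INSERT INTO dbo.Account (AccountID, Balance) VALUES (2, 250.00);
UPDATE dbo.Account SET Balance = Balance - 40.00 WHERE AccountID = 1;
DELETE FROM dbo.Account WHERE AccountID = 2;

-- Expect four audit rows: I(1), I(2), U(1, 100.00 -> 60.00), D(2).
SELECT Action, AccountID, OldBalance, NewBalance, LoginName
FROM dbo.Account_Audit
ORDER BY AuditID;
```

If the audit table's filegroup fills up, the INSERT into dbo.Account_Audit fails, the trigger rolls back the user's change and the statement errors out, which is the database-level analogue of C2 mode stopping the instance. Two limits worth stating plainly, since they bear on the "every action" wording: a DML trigger sees INSERT, UPDATE and DELETE only, never SELECT, so reads of the confidential data are outside it (the C2 trace, or a product such as the one mentioned later in the thread, is needed for those); and anyone with the right to ALTER TABLE can run DISABLE TRIGGER, while TRUNCATE TABLE does not fire DML triggers at all, so the audit table and the trigger definitions need the same access control as the data they protect.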

  • You can audit db activities with Lumigent's Entegra, it can log schema, permission, and data changes, even data selections.

  • What other States require this kind of auditing?


    -Isaiah
