Regulatory Compliance and Database Administration
by Craig S. Mullins
(This column was adapted from Craig’s soon-
It is impossible to have missed the sweeping changes being thrust upon the data world due to regulatory compliance. But even if you’ve noticed, chances are that the sheer volume of regulations was too mind-
There are many industry and governmental regulations driving the need to improve data protection, management, and administration. One of the more visible governmental regulations is the Sarbanes-
Consider also the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. This legislation mandates that health care providers protect individuals’ health care information, going so far as to state that the provider must be able to document everyone who even so much as looked at that information. HIPAA audits frequently require the examination of the processes used to create, document, and review exception reports and logs. When confronted with a HIPAA audit, organizations can be required to produce a list of exceptions to policy, such as, “When were patient records accessed during off hours and by whom?” Without database auditing software that records read access (the DBMS transaction log records only changes, not who ran a SELECT), there is no practical way to produce a list of users who looked at a specific row or set of rows in any database.
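The following is an added example, not code from the original column or from any product it mentions, showing why the audit question above cannot be answered from a change-only log but can be answered from a read-audit trail. The audit table layout, the user names, and the sample rows are all constructed for illustration; a real DBMS audit facility (DB2 audit, Oracle Unified Audit, SQL Server Audit, and so on) produces its own schema, but any usable one carries at least who, when, which object, which row, and which statement type.

```python
import sqlite3

# Constructed sample read-audit trail (hypothetical layout and data).
# Columns: timestamp, user, table, row key, statement type.
SAMPLE_AUDIT_ROWS = [
    ("2012-08-06 09:12:44", "nurse_kim",   "PATIENT", "MRN-1001", "SELECT"),
    ("2012-08-06 14:03:10", "dr_ortiz",    "PATIENT", "MRN-1001", "SELECT"),
    ("2012-08-06 23:41:05", "billing_tmp", "PATIENT", "MRN-1001", "SELECT"),
    ("2012-08-07 02:17:30", "billing_tmp", "PATIENT", "MRN-2002", "SELECT"),
    ("2012-08-07 03:05:12", "dba_ops",     "PATIENT", "MRN-1001", "UPDATE"),
    ("2012-08-07 10:30:00", "nurse_kim",   "PATIENT", "MRN-2002", "SELECT"),
]


def load_audit_db(rows=SAMPLE_AUDIT_ROWS):
    """Build an in-memory SQLite database holding the constructed audit trail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE read_audit (
            ts         TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS'
            user_name  TEXT NOT NULL,
            table_name TEXT NOT NULL,
            row_key    TEXT NOT NULL,
            stmt_type  TEXT NOT NULL    -- SELECT, UPDATE, DELETE, ...
        )""")
    conn.executemany("INSERT INTO read_audit VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def off_hours_access(conn, table_name, open_hour=7, close_hour=19):
    """Exception report for the auditor's question: which rows of table_name
    were touched outside business hours, when, by whom, and how?
    Business hours are [open_hour, close_hour) on a 24-hour clock."""
    cur = conn.execute("""
        SELECT ts, user_name, row_key, stmt_type
        FROM read_audit
        WHERE table_name = ?
          AND (CAST(strftime('%H', ts) AS INTEGER) <  ?
            OR CAST(strftime('%H', ts) AS INTEGER) >= ?)
        ORDER BY ts""", (table_name, open_hour, close_hour))
    return cur.fetchall()


def who_looked_at(conn, table_name, row_key):
    """Everyone who so much as read (or changed) one specific row: the list
    HIPAA expects the provider to be able to produce."""
    cur = conn.execute("""
        SELECT DISTINCT user_name FROM read_audit
        WHERE table_name = ? AND row_key = ?
        ORDER BY user_name""", (table_name, row_key))
    return [row[0] for row in cur.fetchall()]


def who_changed(conn, table_name, row_key):
    """What a change-only source (the transaction/recovery log) can tell you:
    only users whose statements modified the row. Readers are invisible here,
    which is why read auditing has to be switched on separately."""
    cur = conn.execute("""
        SELECT DISTINCT user_name FROM read_audit
        WHERE table_name = ? AND row_key = ? AND stmt_type <> 'SELECT'
        ORDER BY user_name""", (table_name, row_key))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = load_audit_db()
    for entry in off_hours_access(db, "PATIENT"):
        print("off-hours:", entry)
    print("read MRN-1001:", who_looked_at(db, "PATIENT", "MRN-1001"))
    print("changed MRN-1001 (log-only view):", who_changed(db, "PATIENT", "MRN-1001"))
```

The contrast between `who_looked_at` and `who_changed` is the point of the paragraph: on this sample, the change-only view names one user for MRN-1001 while the read-audit view names four, three of whom only ran SELECTs. The off-hours report also surfaces a temporary billing account reading patient rows at night, which is exactly the kind of policy exception an auditor asks to see.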
Other compliance related legislation includes the Gramm-
SOX, HIPAA, GLB, and FISMA are examples of governmental regulations. But there are industry regulations that can be just as daunting in terms of compliance. The most visible industry regulation is certainly PCI-
Regulatory compliance holds an important sway over upper level management at most medium-
Ensuring compliance requires a collaborative effort between business users, IT, and your legal department. This can prove to be a challenge because these three groups are quite distinct and rarely communicate collectively. IT talks to legal only when it has to – and that is usually just to get approval on contract language for a software purchase. IT and business communicate regularly (at least they should), but perhaps not as effectively as they might. But all three are required:
Organizations need to map and categorize their business data in accordance with how each data element is impacted by regulations. We need to be able to answer questions like: Which data elements are under the control of which regulation? And what does the regulation require in the way we manage that data?
Once mapped, controls and policies need to be enacted that enforce compliance with the pertinent regulations. This can require better protection and security, enforce longer data retention periods, impose stricter privacy sanctions, mandate improved data quality practices, and so on.
Why Should DBAs Care About Compliance?
Compliance starts with the CEO, but it works its way down into the trenches, and impacts database administration. The CEO relies on the CIO to ensure that IT processes are compliant; the CIO relies on the IT managers, one of whom (the DBA Manager) controls the database systems; and the DBA Manager relies on DBAs to ensure that data is protected and controlled.
The impact of regulatory compliance upon database administration is varied. The DBA is not responsible for developing and enforcing compliance, but the DBA’s job is impacted based upon compliance-
Indeed, as regulatory compliance better protects citizens’ data, it creates more work for DBAs.
From Database Trends and Applications, August 2012.
© 2012 Craig S. Mullins,