3. What is Compliance?
"Conformity in fulfilling official requirements"*
External Regulations: HIPAA, SOX, PCI
Internal Standards: Naming Conventions
*http://www.merriam-webster.com/dictionary/compliance
4. Why Does Compliance Matter?
More than 494 million records have been breached since 2005*
[Chart: records breached, by category: Unintended Disclosure, Payment Card Fraud, Physical Loss (Non-Electronic), Insider, Hacking or Malware, Portable Device Loss, Stationary Device Loss; total shown: 474 million]
*http://www.privacyrights.org/data-breach/
5. What's The Process?
Identify Risks (Risk Management)
Develop Policies To Mitigate Risks (Governance)
Ensure Policies Are Being Enforced (Compliance)
6. Policy-Based Management Can Help!
Gives you the ability to define and enforce standards
Auditors love policies
It is NOT an Enterprise Edition feature
9. PBM L33T Speak
Targets are objects such as Instances, Databases, Tables, etc.
Facets expose logical groupings of properties for those objects.
Conditions are made up of expressions over the properties exposed by a single Facet.
A Policy evaluates a Condition against one or more Targets.
10. Creating Policies
Export the current state of an object
Import predefined policies
Create custom policies based on Facets
Create custom policies using advanced Conditions
11. Evaluating Policies
On Demand: can "Auto Fix" certain violations
On Schedule: uses a SQL Agent job
On Change – Log Only: writes violations to the SQL Server and Windows logs
On Change – Prevent: uses DDL triggers to roll back changes
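The four terms from slide 9 (Target, Facet, Condition, Policy) and the evaluation modes from slide 11 map directly onto the msdb stored procedures that SSMS generates when you choose "Script Policy As > CREATE". The script below is an added example, not part of the deck; it builds the TDE check from slide 20 as a scheduled policy. Parameter names and the condition XML follow the SSMS-scripted form, so compare against a policy scripted from your own instance before relying on it. The policy, condition, object-set and schedule names are made up for the example.

```sql
-- Added example, not from the slide deck: Target + Facet + Condition + Policy
-- as the msdb procedure calls that SSMS emits under "Script Policy As > CREATE".
-- Parameter names and the expression XML follow that scripted form; verify
-- against a policy scripted from your own SSMS. Names below are made up.
USE msdb;
GO

-- 1. Condition: an expression over the properties of ONE facet. Here the
--    Database facet's EncryptionEnabled property (the TDE check from slide 20).
DECLARE @condition_id INT;
EXEC dbo.sp_syspolicy_add_condition
    @name        = N'Database Encryption Enabled',
    @description = N'Transparent Data Encryption must be enabled.',
    @facet       = N'Database',
    @expression  = N'<Operator>
  <TypeClass>Bool</TypeClass>
  <OpType>EQ</OpType>
  <Count>2</Count>
  <Attribute>
    <TypeClass>Bool</TypeClass>
    <Name>EncryptionEnabled</Name>
  </Attribute>
  <Constant>
    <TypeClass>Bool</TypeClass>
    <ObjType>System.Boolean</ObjType>
    <Value>True</Value>
  </Constant>
</Operator>',
    @is_name_condition = 0,
    @obj_name          = N'',
    @condition_id      = @condition_id OUTPUT;

-- 2. Targets: an object set on the same facet, with a target set that selects
--    every Database under the Server. An empty @condition_name at the Database
--    level means "all databases"; a name condition there would narrow the set
--    (for example to user databases only).
DECLARE @object_set_id INT, @target_set_id INT;
EXEC dbo.sp_syspolicy_add_object_set
    @object_set_name = N'TDE Required_ObjectSet',
    @facet           = N'Database',
    @object_set_id   = @object_set_id OUTPUT;

EXEC dbo.sp_syspolicy_add_target_set
    @object_set_name = N'TDE Required_ObjectSet',
    @type_skeleton   = N'Server/Database',
    @type            = N'DATABASE',
    @enabled         = 1,
    @target_set_id   = @target_set_id OUTPUT;

EXEC dbo.sp_syspolicy_add_target_set_level
    @target_set_id       = @target_set_id,
    @type_skeleton       = N'Server/Database',
    @level_name          = N'Database',
    @condition_name      = N'',
    @target_set_level_id = 0;

-- 3. Evaluation mode. Not every facet supports the On Change modes (they need
--    DDL triggers behind every property); the Database facet is evaluated
--    On Demand or On Schedule, so the scheduled mode from slide 11 is the fit.
--    @execution_mode: 0 = On demand, 1 = On change: prevent,
--                     2 = On schedule, 4 = On change: log only.
DECLARE @schedule_uid UNIQUEIDENTIFIER;
EXEC dbo.sp_add_schedule
    @schedule_name     = N'PBM Nightly 02:00',
    @freq_type         = 4,        -- daily
    @freq_interval     = 1,        -- every 1 day
    @freq_subday_type  = 1,        -- once, at @active_start_time
    @active_start_time = 020000,   -- HHMMSS
    @schedule_uid      = @schedule_uid OUTPUT;

-- 4. Policy = Condition + Targets + Mode. Created disabled so it can first be
--    evaluated on demand (SSMS "Evaluate", or Invoke-PolicyEvaluation from
--    PowerShell) and the current violations reviewed before it is enforced.
DECLARE @policy_id INT;
EXEC dbo.sp_syspolicy_add_policy
    @name                = N'TDE Required',
    @condition_name      = N'Database Encryption Enabled',
    @policy_category     = N'',
    @description         = N'All databases must use Transparent Data Encryption.',
    @help_text           = N'',
    @help_link           = N'',
    @schedule_uid        = @schedule_uid,
    @execution_mode      = 2,
    @is_enabled          = 0,
    @policy_id           = @policy_id OUTPUT,
    @root_condition_name = N'',
    @object_set          = N'TDE Required_ObjectSet';
GO
```

Creating the policy disabled and evaluating it once by hand is the step that keeps an "Import Predefined Policies" rollout from surprising anyone: the first evaluation shows which targets already fail, and the schedule is only switched on once those are either fixed or documented as exceptions.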
13. Alerts
Error Number by Evaluation Mode:
On change: prevent (automatic), 34050
On change: prevent (on demand), 34051
On schedule, 34052
On change: log only, 34053
Prerequisites: Configure Database Mail, Create Operator, Configure SQL Agent
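The error numbers on this slide are only useful if something is listening for them. As an added example (not from the deck), the script below creates the operator the slide lists as a prerequisite, one SQL Agent alert per error number, and then pulls the failed evaluations out of the PBM history tables in msdb as evidence. It assumes Database Mail and SQL Agent are already configured; the operator name and e-mail address are placeholders.

```sql
-- Added example, not from the slide deck: SQL Agent alerts for the four PBM
-- error numbers on slide 13, plus a violation report from msdb history.
-- Assumes Database Mail and SQL Agent are configured (slide 13 prerequisites).
-- Operator name and address are placeholders.
USE msdb;
GO

-- Prerequisite from the slide: an operator to notify (placeholder address).
IF NOT EXISTS (SELECT 1 FROM dbo.sysoperators WHERE name = N'DBA On Call')
    EXEC dbo.sp_add_operator
        @name          = N'DBA On Call',
        @enabled       = 1,
        @email_address = N'dba-oncall@example.com';   -- placeholder

-- One alert per evaluation mode, keyed on the error numbers from the slide.
-- PBM writes these to the Windows application log, which is what Agent watches.
DECLARE @alerts TABLE (message_id INT, alert_name SYSNAME);
INSERT INTO @alerts VALUES
    (34050, N'PBM: On change - prevent (automatic)'),
    (34051, N'PBM: On change - prevent (on demand)'),
    (34052, N'PBM: On schedule'),
    (34053, N'PBM: On change - log only');

DECLARE @message_id INT, @alert_name SYSNAME;
DECLARE c CURSOR LOCAL FAST_FORWARD FOR
    SELECT message_id, alert_name FROM @alerts;
OPEN c;
FETCH NEXT FROM c INTO @message_id, @alert_name;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF NOT EXISTS (SELECT 1 FROM dbo.sysalerts WHERE name = @alert_name)
    BEGIN
        EXEC dbo.sp_add_alert
            @name                         = @alert_name,
            @message_id                   = @message_id,
            @severity                     = 0,      -- must be 0 when @message_id is used
            @enabled                      = 1,
            @delay_between_responses      = 300,    -- at most one response per 5 min per alert
            @include_event_description_in = 1;      -- 1 = put the error text (policy, target) in the e-mail
        EXEC dbo.sp_add_notification
            @alert_name          = @alert_name,
            @operator_name       = N'DBA On Call',
            @notification_method = 1;               -- 1 = e-mail
    END
    FETCH NEXT FROM c INTO @message_id, @alert_name;
END
CLOSE c;
DEALLOCATE c;
GO

-- Evidence for the auditor: every target that failed a policy in the last
-- 30 days, whichever evaluation mode produced the record.
SELECT p.name                     AS policy_name,
       h.end_date                 AS evaluated_at,
       d.target_query_expression  AS failing_target,
       d.result_detail
FROM   dbo.syspolicy_policy_execution_history         AS h
JOIN   dbo.syspolicy_policies                         AS p ON p.policy_id  = h.policy_id
JOIN   dbo.syspolicy_policy_execution_history_details AS d ON d.history_id = h.history_id
WHERE  d.result = 0                                   -- 0 = target failed the condition
  AND  h.end_date >= DATEADD(DAY, -30, GETDATE())
ORDER BY h.end_date DESC;
```

The alert e-mail tells you that a policy failed; the history query is what you hand to the auditor, because it names the policy, the target and the time for each violation rather than just the count.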
15. SAC (Surface Area Configuration) for Database Engine 2008 Features
Service Account: Server Facet: ServiceAccount != 'LocalSystem'
Log Retention: Server Facet: NumberOfLogFiles = 99
19.
SELECT COUNT(*)
FROM syslogins
WHERE name = 'sa'
  AND is_disabled = 0
Note: Using syslogins instead of sys.server_principals allows you to evaluate SQL 2000 instances
20. Encryption
Predefined Best Practice Policies:
Asymmetric Key Encryption Algorithm
Symmetric Key Encryption for User Databases
Symmetric Key for master Database
Symmetric Key for System Databases
Transparent Data Encryption: Database Facet: EncryptionEnabled = True
Extensible Key Management: Server Configuration Facet: ExtensibleKeyManagementEnabled = True
21. Audit
Predefined Best Practice Policies:
SQL Server Default Trace
Login Auditing: Server Audit Facet: LoginAuditLevel = All
SQL Server Audit: Server Facet: AuditLevel = All
Audit Facet: Enabled = True & OnFailure = Shutdown
Database Audit Specification Facet: Enabled = True
Server Audit Specification Facet: Enabled = True
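Each facet property on slides 15, 19, 20 and 21 is backed by a catalog view, DMV or extended procedure, so the same checks can be run as plain T-SQL to cross-check a PBM report or to cover an instance where PBM is not deployed yet. The script below is an added example, not from the deck. Every query returns only violations, so an empty result for an item means that item is compliant. It needs SQL Server 2008 or later (the service-account DMV needs 2008 R2 SP1 or later); the acceptable key algorithms are this example's assumptions, since the deck does not state what its predefined key policies require.

```sql
-- Added example, not from the slide deck: catalog-view equivalents of the facet
-- conditions on slides 15, 19, 20 and 21. Each query lists violations only.
-- SQL Server 2008+; sys.dm_server_services needs 2008 R2 SP1+.
-- The AES / RSA_2048 thresholds are assumptions of this example.
USE master;
GO

-- Slide 15: Server facet ServiceAccount != 'LocalSystem'
SELECT servicename, service_account
FROM   sys.dm_server_services
WHERE  service_account IN (N'LocalSystem', N'NT AUTHORITY\SYSTEM');

-- Slide 15: Server facet NumberOfLogFiles = 99
-- (registry value NumErrorLogs; when it is not set, the engine default is 6)
DECLARE @logs TABLE (value_name NVARCHAR(128), data INT);
INSERT INTO @logs
    EXEC master.dbo.xp_instance_regread
         N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs';
SELECT ISNULL(data, 6) AS number_of_log_files
FROM   @logs
WHERE  ISNULL(data, 6) <> 99;

-- Slide 19: sa must be disabled. SID 0x01 is fixed, so a renamed sa is caught too.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  sid = 0x01 AND is_disabled = 0;

-- Slide 20: Database facet EncryptionEnabled = True for every user database
SELECT name AS database_without_tde
FROM   sys.databases
WHERE  database_id > 4 AND is_encrypted = 0;

-- Slide 20: Server Configuration facet ExtensibleKeyManagementEnabled = True
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = N'EKM provider enabled' AND value_in_use = 0;

-- Slide 20: key algorithms in the CURRENT database (repeat per database, e.g.
-- via sp_MSforeachdb). The engine-created master key (##MS_...) is skipped.
SELECT name, algorithm_desc, key_length
FROM   sys.symmetric_keys
WHERE  name NOT LIKE N'##MS[_]%'
  AND  algorithm_desc NOT IN (N'AES_128', N'AES_192', N'AES_256');   -- assumed acceptable set

SELECT name, algorithm_desc
FROM   sys.asymmetric_keys
WHERE  algorithm_desc <> N'RSA_2048';                               -- assumed minimum

-- Slide 21: SQL Server Default Trace must be on
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = N'default trace enabled' AND value_in_use = 0;

-- Slide 21: Server Audit facet LoginAuditLevel = All
DECLARE @login_audit TABLE (name SYSNAME, config_value SYSNAME);
INSERT INTO @login_audit EXEC master.dbo.xp_loginconfig N'audit level';
SELECT config_value AS login_audit_level
FROM   @login_audit
WHERE  config_value <> N'all';

-- Slide 21: Audit facet Enabled = True and OnFailure = Shutdown,
-- and at least one server audit must exist at all
IF NOT EXISTS (SELECT 1 FROM sys.server_audits)
    SELECT N'no server audit defined' AS violation;
SELECT name, is_state_enabled, on_failure_desc
FROM   sys.server_audits
WHERE  is_state_enabled = 0 OR on_failure_desc <> N'SHUTDOWN SERVER INSTANCE';

-- Slide 21: Server / Database Audit Specification facets Enabled = True
SELECT name AS disabled_server_audit_spec
FROM   sys.server_audit_specifications
WHERE  is_state_enabled = 0;

SELECT name AS disabled_database_audit_spec   -- current database only
FROM   sys.database_audit_specifications
WHERE  is_state_enabled = 0;
```

The point of keeping a second, PBM-independent check is the same one auditors make about any control: the thing that enforces a policy should not be the only thing that verifies it.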
22. Resources
Pro SQL Server 2008 Policy-Based Management: http://www.apress.com/book/view/9781430229100
MSDN Policy-Based Management Blog: http://blogs.msdn.com/sqlpbm/
SQL Server 2008 Compliance Guide: http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en
Deploying SQL Server 2008 Based on PCI DSS: http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF