In light of SARBOX, ChoicePoint security breaches, identity theft etc, what
are some best practices regarding encryption and security of this type of
info? I know this is a pretty broad question, so links to other sites are
great, but I'd like to hear some personal experiences and opinions.
The reason is I have identified what I consider potential security problems
in our systems. I need to get a sense of how critical these particular
issues are (I tend to take the position that hyper vigilance is best so for
me everything is critical) and get them in front of management to hopefully
get some action. But I always think it's best to have at least a proposal
for a solution when presenting a problem.
Anyway, any feedback is most appreciated.
Bob Castleman
DBA Poseur

Here is a little something from a mind far greater than mine...
http://vyaskn.tripod.com/sql_server...t_practices.htm
Peter
"The length of this document defends it well against the risk of its being
read."
Winston Churchill
"Bob Castleman" wrote:
> In light of SARBOX, ChoicePoint security breaches, identity theft etc, what
> are some best practices regarding encryption and security of this type of
> info? I know this is a pretty broad question, so links to other sites are
> great, but I'd like to hear some personal experiences and opinions.
> The reason is I have identified what I consider potential security problems
> in our systems. I need to get a sense of how critical these particular
> issues are (I tend to take the position that hyper vigilance is best so for
> me everything is critical) and get them in front of management to hopefully
> get some action. But I always think it's best to have at least a proposal
> for a solution when presenting a problem.
> Anyway, any feedback is most appreciated.
> Bob Castleman
> DBA Poseur
>

SARBOX is not an area I'm expert in but one thing I know about security
is that it isn't the same as encryption. Encryption is just one tool
for security. So "designing for security" is something different from
"designing for encryption" and I would advise you to focus on the
former rather than the latter. As I understand it SARBOX does NOT
mandate that any data be encrypted it just requires "adequate" internal
controls.
David Portas
SQL Server MVP
--

I believe that Sarbanes-Oxley suggests or recommends all "Sensitive" data be
encrypted in a data store.
SSNs
Account Numbers
Visa Numbers
etc etc etc
I could be wrong (I'm not a SOX Audit expert either)
Greg Jackson
PDX, Oregon

Not a lawyer or security expert but California law, SB 1386
(http://info.sen.ca.gov/pub/01-02/bi...86_bill_20020926_chaptered.html)
mentions unencrypted data. It seems that if someone were to breach your
database and personal information was encrypted you would not need to
disclose the breach.
See http://informationw.com/story/showArticle.jhtml?articleID=10700814
for an overview...
"pdxJaxon" <GregoryAJackson@.Hotmail.com> wrote in message
news:%23Jf3G$8LFHA.576@.TK2MSFTNGP15.phx.gbl...
> I believe that Sarbanes-Oxley suggests or recommends all "Sensitive" data be
> encrypted in a data store.
> SSNs
> Account Numbers
> Visa Numbers
> etc etc etc
> I could be wrong (I'm not a SOX Audit expert either)
> Greg Jackson
> PDX, Oregon
>
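The thread names the field types at issue (SSNs, account numbers, card numbers) and the SB 1386 point that what matters in a breach is whether that data sat in the database unencrypted. Before proposing encryption to management, a DBA first needs an inventory of where such values are stored in the clear. The script below is an added example, not code from any of the posters: it opens a small constructed SQLite database (standing in for the SQL Server instance discussed), walks every user table and column, and reports columns in which most sampled values look like plaintext SSNs or Luhn-valid card numbers. A column that stores a ciphertext blob (here labelled with a constructed "enc:" prefix) is not flagged, which is the state the SB 1386 post describes. The table layout, the sample values (standard test card numbers and made-up SSNs) and the 50% flagging threshold are all assumptions made for the example.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Loose shapes for the field types named in the thread. The Luhn check below
# filters most numeric strings that merely happen to be 13-19 digits long.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Return 'ssn', 'card' or None for a single cell value."""
    if not isinstance(value, str):
        return None
    s = value.strip()
    if SSN_RE.match(s):
        return "ssn"
    compact = s.replace(" ", "").replace("-", "")
    if CARD_RE.match(compact) and luhn_ok(compact):
        return "card"
    return None


def find_plaintext_sensitive(conn: sqlite3.Connection, sample_rows: int = 1000,
                             threshold: float = 0.5) -> List[Tuple[str, str, str, int, int]]:
    """Scan every column of every user table; report (table, column, kind,
    hits, sampled) where at least `threshold` of sampled values look like
    plaintext SSNs or card numbers. Names come from the catalog, not from
    user input, so quoting them into the query is safe here."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = conn.execute(
                f'SELECT "{col}" FROM "{table}" LIMIT ?', (sample_rows,)).fetchall()
            counts = {"ssn": 0, "card": 0}
            for (val,) in rows:
                kind = classify(val)
                if kind:
                    counts[kind] += 1
            for kind, hits in counts.items():
                if rows and hits / len(rows) >= threshold:
                    findings.append((table, col, kind, hits, len(rows)))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database for the example (assumption: not real data).
    `customers` keeps SSNs and card numbers in the clear and also an `ssn_enc`
    column holding an opaque ciphertext blob; `orders` holds nothing sensitive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT, card TEXT, ssn_enc TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", [
        (1, "Alice", "123-45-6789", "4111 1111 1111 1111", "enc:ZmFrZS1jaXBoZXJ0ZXh0LTE="),
        (2, "Bob",   "987-65-4321", "5500000000000004",    "enc:ZmFrZS1jaXBoZXJ0ZXh0LTI="),
        (3, "Carol", "555-12-3456", "378282246310005",     "enc:ZmFrZS1jaXBoZXJ0ZXh0LTM="),
    ])
    conn.execute("CREATE TABLE orders (order_no TEXT, amount REAL, ref TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?,?,?)", [
        ("ORD-1001", 19.99, "4111111111111112"),   # 16 digits but fails Luhn
        ("ORD-1002", 5.00,  "00001234567890"),     # internal reference, not a card
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, col, kind, hits, n in find_plaintext_sensitive(build_sample_db()):
        print(f"{table}.{col}: {hits}/{n} sampled values look like plaintext {kind}")
```

Run against the constructed data it reports customers.ssn and customers.card and stays silent on customers.ssn_enc and on both orders columns. Against a real instance the point is the same as David's: the report tells you which columns to bring under controls (encryption, restricted grants, auditing), not that encrypting them alone makes the system secure.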