Enterprise data are subject to various regulations depending on their geographical location and the type of business. Increasing effort is expected, and mandated, to respect those rules, which are typically meant to better secure and protect the accuracy and privacy of enterprise data. Various regulations also expect you to actually demonstrate compliance, which is not a piece of cake.
In addition, most people think that external threats (such as an external hacker trying to access corporate data) are the most common data security issue. In reality, various studies have shown that internal threats comprise 80% of all security threats. In other words, companies should make sure to protect their corporate data against their own employees.
Examples of regulations
Sarbanes-Oxley Act (SOX): The goal of SOX is to regulate corporations in order to reduce fraud and conflicts of interest, to improve disclosure and financial reporting, and to strengthen confidence in public accounting. Specifically, Section 404 of this act, the one giving IT shops fits, specifies that the CFO must do more than simply vow that the company's finances are accurate; he or she must guarantee the processes used to add up the numbers. Those processes are typically computer programs that access data in a database, and DBAs create and manage that data as well as many of those processes.
Health Insurance Portability and Accountability Act (HIPAA): This legislation contains language specifying that health care providers must protect individuals' health care information, even going so far as to state that the provider must be able to document everyone who so much as looked at that information. In other words: can a DBA produce a list of everyone who looked at a specific row or set of rows in any database?
Payment Card Industry Data Security Standard (PCI DSS): This well-known standard was developed by the major credit card companies to help prevent credit card fraud, hacking and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments. Given the availability and volume requirements of payment card transactions, this information is typically stored in an enterprise database.
General Data Protection Regulation (GDPR): This new regulation applies to organizations that do business in the European Union and takes effect in May 2018. It is meant to strengthen and unify data protection for individuals within the European Union, but it also covers the export of data (or even access to the data) from outside the EU. The stated objective of GDPR is to return control of personal data to the individual. This includes data retention requirements, data privacy rules and huge penalties for being out of compliance.
Personal Information Protection and Electronic Documents Act (PIPEDA): This Canadian regulation specifies the rules governing the collection, use, and disclosure of personal information, recognizing the right of privacy of individuals with respect to their personal information. It also specifies the rules organizations must follow to collect, use, and disclose personal information.
Demonstrate Compliance!
It's (almost) as simple as a 1-2-3 process!
Step 1 to Data Compliance: Define Data Compliance for your business
Depending on the type of corporate data you own, the type of business you are in, and the geography you do business with, the regulations you must comply with will differ. And so will the definition of the Personal Information you have to protect!
As a typical example, the format of social security numbers differs from one country to another. If you do business in the Czech Republic (for example), the social security numbers (Rodné číslo) have a specific format (the third digit may only be 0, 1 or 5, so the character class is written [015]; a comma inside the class would be taken as a literal character):
[0-9]{2}[015][0-9][0-9]{2}/?[0-9]{4}
Step 2 to Data Compliance: Locate the sensitive personal data
While most companies understand the need to comply with the regulation(s), a typical challenge is to determine where all the sensitive personal data are actually located within the corporate data.
Once you have defined what kind of data you are going after (Step 1), the challenge is to make sure you know where those data are stored: where are those "Rodné číslo" in the corporate data?
You may think you know where all of these are stored, but... are you sure? Remember: the goal is to demonstrate compliance, so you had better be sure you know exactly where all those "Rodné číslo" are stored.
Step 3 to Data Compliance: Secure, protect, and demonstrate compliance
When you know what personal data you are going after, and you know where they are located, the game is to make sure the authorizations and security settings are defined properly, so that only the individuals who must have access to the data... have access to it.
In other words, you need to produce a report that clearly states what personal data are where, and who has access to them.
Find and control regulated mainframe data and classify for compliance with CA Data Content Discovery (DCD)
Compliance and adherence to regulations is critical to help
prevent data breaches.
CA Data Content Discovery helps you identify data exposure risks on z Systems™ by scanning through the mainframe data infrastructure. By discovering where the data is located, classifying the data to determine its sensitivity level and providing comprehensive reporting on the scan results, mission-essential data can be protected and exposure risks can be mitigated.
CA Data Content Discovery (DCD) comes with a number of pre-defined classifiers out of the box, to comply with various well-known regulations. In addition, CA Data Content Discovery (DCD) can be configured to look for sensitive industry-specific or country-specific data in your corporate data; that is, you can create custom classifiers such as a "Rodné číslo" (as discussed above):
[0-9]{2}[015][0-9][0-9]{2}/?[0-9]{4}
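The following is an added example of what a custom classifier such as the "Rodné číslo" pattern above does when it is run over data, covering both the "locate the sensitive data" step and the custom-classifier idea. It is not CA Data Content Discovery code and makes no claim about how DCD implements classifiers; it is a stand-alone Python scanner that reuses the page's regular expression with two additions a practitioner would want: look-arounds so that a ten-digit run inside a longer number (a card number, a timestamp) is not reported, and the divisibility-by-11 rule that ten-digit Czech birth numbers satisfy, used to separate confirmed hits from random digit strings that merely fit the shape. The report records where each hit sits (source, line, column) and a masked value, so the compliance report itself does not leak the data it is about. The CSV export is constructed sample data, and the source name, function names and the masking rule are assumptions of this example.

```python
"""Locate Czech birth numbers (Rodné číslo) in text and report where they are.

Added example for the compliance-scanning workflow described on the page.
This is not CA Data Content Discovery code; it only reuses the page's regex
as a custom classifier and adds a checksum test plus a masked location report.
"""
from __future__ import annotations

import re
from collections.abc import Callable
from dataclasses import dataclass

# The page's classifier, with the third-digit class written as [015] and with
# digit look-arounds added so that a hit embedded in a longer digit run (for
# example a 16-digit card number) is not reported.  Assumption of this
# example: the values of interest appear as stand-alone tokens.
RODNE_CISLO = re.compile(r"(?<!\d)[0-9]{2}[015][0-9][0-9]{2}/?[0-9]{4}(?!\d)")


def rodne_cislo_checksum_ok(value: str) -> bool:
    """Ten-digit birth numbers (issued after 1953) are divisible by 11.

    The pattern above only matches ten-digit values, so this check lets the
    report distinguish confirmed identifiers from look-alike digit strings.
    """
    digits = value.replace("/", "")
    return len(digits) == 10 and int(digits) % 11 == 0


# name -> (pattern, validator).  More country-specific classifiers would be
# added here in the same shape.
CLASSIFIERS: dict[str, tuple[re.Pattern[str], Callable[[str], bool]]] = {
    "rodne_cislo": (RODNE_CISLO, rodne_cislo_checksum_ok),
}


@dataclass(frozen=True)
class Hit:
    source: str        # data set or file the value was found in
    line: int          # 1-based line number
    column: int        # 0-based offset within the line
    classifier: str
    masked: str        # the raw value is deliberately not stored
    checksum_ok: bool  # True when the classifier's validator accepted it


def mask(value: str) -> str:
    """Keep only the last two characters; the report must not reproduce the data."""
    return "*" * (len(value) - 2) + value[-2:]


def scan(source: str, text: str,
         classifiers: dict[str, tuple[re.Pattern[str], Callable[[str], bool]]]) -> list[Hit]:
    """Run every classifier over every line and collect masked, located hits."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, (pattern, validator) in classifiers.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                hits.append(Hit(source, line_no, match.start(), name,
                                mask(value), validator(value)))
    return hits


def report(hits: list[Hit]) -> list[str]:
    """One line per hit: where it is, what it is, and whether it is confirmed."""
    return [f"{h.source}:{h.line}:{h.column} {h.classifier} {h.masked} "
            f"checksum={'ok' if h.checksum_ok else 'FAILED'}" for h in hits]


# Constructed sample export (not real people): a valid number with the slash,
# a valid number without it, a look-alike that fails the checksum, a card
# number and a timestamp that must not be reported.
SAMPLE_EXPORT = """\
id,name,birth_number,card
1,Jan Novak,850215/1240,4111111111111111
2,Eva Svobodova,9055120019,
3,Test Account,850215/1234,
4,Batch ref,no identifier here 20230101123456,
"""

if __name__ == "__main__":
    for line in report(scan("customers_export.csv", SAMPLE_EXPORT, CLASSIFIERS)):
        print(line)
```

Running the block prints three located hits for the sample export, two confirmed by the checksum and one flagged as a look-alike, and nothing for the card number or the timestamp; the third column of the report is what a reviewer would follow up on when verifying that every "Rodné číslo" is stored only where it should be.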