Enterprise data are subject to various regulations depending on their geographical location and the type of business. An increased effort is expected, and mandated, to respect those rules, which are typically meant to better secure and protect the accuracy and privacy of enterprise data. Various regulations also expect you to actually demonstrate compliance, which is not a piece of cake.
In addition, most people think that external threats (such as an external hacker trying to access corporate data) are the most common data security issue. In reality, various studies have shown that internal threats comprise 80% of all security threats. In other words, companies should make sure to protect their corporate data against their own employees as well.
Examples of regulations
Sarbanes-Oxley Act (SOX): The goal of SOX is to regulate corporations in order to reduce fraud and conflicts of interest, to improve disclosure and financial reporting, and to strengthen confidence in public accounting. Specifically, section 404 of this act, the one giving IT shops fits, specifies that the CFO must do more than simply vow that the company’s finances are accurate; he or she must guarantee the processes used to add up the numbers. Those processes are typically computer programs that access data in a database, and DBAs create and manage that data as well as many of those processes.
Health Insurance Portability and Accountability Act (HIPAA): This legislation contains language specifying that health care providers must protect individuals’ health care information, even going so far as to state that the provider must be able to document everyone who so much as looked at that information. In other words: can a DBA produce a list of everyone who looked at a specific row or set of rows in any database?
Payment Card Industry Data Security Standard (PCI DSS): This well-known standard was developed by the major credit card companies to help prevent credit card fraud, hacking and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant, or it risks losing the ability to process credit card payments. Given the availability and volume concerns of payment card transactions, this information is typically stored in an enterprise database.
General Data Protection Regulation (GDPR): This new regulation applies to organizations that do business in the European Union, and will be effective in May 2018. It is meant to strengthen and unify data protection for individuals within the European Union, but it also covers the export of data (or even access to the data) from outside the EU. The stated objective of GDPR is to return control of personal data to the individual. This includes data retention requirements, data privacy rules and huge penalties for being out of compliance.
Personal Information Protection and Electronic Documents Act (PIPEDA): This Canadian regulation specifies the rules governing the collection, use, or disclosure of personal information by organizations, while recognizing the right of privacy of individuals with respect to their personal information.
It’s (almost) as simple as a 1-2-3 process!
Step 1 to Data Compliance: Define Data Compliance for your business
Depending on the type of corporate data you own, the type of business you are in, and the geographies you do business with, the regulations you want to comply with will be different. And the definition of the Personal Information to protect will be different too!
As a typical example, the format of social security numbers differs from one country to another. If you do business in the Czech Republic (for example), the social security numbers (Rodné číslo) have a specific format.
Step 2 to Data Compliance: Locate the sensitive personal data
While most companies understand the need to comply with regulation(s), a typical challenge is to determine where all the sensitive personal data are actually located within the corporate data.
Once you have defined what kind of data you are going after (Step 1), the challenge is to make sure you know where those data are stored: where are those “Rodné číslo” in the corporate data?
You may think you know where all of them are stored, but … are you sure? Remember: the goal is to demonstrate compliance, so you had better be sure you know exactly where all those “Rodné číslo” are stored.
Step 3 to Data Compliance: Secure, protect, and demonstrate compliance
When you know what personal data you are going after, and you know where they are located, the game is to make sure the authorizations and security settings are defined properly, so that only the individuals who must have access to them… have access to them.
In other words, you need to produce a report that clearly states which personal data are stored where, and who has access to them.
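The three steps above, carried through as an added example that is not part of the original post and not CA Data Content Discovery's own code: a small Python scanner that defines two classifiers (Step 1), runs them over a set of records to locate matches (Step 2), and produces a per-dataset report of what was found and who can read it (Step 3). It also illustrates the custom-classifier idea, with a “Rodné číslo” classifier beside a stand-in for a pre-defined payment-card classifier. The dataset names, records and access lists are constructed for the example; the Rodné číslo format rules (YYMMDD/XXXX, month offset for women, divisibility by 11 for numbers issued since 1954) and the Luhn check are the publicly documented ones, not taken from the post, and the classifier names are assumptions.

```python
import re
from collections import namedtuple
from datetime import date

# A classifier pairs a regex that finds candidate tokens with a validator
# that rejects false positives: a pattern match alone is not evidence.
Classifier = namedtuple("Classifier", "name pattern validate")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (PCI DSS scope)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def rodne_cislo_ok(token):
    """Validate a Czech Rodné číslo: YYMMDD/XXX (issued before 1954) or
    YYMMDD/XXXX. The month is +50 for women (+20 / +70 are also used since
    2004). The 10-digit form must be divisible by 11; older numbers allow
    first-nine-digits mod 11 == 10 with a check digit of 0."""
    digits = token.replace("/", "")
    if len(digits) not in (9, 10) or not digits.isdigit():
        return False
    yy, mm, dd = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
    for offset in (0, 20, 50, 70):
        if 1 <= mm - offset <= 12:
            mm -= offset
            break
    else:
        return False
    if len(digits) == 9:
        year = 1900 + yy
    else:
        year = 2000 + yy if yy < 54 else 1900 + yy
        if int(digits) % 11 != 0 and not (int(digits[:9]) % 11 == 10 and digits[9] == "0"):
            return False
    try:
        date(year, mm, dd)      # rejects impossible birth dates
    except ValueError:
        return False
    return True


# Step 1: define what to look for. PCI_PAN stands in for a pre-defined
# classifier; CZ_RODNE_CISLO is the custom, country-specific one (names assumed).
CLASSIFIERS = [
    Classifier("PCI_PAN", re.compile(r"\b\d{13,19}\b"), luhn_ok),
    Classifier("CZ_RODNE_CISLO", re.compile(r"\b\d{6}/?\d{3,4}\b"), rodne_cislo_ok),
]

# Constructed sample records and access lists (hypothetical dataset names).
SAMPLE_RECORDS = [
    {"dataset": "HR.EMPLOYEE.MASTER", "record": 1,
     "fields": {"NAME": "Jan Novak", "NOTES": "ID 800101/0006 verified"}},
    {"dataset": "HR.EMPLOYEE.MASTER", "record": 2,
     "fields": {"NAME": "Eva Svobodova", "NOTES": "RC 855512/1234"}},
    {"dataset": "SALES.ORDERS", "record": 7,
     "fields": {"COMMENT": "ref 800101/0007, card 4111111111111111"}},
    {"dataset": "SALES.ORDERS", "record": 8,
     "fields": {"COMMENT": "legacy id 450101/123"}},
]
SAMPLE_ACCESS = {
    "HR.EMPLOYEE.MASTER": ["HRADMIN", "PAYROLL", "DBA01"],
    "SALES.ORDERS": ["SALES", "DBA01", "PUBLIC"],
}


def scan(records, classifiers=CLASSIFIERS):
    """Step 2: locate the data. Returns (dataset, record, field, classifier, token) hits."""
    hits = []
    for rec in records:
        for field, value in rec["fields"].items():
            for clf in classifiers:
                for m in clf.pattern.finditer(str(value)):
                    if clf.validate(m.group(0)):
                        hits.append((rec["dataset"], rec["record"], field, clf.name, m.group(0)))
    return hits


def compliance_report(hits, access_lists):
    """Step 3: per dataset, which classifiers fired, in which fields, and who has access."""
    report = {}
    for dataset, _rec, field, clf, _tok in hits:
        entry = report.setdefault(dataset, {
            "hits": 0, "classifiers": set(), "fields": set(),
            "access": sorted(access_lists.get(dataset, [])),
        })
        entry["hits"] += 1
        entry["classifiers"].add(clf)
        entry["fields"].add(field)
    return report


if __name__ == "__main__":
    for dataset, entry in compliance_report(scan(SAMPLE_RECORDS), SAMPLE_ACCESS).items():
        print(dataset, entry)
```

The point of the validator step is precision: “800101/0007” in the sales comment looks like a Rodné číslo but fails the divisibility check, so it is not reported, while the real card number and the pre-1954 nine-digit number are. The report then shows the Step 3 question directly: the SALES.ORDERS dataset holds both a card number and a birth number, and PUBLIC can read it.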
Find and control regulated mainframe data and classify for compliance with CA Data Content Discovery (DCD)
Compliance and adherence to regulations is critical to help prevent data breaches.
CA Data Content Discovery helps you identify data exposure risks on z Systems™ by scanning through the mainframe data infrastructure.
By discovering where the data is located, classifying the data to determine sensitivity level and providing comprehensive reporting on the scan results, mission essential data can be protected and exposure risks can be mitigated.
CA Data Content Discovery (DCD) comes with a number of pre-defined classifiers out of the box, to comply with various well-known regulations.
In addition, CA Data Content Discovery (DCD) can be configured to look for sensitive industry-specific or country-specific data in your corporate data; that is, you can create custom classifiers, such as one for the “Rodné číslo” discussed above: