Audits

  • Hello,

    Can someone share a list of events which need to be monitored using SQL Server Audit to fulfil SOX requirements?

    Thanks a lot in advance,

    Best regards,

    Jerome

  • Good question, and I eagerly await the answer... got asked the same thing yesterday.

    From my experience we were required to keep track of a few things:

    1. who was given access to which DB

    2. what they were given access to

    3. kept track of any changes to the data or structure and who requested it

    4. all of the above had to be approved by their direct supervisor and, depending on the request, it might or might not move up the management ladder in order to make a change...

    5. a lot of times they worked with us as to what was acceptable and not... it did not seem like there was a one-to-many model... our company was constantly making changes... then when SOX came in we would have to explain who, what, why... from there we may or may not have left it... it seemed to be a constant struggle...

    6. all approvals and script changes would be stored according to a ticket number... then SOX would come in and do an audit. They would ask at random for a ticket number, we would pull up the ticket and there we would have a chain of emails from the requester to the approver, and the script that was run along with the results.

    Again, I am no expert in SOX; I am only giving my experience.

    hope it helps

  • Truthfully, this is determined by your auditor(s). You typically want to track:

    - Who has access to the SQL Server

    - What has access to the database being monitored for SOX compliance

    - What rights they have within that database

    You may have additional requirements, such as what actions they are performing, etc., but it's all about the controls your auditor deems necessary.

    K. Brian Kelley
    @kbriankelley

  • Thank you all for sharing your experiences. It confirms what I read on the web.

    My hope was to find a kind of SQL Server 2008 audit SOX template script - Apparently it is different for every company depending on the auditors.

    I'll dig more in detail all audit categories and try to find some common ones which can be reused in different contexts.

    I'll be happy to share and get comments back.

    The reason for the highly variable results is the industry you're in can, and will, change the auditing level and specific controls you might run into.

    Example: One place I was at, dealing with HIPAA and SOX simultaneously, had about two-thirds of our data out in the wild... with nothing more than a GUID available to identify a patient. The GUID identification information was locked down to about 5 people who could see it in bulk; the rest were single-item requests, mostly for doctors and the like.

    Talk to the auditor and the legal departments, they're usually the only ones with the answer for any specific location.


    - Craig Farrell

    Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.


    Twitter: @AnyWayDBA

  • Here is a link to Microsoft's SQL Server 2008 Compliance site. It includes whitepapers and other useful information.

    http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx

    Thanks Jerry - I had already seen this page and gone through it.

    Based on your post I revisited it and found a nice starter kit as a sample 🙂

    Still tightly linked to this topic: how to set up a database audit specification which monitors activity (select, insert, delete, update, exec) executed by the members of an AD group which is a SQL Server login and a member of the sysadmin server role, and therefore not mapped to a database user.

    A SQL Server database audit specification requires a BY principalName clause; if I use [Domain\ADGroup] as the principal, it doesn't audit the [Domain\ADGroup] members' actions.

    How is it possible to let SQL Server know we want to audit something like [Domain\ADGroup].members() actions?
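One way to capture the activity described in the post above, as an added T-SQL example that is not part of the original thread. The BY clause of a database audit specification names a database principal, and a sysadmin login has no user of its own in the database: it enters every database as dbo. Auditing BY public therefore catches dbo along with every other database user, and the Windows account behind the group login is still recorded in each audit record, so group membership can be applied afterwards when the log is read. The audit name SoxAudit, the specification name SoxDbSpec, the folder E:\SQLAudit\, the database Finance and the group login [CORP\FinanceDBAs] are assumed names for illustration.

```sql
-- Added example, not from the original thread. Assumed names: server
-- audit SoxAudit, database audit specification SoxDbSpec, target folder
-- E:\SQLAudit\, database Finance, AD group login [CORP\FinanceDBAs].
-- Server audit and database audit specifications require SQL Server
-- 2008 Enterprise (or later editions that include SQL Server Audit).
USE master;
GO

-- 1. The server audit defines where records are written. Put the files
--    on a volume the audited sysadmins cannot alter, and decide whether
--    a failure to write should stop the instance (SHUTDOWN) or be
--    tolerated (CONTINUE); for SOX, completeness usually wins.
CREATE SERVER AUDIT SoxAudit
TO FILE (FILEPATH = 'E:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
ALTER SERVER AUDIT SoxAudit WITH (STATE = ON);
GO

-- 2. The database audit specification. BY [CORP\FinanceDBAs] would not
--    fire because that login is not a database principal; sysadmins act
--    as dbo. BY public covers every database principal, dbo included.
USE Finance;
GO
CREATE DATABASE AUDIT SPECIFICATION SoxDbSpec
FOR SERVER AUDIT SoxAudit
ADD (SELECT, INSERT, UPDATE, DELETE, EXECUTE ON DATABASE::Finance BY public)
WITH (STATE = ON);
GO

-- 3. Reading the log back, restricted to current members of the group.
--    xp_logininfo 'members' returns the accounts that currently make up
--    the group; the audit record's server_principal_name holds the
--    Windows user who actually connected, not the group name.
CREATE TABLE #members (
    account_name      sysname,
    [type]            char(8),
    [privilege]       char(9),
    mapped_login_name sysname,
    permission_path   sysname
);
INSERT INTO #members
EXEC xp_logininfo 'CORP\FinanceDBAs', 'members';

SELECT a.event_time,
       a.server_principal_name,
       a.database_principal_name,   -- shows dbo for sysadmin members
       a.action_id,                 -- SL, IN, UP, DL, EX
       a.object_name,
       a.statement
FROM sys.fn_get_audit_file('E:\SQLAudit\*', DEFAULT, DEFAULT) AS a
JOIN #members AS m
  ON m.account_name = a.server_principal_name
ORDER BY a.event_time;

DROP TABLE #members;
```

Two caveats a practitioner will want: SQL Server 2008 has no WHERE predicate on a server audit (that arrived in 2012), so filtering to the group has to happen when the file is read, as above; and membership is evaluated at read time, so a user removed from the group between the event and the report will drop out of the join. Store the group roster alongside the audit files if the auditor needs the membership as it was on the day.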
