Governance (OLTP): A Technical Reference Guide for Designing Mission-Critical OLTP Solutions
Want more guides like this one? Go to Technical Reference Guides for Designing Mission-Critical Solutions.
Governance is not a discrete set of IT features that can be pointed to, but understanding and deconstructing it matters because the policies set by regulators and standards bodies determine which features are required (for example, cell-level encryption and data auditing). In the U.S.A., laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), and health-data interchange standards such as those of Health Level Seven International (HL7) affect a wide variety of organizations. Because enterprises must comply with these requirements as part of the cost of doing business, regulatory requirements and organizational policies can drive the decision to include or exclude Microsoft SQL Server from tier-one enterprise consideration.
The following resources provide some general information about governance and compliance. Since regulatory organizations provide very few best practices for governance, Microsoft and enterprise customers rely on partner vendors to define how to implement systems that are in compliance. (Note that the full URLs for the hyperlinked text are provided in the Appendix at the end of this document.)
The web site SQL Server 2008: Compliance1 is the main site for information about SQL Server compliance, including an overview of governance. Within this site, the following sections are of particular interest:
The "Securing the platform" section of the site provides guidance and references for securing the entire server environment end to end, rather than just the database.
The "Controlling identity and separation of duties" section provides guidance and references about the basics of identity and access control in addition to the policies surrounding the separation of duties.
The white paper Reaching Compliance: SQL Server 2008 Compliance Guide2 includes a deep dive into understanding compliance and its impact through regulatory requirements and organization policies.
The Security Standards Compliance3 section of the SQL Server 2008 R2 Books Online provides descriptions and configuration procedures for Common Criteria security certification.
Case Studies and References
The following white papers provide additional information and implementation guidelines:
The white paper Jefferson Wells: Supporting HIPAA Compliance with Microsoft SQL Server 20084 provides guidance on specific SQL Server 2008 features, and how they may be implemented to support the goals and technical safeguard requirements of HIPAA.
The white paper ParenteBeard: Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS)5 gives developers and senior technology leaders technical guidance on proactively achieving PCI DSS compliance when deploying SQL Server 2008 to support and protect key business processes, and on avoiding the associated security and fraud risks.
Questions and Considerations
This section provides questions and issues to consider when working with your customers.
Microsoft does not have deep domain and regulatory expertise in every industry where its products are used. When working with customers, understand their regulatory requirements and work with them and with partners to tailor solutions that use the security-oriented features of SQL Server to meet the applicable regulatory governance.
As you work with customers and partners, consider how Microsoft as an organization can work more closely with them to meet their governance needs. Specifically, consider how to better:
Receive input on necessary features and technologies, particularly in relation to local regulations.
Provide guidance to the community on how to use Microsoft technologies for governance and compliance.
Provide end-to-end governance solutions for customers.
1 SQL Server 2008: Compliance: http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
2 Reaching Compliance: SQL Server 2008 Compliance Guide: http://sqlcat.com/whitepapers/archive/2008/11/15/reaching-compliance-sql-server-2008-compliance-guide.aspx
3 SQL Server 2008 R2 Books Online: Security Standards Compliance: http://msdn.microsoft.com/library/bb326717.aspx
4 Jefferson Wells: Supporting HIPAA Compliance with Microsoft SQL Server 2008: http://www.jeffersonwells.com/mssql2008hipaa
5 ParenteBeard: Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS): http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF (Note: if the link does not open when clicked, copy the URL into a browser.)