Overview

Compliance

Many organizations must comply with rules from government, industry consortiums, and other organizations, and often some rules exist regarding the protection of sensitive data.

In addition, many businesses elect to adopt their own set of rules to protect sensitive data, and adherence to these rules is often monitored by internal audit departments.

Some compliance rules are common to every set of rules. For example, “Change the default password” appears in most standards. Unfortunately, some of the laws are very broad and open to interpretation.

Showing auditors that your software and processes comply with the guidelines is necessary. Therefore, most organizations that need to comply acquire third-party software to assist with compliance, monitoring, and reporting.

It is not enough to run a query at a single point in time to show that the ‘sa’ account is disabled. You also need to show that you have processes in place to ensure that it stays disabled, or that if it gets re-enabled the processes will detect this and notify the appropriate personnel. From an auditor's perspective, documentation of the processes you follow to meet compliance guidelines is as important as following the guidelines themselves.
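As an added illustration of the difference between a point-in-time check and an ongoing control (this is example T-SQL written for this page, not code from the original article), the first query confirms the current state of the ‘sa’ login, and the server audit that follows records any later change to server principals, so a re-enable is logged for review rather than only noticed at the next manual check. The audit names and the file path are assumptions chosen for illustration.

```sql
-- Added example, not from the original page.

-- 1. Point-in-time check. The built-in 'sa' login always has SID 0x01,
--    so match on the SID rather than the name in case it was renamed.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;
-- A compliant instance returns is_disabled = 1.

-- 2. Ongoing detection: a server audit that captures every change to a
--    server principal, including ALTER LOGIN ... ENABLE.
USE master;

CREATE SERVER AUDIT Audit_LoginChanges
    TO FILE (FILEPATH = N'D:\SQLAudit\');   -- assumed path
ALTER SERVER AUDIT Audit_LoginChanges WITH (STATE = ON);

CREATE SERVER AUDIT SPECIFICATION AuditSpec_LoginChanges
    FOR SERVER AUDIT Audit_LoginChanges
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);

-- 3. Periodic review (or an alerting job): list audited statements that
--    enabled a login, together with who ran them and when.
SELECT event_time, server_principal_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement LIKE N'%ALTER LOGIN%ENABLE%'
ORDER BY event_time DESC;
```

The first query is what an auditor sees as a snapshot; the audit specification and the review query are the documented, repeatable process the text says auditors also expect, and the review query can be scheduled so that a change is surfaced without relying on someone remembering to look.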