Audit trails and implementing SOX/HIPAA/etc, best practices for sensitive data


Question


I consider myself to be relatively proficient in terms of application design, but I've never had to work with sensitive data. I've been wondering about what the best practices were for audit trails and how exactly one should implement them. I don't have to do it right now, but it'd be nice to be able to confidently talk with a medical company if they ask me to do some work for them.

Let's say we have a "school" database, with 'teachers', 'classes', 'students' all normalized in a many-to-many 'grades' table. What would you log? Every insert/update on the 'grades table'? Only updates (say, a kid breaks in and wants to change grades, this should send up red flags)? Does this vary entirely based on how paranoid one wants to be? Is there a best practice?

Is this something that should be done in the database? (A trigger on each sensitive SELECT which inserts a row to an 'audit' table logging each query?) What should be logged? Is there functionality automatically built into Oracle/DB2 that does it for you? Should this be application-side logic?

If anyone has any formal documentation/books on how to deal with sensitive data (not quite DoD "Trusted Computing" spec, but something along the lines of that :P), I'd appreciate it. I'm sorry if this question is terribly vague. I realize that this varies from application to application. I just want to hear your detailed experiences with dealing with sensitive data.

Solution

The first thing to understand is the native auditing capabilities of your chosen DBMS. These vary in detail, but generally provide a way to configure which operations are audited, and provide secure storage for the audit records that they generate.

The next thing to understand is what you want to audit. In the case of HIPAA and SOX, for example, you are probably looking at PII - Personal Identifying Information. Remember the fuss made about people accessing Obama's phone records, or various celebrities' medical records, or ... Those were caught because the system audited who read those records, and the audit analysis officer (AAO) spotted that the celebrity records were accessed by people who were not specifically authorized to do so. So, those systems must be logging who accesses each record, and spotting when the user who does so does not have an authentic business reason to do so. In these cases, it appears that the users had read authority for the records, so if their ordinary duties required them to look at the records, they could do so. But, when they were not required to do so, then they were abusing their power and appropriately sanctioned (up to and including losing jobs over it).

What this means is that you probably don't want to track who accesses the table of States which records the state code and full name (and assorted other bits of information about the state). There is nothing confidential about that list - it doesn't matter who reads it. Of course, almost no-one should write to it; the list of states does not change very often - but that can probably be handled by revoking update and delete permission on the table from everyone.

OTOH, you probably do want to record who accesses the records in medical histories (HIPAA), or who modifies the data in the accounting systems (SOX). You might or might not need to worry about who reads the accounting data; a lot of that can be dealt with by basic permissions (accounting staff have permission; IT staff do not). However, auditing is always an extra line of defense.

Bear in mind that audit records are no help whatsoever if they are never looked at. In general, auditing slows a system down (simply because it is doing more work when it writes audit records); it is important to understand how much it slows down before deciding to implement your auditing strategy. However, there are some things that are more important than application speed, and one of those is keeping yourself and other staff members out of jail. Auditing can be necessary to ensure that happens.
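As an added illustration of the answer's point (example code, not the answer's own), the following sqlite3 script assumes the question's 'grades' table plus a hypothetical 'class_teacher' table and a 'session' table that the application sets to the acting user: a trigger captures every update on the DBMS side, reads are logged by the application because a SELECT fires no DML trigger, and a review query flags any logged action by someone who is not the teacher of that class, i.e. someone without an obvious business reason.

```python
import sqlite3

# Constructed example, not the answer's code: a 'grades' table whose updates a
# trigger records, an application-side read log, and a review query that flags
# access by people with no business reason (not the teacher of that class).
SCHEMA = """
CREATE TABLE grades (student TEXT, class TEXT, grade TEXT);
CREATE TABLE class_teacher (class TEXT, teacher TEXT);
CREATE TABLE session (actor TEXT);   -- acting user, set by the application
CREATE TABLE audit_log (
    ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT, action TEXT,
    student TEXT, class TEXT, old_grade TEXT, new_grade TEXT);
-- DBMS-side trail for changes: the trigger cannot be skipped by the application
CREATE TRIGGER grades_upd AFTER UPDATE ON grades BEGIN
    INSERT INTO audit_log(actor, action, student, class, old_grade, new_grade)
    SELECT actor, 'UPDATE', OLD.student, OLD.class, OLD.grade, NEW.grade
    FROM session;
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO session VALUES ('')")
    db.execute("INSERT INTO class_teacher VALUES ('algebra', 'ms_lee')")
    db.execute("INSERT INTO grades VALUES ('alice', 'algebra', 'C')")
    return db

def set_grade(db, user, student, cls, grade):
    db.execute("UPDATE session SET actor = ?", (user,))
    db.execute("UPDATE grades SET grade=? WHERE student=? AND class=?",
               (grade, student, cls))

def read_grade(db, user, student, cls):
    # A SELECT fires no DML trigger, so reads are logged by the application.
    row = db.execute("SELECT grade FROM grades WHERE student=? AND class=?",
                     (student, cls)).fetchone()
    db.execute("INSERT INTO audit_log(actor, action, student, class) "
               "VALUES (?, 'READ', ?, ?)", (user, student, cls))
    return row[0] if row else None

def suspicious_access(db):
    # Audit review: every logged action by someone who is not that class's teacher.
    return db.execute("""
        SELECT actor, action, student, class, old_grade, new_grade FROM audit_log a
        WHERE NOT EXISTS (SELECT 1 FROM class_teacher t
                          WHERE t.class = a.class AND t.teacher = a.actor)
        ORDER BY a.rowid""").fetchall()
```

A real deployment would use the DBMS's own audit facility and a session user it cannot be lied to about; the 'session' table here only stands in for that.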
