Enterprise data are subject to various regulations depending on their geographical location and the type of business. An increased effort is expected and mandated to respect those rules, which are typically meant to better secure and protect the accuracy and privacy of enterprise data. Various regulations also expect organizations to actually demonstrate compliance, which is not a piece of cake.
In addition, most people think that external threats (such as an external hacker trying to access corporate data) are the most common data security issue. In reality, various studies have shown that internal threats comprise 80% of all security threats. In other words, companies should make sure to protect their corporate data against their own employees as well.
Examples of regulations
Sarbanes-Oxley Act (SOX): The goal of SOX is to regulate corporations in order to reduce fraud and conflicts of interest, to improve disclosure and financial reporting, and to strengthen confidence in public accounting. Specifically, Section 404 of this act, the one giving IT shops fits, specifies that the CFO must do more than simply vow that the company's finances are accurate; he or she must guarantee the processes used to add up the numbers. Those processes are typically computer programs that access data in a database, and DBAs create and manage that data as well as many of those processes.
Health Insurance Portability and Accountability Act (HIPAA): This legislation contains language specifying that health care providers must protect individuals' health care information, even going so far as to state that the provider must be able to document everyone who so much as looked at that information. In other words: can a DBA produce a list of everyone who looked at a specific row or set of rows in any database?
General Data Protection Regulation (GDPR): This new regulation applies to organizations that do business in the European Union and will be effective in May 2018. It is meant to strengthen and unify data protection for individuals within the European Union, but it also focuses on the export of data (or even access to the data) from outside the EU. The stated objective of GDPR is to return control of personal data to the individual. This includes data retention requirements, data privacy rules, and huge penalties for being out of compliance.
Personal Information Protection and Electronic Documents Act (PIPEDA): This Canadian regulation specifies the rules governing the collection, use, or disclosure of personal information, recognizing the right of individuals to privacy with respect to their personal information. It also specifies the rules organizations must follow when they collect, use, and disclose personal information.