TOP 3 THINGS TO CONSIDER WHEN TRYING TO FIGURE OUT HOW TO PROTECT YOUR DATA AT THE DATA LEVEL

  1. BACKUP EVERYTHING
    1. That means the database
    1. The application code
    1. The people with the DR and Restore capabilities
    1. DOCUMENTATION OF HOW

You need to make certain your IT leaders know everything about your data and not one person is not expendable. When bad things happen to good companies they tend to happen on the exact wrong day. Make certain to cross train where the backups are stored, create restore testing environments, where is the application code and how do you restore it all from the ground up. Create documentation test the documentation during your DR tests. CROSS TRAIN

  • Roles and Rules
    • Only allow highly trusted highly experience people access to production
    • Make certain more than one person owns everything, any report, any account, any database, backup system access.
    • Make certain no one makes changes in the environment without q/a policies followed
    • Turn on audit controls, buy auditing software, make certain a TEAM of people get those alerts and reports

It is incredibly important that no single person has the ultimate authority to do anything without being tracked and have a second set of eyes reviewing their work effort, especially if it affects data changes. Data corruptions most often happen within the company a non-malicious attack just a tired over worked person. You never want a person that has controls in your environment that is the only one that can run reports or run backups etc. This can be an HR IT nightmare. The employee can literally hold you for ransom.

  • Encryption is your friend
    • Use encryption at the hardware level
    • Use encryption at rest, encrypt columns example column the password column not even your DBA should be able to see anyone’s password, resets work fine
    • Use encryption during transport
    • Store the encryption key outside of the environment
    • Make certain at least two people know where they are kept and how to use them all

Encryption is a friend it is not hard to set up and it usually does not affect performance. Review the audited data types that you have and encrypt those columns. There is not a lot to say except do this

In summary review your backup and DR procedures with your team. Make certain that the restores and DR procedures are tested. Make certain EVERYTHING is documented and test the documents. Cross train your personnel for every task. The day they are on vacation in the middle of nowhere without a phone is the day you will need them. Give that person some work-life balance set up work partnerships. Lastly ENCRYPT important data, access data, audited data and anything that may have sophisticated knowledge about your environment. Back up even your key documents. Silo key items so only need to know has access. Audit everything everyone does on your system even if that means having a watcher and when changes are made in your environment.

For more information about how to optimize queries ask about our Advance SQL Class. Call 813 641 3434 to talk to one of our sales consultants or email sales@soaringeagle.guru. www.soaringeagle.biz.
On My way to a SOC 2 author Penny Garbus

Comments