SQL Server 200x 中 SOX/HIPAA 数据加密标准

发布于 2024-08-05 13:35:41 字数 99 浏览 4 评论 0原文

我想知道数据库中是否有任何符合 SOX 或 HIPAA 标准的敏感数据加密标准。或者SQLServer中的加密功能是否必要?或业务逻辑中的处理。

我们有任何想法或链接。

I was wondering if there are any standards for encrypting sensitive data in Database which are compliant w/ SOX or HIPAA. Or does the Encrypt Function in SQLServer necessary?. or handle in Business logic.

Any ideas or links we have.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

阿楠 2024-08-12 13:35:41

首先,Google 进行 HIPAA 合规性

然后,阅读如下文章: http://www.developer.com/java/ent/article.php/3301011/HIPAA-Security-Rule---What-Software-Developers- Should-Know.htm

还有这个 http://www.hipaa .ihs.gov/index.cfm?module=compliance_packet

最后,请咨询贵公司的法律顾问。当您输掉诉讼时,未能正确保护 PHI 将使您的公司损失数百万美元,因为您的整个 HIPAA 合规策略都是基于 StackOverflow 上的回复。

First, Google for HIPAA Compliance

Then, read articles like this one: http://www.developer.com/java/ent/article.php/3301011/HIPAA-Security-Rule---What-Software-Developers-Should-Know.htm

And this http://www.hipaa.ihs.gov/index.cfm?module=compliance_packet

Finally, talk to your company's legal counsel. Failure to properly safeguard PHI will cost your company millions when you lose a lawsuit because your entire HIPAA compliance strategy was based on responses on StackOverflow.

夏夜暖风 2024-08-12 13:35:41

在我所在的一家公司,为了保护信用卡合规性,他们创建了一把密钥,然后用大锤摧毁了该硬盘,这样就没有人能够获得创建该密钥的信息。

尽管他们使用的是 Oracle DB,但他们创建了自己的密钥来加密信用卡。

对于 HIPAA 合规性,我不会信任数据库所做的任何加密,因为它可能不具备您所需的安全性,并且您的公司将因任何故障而承担责任。

最好的办法是自己控制密钥,而不是在数据库或服务器中拥有密钥。

在应用程序或服务器应用程序启动时需要输入密钥,但是,正如 S.Lott 指出的那样,您的法律顾问将需要参与审查设计,以确保涵盖所有问题。

At one company I was at, compliance in protecting credit cards they created a key and then destroyed that hard drive with a sledgehammer, so that no one could get the information that went into creating that key.

Though they were using the Oracle DB they created their own key to encrypt the credit cards.

For HIPAA compliance I would not trust any encryption done by the database, as it may not have the security that you need, and your company is on the hook for any failures.

Your best bet is to control the key yourself, and not have the key in the database, or server.

Have the key required to be input when the application or server application starts up, but, as S.Lott pointed out, your legal counsel will need to be involved in reviewing the design to make certain that all the issues are covered.

土豪我们做朋友吧 2024-08-12 13:35:41

SQL Server 2008 加密 API 已通过通用标准合规性认证:通用标准认证

SQL Server 2008 cryptographic API is certified for Common Criteria compliance: Common Criteria Certification.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文