41 lines
2.6 KiB
Markdown
41 lines
2.6 KiB
Markdown
# Compliance Mapping
|
|
|
|
Use this language to map technical controls to audit objectives. Do not claim that a product alone makes an environment compliant.
|
|
|
|
## GDPR and LGPD
|
|
|
|
- Data minimization: Data Masking and Subsetting reduces personal data exposure in non-production and analytics environments.
|
|
- Security of processing: TDE, OKV, Database Vault, AVDF, Data Safe, and least privilege support confidentiality, integrity, monitoring, and accountability.
|
|
- Access governance: Database Vault separation of duties, user assessment, privilege review, and audit evidence support accountability.
|
|
- Breach investigation: AVDF/Data Safe audit trails, alerting, and SQL activity records support forensic review.
|
|
|
|
## PCI-DSS
|
|
|
|
- Protect stored cardholder data: TDE plus strong key management with OKV supports encryption at rest and key lifecycle requirements.
|
|
- Restrict access by need to know: Database Vault, least privilege, and optional Label Security or VPD patterns support access restriction.
|
|
- Track and monitor access: Unified Audit, AVDF, Data Safe auditing, Database Firewall, reports, and SIEM forwarding support monitoring requirements.
|
|
- Test security systems: PoC acceptance tests, firewall policy validation, key rotation tests, and audit report review provide evidence.
|
|
|
|
## HIPAA
|
|
|
|
- Access control: least privilege, Database Vault, and user assessment support access control safeguards.
|
|
- Audit controls: AVDF, Data Safe activity auditing, and unified audit policies support auditability.
|
|
- Integrity and transmission controls: pair database controls with application, network, and platform controls; database security does not replace TLS or application safeguards.
|
|
- Encryption: TDE and OKV support addressable encryption safeguards for data at rest.
|
|
|
|
## SOX
|
|
|
|
- Change and privileged access controls: Database Vault command rules, realms, AVDF monitoring, and audit reports support segregation of duties and privileged activity oversight.
|
|
- Evidence: scheduled reports, immutable audit storage practices, SIEM forwarding, and documented review workflows support control attestation.
|
|
- Data integrity: use database auditing, access controls, and controlled administrative procedures around financial reporting systems.
|
|
|
|
## Evidence Artifacts
|
|
|
|
- Architecture diagram with control ownership.
|
|
- List of protected schemas/tables/columns and data classification.
|
|
- TDE wallet or OKV key management policy.
|
|
- Database Vault realm, rule set, command rule, and factor inventory.
|
|
- Audit policies, retention settings, reports, and sample alerts.
|
|
- Masking definitions, subsetting criteria, and refresh procedure.
|
|
- Exceptions, residual risks, and compensating controls.
|