Overview of the Most Commonly Used Database Standards
An Introduction to Database Standards
What standards must my database meet? Information security standards for databases can originate with the ISO, ANSI or state and federal laws.
Additional laws will apply if your database holds medical information, financial records or personally identifiable information. What are the most commonly used database standards?
Database Security Standards
ISO/IEC 17799, later incorporated into ISO 27002, outlines the practices for information security management.
ISO 17799 includes best practices such as access control, asset management of IT assets like computers and Blackberries, business continuity planning, information security incident management and physical security. Access control standards include minimum password length requirements, forcing users to change them periodically and policies to remove user accounts immediately after someone’s employment contract is terminated.
Physical security means that employees or security contractors monitor the premises for unauthorized individuals and escort them to a controlled area when they are encountered. Asset security involves the tracking of all IT assets and periodically auditing their locations to quickly identify when items are missing, lost or stolen. Information security incident management requires users to quickly report any suspected breach of IT security while they seek to minimize the damage, generally by disconnecting the system from the network.
All security incidents are promptly investigated and contained. With business continuity planning, businesses plan redundancies in their IT infrastructure like back up servers and ways for the entire work group to work offsite or in another, fallback location if the main work site is unusable.
ISO 17799 / ISO 27002 requires companies to perform a risk assessment to determine security risks and then implement proactive measures to protect their network, their databases and the information contained therein.
The ISO 27000 standard series affect IT security management. ISO 27001 is the standard for creating and maintaining an information security management system. An information security management system or ISMS allows third parties to audit and certify the information security level of an organization. ISO 27002 gives specific security techniques for managing IT security.
IT Standards Applicable to Databases
ISO 13335-1 gives the ISO standard for managing IT, communication and information security. ISO 13335-1 outlines several models for relating IT security to IT management but does not mandate which one must be used.
ISO 15443-1 gives the framework for ensuring IT security assurance. How will you verify a database's information security? How will you measure its performance against unauthorized access or attempts to modify data? When you have measured the security of the system, this
how to compare the current level of security assurance against the level ISO recommends that you have for that type of system.
ISO 18044 gives the recommended practices for handling information security incidents such as reports of unauthorized access to a database. ISO 18044 essentially describes the different classifications and expected responses to information security incidents that must be documented and handled according to ISO/IEC 17799.
ISO 18028 applies to network security. For users on a local area network, corporate intranet or accessing a database through the internet, this standard will apply to the network used to connect users to the database.
ISO 15408 gives the common criteria for IT security product evaluations. How secure is the server on which your data resides? How good is the firewall built into the ports and routers used to connect your database to the internet?
ISO 20000 is the ISO standard for IT service management. While ISO 20000 is a framework for IT help desks, this standard also describes how to set service level agreements and document procedures for tasks like restarting databases and handling database outage tickets.
ISO 38500 is the IT governance standard and was first published in 2008. This standard gives guidance on how companies can issue standards and frameworks across a whole organization, whether it is a decision to meet ISO/IEC 27001 IT security standards or Information Technology Infrastructure Library or ITIL.
Laws That Set Standards for Databases
Database security standards for systems in the United States are also set by laws like the Sarbanes-Oxley Act of 2002 and Health Insurance Portability and Accountability Act of 1996 or HIPAA. HIPAA applies to databases containing medical records. Sarbanes-Oxley applies to financial institutions. These financial records must be retained, even if they are digital, and made available for auditing when required.
The Children's Online Privacy Protection Act or COPPA requires additional security measures to be taken to protect the security of minors. This law limits the information that can be collected about children under the age of 13. This is one reason why children below this age are often barred from signing up on social networking sites, since these sites require personal contact information like phone numbers and addresses while recording the activities of members.
Databases containing membership information for websites and accounts may be required to limit content based on the age of the user or prevent those under the age of 18 from making purchases. The Federal Trade Commission has more information on how to comply with the Children's Online Privacy Protection Act.
Security breach notification laws have been passed in a number of states like California. These laws require companies to inform consumers when there has been a major security breach, such as when hackers gain access to customers' personally identifiable information that could be used for identity theft or credit card numbers. This is in addition to ISO 13569, an information security guidelines standard that applies to financial services.
Federal Information Security Management Act or FISMA outlines a framework for information security controls. However, Federal Information Security Management Act only applies to federal agencies. There are additional information security requirements set by a number of federal agencies, the National Institute of Standards and Technology or NIST being one of the most prominent. Companies that contract with the federal government will be bound by federal regulations and rules not discussed in this article.
When database standards such as those for IT security or data collection are violated, companies face fines or loss of government contracts.
ISO SQL Standards
ISO 9075-1 is the ISO SQL or standard query language standard. ISO 9075-1 is shared with the American National Standards Institute (ANSI) International. ANSI/ISO SQL1 is the standard that divided the SQL Data Manipulation Language and Data Definition Language into two separate software languages. ISO SQL standards require data definition statements to be executed by users or an SQL program like Oracle.
ISO 9075-2 describes the requirements for querying, accessing and protecting data.
ISO standards say that each catalog must have a unique name. When the user or a software program contacts the SQL environment, a default catalog must be identified and presented to the user.
These database SQL standards are periodically revised by the ISO Information Technology Subcommittee SC 32.
ISO SQL Standard Terminology
The SQL database structure is called the SQL-environment. The database access code is contained within the SQL environment. The standard requires that the environment be built from database management software that conforms to ISO standards but does not specific what software applications must be used. The SQL standards call unique users authorization-IDs. The data itself is contained within a schema in the catalog, while the catalog outlines the structure of the database.
ISO SQL Standards
The ISO standard SQL language is not Turin-complete. However, you can embed SQL statements in a language that is Turing complete or use database software that offers extensions that make it Turing complete.
ISO Std 9075-14 describes how SQL can be used with Extensible Markup Language or XML. ISO/IEC 9075-10 outlines the semantics and structures to be used when SQL is embedded in Java applications, such as when it is used on database connectivity programs and application programming interfaces.
Internal Database Standards
Database standards are not limited to industry standards and standards set by international standards organizations. Project managers and database administrators should define standards for their databases at the onset.
Database system standards define the hardware and software to be used to create the database. What hardware is permitted? What software should be installed? Then outline the process for recommending, testing and approving changes to the system configuration. Who can request an Oracle version upgrade? What is the process for testing and approving compatibility of a new server before it is put in place?
A standard decision making process for these hardware and software configuration changes should be set within a company even if it does not follow ISO standards for IT management. This is necessary if only to prevent untested software upgrades that corrupt a database or cause other problems for users.
Standards for Data Formatting
Data format standards describe the accepted format for data entered into the database. When entering shop floor control numbers, how many digits will be allowed in the manufacturing serial number? Will you allow shop floor control numbers to have letters in them?
Data format standards also cause problems even when all of the information is textual. How long is the name field? Will you allow dashes in someone's name, an increasingly common issue in an era of hyphenated names? I have personally seen problems with databases refused to accept someone's name because it had an apostrophe in it. La'Shawn was rejected as a name, while LaShawn was rejected during data verification because that did not match the name in the Human Resources database. Similar issues can occur with French names when they enter the accent mark. Very long Polish names caused problems when the database had a twenty character limit for the last name field, causing the name to be cut off and then fail to match with full user name in Directory Services SSO and LDAP. The opposite problem has occurred when someone with a single letter for a first name as occurs in some Asian cultures was rejected for being too short due to controls put in place to ensure that someone enters the entire first name instead of trying to limit it to the first initial.
Database standards must extend to any systems that interface with the database if you do not want to spend time correcting the information or its format. If your database will have strict limits on the data format, any web interfaces that send data to the database must adhere to the same data formats or convert data to an acceptable format. Incoming data needs to match the field length in your database; truncating digits off of incoming part numbers or serial numbers will result in incorrect data or falsely flagged duplicate serial numbers.
If you accept manual data entry, you will need to apply "masks" to limit the data to an acceptable format so that users do not add extra characters, spaces or illegal characters to free form fields. You may want to build in checks that review all data entered for uniqueness to prevent problems. For example, if one part has a serial number of 0010, you can design scripts that will also check this entry against the database for serial numbers like 10, 010, 000010 and 10a. This will improve your data quality and prevent redundant entries that end up referencing the same item.