While not related directly to SQL, security standards define the infrastructure within which it is employed, and are therefore of interest to SQL users. Usually, RDBMS software complies with these standards to a certain degree — either voluntarily, or under pressure from the government agencies that mandate requirements for the software's acceptance.
The first nationwide attempt to standardize security procedures for computer systems was undertaken in 1985 by the U.S. National Computer Security Center (NCSC). To be considered for a government contract, the vendors had to achieve a certain level of security for their products through proctored testing. Dozens of vendors went through years (the process has taken three years, on average) of testing procedures just to be able to sell their products to government agencies. The vendors, like Sun, Oracle, and Novell, received their certifications (either C1 or B2) in early 1990s, following a directive that all computer systems storing sensitive information must be C2 certified.
BS7799 and its international equivalent ISO 17799 are the most widely recognized security standards in the world. Their closest equivalent in the United States is the level B1 security.
ISO 17799 provides a detailed roadmap in several areas, and every company that seeks this standard's endorsement for its product must address all of these areas:
Business Continuity Planning. Mandates procedures for continuing business activities in spite major failures or disasters.
System Access Control. Focuses on controlling access to information, ensures protection of the networked services, detects and counteracts unauthorized activity, ensures information security for distributed mobile applications.
System Development and Maintenance. Mandates that security be built-in (as opposed to external); deals with data loss prevention and data misuse, as well as with confidentiality, authenticity, and integrity of information
Physical and Environmental Security. Deals with preventing unauthorized access, damage, and interference to top business premises and information, preventing loss, compromise, or theft of information and information processing facilities.
Compliance. Avoids breaches of any criminal or civil law, statutory, regulatory, or contractual obligations; ensures compliance of every system in the organization with established organizational security policies and standards; minimizes interference of the audit process with business practices.
Personnel Security. Reduces risks resulting from human error, theft, fraud, or misuse of facilities, minimizing damage in case such incidents occur; educates users about proper policy procedures.
Security Organization. Manages information security within an organization; maintains security for the organization's facilities accessed by third parties, for example, when the responsibility for information protection has been outsourced to a third party.
Computer and Operation Management. Deals with facility's operational policies, ensures safety of information in the networks and the supporting infrastructure, prevents loss, misuse, or unauthorized modification of data exchanged between organizations.
Assets Classification and Control. Maintains protection of the corporate assets.
Policy. Establishes and manages a viable security policy within an organization.
In spite of the detailed standards, the actual implementations of them might widely differ across the board. One reason for the differences is that there are so many standards; and, since the certification process can be very expensive, it is not a viable option for many businesses. Most banks in the United States, for example, do not use ISO standards, relying instead on SAS 70 auditing standards, while other companies prefer using use ISO 9000/2000 standards.
More information on information systems security can be accessed on one of these sites: www.infosyssec.com, www.firstgov.gov, www.sas70.com, and http://csrc.nist.gov/.
There are also emerging standards like the Common Criteria (CC) program. This program was started in 1996, initially by the United Kingdom, Germany, France, and the Netherlands with strong support from the National Information Assurance Partnership (NIAP). Since then 11 more countries have joined the program: Australia, New Zealand, Canada, Finland, Greece, Israel, Italy, Norway, Spain, and Sweden.
The National Security Agency (NSA) instituted — beginning July 2002 — that all new national security systems (and that includes RDBMS software) must pass a rigorous test as mandated in CC; there are also indications that this might spread to every government organization.
Usually database vendors are certified on a C2 level. As for the Common Criteria program, only Oracle has certified its products at the EAL4 CC certification level. The Microsoft SQL Server 2000 received the C2 Level of security certification from NSA, and IBM DB2 UDB has yet to be certified.