× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



All true and that is how we are setup but security today needs to be multi-layered and not rely on any one method. This would just be another method to monitor that the other one is working. We do lock down ODBC and JDBC and only allow access when needed but what if that userid/password get compromised and someone make their own connection or if one the allobj IT employees is the one poking around where they don't belong. And even with all of the standard security features in place how do you prove to a 3rd party that no one did read the data?

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DeLong, Eric
Sent: Thursday, August 21, 2008 10:26 AM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access

Mike,

Why would your users be allowed to access data thorough any means other than your applications? For something like this, just secure the he!! out of the database, so that the default rule for access is "DENIED"! Adopt authority in your apps to get access to the data. If the users absolutely *HAVE* to download a file from the production database, then use an exit point security product to "ALLOW" this user to acquire the authority needed to access the file.

Now that your database is secure (from everyone EXCEPT *ALLOBJ users) you have a much better chance of proving your access audit data, without needing the read-trigger overhead.

JMO,
Eric DeLong

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Mike Cunningham
Sent: Wednesday, August 20, 2008 9:01 PM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access


True on HIPPA rules but the only way to do that would be at an application level and if someone were to access all the same records using DFU and construct up the patients record with cut and paste operations you would not get that access recorded.

Since we are not covered by HIPPA I was actually thinking of enhancing the protection of some data elements like SSN and credit card numbers which I encrypt but would still like to be able to tell who read any file that has any of this type of data. I was thinking of moving this data to a file with only this data and journaling everything that accesses it so even if someone were to gain access (odbc, jdbc, dfu, etc, etc, etc) I know the db is recording everything. A trigger might work fine for this since the file is not accessed often and the overhead of the trigger processing would not be that great. I could also do some scans against the journals looking for activity I do not expect (ignore anything logged from one of our applications that are allowed to use the data) and send myself an alert

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich
Sent: Wednesday, August 20, 2008 6:32 PM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access

We are not covered by HIPPA regulations but if we were would
be adding this to our own applications be the only way to
record record level access?

There are also read-triggers. Just like other update triggers, these are
database-level things that you can't get around. However, they're a
performance PIG!

Also, there's nothing in the HIPPA regs that require you to record read
access to every single record. You need to record access to
medical-records, not database-records. For example, if reviewing a
single "medical-record" results in 1 read to the patient table, 2 reads
to the address table (home/office), 5 reads to the phone table
(office/cell/home/emergency/other), 22 reads to the procedure table, 19
reads to the sub-procedure table, and 211 reads to the charges table,
you only have to record 1 access, not 261.

-Walden

--
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.