Tutorial: Generating PCI, SOX, and HIPAA compliance reports
You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:
- Sarbanes-Oxley Act (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability & Accountability Act (HIPAA)
This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see Microsoft SQL Server target database pre-configuration.
Create a target
A target specifies a database for FortiDB to monitor.
- Log in to FortiDB using the following credentials (the default values):
User Name | admin |
Password | fortidb1!$ |
- In the navigation menu, go to Target Database Server > Targets.
- On the Targets page, click Add.
- On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:
Name | dam_pci_sox |
Type | Microsoft SQL Server |
DB Host Name/IP | The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112) |
Port | The number of the port the database uses; the default port is 1433 |
Connect At | Server Level (default) |
DB Name | The name of the database. Because this target connects at the server level, the database name is master and you cannot change it. |
User Name | The database user name |
Password | The password for the database user |
DB Activity Monitoring | Select Allow. |
- To verify that the connection parameters are correct, click Test Connection.
- Click Save.
The message "Success" is displayed at the top of the page.
The dam_pci_sox item is displayed in the list of targets.
Add the PCI, SOX, and HIPAA policy groups to the target
- In the navigation menu, click DB Activity Monitoring > Monitoring Management.
- Click dam_pci_sox (the name of the target you created).
- On the General tab, confirm that the following default Audit Configuration values are selected:
Collection Method | SQL Trace |
Trace Folder | Enter the full path of the existing trace folder (for example, C:\SQLTrace) |
Polling Frequency | 60 (default) |
- To test the collection method, click Test.
- Click the Alert Policy Groups tab.
- Select PCI Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
- Select Sox Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
- Select HIPAA Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
- Click Save.
The message "Success" is displayed at the top of the page.
Start monitoring
To start monitoring the database, click the General tab, and then click Start Monitoring.
Monitor Status displays Starting and then Running.
Configure and export PCI and SOX reports
- Using a database client-side application, execute several SQL statements that generate data.
- To create a PCI compliance report, click Report > PCI Reports.
- For this example, select PCI - Successful/Unsuccessful Database Logins.
- On the Generate Audit PCI Report page, configure the report using the following values:
Export as | PDF (default) |
W/P Reference | Enter the work paper reference value, if required. This value is a tracking mechanism customers can use to identify and place controls around reports. |
Date Range | Enter start and end dates for the report (click the calendar icons to select dates using the date picking tool) |
- Confirm that the target database is displayed in the Targets list. If there is no data, the database name does not appear in the box.
- In the bottom-right corner of the page, select Export. Your browser downloads the report file.
- Repeat the compliance report steps to generate the following report types:
Sox Report: History of Privilege Changes
HIPAA Report: Privilege Changes
For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges.
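The following T-SQL is an added example, not part of the FortiDB documentation: run from a client tool against the monitored test instance, it first checks that a SQL Trace is active and then performs the object-, database-, and server-scope privilege changes that the Sox History of Privilege Changes and HIPAA Privilege Changes reports collect. The database name, login name, and password are constructed for this example.

```sql
-- Added example, not from the FortiDB documentation. Run against the monitored
-- test instance to produce privilege-change events for the SOX and HIPAA reports.
-- fdb_dam_test, fdb_test_user and the password are constructed values.

-- Check that a SQL Trace (the collection method configured above) is active
-- before generating events; status 1 means the trace is running.
SELECT id, path, status, start_time FROM sys.traces;
GO

-- Test database and login used only for this exercise.
USE master;
GO
CREATE DATABASE fdb_dam_test;
GO
CREATE LOGIN fdb_test_user WITH PASSWORD = 'Placeholder#Pass1', CHECK_POLICY = ON;
GO
-- Server-scope permission change (must be issued from master).
GRANT VIEW SERVER STATE TO fdb_test_user;
GO

USE fdb_dam_test;
GO
CREATE USER fdb_test_user FOR LOGIN fdb_test_user;
CREATE TABLE dbo.cardholder_probe (id INT PRIMARY KEY, pan_last4 CHAR(4));
GO
-- Object- and database-scope permission changes; each statement is one event
-- for the privilege-change reports.
GRANT SELECT ON dbo.cardholder_probe TO fdb_test_user;
DENY UPDATE ON dbo.cardholder_probe TO fdb_test_user;
EXEC sp_addrolemember 'db_datareader', 'fdb_test_user';  -- older form of ALTER ROLE ... ADD MEMBER
GO
REVOKE SELECT ON dbo.cardholder_probe FROM fdb_test_user;
EXEC sp_droprolemember 'db_datareader', 'fdb_test_user';
GO

-- Revoke the server-scope permission and remove the test objects
-- (dropping the login is itself a privilege-change event).
USE master;
GO
REVOKE VIEW SERVER STATE FROM fdb_test_user;
DROP DATABASE fdb_dam_test;
DROP LOGIN fdb_test_user;
GO
```

To populate the PCI Successful/Unsuccessful Database Logins report as well, connect from the client tool as fdb_test_user once with the correct password and once with a wrong one before the login is dropped; the rejected attempt is what the unsuccessful-login part of that report records.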