Tutorial: Generating PCI, SOX, and HIPAA compliance reports
You can configure FortiDB to monitor a database and generate alerts based on the following regulatory compliance standards:
Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS)
Health Insurance Portability & Accountability Act (HIPAA)
This example configures a Microsoft SQL Server database. Before you start the tutorial, ensure that the database has the required configuration. For more information, see “Microsoft SQL Server target database pre-configuration”.
Create a target
A target specifies a database for FortiDB to monitor.
1. Log in to FortiDB. The factory default credentials are:
User Name: admin
Password: fortidb1!$
Because these defaults are published and widely known, change the admin password after your first login and before FortiDB monitors any production database.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is a Microsoft SQL Server database:
Name: dam_pci_sox
Type: Microsoft SQL Server
DB Host Name/IP: the IP address or host name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: the port the database listens on; the default port is 1433
Connect At: Server Level (default)
DB Name: the name of the database. Because this target connects at the server level, the database name is master and cannot be changed.
User Name: the database user name
Password: the password for the database user
DB Activity Monitoring: select Allow
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The dam_pci_sox item is displayed in the list of targets.
Add the PCI, SOX, and HIPAA policy groups to the target
1. In the navigation menu, click DB Activity Monitoring > Monitoring Management.
2. Click dam_pci_sox (the name of the target you created).
3. On the General tab, confirm the following Audit Configuration values. Collection Method and Polling Frequency are defaults; the trace folder you must enter yourself:
Collection Method: SQL Trace
Trace Folder: the full path of an existing trace folder (for example, C:\SQLTrace). The folder must exist before you test the collection method.
Polling Frequency: 60 (default)
4. To test the collection method, click Test.
The message "Success" is displayed at the top of the page.
5. Click the Alert Policy Groups tab.
6. Select PCI Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
7. Select Sox Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
8. Select HIPAA Policies and click >> (right arrows) to move the item to the Selected Policy Groups list.
9. Click Save.
Start monitoring
To start monitoring the database, click the General tab, and then click Start Monitoring.
Monitor Status displays Starting and then Running.
Configure and export PCI and SOX reports
1. Using a database client, execute several SQL statements that generate audit data.
For example, to generate data that is captured in a History of Privilege Changes report, execute SQL statements that change privileges (GRANT, REVOKE, or DENY).
2. To create a PCI compliance report, click Report > PCI Reports.
3. For this example, select PCI - Successful/Unsuccessful Database Logins.
4. On the Generate Audit PCI Report page, configure the report using the following values:
Export as: PDF (default)
W/P Reference: the work paper reference value, if required. This value is a tracking mechanism customers can use to identify and place controls around reports.
Date Range: the start and end dates for the report (click the calendar icons to select dates with the date picker)
5. Confirm that the target database is displayed in the Targets list.
If no audit data has been collected for a target, that target's name does not appear in the list.
6. In the bottom-right corner of the page, select Export.
Your browser downloads the report file.
7. Repeat the compliance report steps to generate the following report types:
Sox Report: History of Privilege Changes
HIPAA Report: Privilege Changes
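The following T-SQL script is an added example, not part of the FortiDB documentation or product, of the kind of activity step 1 asks you to generate. It creates a throwaway login, database, user, and table (all names are constructed for this example), then issues a series of GRANT, REVOKE, DENY, and role membership changes so that the SOX History of Privilege Changes and HIPAA Privilege Changes reports have events to show, and finally removes everything it created. Run it as a sysadmin against the monitored instance while Monitor Status is Running; the ALTER SERVER ROLE statements require that privilege.

```sql
-- Added example (not FortiDB documentation code): generate privilege-change
-- events on a monitored Microsoft SQL Server instance.
-- All object names below are constructed for this example.
USE master;
GO

-- Throwaway login to grant and revoke rights on. The password is a
-- placeholder; CHECK_POLICY = ON keeps it subject to the Windows policy.
CREATE LOGIN audit_demo_login
    WITH PASSWORD = 'Ch4ngeMe!Demo#2024', CHECK_POLICY = ON;
GO

CREATE DATABASE audit_demo_db;
GO
USE audit_demo_db;
GO

-- Database user mapped to the login, plus a table to hold the grants.
CREATE USER audit_demo_user FOR LOGIN audit_demo_login;
CREATE TABLE dbo.cardholder_data (
    id        INT     NOT NULL PRIMARY KEY,
    pan_last4 CHAR(4) NOT NULL
);
GO

-- Object-level privilege changes: each statement is a separate event.
GRANT  SELECT         ON dbo.cardholder_data TO   audit_demo_user;
GRANT  INSERT, UPDATE ON dbo.cardholder_data TO   audit_demo_user;
DENY   DELETE         ON dbo.cardholder_data TO   audit_demo_user;
REVOKE INSERT         ON dbo.cardholder_data FROM audit_demo_user;
GO

-- Database role membership changes.
ALTER ROLE db_datareader ADD  MEMBER audit_demo_user;
ALTER ROLE db_datareader DROP MEMBER audit_demo_user;
GO

-- Server role membership changes. Adding a login to sysadmin is the kind
-- of change a compliance reviewer most wants to see in the report.
USE master;
GO
ALTER SERVER ROLE sysadmin ADD  MEMBER audit_demo_login;
ALTER SERVER ROLE sysadmin DROP MEMBER audit_demo_login;
GO

-- Cleanup: drop the demo database first, then the login.
DROP DATABASE audit_demo_db;
DROP LOGIN audit_demo_login;
GO
```

To also populate the PCI Successful/Unsuccessful Database Logins report, connect once with the correct password and once with a wrong one before the cleanup section runs, for example with sqlcmd: sqlcmd -S <host> -U audit_demo_login -P WrongPassword -Q "SELECT 1". The failed attempt is recorded as an unsuccessful login, the correct one as a successful login. Because every statement in the script is itself audited, the report will also show the account you ran it from, so use a named administrative account rather than a shared one.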
See also
Connecting to target databases
PCI, SOX, and HIPAA alert policies
PCI, SOX, and HIPAA reports