I know you guys are probably pretty busy day to day and I've had countless times that I've been hung-up or laughed at.

My teacher has assigned me a project that is almost impossible to find out how to answer. Basically, I am supposed to get a DBA's time for a good 30 minutes?

To sum it up, if you help me out, I'll paypal you 5.00



Contact a large organization, such as a bank, an insurance company, or a hospital. Interview the database administrator about the database he or she maintains on customers (or patients). What are the measures that the DBA has taken to protect the privacy of the subjects whose records are kept in the databases? Consider accuracy, timeliness, and appropriate access to personal records. Write a 2- to 3-page report on your findings. If you found loopholes in the procedures, list them and explain why they are loopholes and how they can be remedied

So, as you see, this is actually pretty hard to do in the fact that its hard enough to contact a DBA at a company, and after that, being able to get one to sit there and speak with you.

My aim is finistheman and I'm honestly serious about this assignment.

Thanks for your time

I hope this isn't too crazy of a first post.

nope.. not too far out in left field for a first time post. i have seen some more bizare requests actually...

and i have seen other people with similar assignments from schools. is this a high school or college assignment ? i have young friends in high schools that their teachers assign projects and asked for all kinds of details about something, some of THOSE resquests are a bit over the edge... asking for proprietary information even... like the teachers are not taking into consideration that people are not even permitted to discuss some of it.... as you may have experienced, hang ups... and even laughter... here is why.

you should tell your teacher and include as part of your report, an overview of how rediculous the assignment is to begin with of trying to contact a DBA on the phone and ask them about the securtiy of their database and how it works (and you may include this post as a reference). first, if they get past the initial thought that you are some hacker digging for information, they are probably not permitted to tell you anyway as that is compromising security. its the equivelant of you calling up and asking "how do i get in ?"


as far as security and privacy... there are some things that are industry standards, depending on the industry. if your talking about medical records, then look into HIPPA compliance and regulations.

there is another item to look at which is "21 CFR Part 11" which deals with auditing and maintaing an audit trail of when a medical record is altered and who altered it. so if something changes, you know who, when and why. like if they were assigned to take asprin and all of a sudden their records show they are assigned to take Aleggra. big change... why ?

in medical research we also do what is know and blinding, double blind and triple blinding when dealing with a medical record of a patient that is participating in research project. for instance, a (CRO - clinical research organization) clinical trials project will be testing the effectiveness of a drug. we have to keep track of test results to make sure there are no side effects, bad interactions, or other anomolies like discovering the patient has developed a complication outside of the testing of the project that might alter, impact or skew the test resilts (like becoming pregnant). all of that has to be done without actually knowing WHO the patient is. that is a point of privacy. we the researchers are not permitted to know personal details about a patient, but instead report back to a doctor in charge of that patient... that "patient Z32-4er5" tests show that she has become pregnant since her last visit to the doctor and last time she participated in the tests. please run a normal pregnancy screening to confirm, and if she is pregnant then she is to be eliminated (dropped) from the test project.

(edited.. forgot to put in my qualifications)
i have 25 years in the IT industry. i have worked in the medical field as a programmer and database designer for more than 5 years. spent almost 4 years in clinical trials, and currently work for the VA/DoD as a systems engineer.
(on a seperate note/ plug - yes i take privacy seriously - that's why my clients know they can trust me for providing quality hosting services.)


anyway.... for now that is a bit of things to look into. when is this project due ?

hopefully some others will put in their 2 cents worth to help you out too.

As Kropes pointed out, the way that your assignment is constructed makes it practically impossible for you to complete it. Your teacher has asked you to go talk to a stranger about what is almost certainly the most sensitive subject in their business life. This is comparable to waking into a bank or a government office and asking them to discuss their security (NOTE: do NOT even consider doing that!). My guess is that you'd have a much better chance of getting your teacher to give you a copy of their tax return, and a detailed discussion of their recent sex life... At least those topics shouldn't offer any direct threat to their employement!

In order to get permission to participate in public forums like this, I had to make some concessions regarding work. One thing that I am NOT allowed to do is discuss where I work... Not the company, not the clients, nothing at all. I have to report all of the forums/mailing lists/newsgroups that I post to (just the first time I post, and on demand for review).

Even when auditors come into my "home" location (which is pretty much the corporate nerve center), I'm not allowed to even talk to them about security until I'm introduced by someone I recognize that has that authority in our security department.

While I'd like to help, I can't. I'd love to see your assignment though if you could scan it and post it here! Some of our security folks would get a real kick out of seeing it (although they'll have a fit that I even responded).

I've been programming professionally since 1977, a programming team lead since 1980, and a DBA since 1993. I've got piles of credentials and certifications of various forms, administer multiple secure (C2 or better) servers, and am probably one of the most "security paranoid" people that I know. That's probably the most personal information I can give you without getting myself into trouble, but it should convince your teacher that I have some basis for offering my comments.

-PatP

one of my techniques for getting A's on papers in college (I was poly sci and not comp sci major) was to turn the assignment or question on it's ear. These guys have given you a good start on how to do that. I would take this assignment and the answers you have gotten so far and write a paper about how the pros said this assignment makes no sense. include a link to this thread.

HIPPA. Yep. We build software for that here.

Or better yet... write how completing the assignment and being completely thorough could actually end you and your teacher up in jail on federal charges of conspiracy.

yea... just for giggles... do exactly that.
walk into a bank and tell the manager that you need to talk to them about their system security and that you intend to publish a paper on loopholes in their procedures and then hand that paper over to a 3rd party that requested the information. tell them that you have been gathering information for weeks and you just need a final 30 minutes to discuss in person the final sections of "What the measures are that the DBA has taken to protect the Data"

i bet that :
1) the manager will tell you "please hold on a minute"
2) the manager WILL pick up the phone and make a call.
3) the manger will say something strange like "Did Nancy get my suit from the cleaners ?"
4) later that evening while sitting at the FBI's office behind a one way mirror you will be discussing your relationship with your teacher and if this is the first time he/she has asked for secured or sensitive information.


it amazes me that people can actually assign something like this without some type of sanity check being done on it before it is approved.

I KNEW that bank manager had something up his sleeve. Nancy wasn't even scheduled to work that day!

But seriously, have a look at this:
http://www.computerworld.com/securit...109067,00.html

[homer]

mmmmmmm...sex life....

[/homer]

I'll echo what most everyone else has said. About the only thing I can tell you is that I'm a senior systems analyst/programmer (database jockey) for a defense contractor. The FBI and the representatives from the Department of Alcohol, Tobacco and Firearms make regular visits. There is absolutely no way in the world that I could possibly talk about any of the specific security measures that we have in place. And, even though I COULD discuss generally accepted industry practices, that, in and of itself itself, could (and probably would) raise flags.

The first rule of Database Security is - you do not talk about Database Security.
The second rule of Database Security is - you DO NOT talk about Database Security.
Third rule of Database Security, someone yells Stop!, goes limp, taps out, the fight is over....

I agree that it will be difficult/impossible to get any of us to discuss details about our organizations.

However, I'm sure we wouldn't mind talking in generalities. For example, if you were to propose (for example) setting up a database for the Acme Widget Corporation, and that database needed to encompass accounting, manufacturing and personnel, I imagine that we would certainly offer suggestions on security on that database.

For example, if I had to set that up, assuming that I have done my preliminary design work and I know what needs to be tracked and how, right off the top of my head, I would:

1. Establish a login for the database seperate from the system login, and not allow the users to use the same password for both.
2. Assign levels of access to users depending on their jobs, then design the database to allow access to certain things based on that level.
3. Make sure that my database is being backed up on schedule: full backup no less than once a week, incremental backup no less than once a day, translog backup no less than every three hours. All dependant on how critical and volitile the data is, of course.
4. Train the users thoroughly. There is a strong argument to be made that this is one of the most sensitive and critical items in any DBA's job, and it doesn't get done anywhere near enough.

There's a start.

Uhmm...since the original post is more than a month old, I'd assume that he is past this assignment now, one war or another...

i never knew the first two rules of database security. those rules seem to be based on the "security by obscurity" principle.