RE: SQL data integrity

2010-04-26 Thread Justin Scott

 My first recommendation would be to log all database
 changes to a WORM drive:

Thanks Dave and everyone else who responded to my question.  It's given me
some places to look for more information.


-Justin Scott



~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333131
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: SQL data integrity

2010-04-23 Thread Dave Watts

 Hi all, not a CF-specific question but I'm hoping someone can point me in
 the right direction.  We're building an application where some information
 stored in our database could potentially be subpoenaed to court as evidence.
 One of the issues brought up by the attorneys is the integrity of the data
 stored in the database and how it could be proven in court that the data has
 not been altered since it was entered into the database.  Any ideas on where
 to start looking for a solution to that?  The front-end is ColdFusion with a
 MS-SQL back-end.  This is a new area for me, so it's interesting, but I
 don't have any points of reference to work from either.  Any insight is
 appreciated.  Thanks!

My first recommendation would be to log all database changes to a WORM drive:
http://en.wikipedia.org/wiki/Write_Once_Read_Many

That's pretty much an ironclad solution, from an e-discovery
perspective. But it may be fairly expensive to implement.

My second recommendation would be to ask your company's counsel to
determine your due diligence requirements, and implement whatever they
recommend. Then, of course, once this has been implemented, get a
piece of paper saying so, with their signoff. Oddly, it's not so much
the technical aspects of this that seem to matter as it is the fact
that other people have reviewed it and are satisfied with the
implementation.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333104


Re: SQL data integrity

2010-04-23 Thread Dave Watts

 There must be some sort of technical standards that are used commonly in law
 to prove the validity of data.

One would think so. But in my own experience as an expert witness,
this has come up several times as an issue in my cases, and
surprisingly this hasn't been as clear-cut an issue as I'd have
expected. While I'm an expert on a fairly narrow set of specific
technical issues, I'm a layman when it comes to evidentiary procedure,
and I'm certainly not a lawyer. And, basically, the way this has
worked out on several cases is that each side has made conflicting
claims about the specific evidentiary value of some asset, a codebase
for example, and the judge simply sorts it out (or, more often, the
case goes to settlement without it even getting that far). It's very
rare that there's actual proof that the facts are as stated.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333105


Re: SQL data integrity

2010-04-23 Thread Won Lee

This is what I follow to ensure my data is clean.

http://en.wikipedia.org/wiki/Title_21_CFR_Part_11


~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333108


Re: SQL data integrity

2010-04-22 Thread Won Lee

Look up validation process.


On Thu, Apr 22, 2010 at 3:30 PM, Justin Scott
jscott-li...@gravityfree.com wrote:


 Hi all, not a CF-specific question but I'm hoping someone can point me in
 the right direction.  We're building an application where some information
 stored in our database could potentially be subpoenaed to court as evidence.
 One of the issues brought up by the attorneys is the integrity of the data
 stored in the database and how it could be proven in court that the data has
 not been altered since it was entered into the database.  Any ideas on where
 to start looking for a solution to that?  The front-end is ColdFusion with a
 MS-SQL back-end.  This is a new area for me, so it's interesting, but I
 don't have any points of reference to work from either.  Any insight is
 appreciated.  Thanks!


 -Justin



 

~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333094


RE: SQL data integrity

2010-04-22 Thread Paul Alkema

I'm no attorney or law professor but I would look into being PCI compliant.
I don't know if this is exactly what you need, but it definitely couldn't
hurt and it is a very high level of security. Keep in mind though, that it's
not easy. Good luck.

Regards,
Paul Alkema
http://paulalkema.com



-Original Message-
From: Justin Scott [mailto:jscott-li...@gravityfree.com] 
Sent: Thursday, April 22, 2010 3:31 PM
To: cf-talk
Subject: SQL data integrity


Hi all, not a CF-specific question but I'm hoping someone can point me in
the right direction.  We're building an application where some information
stored in our database could potentially be subpoenaed to court as evidence.
One of the issues brought up by the attorneys is the integrity of the data
stored in the database and how it could be proven in court that the data has
not been altered since it was entered into the database.  Any ideas on where
to start looking for a solution to that?  The front-end is ColdFusion with a
MS-SQL back-end.  This is a new area for me, so it's interesting, but I
don't have any points of reference to work from either.  Any insight is
appreciated.  Thanks!


-Justin





~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333095


Re: SQL data integrity

2010-04-22 Thread Alan Rother

Your MS SQL Transaction logs COULD be used... But again, this becomes more
of a legal issue than a technical one... We all know given time, we could
manipulate log files...

There must be some sort of technical standards that are used commonly in law
to prove the validity of data.

You may need to seek out legal counsel that specializes in tech law.

=]

On Thu, Apr 22, 2010 at 2:11 PM, Paul Alkema paulalkemadesi...@gmail.com wrote:


 I'm no attorney or law professor but I would look into being PCI compliant.
 I don't know if this is exactly what you need, but it definitely couldn't
 hurt and it is a very high level of security. Keep in mind though, that it's
 not easy. Good luck.

 Regards,
 Paul Alkema
 http://paulalkema.com



 -Original Message-
 From: Justin Scott [mailto:jscott-li...@gravityfree.com]
 Sent: Thursday, April 22, 2010 3:31 PM
 To: cf-talk
 Subject: SQL data integrity


 Hi all, not a CF-specific question but I'm hoping someone can point me in
 the right direction.  We're building an application where some information
 stored in our database could potentially be subpoenaed to court as evidence.
 One of the issues brought up by the attorneys is the integrity of the data
 stored in the database and how it could be proven in court that the data has
 not been altered since it was entered into the database.  Any ideas on where
 to start looking for a solution to that?  The front-end is ColdFusion with a
 MS-SQL back-end.  This is a new area for me, so it's interesting, but I
 don't have any points of reference to work from either.  Any insight is
 appreciated.  Thanks!


 -Justin





 

~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333096


RE: SQL data integrity

2010-04-22 Thread Justin Scott

 I'm no attorney or law professor but I would look
 into being PCI compliant.  I don't know if this is
 exactly what you need, but it definitely couldn't
 hurt and it is a very high level of security.

Hi Paul, we're pretty familiar with the PCI requirements (we work with a lot
of e-commerce clients).  Unfortunately PCI is more about the security of the
network and the source code, but on this project we're looking at being able
to verify that data hasn't been altered since it was entered into the
database.  For example, someone puts in a message on January 1, 2011 and in
2015 the message gets subpoenaed to court.  An attorney could argue that the
contents of that message could have been altered and is therefore
inadmissible as evidence, so we'd need a way to show definitively that the
record is accurate and has not been changed (and to be able to detect if it
had been changed).  Not the usual web development fare, unfortunately.


-Justin



~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333097


Re: SQL data integrity

2010-04-22 Thread Brad Wood

Firstly I have absolutely no experience here and you should probably consult 
with an attorney with experience in this kind of thing.

My best idea would be to institute a process to automatically ship all your 
nightly backups and/or transaction logs to a third party to hold on to.  If 
your data was ever brought into question that third party could 
independently verify that the data really was there on that date.

That would be a heck of a lot of data-  but I guess you have to ask yourself 
how much you are willing to pay for this kind of thing.

~Brad 


~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333098
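Justin's requirement (show that a record is unchanged since it was entered, and detect it if it was) and Brad's idea of giving a third party something it can verify later can be met without shipping full backups: have the engine compute a digest of each row from its content, and escrow only the digests. The following is an added example, not code from anyone in the thread. It assumes SQL Server 2008 or later, a hypothetical dbo.Message table, and a hypothetical #Escrow table standing in for the copy held off-site or by the third party.

```sql
-- Added example (not from the thread). Assumes SQL Server 2008 or later;
-- dbo.Message and #Escrow are hypothetical names.
CREATE TABLE dbo.Message (
    MessageId int IDENTITY(1,1) PRIMARY KEY,
    EnteredAt datetime2(0) NOT NULL
        CONSTRAINT DF_Message_EnteredAt DEFAULT SYSUTCDATETIME(),
    EnteredBy sysname NOT NULL
        CONSTRAINT DF_Message_EnteredBy DEFAULT ORIGINAL_LOGIN(),
    -- Capped at 3000 chars so the hashed string stays under the 8000-byte
    -- input limit of HASHBYTES (lifted in SQL Server 2016).
    Body nvarchar(3000) NOT NULL,
    -- Digest over who/when/what. Computed by the engine on every read and
    -- deliberately NOT persisted: if anyone edits the row, the digest changes
    -- with it. SHA1 was the strongest algorithm HASHBYTES offered in 2010;
    -- use SHA2_256 on SQL Server 2012 or later.
    Digest AS HASHBYTES('SHA1',
        CONVERT(nvarchar(19), EnteredAt, 126) + N'|' + EnteredBy + N'|' + Body)
);
GO

-- Constructed sample data, echoing the "message entered on January 1, 2011"
-- scenario from the thread.
INSERT INTO dbo.Message (EnteredAt, EnteredBy, Body) VALUES
    ('2011-01-01T09:15:00', N'jscott', N'Shipment confirmed, 40 units.'),
    ('2011-01-01T09:20:00', N'jscott', N'Correction: 45 units.');
GO

-- Nightly escrow job: export this result set (20 bytes per row, not a full
-- backup) to the third party or to a WORM volume. #Escrow stands in for
-- that external copy here.
CREATE TABLE #Escrow (MessageId int PRIMARY KEY, Digest varbinary(20) NOT NULL);
INSERT INTO #Escrow (MessageId, Digest)
SELECT MessageId, Digest FROM dbo.Message;
GO

-- What the attorneys are worried about: someone with write access later
-- edits a record in place.
UPDATE dbo.Message SET Body = N'Correction: 145 units.' WHERE MessageId = 2;
GO

-- Verification, run against the live table or a backup restored from any
-- later date: every row whose current digest differs from the escrowed one,
-- and every escrowed row that is no longer there.
SELECT e.MessageId,
       CASE WHEN m.MessageId IS NULL THEN 'MISSING' ELSE 'ALTERED' END AS Finding
FROM #Escrow e
LEFT JOIN dbo.Message m ON m.MessageId = e.MessageId
WHERE m.MessageId IS NULL OR m.Digest <> e.Digest;
GO
```

The escrowed copy is what carries the evidentiary weight: a digest kept only inside the same database proves nothing, because whoever can alter the row can alter the digest. The final query reports the row edited just above as ALTERED and would report any deleted row as MISSING. Two caveats: an edit made before the nightly escrow run is not covered, so escrow as close to entry time as the process allows; and the comparison only tells you that a row changed, not what it used to say, so keep the escrowed digests alongside the backups Brad describes rather than instead of them.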


Re: SQL data integrity

2010-04-22 Thread Judah McAuley

First off, definitely talk to a lawyer with expertise in that area.

That being said, here are some things that I know can help you out:

1. If the data should not be updated, don't let the user account that
connects to the database have access to the UPDATE or DELETE verbs.
Then you don't have to worry so much about someone accidentally
putting in code that would update or delete data.

2. Do daily offsite backups to a secure location. When I'm dealing
with electronic signatures, one of the concepts that is important to
keep in mind is the chain of custody. Once a person has done
something, who has access to it up until the point that a reviewer looks
at it? If you back it up and put it in a place that people don't
generally have access to, you can show that multiple generations of
the data (multiple backups) all have the same information, unchanged.

3. SQL Server has audit abilities. I haven't gotten deeply into them
and if it is something you really want to nail down, I'd get a db
security consultant that has experience with sql server audit logging,
but here is a decent place to start:
http://msdn.microsoft.com/en-us/library/cc280386.aspx

Hope that helps,
Judah

On Thu, Apr 22, 2010 at 12:30 PM, Justin Scott
jscott-li...@gravityfree.com wrote:

 Hi all, not a CF-specific question but I'm hoping someone can point me in
 the right direction.  We're building an application where some information
 stored in our database could potentially be subpoenaed to court as evidence.
 One of the issues brought up by the attorneys is the integrity of the data
 stored in the database and how it could be proven in court that the data has
 not been altered since it was entered into the database.  Any ideas on where
 to start looking for a solution to that?  The front-end is ColdFusion with a
 MS-SQL back-end.  This is a new area for me, so it's interesting, but I
 don't have any points of reference to work from either.  Any insight is
 appreciated.  Thanks!


 -Justin



 

~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333099
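Judah's points 1 and 3, as an added example that is not code from anyone in the thread: a datasource login for the ColdFusion application that can only append to and read the evidence table, and a SQL Server Audit that records any attempt to update or delete from it. It assumes SQL Server 2008 or later (SQL Server Audit was an Enterprise-edition feature in 2008) and hypothetical names throughout: database EvidenceDB, table dbo.Message, login cf_app, audit EvidenceAudit, and the audit file path E:\audit\.

```sql
-- Added example (not from the thread). Assumes SQL Server 2008 or later;
-- EvidenceDB, dbo.Message, cf_app, EvidenceAudit and E:\audit\ are
-- hypothetical names.

-- 1. The datasource the ColdFusion application connects with can only
--    append and read. No UPDATE, DELETE or ALTER, so neither a coding
--    mistake nor a compromised application server can rewrite history.
USE master;
GO
CREATE LOGIN cf_app WITH PASSWORD = 'replace-with-a-strong-password',
    CHECK_POLICY = ON;
GO
USE EvidenceDB;
GO
CREATE USER cf_app FOR LOGIN cf_app;
GRANT INSERT, SELECT ON dbo.Message TO cf_app;
-- DENY rather than merely not granting: it still holds if cf_app is later
-- added to a role that carries the permission.
DENY UPDATE, DELETE, ALTER ON dbo.Message TO cf_app;
GO

-- Check it from the application's point of view: the UPDATE fails with
-- error 229 (permission denied) and the CATCH block prints the message.
EXECUTE AS USER = 'cf_app';
BEGIN TRY
    UPDATE dbo.Message SET Body = N'tampered' WHERE MessageId = 1;
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();
END CATCH;
REVERT;
GO

-- 3. SQL Server Audit: record every UPDATE/DELETE attempt against the table
--    (successful or not), every schema change to it, and any attempt to
--    change the audit itself. Put the audit files on storage the DBAs
--    cannot rewrite; Dave's WORM drive is the natural home for them.
USE master;
GO
CREATE SERVER AUDIT EvidenceAudit
    TO FILE (FILEPATH = 'E:\audit\')
    -- Stop the instance rather than run unaudited if the log cannot be written.
    WITH (ON_FAILURE = SHUTDOWN);
GO
CREATE SERVER AUDIT SPECIFICATION EvidenceAuditTamper
    FOR SERVER AUDIT EvidenceAudit
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT EvidenceAudit WITH (STATE = ON);
GO
USE EvidenceDB;
GO
CREATE DATABASE AUDIT SPECIFICATION EvidenceTableChanges
    FOR SERVER AUDIT EvidenceAudit
    ADD (UPDATE, DELETE ON OBJECT::dbo.Message BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Reading the trail later, e.g. when the record is subpoenaed:
SELECT event_time, server_principal_name, action_id, succeeded, statement
FROM sys.fn_get_audit_file('E:\audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = N'Message'
ORDER BY event_time;
GO
```

Two things to keep in mind. A sysadmin can still disable the audit or grant cf_app the denied permissions; AUDIT_CHANGE_GROUP makes that attempt itself an audit record, but only while the audit is running and only if the audit files are out of the sysadmin's reach, which is why the storage they land on matters as much as the configuration. And an audit trail shows what was attempted; it does not by itself prove that nothing was changed, so it complements, rather than replaces, the offsite copies and chain of custody Judah describes in point 2.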