STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version: 5, Release: 1, Benchmark Date: 23 Oct 2020

Production database exports must have database administration credentials and sensitive data removed before releasing the export.

DISA Rule

SV-222666r508029_rule

Vulnerability Number

V-222666

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003310

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove sensitive data from production database exports.

Check Contents

Review the application documentation and identify the existence of databases within the application architecture.

Ask the application admin to identify when data exports from this database are imported to test or development databases.

If no data is exported to test or development databases, this check is not applicable.

If there are such data exports, ask if the production database includes data identified by the data owner as sensitive, such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data.

If any database exports include sensitive data and that data is not sanitized or removed prior to or immediately after import to the development database, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4093

Comments