STIGQter: STIG Summary: Oracle Database 11g Installation STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

Procedures and restrictions for import of production data to development databases should be documented, implemented and followed.

DISA Rule

SV-24645r1_rule

Vulnerability Number

V-15140

Group Title

Production data import to development DBMS

Rule Version

DG0069-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop, document and implement policy and procedures that provide restrictions for production data export.

Require users and administrators assigned privileges that allow the export of production data from a production database to acknowledge understanding of export restrictions.

Restrict permissions allowing use or access to database export procedures or functions to authorized users.

Ensure sensitive data from production is sanitized prior to import to a development database (See check DG0076).

Grant access and need-to-know to developers where allowed by policy.

Check Contents

If the database being reviewed is not a production database or does not contain sensitive data, this check is Not a Finding.

Review documented policy, procedures and proof of implementation for restrictions placed on data exports from the production database.

Policy and procedures should include that only authorized users have access to DBMS export utilities and that export data is properly sanitized prior to import to a development database.

Policy and procedures may also include that developers be granted the necessary clearance and need-to-know prior to import of production data.

If documented policy, procedures and proof of implementation are not present or complete, this is a Finding.

If methods to sanitize sensitive data are required and not documented or followed, this is a Finding.

Documentable

False

Severity Override Guidance

If the database being reviewed is not a production database or does not contain sensitive data, this check is Not a Finding.

Review documented policy, procedures and proof of implementation for restrictions placed on data exports from the production database.

Policy and procedures should include that only authorized users have access to DBMS export utilities and that export data is properly sanitized prior to import to a development database.

Policy and procedures may also include that developers be granted the necessary clearance and need-to-know prior to import of production data.

If documented policy, procedures and proof of implementation are not present or complete, this is a Finding.

If methods to sanitize sensitive data are required and not documented or followed, this is a Finding.

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1368

Comments