STIGQter: STIG Summary: Oracle Database 11g Instance STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Sensitive information from production database exports must be modified before import to a development database.

DISA Rule

SV-24654r3_rule

Vulnerability Number

V-3819

Group Title

Sensitive data import to development DBMS

Rule Version

DG0076-ORACLE11

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Develop, document, and implement policy, procedures, and restrictions for production data import.

Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of import policies, procedures, and restrictions.

Restrict permissions of development personnel requiring use or access to production data imported into development databases containing sensitive information to authorized users.

Implement policy and procedures to modify or remove sensitive information in production exports prior to import into development databases.

Check Contents

If the database being reviewed is a production database, this check is not a finding.

Review policy, procedures, and restrictions for data imports of production data containing sensitive information into development databases.

If data imports of production data are allowed, review procedures for protecting any sensitive data included in production exports.

If sensitive data is included in the exports and no procedures are in place to remove or modify the data to render it not sensitive prior to import into a development database or policy and procedures are not in place to ensure authorization of development personnel to access sensitive information contained in production data, this is a finding.

Vulnerability Number

V-3819

Documentable

False

Rule Version

DG0076-ORACLE11

Severity Override Guidance

If the database being reviewed is a production database, this check is not a finding.

Review policy, procedures, and restrictions for data imports of production data containing sensitive information into development databases.

If data imports of production data are allowed, review procedures for protecting any sensitive data included in production exports.

If sensitive data is included in the exports and no procedures are in place to remove or modify the data to render it not sensitive prior to import into a development database or policy and procedures are not in place to ensure authorization of development personnel to access sensitive information contained in production data, this is a finding.

Check Content Reference

I

Responsibility

Database Administrator

Target Key

1367

Comments