STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017:

Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.

DISA Rule

SV-24710r1_rule

Vulnerability Number

V-15144

Group Title

DBMS sensitive data identification

Rule Version

DG0107-ORACLE11

Severity

CAT II

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Include identification of any sensitive data in the AIS Functional Architecture and the System Security Plan.

Include data that appear to be sensitive with a discussion as to why it is not marked as such.

Check Contents

If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is Not a Finding.

Review AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified.

Review database table column data or descriptions that indicate sensitive data.

For example, a data column labeled "SSN" could indicate social security numbers are stored in the column.

Question the IAO or DBA where any questions arise.

General categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified.

If any data is considered sensitive and is not documented in the AISFA, this is a Finding.

Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Responsibility

Target Key

Comments