STIGQter STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017: Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.

DISA Rule

SV-24710r1_rule

Vulnerability Number

V-15144

Group Title

DBMS sensitive data identification

Rule Version

DG0107-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Include identification of any sensitive data in the AIS Functional Architecture and the System Security Plan.

Include data that appear to be sensitive with a discussion as to why it is not marked as such.

Check Contents

If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is Not a Finding.

Review AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified.

Review database table column data or descriptions that indicate sensitive data.

For example, a data column labeled "SSN" could indicate social security numbers are stored in the column.

Question the IAO or DBA where any questions arise.

General categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified.

If any data is considered sensitive and is not documented in the AISFA, this is a Finding.

Vulnerability Number

V-15144

Documentable

False

Rule Version

DG0107-ORACLE11

Severity Override Guidance

If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is Not a Finding.

Review AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified.

Review database table column data or descriptions that indicate sensitive data.

For example, a data column labeled "SSN" could indicate social security numbers are stored in the column.

Question the IAO or DBA where any questions arise.

General categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified.

If any data is considered sensitive and is not documented in the AISFA, this is a Finding.

Check Content Reference

I

Responsibility

Information Assurance Officer

Target Key

1368

Comments