STIGQter: STIG Summary: Oracle Database 11g Installation STIG Version: 8 Release: 20 Benchmark Date: 28 Jul 2017

Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.

DISA Rule

SV-24821r1_rule

Vulnerability Number

V-15104

Group Title

Encryption of DBMS sensitive data in transit

Rule Version

DG0167-ORACLE11

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan and AIS Functional Architecture documentation.

Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.

Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.

Check Contents

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.

If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding.

If encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification.

It may be necessary to review network device configuration evidence or host communications configuration evidence.

If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.

Documentable

False

Severity Override Guidance

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.

If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding.

If encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification.

It may be necessary to review network device configuration evidence or host communications configuration evidence.

If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368
