Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. Access and changes to the data are recorded in transaction logs that are reviewed periodically or immediately upon system security events. Users are notified of time and date of the last change in data content.
MAC / CONF | Impact | Subject Area |
---|---|---|
CLASSIFIED, MAC I, MAC II | High | Enclave Computing Environment |
Threat |
---|
Lack of proper access controls would allow unauthorized users to gain access to the system. This would impact the integrity, confidentiality, and availability of the system and its data. This implementation guide aims to help system administrators implement proper access controls through user privileges, file permissions, auditing, and user notification. |
Guidance |
---|
1. The system, database, and/or application administrators shall create user accounts only upon approval of System Access Request by authorized personnel (e.g., user manager/supervisor/IAM/IAO).
2. The system, database, and/or application administrators shall determine user privileges required to perform their job functions.
3. The system, database, and/or application administrators shall configure the system software (e.g., operating system, database, and application) to which users have access to read or modify data to perform job functions in accordance with DISA STIGs applicable to the software based on the least privileges and need to know.
4. The administrators shall configure the audit trails and transaction logs to capture user access to the software/application.
5. The administrators shall configure the system to display and generate audit reports for regular reviews or immediate reviews upon system security events.
6. The system administrator shall research and determine if the system software provides the capability of notifying users of time and date of the last change in data content and perform the following:
   a. If the system provides the capability, the system administrator shall enable the capability.
   b. If the system does not provide the capability, the administrators shall implement other means (e.g., scripts) into the system to notify users of time and date of the last change in data content.
7. The system administrator shall generate and review the audit trails and the transaction logs on a regular basis or immediately upon system security events.
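
Step 6b leaves the notification script to the administrator. The following is an added example, not part of the original guidance, of a login-time notice for a Linux host. It assumes GNU `find` and `date`; the `DATA_DIR` variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: notify users of the time and date of the last change
# to data content. Assumes GNU find and date; DATA_DIR is hypothetical.

# last_change DIR: print "<epoch> <path>" for the most recently modified
# regular file under DIR. Returns 1 if DIR is unreadable or has no files.
last_change() {
    dir=$1
    [ -d "$dir" ] && [ -r "$dir" ] || return 1
    newest=$(find "$dir" -type f -printf '%T@ %p\n' 2>/dev/null |
             sort -n | tail -n 1)
    [ -n "$newest" ] || return 1
    epoch=${newest%% *}      # e.g. 1700000000.0000000000
    path=${newest#* }        # everything after the first space
    printf '%s %s\n' "${epoch%%.*}" "$path"
}

# change_notice DIR: print a one-line notice with the timestamp in UTC.
# An unavailable timestamp is reported explicitly rather than hidden.
change_notice() {
    info=$(last_change "$1") || {
        printf 'NOTICE: last-change time for %s is unavailable\n' "$1"
        return 1
    }
    epoch=${info%% *}
    path=${info#* }
    when=$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S UTC')
    printf 'NOTICE: data in %s last changed %s (%s)\n' "$1" "$when" "$path"
}

# When sourced from a login profile with DATA_DIR set, show the notice.
if [ -n "${DATA_DIR:-}" ]; then
    change_notice "$DATA_DIR" || true
fi
```

File modification times can be reset by any account with write access to the file, so this notice complements the audit trails and transaction logs of steps 4 and 7 and does not replace them.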