UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ECDC-1 Data Change Controls


Overview

Transaction-based systems (e.g., database management systems, transaction processing systems) implement transaction roll-back and transaction journaling, or technical equivalents.

MAC / CONF Impact Subject Area
MACI
MACII
Medium Enclave Computing Environment

Details

Threat
Without implementing transaction roll-back and journaling, unauthorized or unintentional modification or destruction of data stored in the database would cause the loss of critical data.  This implementation guide is aimed to help database administrators ensure the recovery of database data that was modified or deleted unintentionally or by unauthorized users.

Guidance
1. The database administrator shall identify and determine if the database systems (e.g., Oracle, Microsoft SQL Server) implemented into the system provide transaction capabilities (e.g., transaction roll back and transaction journaling).
2. If the database systems provide the capability of transaction roll back and journaling, the database administrator shall enable the capability in order to log database updates to either files or disk partition according to DISA Database STIG and organization specific database guides.
3. If the database systems do not provide the transaction roll back and journaling or technical equivalent, the database administrator shall:
  · Identify a DoD approved 3rd party product that provides transaction roll back and journaling or technical equivalent
  · Configure the product and test it in a lab environment to ensure it functions properly
  · Install the product on the database system in the operational environment

References

  • DISA Database STIG, Version 7, Release 1, 29 October 2004
  • NSA Microsoft SQL Server Guides, 02 October 2003
  • NSA Oracle Database Server Guides, 02 October 2003
  • Center for Internet Security Database Security Checklist, 06 April 2005
  • Vendor Security Administration Guide, (Refer to if no DSSA/NSA/NIST/USG guidance is available)