
ECDC-1 Data Change Controls


Overview

Transaction-based systems (e.g., database management systems, transaction processing systems) implement transaction roll-back and transaction journaling, or technical equivalents.

MAC / CONF: MACI, MACII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
Without transaction roll-back and journaling, unauthorized or unintentional modification or destruction of data stored in the database would cause the loss of critical data. This implementation guide aims to help database administrators ensure the recovery of database data that was modified or deleted unintentionally or by unauthorized users.

Guidance
1. The database administrator shall identify the database systems (e.g., Oracle, Microsoft SQL Server) implemented in the system and determine whether they provide transaction capabilities (e.g., transaction roll-back and transaction journaling).
2. If the database systems provide transaction roll-back and journaling, the database administrator shall enable the capability in order to log database updates to either files or a disk partition, according to the DISA Database STIG and organization-specific database guides.
3. If the database systems do not provide transaction roll-back and journaling or a technical equivalent, the database administrator shall:
  · Identify a DoD-approved third-party product that provides transaction roll-back and journaling or a technical equivalent
  · Configure the product and test it in a lab environment to ensure it functions properly
  · Install the product on the database system in the operational environment

References

  • DISA Database STIG, Version 7, Release 1, 29 October 2004
  • NSA Microsoft SQL Server Guides, 02 October 2003
  • NSA Oracle Database Server Guides, 02 October 2003
  • Center for Internet Security Database Security Checklist, 06 April 2005
  • Vendor Security Administration Guide (refer to it if no DSSA/NSA/NIST/USG guidance is available)