Application data protection requirements must be identified and documented.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-69325	APSC-DV-000440	SV-83947r1_rule		Medium

Description
Failure to protect organizational information from data mining may result in a compromise of information. In order to assign the appropriate data protections, application data must be identified and then protection requirements assigned. Access to sensitive data and sensitive data objects should be restricted to those authorized to access the data. Examples of sensitive data include but are not limited to; Social Security Numbers, Personally Identifiable Information, or any other data that is has been identified as being sensitive in nature by the data owner. Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: limiting the types of responses provided to database queries; limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and notifying organizational personnel when atypical database queries or accesses occur. Protection methods include but are not limited to data encryption, Role-Based Access Controls and access authentication.

Description

Failure to protect organizational information from data mining may result in a compromise of information. In order to assign the appropriate data protections, application data must be identified and then protection requirements assigned. Access to sensitive data and sensitive data objects should be restricted to those authorized to access the data. Examples of sensitive data include but are not limited to; Social Security Numbers, Personally Identifiable Information, or any other data that is has been identified as being sensitive in nature by the data owner. Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: limiting the types of responses provided to database queries; limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and notifying organizational personnel when atypical database queries or accesses occur. Protection methods include but are not limited to data encryption, Role-Based Access Controls and access authentication.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2020-06-12

Details

Check Text ( C-69737r1_chk )
Ask the application representative for the documentation that identifies the application data elements, the protection requirements, and any associated steps that are being taken to protect the data. If the application data protection requirements are not documented, this is a finding.

Fix Text (F-75499r1_fix)
Identify and document the application data elements and the data protection requirements.