The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.


Overview

Finding ID: V-6174
Version: APP6100
Rule ID: SV-6174r1_rule
IA Controls: ECAN-1
Severity: Medium
Description
Production database exports allow export of active user account information. Such information can provide a simple target for password attacks outside the protections of the database. Not all application developers have a need to know concerning sensitive information such as HIPAA data, Privacy Act data, or classified data.
STIG: Application Security and Development Checklist
Date: 2014-01-07

Details

Check Text (C-3060r1_chk)
Ask if any database exports from this database are imported to development databases.

If no database exports exist, this check is not applicable.

If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database.

1) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask whether the production database includes data identified by the data owner as sensitive, such as financial, personnel, personal, HIPAA, Privacy Act, or classified data.

2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding.

Fix Text (F-4642r1_fix)
Remove sensitive data from production export.
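One way to apply this fix to a per-table CSV export, as an added example that is not part of the STIG text: production credentials are blanked (so developer accounts must be given new passwords after import), data-owner-identified sensitive columns are replaced with keyed deterministic tokens so joins still work in development, and a release gate confirms no original value survives. The sample rows, the column classification and the key are constructed for the example.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample of a production export in CSV form; no real data.
PROD_USERS_CSV = """user_id,username,password_hash,ssn,email
1,jdoe,$2b$12$prodhashA,123-45-6789,jdoe@example.mil
2,asmith,$2b$12$prodhashB,987-65-4321,asmith@example.mil
"""

# Hypothetical column classification; in practice it comes from the data owner.
CREDENTIAL_COLUMNS = {"password_hash"}  # blanked: dev accounts get new passwords after import
SENSITIVE_COLUMNS = {"ssn", "email"}    # pseudonymised: joins across tables still work in dev


def pseudonymise(value, column, key):
    """Keyed, deterministic token: same input gives the same token; not reversible without the key."""
    mac = hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{column}_{mac[:16]}"


def sanitize_export(csv_text, key):
    """Return (sanitised CSV text, set of original values that must not survive the release)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    originals = set()
    for row in reader:
        for col in CREDENTIAL_COLUMNS & set(row):
            originals.add(row[col])
            row[col] = ""  # no production credential leaves with the export
        for col in SENSITIVE_COLUMNS & set(row):
            originals.add(row[col])
            row[col] = pseudonymise(row[col], col, key)
        writer.writerow(row)
    return out.getvalue(), originals


def leaked_values(sanitised_text, originals):
    """Release gate: any original credential or sensitive value still present is a finding."""
    return {v for v in originals if v and v in sanitised_text}


def parse_rows(csv_text):
    """Helper so callers can inspect the sanitised rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))
```

Run `sanitize_export(PROD_USERS_CSV, key)` and release the export only if `leaked_values` on the result is empty; the key stays with the sanitisation process and is never shipped with the export.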