The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6174	APP6100	SV-6174r1_rule	ECAN-1	Medium

Description
Production database exports allow export of active user account information. Such information can provide a simple target for password attacks outside the protections of database. Not all application developers have a need to know concerning sensitive information such as HIPAA data, Privacy Act Data, or classified data.

STIG	Date
Application Security and Development Checklist	2014-01-07

Details

Check Text ( C-3060r1_chk )
Ask if any database exports from this database are imported to development databases. If no database exports exist, this check is not applicable. If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database. 1) If there are no policy and procedures in place to modify production database account passwords, it is a finding. If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as financial, personnel, personal, HIPAA, Privacy Act, or classified data is included. 2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding. 3) If there are no policy and procedures in place to modify production database account passwords, it is a finding. If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as financial, personnel, personal, HIPAA, Privacy Act, or classified data is included. 4) If any database exports include sensitive data, and it is not modified or removed prior to or after import to the development database, it is a finding.

Check Text ( C-3060r1_chk )

Ask if any database exports from this database are imported to development databases.

If no database exports exist, this check is not applicable.

If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database.

1) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as financial, personnel, personal, HIPAA, Privacy Act, or classified data is included.

2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding.

3) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as financial, personnel, personal, HIPAA, Privacy Act, or classified data is included.

4) If any database exports include sensitive data, and it is not modified or removed prior to or after import to the development database, it is a finding.

Fix Text (F-4642r1_fix)
Remove sensitive data from production export.