
The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.


Overview

Finding ID: V-6174
Version: APP6100
Rule ID: SV-6174r2_rule
IA Controls: ECAN-1
Severity: Medium
Description
Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports will need to be scrubbed to prevent information like passwords and other sensitive data from becoming available to development and test staff who may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other types of data protection requirement issues. Not all application developers have a need to know sensitive information such as HIPAA data, Privacy Act Data, production admin passwords or classified data.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-3060r2_chk)
Ask if any database exports from this database are imported to development databases.

If no database exports exist, this check is not applicable.

If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database.

1) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask whether the production database includes data identified by the data owner as sensitive, such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data.

2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding.

Fix Text (F-4642r2_fix)
Remove sensitive data from production database exports.
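Both findings in the check text (production account passwords carried into the development copy, and sensitive columns neither modified nor removed) can be enforced and then verified mechanically. The Python script below is an added example, not part of the STIG or of any vendor export tool: it scrubs a constructed SQL-style dump and then audits the result the way a reviewer applying this check would. The sample dump, the column names in SENSITIVE_COLUMNS, the account name in ADMIN_ACCOUNTS and the MASKED_ token format are all assumptions chosen for the illustration.

```python
import hashlib
import re

# Constructed sample export (not taken from the STIG page): a small SQL-style dump
# mixing schema, production DBA account statements and application rows.
SAMPLE_EXPORT = """\
CREATE TABLE users (id INT, username TEXT, password_hash TEXT, ssn TEXT, email TEXT);
INSERT INTO users (id, username, password_hash, ssn, email) VALUES (1, 'alice', '$2b$12$abcdefghijklmnopqrstuv', '123-45-6789', 'alice@example.test');
INSERT INTO users (id, username, password_hash, ssn, email) VALUES (2, 'bob', '$2b$12$zyxwvutsrqponmlkjihgfe', '987-65-4321', 'bob@example.test');
CREATE USER 'prod_dba'@'%' IDENTIFIED BY 'Pr0d-Admin-Secret!';
GRANT ALL PRIVILEGES ON *.* TO 'prod_dba'@'%';
INSERT INTO products (id, name, price) VALUES (7, 'widget, large', 19.99);
"""

# Hypothetical scrub policy, as the data owner would supply it for this schema.
SENSITIVE_COLUMNS = {"password_hash", "ssn", "email"}
ADMIN_ACCOUNTS = {"prod_dba"}

INSERT_RE = re.compile(r"^INSERT INTO (\w+) \(([^)]*)\) VALUES \((.*)\);$")
CREDENTIAL_RE = re.compile(r"\bIDENTIFIED BY\b", re.IGNORECASE)


def split_values(values):
    """Split a SQL VALUES list on commas that sit outside single quotes."""
    fields, current, in_quote = [], [], False
    for ch in values:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    fields.append("".join(current).strip())
    return fields


def mask(value):
    """Replace a sensitive literal with a deterministic token: equal inputs give
    equal tokens, so foreign-key style joins still work, but the original is gone.
    Already-masked values pass through, which makes scrubbing idempotent."""
    if value.startswith("'MASKED_"):
        return value
    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
    return f"'MASKED_{digest}'"


def is_credential_statement(line):
    """True for statements that would carry a production account's password or
    privileges into the development copy."""
    return bool(CREDENTIAL_RE.search(line)) or any(acct in line for acct in ADMIN_ACCOUNTS)


def scrub_export(dump):
    """Return the export with DBA credential statements dropped and every
    sensitive column masked; other statements pass through unchanged."""
    kept = []
    for line in dump.splitlines():
        if is_credential_statement(line):
            continue
        match = INSERT_RE.match(line)
        if not match:
            kept.append(line)
            continue
        table, col_list, val_list = match.groups()
        cols = [c.strip() for c in col_list.split(",")]
        vals = split_values(val_list)
        scrubbed = [mask(v) if c in SENSITIVE_COLUMNS else v for c, v in zip(cols, vals)]
        kept.append(f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(scrubbed)});")
    return "\n".join(kept) + "\n"


def audit_export(dump):
    """Reviewer-side check for this STIG item: return (line number, reason) for
    every credential statement or unmasked sensitive column still in the export.
    An empty list means the export is clean under the policy above."""
    findings = []
    for number, line in enumerate(dump.splitlines(), start=1):
        if is_credential_statement(line):
            findings.append((number, "production database account credentials present"))
        match = INSERT_RE.match(line)
        if not match:
            continue
        cols = [c.strip() for c in match.group(2).split(",")]
        for col, val in zip(cols, split_values(match.group(3))):
            if col in SENSITIVE_COLUMNS and not val.startswith("'MASKED_"):
                findings.append((number, f"unmasked sensitive column {col}"))
    return findings


if __name__ == "__main__":
    print("before:", audit_export(SAMPLE_EXPORT))
    print(scrub_export(SAMPLE_EXPORT))
    print("after:", audit_export(scrub_export(SAMPLE_EXPORT)))
```

The audit function is the part a reviewer would run against a release candidate of the export; the scrub function is the part the production DBA runs before releasing it. Real exports are usually in a vendor-specific or binary format rather than plain INSERT statements, so in practice the masking is done with the database's own tooling before the export is taken, but the two conditions being checked (no production account credentials, no unmasked sensitive columns) are the same ones this script verifies.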