UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6174 APP6100 SV-6174r2_rule ECAN-1 Medium
Description
Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports will need to be scrubbed to prevent information like passwords and other sensitive data from becoming available to development and test staff who may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other types of data protection requirement issues. Not all application developers have a need to know sensitive information such as HIPAA data, Privacy Act Data, production admin passwords or classified data.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-3060r2_chk )
Ask if any database exports from this database are imported to development databases.

If no database exports exist, this check is not applicable.

If there are such exports, ask if policy and procedures are in place to require the modification of the production database account passwords after import into the development database.

1) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as passwords, financial, personnel, personal, HIPAA, Privacy Act, or classified data is included.

2) If any database exports include sensitive data and it is not modified or removed prior to or after import to the development database, it is a finding.


3) If there are no policy and procedures in place to modify production database account passwords, it is a finding.

If there are such exports, ask if the production database includes sensitive data identified by the data owner as sensitive such as financial, personnel, personal, HIPAA, Privacy Act, or classified data is included.

4) If any database exports include sensitive data, and it is not modified or removed prior to or after import to the development database, it is a finding.
Fix Text (F-4642r2_fix)
Remove sensitive data from production database exports.