The DBMS must dynamically reconfigure security labels in accordance with an identified security policy as information is created and combined.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32169	SRG-APP-000009-DB-000189	SV-42486r1_rule		Medium

Description
Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., data records, buffers, files) within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Organizations define the security attributes of their data (e.g., classified, FOUO). When application data is created and/or combined, data security attributes defined by organizational policy must be dynamically created and/or updated to reflect the potential change in data sensitivity and characteristics. If the application does not dynamically reconfigure the data security attributes as data is created and combined, there is the possibility that classified data may become commingled with unclassified data resulting in a data compromise. Databases frequently have internal procedures and functions that can be used to combine data. If security labels assigned to the data do not dynamically reconfigure the labels to reflect an appropriate security level for the newly combined data, classified and unclassified data may be commingled or mislabeled.

Description

Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., data records, buffers, files) within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Organizations define the security attributes of their data (e.g., classified, FOUO). When application data is created and/or combined, data security attributes defined by organizational policy must be dynamically created and/or updated to reflect the potential change in data sensitivity and characteristics. If the application does not dynamically reconfigure the data security attributes as data is created and combined, there is the possibility that classified data may become commingled with unclassified data resulting in a data compromise. Databases frequently have internal procedures and functions that can be used to combine data. If security labels assigned to the data do not dynamically reconfigure the labels to reflect an appropriate security level for the newly combined data, classified and unclassified data may be commingled or mislabeled.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40680r2_chk )
Review system documentation to determine if the labeling of sensitive data is required under organization defined guidelines. If the labeling of sensitive data is not required, this is NA. Review DBMS vendor documentation to determine whether the DBMS is capable of dynamically updating security labels as data is added or is changed. Review DBMS settings to determine whether functionality to dynamically update security labels is enabled. If the DBMS is not capable of, or is not configured to, dynamically update security labels, this is a finding.

Check Text ( C-40680r2_chk )

Review system documentation to determine if the labeling of sensitive data is required under organization defined guidelines. If the labeling of sensitive data is not required, this is NA.

Review DBMS vendor documentation to determine whether the DBMS is capable of dynamically updating security labels as data is added or is changed. Review DBMS settings to determine whether functionality to dynamically update security labels is enabled. If the DBMS is not capable of, or is not configured to, dynamically update security labels, this is a finding.

Fix Text (F-36093r1_fix)
Utilize a database product that is capable of dynamically updating security labels as data is changed and added. Configure the DBMS settings to enable the dynamic updating of security labels.