Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15140 | DG0069-SQLServer9 | SV-24218r1_rule | ECAN-1 | Medium |
Description |
---|
Data exports from production databases may include sensitive data. Application developers do not have a need-to-know for sensitive data. Any access they may have to production data would be considered unauthorized access and would subject the sensitive data to unlawful or unauthorized disclosure. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-04-03 |
Check Text ( C-28438r1_chk ) |
---|
If the database being reviewed is not a production database, this check is Not Applicable. Review procedures or restrictions for data exports from the production database. If data exports are not allowed, then review methods for preventing and monitoring any production data export. If procedures and methods are not complete or implemented, this is a Finding. Acknowledgement of data export restrictions and procedures by individuals granted privileges that enable data export is considered sufficient protection; however, a record of such acknowledgement must be filed. Privileges required for database copy and/or export commands include sysadmin, dbcreator or database owner of the source database. If DBMS export utilities are not restricted to users authorized by the IAO, this is a Finding. |
Fix Text (F-24466r1_fix) |
---|
Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users. |
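
The Check Text names sysadmin, dbcreator and database owner as the privileges that enable database copy or export. The following T-SQL is an added example, not part of the STIG. It lists who currently holds those privileges so the result can be compared with the IAO-authorized list and the filed acknowledgements. The third query, covering members of the db_owner database role, goes beyond the Check Text and is included on the assumption that reviewers also want role-based ownership.

```sql
-- Added example (not STIG text): enumerate principals holding the
-- export-capable privileges named in the Check Text.

-- 1. Logins in the sysadmin and dbcreator fixed server roles.
SELECT r.name        AS server_role,
       m.name        AS member_login,
       m.type_desc   AS login_type,
       m.is_disabled AS is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'dbcreator')
ORDER BY r.name, m.name;

-- 2. The owner of each database on the instance.
--    A NULL owner_login means the owning SID no longer maps to a login.
SELECT d.name                   AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
ORDER BY d.name;

-- 3. Assumption beyond the Check Text: members of the db_owner role.
--    Run this in the context of each production database under review.
SELECT DB_NAME()   AS database_name,
       m.name      AS member_user,
       m.type_desc AS user_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```

Any principal returned that is not on the IAO-authorized list, or that has no filed acknowledgement, is evidence for the Finding conditions in the Check Text.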