UCF STIG Viewer Logo

Database data encryption controls should be configured in accordance with application requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-15143 DG0106-SQLServer9 SV-24269r1_rule DCFA-1 Medium
Description
Authorizations may not sufficiently protect access to sensitive data and may require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-1314r1_chk )
Review the System Security Plan and AIS Functional Architecture documentation and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA.

If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.

Review the encryption configuration against the System Security Plan and AIS Functional Architecture documentation specification.

If the specified encryption is not configured, this is a Finding.
Fix Text (F-17796r1_fix)
Configure DBMS encryption features and functions as required by the System Security Plan and AIS Functional Architecture documentation. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO.