Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15143 | DG0106-SQLServer9 | SV-24269r1_rule | DCFA-1 | Medium |
Description |
---|
Authorizations may not sufficiently protect access to sensitive data and may require encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-1314r1_chk ) |
---|
Review the System Security Plan and AIS Functional Architecture documentation and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA. If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. Review the encryption configuration against the System Security Plan and AIS Functional Architecture documentation specification. If the specified encryption is not configured, this is a Finding. |
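
The T-SQL below is an added example, not part of the STIG text. It is one way a DBA could inventory the encryption configuration the check asks to be compared against the System Security Plan. It assumes it is run in each database holding data the plan marks for DBMS-provided encryption, by a login that can see key and certificate metadata. The varbinary column listing in step 5 is a heuristic, not proof that a column is encrypted.

```sql
-- Added example (not STIG text): inventory of SQL Server 2005 encryption
-- objects, for manual comparison with the System Security Plan.

-- 1. Instance-wide: databases whose database master key is also protected
--    by the service master key (opens without a password).
SELECT name AS database_name, is_master_key_encrypted_by_server
FROM sys.databases
ORDER BY name;

-- 2. Symmetric keys in the current database. Algorithm and key length are
--    the values to check against the plan's specification.
SELECT name, algorithm_desc, key_length, create_date, modify_date
FROM sys.symmetric_keys
ORDER BY name;

-- 3. How each symmetric key is itself protected (password, certificate,
--    asymmetric key, or another symmetric key).
SELECT sk.name          AS symmetric_key,
       ke.crypt_type_desc,
       c.name           AS protecting_certificate,
       ak.name          AS protecting_asymmetric_key
FROM sys.key_encryptions AS ke
JOIN sys.symmetric_keys  AS sk ON sk.symmetric_key_id = ke.key_id
LEFT JOIN sys.certificates    AS c  ON c.thumbprint  = ke.thumbprint
LEFT JOIN sys.asymmetric_keys AS ak ON ak.thumbprint = ke.thumbprint
ORDER BY sk.name;

-- 4. Certificates and asymmetric keys, with private key protection.
SELECT name, subject, start_date, expiry_date, pvt_key_encryption_type_desc
FROM sys.certificates
ORDER BY name;

SELECT name, algorithm_desc, key_length, pvt_key_encryption_type_desc
FROM sys.asymmetric_keys
ORDER BY name;

-- 5. Heuristic: the EncryptBy* functions return varbinary, so list varbinary
--    columns in user tables and match them to the columns the plan names.
SELECT SCHEMA_NAME(t.schema_id) AS schema_name,
       t.name                   AS table_name,
       c.name                   AS column_name,
       c.max_length
FROM sys.tables  AS t
JOIN sys.columns AS c ON c.object_id = t.object_id
WHERE TYPE_NAME(c.system_type_id) = N'varbinary'
ORDER BY schema_name, table_name, column_name;
```

A column the plan lists as encrypted that does not appear in step 5, or a key whose algorithm or length differs from the plan in step 2, is a discrepancy to raise under this check.
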
Fix Text (F-17796r1_fix) |
---|
Configure DBMS encryption features and functions as required by the System Security Plan and AIS Functional Architecture documentation. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO. |