
Sensitive data is stored in the database and should be identified in the System Security Plan and AIS Functional Architecture documentation.


Overview

Finding ID: V-15144
Version: DG0107-SQLServer9
Rule ID: SV-24271r1_rule
IA Controls: DCFA-1
Severity: Medium
Description
A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned stands the chance of not being secured at a level appropriate to the risk it poses.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-20335r1_chk)
Review the System Security Plan and AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified.

Review database table column data or descriptions that indicate sensitive data. For example, a data column labeled "SSN" could indicate social security numbers are stored in the column. Question the IAO or DBA where any questions arise.

General categories of sensitive data requiring identification include any personally identifiable information (PII) involving health, financial and security data; proprietary or sensitive business data; or data that might be classified.

If any columns in the database contain data considered sensitive and are not referenced in the System Security Plan and AIS Functional Architecture documentation, this is a Finding.
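One way to build the candidate list for the column review described above is the T-SQL query below, an added example that is not part of the STIG. It is run once in each user database; the name patterns and category labels are assumptions to adapt to local naming conventions, and a match is only a lead to compare against the System Security Plan, not a finding by itself.

```sql
-- Added example: list columns whose name or MS_Description suggests sensitive data.
-- Written for SQL Server 2005 (no multi-row VALUES, no DECLARE initializers).
DECLARE @patterns TABLE (
    pattern  nvarchar(50) COLLATE DATABASE_DEFAULT NOT NULL,
    category nvarchar(30) NOT NULL
);

-- Assumed keyword list (lower case); extend for the application's vocabulary.
INSERT INTO @patterns (pattern, category)
SELECT N'%ssn%',     N'PII'        UNION ALL
SELECT N'%social%',  N'PII'        UNION ALL
SELECT N'%birth%',   N'PII'        UNION ALL
SELECT N'%patient%', N'Health'     UNION ALL
SELECT N'%diagnos%', N'Health'     UNION ALL
SELECT N'%account%', N'Financial'  UNION ALL
SELECT N'%card%',    N'Financial'  UNION ALL
SELECT N'%salary%',  N'Financial'  UNION ALL
SELECT N'%passw%',   N'Security'   UNION ALL
SELECT N'%classif%', N'Classified';

SELECT DISTINCT
    DB_NAME()                        AS database_name,
    s.name                           AS table_schema,
    t.name                           AS table_name,
    c.name                           AS column_name,
    ty.name                          AS data_type,
    p.category                       AS suspected_category,
    CAST(ep.value AS nvarchar(4000)) AS column_description
FROM sys.tables  AS t
JOIN sys.schemas AS s  ON s.schema_id = t.schema_id
JOIN sys.columns AS c  ON c.object_id = t.object_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
-- Column descriptions are stored as extended properties (class 1 = object/column).
LEFT JOIN sys.extended_properties AS ep
       ON ep.class    = 1
      AND ep.major_id = c.object_id
      AND ep.minor_id = c.column_id
      AND ep.name     = N'MS_Description'
-- LOWER() keeps the match working in case-sensitive collations.
JOIN @patterns AS p
       ON LOWER(c.name) LIKE p.pattern
       OR LOWER(CAST(ep.value AS nvarchar(4000))) LIKE p.pattern
WHERE t.is_ms_shipped = 0
ORDER BY table_schema, table_name, column_name;
```

Columns with generic names will not match, so the review of column data and the questions to the IAO or DBA described above are still needed.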
Fix Text (F-21331r1_fix)
Include identification of any sensitive data in the System Security Plan and AIS Functional Architecture. Include discussions of data that appear to be sensitive and annotate why it is not marked as such.