The DBMS requires a System Security Plan containing all required information.


Overview

Finding ID: V-15150
Version: DG0154-SQLServer9
Rule ID: SV-25380r1_rule
IA Controls: DCSD-1
Severity: Low

Description
A System Security Plan identifies security control applicability and configuration for the DBMS. It also contains security control documentation requirements. Security controls applicable to the DBMS may not be documented, tracked or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of DBMS vulnerabilities.

STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-19417r1_chk)
Review the System Security Plan for the DBMS with the IAO.

Review coverage of the following in the System Security Plan:
1. Technical, administrative and procedural IA program and policies that govern the DBMS
2. Identification of all IA personnel (IAM, IAO, DBA, SA) assigned responsibility to the DBMS
3. Specific IA requirements and objectives (e.g., requirements for data handling or dissemination (to include identification of sensitive data stored in the database, database application user job functions/roles and privileges), system redundancy and backup, or emergency response)

If the System Security Plan does not exist, this is a Finding.

If the System Security Plan does not include the information listed above at a minimum, this is a Finding.

Fix Text (F-19551r1_fix)
Develop, document and implement a System Security Plan for the DBMS or include IA documentation related to the DBMS in the System Security Plan of the system that the DBMS supports.

Refer to Section 3.4 in the Microsoft SQL Server Database Security Checklist for information on how to develop a System Security Plan.

Include or note additional information in the System Security Plan where required in other DBMS checks.