UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Sensitive information from production database exports should be modified after import to a development database.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3819 DG0076-SQLServer9 SV-24226r1_rule ECAN-1 Medium
Description
Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure. See DODD 8500.1 section E2.1.41 for a definition of Sensitive Information.
STIG Date
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide 2015-06-16

Details

Check Text ( C-23836r1_chk )
If the database is not a production database, this check is Not Applicable.

Review procedures or restrictions for data exports from the production database. If data exports are allowed, then review procedures for protecting any sensitive data included in the exports. If sensitive data is included in the exports and no protections are taken to remove or modify the data to render it not sensitive when provided to unauthorized users, this is a Finding.
Fix Text (F-19659r1_fix)
Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users.