
Sensitive information from production database exports should be modified after import to a development database.


Overview

Finding ID: V-3819
Version: DG0076-SQLServer9
Rule ID: SV-24226r1_rule
IA Controls: ECAN-1
Severity: Medium
Description
Data exports from production databases may include sensitive data. Application developers do not have a need-to-know for sensitive data. Any access they may have to production data would be considered unauthorized access and would subject the sensitive data to unlawful or unauthorized disclosure. See DODD 8500.1 section E2.1.41 for a definition of Sensitive Information.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-23836r1_chk)
If the database is not a production database, this check is Not Applicable.

Review procedures or restrictions for data exports from the production database. If data exports are allowed, then review procedures for protecting any sensitive data included in the exports. If sensitive data is included in the exports and no protections are taken to remove or modify the data to render it not sensitive when provided to unauthorized users, this is a Finding.
Fix Text (F-19659r1_fix)
Document procedures and restrictions for production data export. Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of the export restrictions. Restrict permissions allowing use or access to database export procedures or functions to authorized users.
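
One way to enumerate which database principals currently hold rights that allow data to be taken out of the production database, as a starting point for the permission restriction in the Fix Text. This is an added example, not part of the STIG; treating the permissions and fixed roles listed below as export-capable is an assumption, and server-level roles such as sysadmin are not covered.

```sql
-- Added example (not STIG text). Run in the production database.
-- Assumption: database-level BACKUP DATABASE, SELECT and CONTROL, and the
-- fixed roles db_owner, db_backupoperator and db_datareader, are the rights
-- that allow bulk export. Adjust the lists to local export procedures.

-- 1) Explicit database-level grants
SELECT  pr.name                                      AS principal_name,
        pr.type_desc                                 AS principal_type,
        pe.permission_name COLLATE DATABASE_DEFAULT  AS right_held,
        pe.state_desc      COLLATE DATABASE_DEFAULT  AS grant_state,
        'explicit grant'                             AS source
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class = 0                    -- permission on the database itself
  AND   pe.state IN ('G', 'W')          -- GRANT, GRANT WITH GRANT OPTION
  AND   pe.permission_name IN ('BACKUP DATABASE', 'SELECT', 'CONTROL')

UNION ALL

-- 2) Membership in fixed database roles that imply the same access
SELECT  m.name,
        m.type_desc,
        r.name,
        'MEMBER',
        'fixed role'
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('db_owner', 'db_backupoperator', 'db_datareader')

ORDER BY principal_name;
```

Compare each returned principal against the documented list of users authorized to export production data; any principal not on that list is a candidate for REVOKE or role removal.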