Application user privilege assignment should be reviewed monthly or more frequently to ensure compliance with least privilege and documented policy.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3821 | DG0080-SQLServer9 | SV-24232r1_rule | ECLP-1 | Medium |
| Description |
|---|
| Users granted privileges not required to perform their assigned functions are able to make unauthorized modifications to the production data or database. Monthly or more frequent periodic review of privilege assignments assures that organizational and/or functional changes are reflected appropriately. |
| STIG | Date |
|---|---|
| Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Details
| Check Text ( C-24309r1_chk ) |
|---|
| Review procedures and implementation evidence to determine if procedures are in place for periodic review of user privileges by the IAO. Evidence may consist of email or other correspondence that acknowledges receipt of periodic reports and notification of review between the DBA and IAO or other auditors as assigned. If the procedures are incomplete or no evidence of implementation exists, this is a Finding. |
| Fix Text (F-20110r1_fix) |
|---|
| Develop, document and implement procedures for periodic review of application user database privilege assignments. Include methods to provide evidence of review in the procedures to verify reviews occur in accordance with the procedures. |