
Sensitive data served by the DBMS should be protected by encryption when transmitted across the network.


Overview

Finding ID: V-15104
Version: DG0167-ORACLE10
Rule ID: SV-24820r1_rule
IA Controls: ECCT-1, ECCT-2
Severity: High
Description
Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review.
STIG: Oracle 10 Database Installation STIG
Date: 2014-01-14

Details

Check Text (C-29384r1_chk)
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding.

If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding.

If encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification.

It may be necessary to review network device configuration evidence or host communications configuration evidence.

If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding.
Fix Text (F-26409r1_fix)
Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan and AIS Functional Architecture documentation.

Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.

Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.