Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15104 | DG0167-ORACLE10 | SV-24820r1_rule | ECCT-1 ECCT-2 | High |
Description |
---|
Sensitive data served by the DBMS and transmitted across the network in clear text is vulnerable to unauthorized capture and review. |
STIG | Date |
---|---|
Oracle Database 10g Installation STIG | 2014-04-02 |
Check Text ( C-29384r1_chk ) |
---|
If no data is identified as being sensitive or classified by the Information Owner, in the System Security Plan or in the AIS Functional Architecture documentation, this check is Not a Finding. If no identified sensitive or classified data requires encryption by the Information Owner in the System Security Plan and/or AIS Functional Architecture documentation, this check is Not a Finding. If encryption requirements are listed and specify configuration at the host system or network device level, then review evidence that the configuration meets the specification. It may be necessary to review network device configuration evidence or host communications configuration evidence. If the evidence review does not meet the requirement or specification as listed in the System Security Plan, this is a Finding. |
Fix Text (F-26409r1_fix) |
---|
Configure encryption of sensitive data served by the DBMS in accordance with the specifications provided in the System Security Plan and AIS Functional Architecture documentation. Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted. Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data. |