Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15143 | DG0106-ORACLE10 | SV-24706r1_rule | DCFA-1 | Medium |
Description |
---|
Authorizations alone may not always sufficiently protect access to sensitive data, and encryption may be required. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access. |
STIG | Date |
---|---|
Oracle Database 10g Installation STIG | 2014-04-02 |
Check Text (C-29312r1_chk) |
---|
Review the System Security Plan and note sensitive data identified by the Information Owner as requiring encryption using DBMS features administered by the DBA. If no sensitive data is present or encryption of sensitive data is not required by the Information Owner, this check is Not a Finding. Review the encryption configuration against the System Security Plan specification. If the specified encryption is not configured, this is a Finding. |
Fix Text (F-26344r1_fix) |
---|
Configure DBMS encryption features and functions as required by the System Security Plan. Discrepancies between what features are and are not available should be resolved with the Information Owner, Application Developer and DBA as overseen by the IAO. |