If Asymmetric keys are present and Oracle Advanced Security is not installed and operational on the DBMS host, this is a Finding. For each asymmetric key identified as being used to encrypt sensitive data, verify the key owner is an application object owner or other non-DBA account. If the key owner listed is a DBA, this is a Finding. If any key owner is not the application object owner account or an account specific to the application as documented in the System Security Plan, this is a Finding. If any asymmetric keys whose private key is not encrypted exist in the database, this is a Finding. Review the access permissions to asymmetric keys. Verify that any permission granted is authorized in the System Security Plan for access to the key. Examine evidence that an audit record is created whenever the asymmetric key is accessed by other than authorized users. In particular, view evidence that access by a DBA or other system privileged account results in the generation of an audit record. This is required because system privileges that allow access to encryption keys may be used to access sensitive data where the privileged user does not have a job function need-to-know the data. If an audit record is not generated for unauthorized access to the asymmetric key, this is a Finding. |