Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-61503 | O121-BP-024900 | SV-75993r1_rule | Medium |
Description |
---|
A DBMS that does not have the correct confidentiality level identified or any confidentiality level assigned is not being secured at a level appropriate to the risk it poses. |
STIG | Date |
---|---|
Oracle Database 12c Security Technical Implementation Guide | 2016-12-15 |
Check Text ( C-62375r1_chk ) |
---|
If no sensitive or classified data is stored in the database, listed in the System Security Plan and listed in the AIS Functional Architecture documentation, this check is not a finding. Review AIS Functional Architecture documentation for the DBMS and note any sensitive data that is identified. Review database table column data or descriptions that indicate sensitive data. For example, a data column labeled "SSN" could indicate social security numbers are stored in the column. Question the ISSO or DBA where any questions arise. General categories of sensitive data requiring identification include any personal data (health, financial, social security number and date of birth), proprietary or financially sensitive business data or data that might be classified. If any data is considered sensitive and is not documented in the AISFA, this is a finding. |
Fix Text (F-67419r1_fix) |
---|
Include identification of any sensitive data in the AIS Functional Architecture and the System Security Plan. Include data that appear to be sensitive with a discussion as to why it is not marked as such. |