SV-24684r1_rule
V-15132
DBMS data file encryption
DG0092-ORACLE11
CAT II
10
Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database.
Use only NIST-certified (FIPS 140-validated) or NSA-approved cryptography to provide encryption.
Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.
Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.
To lessen the impact on system performance, separate sensitive data where file encryption is required into dedicated DBMS data files.
Consider additional auditing of access to any unencrypted sensitive or classified data, by users both with and without Need-to-Know.
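One way to carry out this fix on Oracle 11g with Transparent Data Encryption (TDE), added here as an example and not part of the STIG text. The HR schema, PATIENT_RECORDS table, SSN column, SENSITIVE_TS tablespace, wallet directory and data file path are assumptions, and the wallet password is a placeholder.

```sql
-- Added example (not from the STIG): applying the fix with Oracle 11g TDE.
-- Assumed names: HR.PATIENT_RECORDS, column SSN, tablespace SENSITIVE_TS,
-- wallet under /u01/app/oracle/wallet, data file under /u01/oradata/ORCL.

-- 0. Prerequisite: sqlnet.ora must point at a wallet directory, e.g.
--    ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--      (METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))
--    Create the master key (11g syntax; this also creates and opens the wallet).
--    After an instance restart the wallet must be reopened with
--    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "...";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Passw0rd-Placeholder";

-- 1. A dedicated encrypted tablespace for sensitive data, so that only this
--    data file pays the encryption cost (the STIG's performance advice).
CREATE TABLESPACE sensitive_ts
  DATAFILE '/u01/oradata/ORCL/sensitive_ts01.dbf' SIZE 200M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Move the identified sensitive table into it. MOVE rewrites every block
--    into the encrypted file and takes an exclusive lock, so schedule it.
--    Caveat: freed extents in the old data file can still hold cleartext
--    until they are overwritten; drop or sanitize the old file per policy.
ALTER TABLE hr.patient_records MOVE TABLESPACE sensitive_ts;

-- Indexes are marked UNUSABLE by a table MOVE; rebuild them into the same
-- encrypted tablespace so index leaf blocks do not leak the key values.
ALTER INDEX hr.patient_records_pk REBUILD TABLESPACE sensitive_ts;

-- 3. Alternative for a single field: column-level TDE. The default adds a
--    random SALT; an indexed column must be declared NO SALT instead, which
--    makes equal plaintexts encrypt identically, so keep SALT where no index
--    is needed.
ALTER TABLE hr.patient_records MODIFY (ssn ENCRYPT USING 'AES256');
```

Tablespace encryption covers everything stored in the file, including the table's indexes, and is usually the simpler choice for the "dedicated data files" approach; column encryption is appropriate when only one or two fields are sensitive and the table itself must stay where it is.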
Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption.
If no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding.
Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation.
If all sensitive data as identified is encrypted within the database objects, encryption of the DBMS data files is optional and Not a Finding.
If any of the identified sensitive data is not encrypted within database objects, review the encryption applied to the DBMS host data files that store it.
If no encryption is applied, this is a Finding.
If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored sensitive information.
If encryption is required by the information owner, NIST-certified cryptography is used to encrypt stored classified non-sources and methods intelligence information.
If a classified enclave contains sources and methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources and methods intelligence, then NSA-approved cryptography is used to encrypt all sources and methods intelligence stored within the enclave.
Determine which DBMS data files contain sensitive data. Not all DBMS data files will require encryption.
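Dictionary queries a DBA can run on Oracle 11g to support the check above, added here as an example rather than taken from the STIG; HR.PATIENT_RECORDS stands in for whatever tables the System Security Plan identifies. Note that TDE is transparent: a plain SELECT against a TDE-encrypted column returns cleartext to any session with SELECT privilege while the wallet is open, so the SELECT review in the check only reveals application-level encryption (for example values encrypted with DBMS_CRYPTO before insert). TDE coverage has to be read from the dictionary views instead.

```sql
-- Added example (not from the STIG): verifying encryption coverage on 11g.
-- Assumed inventory entry: HR.PATIENT_RECORDS (taken from the SSP in practice).

-- Is a TDE wallet configured and open? STATUS must be OPEN for encrypted
-- objects to be readable; NOT_AVAILABLE means no wallet exists at all.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- Which columns are encrypted inside database objects (the "encrypted within
-- the database objects" branch of the check).
SELECT owner, table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- Which tablespaces, and therefore which host data files, are encrypted.
-- Use this list to decide which remaining files need OS/third-party encryption.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, f.file_name
  FROM dba_tablespaces t
  JOIN dba_data_files f        ON f.tablespace_name = t.tablespace_name
  LEFT JOIN v$tablespace v     ON v.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = v.ts#
 ORDER BY t.tablespace_name, f.file_name;

-- For each identified sensitive table: is it in an encrypted tablespace, or
-- does it carry encrypted columns? A row with TS_ENCRYPTED = NO and
-- ENC_COLS = 0 is stored in cleartext in the database and must be covered by
-- host-level file encryption or a documented acceptance of risk.
-- Caveat: TABLESPACE_NAME is NULL in DBA_TABLES for partitioned tables;
-- check DBA_TAB_PARTITIONS for those.
SELECT s.owner, s.table_name, s.tablespace_name,
       t.encrypted AS ts_encrypted,
       (SELECT COUNT(*)
          FROM dba_encrypted_columns c
         WHERE c.owner = s.owner
           AND c.table_name = s.table_name) AS enc_cols
  FROM dba_tables s
  LEFT JOIN dba_tablespaces t ON t.tablespace_name = s.tablespace_name
 WHERE (s.owner, s.table_name) IN (('HR', 'PATIENT_RECORDS'))
 ORDER BY s.owner, s.table_name;
```

The last query is the one to keep as evidence: run it against the full list of tables from the SSP and attach the output to the review, together with the wallet status and the data file list for any tables that rely on host-level encryption.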
False
M
Database Administrator
1368