Information
Where system and DBMS access controls do not provide complete protection of sensitive or classified information, the Information Owner may require encryption to provide additional protection. Encryption of sensitive data helps protect against disclosure to privileged users who do not have a need-to-know for the data but who may be able to read the DBMS data files directly with OS file tools, bypassing the DBMS access controls.
NOTE: The decision to encrypt data is the responsibility of the Information Owner and should be based on other access controls employed to protect the data.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database.
Use only NIST-certified or NSA-approved cryptography to provide encryption.
Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.
Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.
To lessen the impact on system performance, where file encryption is required, separate the sensitive data into dedicated DBMS data files rather than encrypting all data files.
Consider applying additional auditing of access to any unencrypted sensitive or classified data, covering access by users both with and without Need-to-Know.