Information
Sensitive data stored in unencrypted format within the database is vulnerable to unauthorized viewing.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Identify all sensitive data and the method to be used to encrypt specified sensitive data in the System Security Plan.
Use only NIST-certified or NSA-approved cryptography to provide encryption.
Oracle transparent data encryption (available in Oracle version 10.2 and later) requires Oracle Advanced Security.
See the chapter on Transparent Data Encryption in the Oracle Database Advanced Security Administrator's Guide for details on using and configuring transparent data encryption.
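Added example (not part of the Nessus check text or Oracle's documentation): the SQL a DBA would run on Oracle 12c or later to apply TDE column encryption to one sensitive column and then verify the result; the schema hr.employees, the column ssn and the keystore password are assumed placeholders, and the keystore must already have been created and a master key set.

```sql
-- Added example, not from the original page. Assumes Oracle 12c+ keystore syntax
-- (earlier releases use ALTER SYSTEM SET ENCRYPTION WALLET OPEN) and placeholder names.

-- 1. Open the TDE keystore; requires the ADMINISTER KEY MANAGEMENT privilege.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "<keystore_password>";

-- 2. Encrypt the sensitive column. AES-256 is a FIPS-validated algorithm, which
--    satisfies the "NIST-certified cryptography" requirement above.
ALTER TABLE hr.employees MODIFY (ssn ENCRYPT USING 'AES256');

-- 3. Verify which columns are encrypted and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 4. Confirm the keystore is OPEN; encrypted columns are unreadable while it is
--    closed, and a closed keystore after restart is a common operational failure.
SELECT wrl_type, status, wallet_type
  FROM v$encryption_wallet;
```

The query in step 3 is also the evidence an auditor would collect to show that every column listed as sensitive in the System Security Plan is actually encrypted.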
Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.
Have the Information Owner document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those without need-to-know access to the data.
Developers should consider using a record-specific encryption method to protect individual records.
For example, if the session username or another individualized element is used as part of the encryption key, a data element can be decrypted only by that user, or only by using other data that is itself accessible only to that user.
Consider applying additional auditing of access to any unencrypted sensitive or classified data when accessed by unauthorized users (without need-to-know).