O121-BP-023300 - Sensitive information from production database exports must be modified before import to a development database.

Information

Data export from production databases may include sensitive data. Application developers do not have a need to know to sensitive data. Any access they may have to production data would be considered unauthorized access and subject the sensitive data to unlawful or unauthorized disclosure. See DODD 8500.1 for a definition of Sensitive Information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Develop, document and implement policy, procedures and restrictions for production data import.

Require any users assigned privileges that allow the export of production data from the database to acknowledge understanding of import policies, procedures and restrictions.

Restrict permissions of development personnel requiring use or access to production data imported into development databases containing sensitive information to authorized users.

Implement policy and procedures to modify or remove sensitive information in production exports prior to import into development databases.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_12c_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-219844r961863_rule, STIG-ID|O121-BP-023300, STIG-Legacy|SV-75943, STIG-Legacy|V-61453, Vuln-ID|V-219844

Plugin: OracleDB

Control ID: bb9efcf2bcbc3df0e3aae788b0c260b41d20f5e38be8f21856500b23f1af4ef0