
Database data files containing sensitive information should be encrypted.


Overview

Finding ID: V-15132
Version: DG0092-SQLServer9
Rule ID: SV-24246r1_rule
IA Controls: ECCR-1, ECCR-2, ECCR-3
Severity: Medium
Description
Where access controls do not provide complete protection of sensitive or classified data, encryption can help to close the gap. Encrypting sensitive data helps prevent disclosure to privileged users, such as host administrators who can read the data files outside the database, who have no need-to-know for that data. Encryption also provides protection where database controls cannot restrict access to individual rows and columns.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13773r1_chk)
Review the System Security Plan and/or the AIS Functional Architecture documentation to discover sensitive or classified data identified by the Information Owner that requires encryption.

If no sensitive or classified data is identified as requiring encryption by the Information Owner, this check is Not a Finding.

Have the DBA use select statements in the database to review sensitive data stored in tables as identified in the System Security Plan and/or AIS Functional Architecture documentation.

If all sensitive data as identified is encrypted within the database objects, encryption of the DBMS data files is optional and Not a Finding.

If any of the identified sensitive data is not encrypted within database objects, review the encryption applied to the DBMS host data files that hold it.

If no encryption is applied to those host data files, this is a Finding.

If encryption is required by the Information Owner, verify that NIST-certified cryptography (FIPS 140-validated modules) is used to encrypt stored sensitive information (ECCR-1).

If encryption is required by the Information Owner, verify that NIST-certified cryptography is used to encrypt stored classified, non-sources-and-methods intelligence information (ECCR-2).

If a classified enclave contains sources-and-methods intelligence data and is accessed by individuals lacking an appropriate clearance for sources-and-methods intelligence, verify that NSA-approved cryptography is used to encrypt all sources-and-methods intelligence stored within the enclave (ECCR-3).

Determine which DBMS data files contain sensitive data. Not all DBMS data files will require encryption.
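
The check above asks the DBA to confirm which host data files hold the identified sensitive data, whether that data is stored in clear, and what cryptography is already in use. The T-SQL below is an added example, not part of the STIG text, of queries that answer those questions on a SQL Server 2005 instance; the database SensitiveDB, table dbo.Patient and column SSN are assumed names standing in for whatever the System Security Plan identifies.

```sql
-- Added example (not DISA text). SensitiveDB, dbo.Patient and SSN are assumed
-- placeholders for the objects named in the System Security Plan.
USE SensitiveDB;
GO

-- 1. Which host data file(s) hold the sensitive table?  A table's pages live
--    in the filegroup of its clustered index (index_id = 1) or heap (0), so
--    every file in that filegroup must be covered by host-level encryption
--    if the column itself is stored in clear.
SELECT  t.name           AS table_name,
        fg.name          AS filegroup_name,
        df.name          AS logical_file_name,
        df.physical_name AS host_path
FROM    sys.tables t
JOIN    sys.indexes i         ON i.object_id = t.object_id AND i.index_id IN (0, 1)
JOIN    sys.filegroups fg     ON fg.data_space_id = i.data_space_id
JOIN    sys.database_files df ON df.data_space_id = fg.data_space_id
WHERE   t.name = 'Patient';

-- 2. Spot-check whether the sensitive column is readable in clear.  A column
--    protected with EncryptByKey is varbinary and returns only bytes; a plain
--    varchar returns the value itself, which is what the check is looking for.
SELECT TOP 5 PatientID, SSN FROM dbo.Patient;

-- 3. Inventory the keys and algorithms present in this database.  Anything
--    weaker than AES (DES, RC2, RC4) or a key not protected by a certificate
--    or the database master key fails the NIST-certified cryptography test.
SELECT  name, algorithm_desc, key_length, create_date
FROM    sys.symmetric_keys;
SELECT  name, subject, expiry_date, pvt_key_encryption_type_desc
FROM    sys.certificates;
```

Run the first query for each table listed as sensitive; the distinct set of host_path values is the list of files that must be encrypted at the host if the column data is in clear, and the remaining files in the database need not be.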

Fix Text (F-18457r1_fix)
Use third-party tools or native DBMS features to encrypt sensitive or classified data stored in the database.

Use only NIST-certified or NSA-approved cryptography to provide encryption.

Document acceptance of risk by the Information Owner where sensitive or classified data is not encrypted.

Have the IAO document assurance that the unencrypted sensitive or classified information is otherwise inaccessible to those who do not have Need-to-Know access to the data.

To lessen the impact on system performance, separate sensitive data where file encryption is required into dedicated DBMS data files.

Consider additional auditing of access to any unencrypted sensitive or classified data, by users both with and without Need-to-Know.
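
As an added example, not DISA's fix text or any script from the STIG, the following T-SQL applies the native SQL Server 2005 controls the fix describes: a dedicated filegroup and data file for the sensitive table, so that host-level file encryption can be scoped to that one file, and AES-256 column encryption through the database master key / certificate / symmetric key hierarchy, with decryption limited to a need-to-know role. SensitiveDB, SENSITIVE_FG, dbo.Patient, SSN, CIX_Patient, PatientDataReaders, the file paths and the passwords are all assumed placeholders.

```sql
-- Added example, not DISA's fix text.  All names, paths and passwords are
-- assumed placeholders.  Run as db_owner/sysadmin on a SQL Server 2005 instance.

-- 1. Dedicated filegroup and file for the sensitive table, so host-level
--    file encryption (e.g. EFS) can be limited to this single .ndf.
ALTER DATABASE SensitiveDB ADD FILEGROUP SENSITIVE_FG;
ALTER DATABASE SensitiveDB
    ADD FILE (NAME = 'SensitiveDB_sens',
              FILENAME = 'E:\SQLData\SensitiveDB_sens.ndf',   -- assumed path
              SIZE = 64MB, FILEGROWTH = 64MB)
    TO FILEGROUP SENSITIVE_FG;
GO
USE SensitiveDB;
GO
-- Rebuilding the clustered index on the new filegroup moves the table's pages.
-- Assumes an existing non-constraint clustered index CIX_Patient; a clustered
-- PRIMARY KEY would instead have to be dropped and re-created ON SENSITIVE_FG.
CREATE CLUSTERED INDEX CIX_Patient ON dbo.Patient (PatientID)
    WITH (DROP_EXISTING = ON) ON SENSITIVE_FG;
GO

-- 2. Key hierarchy for column encryption: DMK -> certificate -> AES-256 key.
--    Skip CREATE MASTER KEY if the database already has one.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Assumed-DMK-Passw0rd!';
CREATE CERTIFICATE PatientCert WITH SUBJECT = 'Key-encrypting cert for Patient.SSN';
CREATE SYMMETRIC KEY PatientSSNKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PatientCert;
GO
-- Back up the certificate and private key before any clear data is dropped;
-- losing them makes the ciphertext unrecoverable.
BACKUP CERTIFICATE PatientCert
    TO FILE = 'E:\KeyBackup\PatientCert.cer'                   -- assumed path
    WITH PRIVATE KEY (FILE = 'E:\KeyBackup\PatientCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Assumed-Backup-Passw0rd!');
GO

-- 3. Encrypt in place: add a varbinary column, populate it, drop the clear one.
--    Assumes SSN is varchar(11) with no index or constraint defined on it.
ALTER TABLE dbo.Patient ADD SSN_enc varbinary(128);
GO
OPEN SYMMETRIC KEY PatientSSNKey DECRYPTION BY CERTIFICATE PatientCert;
UPDATE dbo.Patient
   SET SSN_enc = EncryptByKey(Key_GUID('PatientSSNKey'), SSN);
CLOSE SYMMETRIC KEY PatientSSNKey;
ALTER TABLE dbo.Patient DROP COLUMN SSN;
GO

-- 4. Verify.  With the key closed, DecryptByKey returns NULL and the table
--    (and the .ndf on disk) expose only ciphertext; with it open, the value
--    is recovered.  The CONVERT must match the original column type.
SELECT TOP 5 PatientID, SSN_enc,
       CONVERT(varchar(11), DecryptByKey(SSN_enc)) AS SSN_key_closed
FROM dbo.Patient;
OPEN SYMMETRIC KEY PatientSSNKey DECRYPTION BY CERTIFICATE PatientCert;
SELECT TOP 5 PatientID,
       CONVERT(varchar(11), DecryptByKey(SSN_enc)) AS SSN_key_open
FROM dbo.Patient;
CLOSE SYMMETRIC KEY PatientSSNKey;
GO

-- 5. Need-to-know: only the assumed role PatientDataReaders may open the key.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::PatientSSNKey TO PatientDataReaders;
GRANT CONTROL ON CERTIFICATE::PatientCert TO PatientDataReaders;
```

SQL Server 2005 has no Transparent Data Encryption (that arrived in SQL Server 2008), so on this platform the choices are column-level encryption as shown, or encrypting the dedicated .ndf on the host (for example with EFS under the SQL Server service account), which is why the file is separated first. Two caveats matter for the "privileged users without need-to-know" point in the description: by default the database master key is also protected by the service master key, so any sysadmin on the instance can still open the symmetric key; to close that path, run ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY and open the DMK explicitly with its password when needed. And EncryptByKey output is randomized (it embeds a fresh IV), so the encrypted column cannot be indexed or searched by equality; lookups by SSN must decrypt rows or use a separate keyed hash column.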