The Database STIG's System Security Plan

The Database STIG requires a written System Security Plan, and it's the responsibility of the Information Assurance Officer (IAO) to create it (see section 3.1.9 below). Although the DBA doesn't create it, the DBA can advise the IAO, and the DBA is required to maintain compliance with the security plan.

The following excerpts are from the Database STIG, V8R1, and include every reference to "Security Plan":

3.1.4.3 Unique security requirements (encryption of sensitive data)

Access to sensitive data may not always be sufficiently protected by authorizations and requires encryption. In some cases, the required encryption may be provided by the application accessing the database. In others, the DBMS may be configured to provide the data encryption. When the DBMS provides the encryption, the requirement must be implemented as identified by the Information Owner to prevent unauthorized disclosure or access.

                        (DG0106: CAT II) The DBA will ensure security requirements specific to the use of the database are configured as identified in the System Security Plan.

3.1.4.5 Restoration priority of subsystems is identified

When DBMS service is disrupted, the impact it has on the overall mission of the organization can be severe. Without the proper assignment of the priority to be placed on restoration of the DBMS and its subsystems, restoration of DBMS services may not meet mission requirements.

                        (DG0108: CAT III) The IAO will ensure the restoration priority of the database and its supporting subsystems are identified in the System Security Plan.

3.1.6 Partitioning the Application (DCPA)

[content skipped]

                        (DG0109: CAT II) The IAO will ensure the DBMS host is dedicated to support of the DBMS and is not shared with other application services including web, application, file, print, or other services unless mission or operationally required and documented in the System Security Plan.

3.1.9 IA Documentation (DCSD)

A System Security Plan defines the security procedures and policies applicable to the AIS. It includes definition of responsibilities and qualifications for those responsible for administering the security of the AIS [Automated Information System]. For databases, this includes specifically the DBA in addition to the standard SA and IAO roles. Without a security plan, unqualified personnel may be assigned responsibilities that they are incapable of meeting and the database security is prone to an inconsistent and incomplete implementation.

                        (DG0153: CAT III) The IAO will assign and authorize DBA responsibilities for the DBMS.

                        (DG0156: CAT III) The IAM will assign and authorize IAO responsibilities for the DBMS.

                        (DG0154: CAT III) The IAO will ensure the DBMS is included in or has defined for it a System Security Plan.

3.3.4 Changes to Data (ECCD)

The responsibility for managing the auditing configuration for data access may or may not fall to the DBA. In some cases, applications may incorporate their own auditing capability. Where the application depends on the DBMS to provide the auditing of changes to data, the responsibility for auditing for changes to data falls to the DBA. Auditing of changes to sensitive data can provide not only accountability, but also the ability to restore data to the correct value or content.

                        (DG0031: CAT II) The DBA will configure auditing of access or changes to data in accordance with the application requirements specified in the System Security Plan.

3.3.8 Interconnections among DoD systems and Enclaves (ECIC)

Applications that access databases and databases connecting to remote databases that differ in their assigned classification levels may expose sensitive data to unauthorized clients. Any interconnections between databases or applications and databases differing in classification levels are required to comply with interface control rules. This requirement is covered in depth in the Enclave STIG and is listed here to heighten awareness of the requirement during application and DBMS design and planning.

                        (DG0171: CAT II) The DBA will ensure interconnections between databases or other applications operating at different classification levels are identified and their communications configured to comply with the interface controls specified in the System Security Plan.

3.3.10 Logon (ECLO)

[content skipped]

                        (DG0073: CAT II) The DBA will configure the DBMS to lock database accounts after three or an IAO-specified number of consecutive unsuccessful connection attempts within a 60-minute period. The counter may be reset to 0 if a third failed logon attempt does not occur before reset. Where this requirement is not compatible with the operation of a front-end application, the unsuccessful logon count and time will be specified and the operational need documented in the System Security Plan.

[requirement skipped]

                        (DG0134: CAT II) The DBA will configure where supported by the DBMS a limit of concurrent connections by a single database account to the limit specified in the System Security Plan, a number determined by testing or review of logs to be appropriate for the application. The limit will not be set to unlimited except where operationally required and documented in the System Security Plan.

[requirement skipped]

                        (DG0160: CAT III) The DBA will ensure database connection attempts are limited to a specific number of times within a specific time period as specified in the System Security Plan. The limit will not be set to unlimited.
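As an added illustration (not part of the STIG or of this page), the following Python models the DG0073 lockout semantics and the DG0160 per-period attempt cap so a DBA can check the values written into a System Security Plan against concrete logon sequences before configuring the DBMS; the threshold, window and cap values, the account name and the reference time are assumed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are assumptions standing in for what the SSP would specify: the
# STIG default of three failures in 60 minutes, and an attempt cap of 20 per hour.
@dataclass
class LogonPolicy:
    max_failures: int = 3                        # DG0073: consecutive failures before lock
    failure_window: timedelta = timedelta(minutes=60)
    max_attempts: int = 20                       # DG0160: attempts of any kind per window
    attempt_window: timedelta = timedelta(minutes=60)

@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of consecutive failures
    attempts: list = field(default_factory=list)  # timestamps of all attempts
    locked: bool = False

class LogonGuard:
    """Returns 'ok', 'failed', 'locked' (DG0073 lockout) or 'throttled' (DG0160 cap)."""
    def __init__(self, policy: LogonPolicy):
        self.policy = policy
        self.accounts: dict = {}

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        st = self.accounts.setdefault(account, AccountState())
        if st.locked:
            return "locked"            # stays locked until the DBA unlocks the account
        st.attempts = [t for t in st.attempts if now - t < self.policy.attempt_window]
        if len(st.attempts) >= self.policy.max_attempts:
            return "throttled"         # DG0160: over the per-period attempt limit
        st.attempts.append(now)
        if password_ok:
            st.failures.clear()        # a successful logon ends the consecutive run
            return "ok"
        # Drop failures older than the window, so the counter resets to 0 when the
        # third failure does not arrive within 60 minutes of the earlier ones.
        st.failures = [t for t in st.failures if now - t < self.policy.failure_window]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked = True
            return "locked"
        return "failed"

BASE = datetime(2024, 1, 1, 9, 0)   # constructed reference time for the scenarios

def run_scenario(guard: LogonGuard, account: str, events) -> list:
    """events: (minutes after BASE, password_ok) pairs; returns the outcome per attempt."""
    return [guard.attempt(account, ok, BASE + timedelta(minutes=m)) for m, ok in events]
```

A real DBMS keeps the counters itself (for example in a password or login profile); the point of the model is to confirm that the count, window and reset behaviour written into the plan produce the lockouts the IAO expects.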

3.3.12 Marking and Labeling (ECML)

A database user that does not know the sensitivity level of the data being accessed cannot be expected to protect it in accordance with requirements. While normally marking and labeling of the data is handled by the application displaying the data, many applications provided with the DBMS software may not provide this capability. Use or access to any application that cannot display sensitivity labels must be restricted to protect the data from inadvertent disclosure. Where the marking and labeling of the data can be configured by the DBMS, it must be assigned in accordance with the direction of the Information Owner.

                        (DG0087: CAT III) The DBA will configure DBMS marking and labeling of non-public data where required in accordance with the System Security Plan.