Database Security Checklist for MS SQL Server 2005 Ver 8, Rel 1.9 - Checklist Details

Supporting Resources:

Target:

Target                        CPE Name
Microsoft SQL Server 2000     cpe:/a:microsoft:sql_server:2000
Microsoft SQL Server 2005     cpe:/a:microsoft:sql_server:2005
Microsoft SQL Server 7.0      cpe:/a:microsoft:sql_server:7.0

Checklist Highlights

Checklist Name:
Database Security Checklist for MS SQL Server 2005
Checklist ID:
157
Version:
Ver 8, Rel 1.9
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
12/25/2009

Checklist Summary:

The Database Security Readiness Review (SRR) targets conditions that undermine the integrity of security, contribute to inefficient security operations and administration, or may lead to interruption of production operations. Additionally, the review ensures the site has properly installed and implemented the database environment and that it is being managed in a way that is secure, efficient, and effective. The items reviewed are based on Department of Defense (DOD) policy and the Database Security Technical Implementation Guide. Each security item to review is listed in this document with a procedure for measuring compliance with the security requirement. The result of the procedure is a status of compliance with the requirement. Results are assigned as one of the following:

  • O = Open: finding or non-compliance
  • NF = Not a Finding: compliance
  • NA = Not Applicable: the item is not applicable to the database version, database use, or host platform being reviewed
  • NR = Not Reviewed: the procedure was not completed, so compliance is not determined

Checklist Role:

  • Database Server

Known Issues:

The execution of the SQL Server 2005 script and many of the manual procedures require SYSADMIN privileges in the SQL Server instance. Some operating system commands require Administrator privileges to the host operating system. This will vary based on the permissions assigned to the account used. It is recommended the account used for installation of SQL Server be used to process the security review as this account is expected to have access required. Use of this account would be expected to be logged and monitored by an authorized DBA or the IAO.

Target Audience:

Developed for the DOD. This checklist has been created for IT professionals, information security and database personnel. The document assumes that the reader has experience administering Microsoft SQL Server.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

DISA Field Security Operations has assigned a level of urgency to each finding based on Chief Information Officer (CIO) established criteria for certification and accreditation. All findings are based on regulations and guidelines. All findings require correction by the host organization. Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, superuser access, or access that bypasses a firewall. Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder. Category III findings are any vulnerabilities that provide information that potentially could lead to compromise. NOTE: Security patches required by the DOD IAVM process are reviewed during an operating system security review. Information for security patch compliance is available in Appendix A of this Database Security Checklist.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Version 8, Release 1.8 - 24 January 2014
Version 8, Release 1.7
Version 8, Release 1.2
Added point of contact
Updated URL to reflect change to the DISA website - http --> https
Moved to archive status - 4/15/19
Updated URLs - 6/24/19
Updated URLs - 9/11/19

Dependency/Requirements:


References:


NIST checklist record last modified on 09/11/2019