Professional Documents
Culture Documents
DWP ss005 Security Standard Database Management Systems v1.1
DWP ss005 Security Standard Database Management Systems v1.1
System Security
Standard
(SS-005)
1. Revision History
Version Author Description Date
0.0a First Draft 08/11/2016
Updated to current template & Sent
0.0b
for Review. 12/01/2017
Updated controls information &
0.0c 13/01/2017
comments.
Updated review Senior Security
0.0d 16/02/2017
Review Comments.
Update control set to include 5 CIS
0.0e 17/02/2017
benchmarks and template.
Updates to controls mapping and
0.0f-0.0g 23/02/2017
minor changes
0.0h Updated all hyperlinks. 01/03/2017
V1.0 1st published version 20/03/2017
V1.1 Version for external publication 30/03/2020
2. Distribution
Version Role/Status Role Date
3. Approval History
Issue Approver Title Role Date
Status
V1.0 Chief Security Officer 18/09/2017
V1.1 Chief Security Officer 30/03/2020
This document will be reviewed for continued completeness, relevancy and accuracy
within 1 year of being granted “final” status, and at yearly intervals thereafter.
Contents
1. Revision History ...................................................................................... 2
2. Distribution .............................................................................................. 2
3. Approval History ..................................................................................... 2
4. Introduction ............................................................................................. 4
5. Purpose .................................................................................................... 4
6. Exceptions ............................................................................................... 4
7. Audience .................................................................................................. 5
8. Scope ....................................................................................................... 5
10. Database Management Systems Security Requirements .................... 6
11. General Security Requirements ............................................................. 6
12. Secure Hardening Configuration Requirements .................................. 6
13. Database Application Access Control Requirements .......................... 8
14. Database Application Logging Control Requirements ........................ 8
15. Backup and Disaster Recovery.............................................................. 9
16. Data Encryption ....................................................................................... 9
17. Authentication & Authorisation ........................................................... 10
18. Compliance ............................................................................................ 10
19. Accessibility .......................................................................................... 10
20. Reference Documents .......................................................................... 11
21. Definition of Terms ............................................................................... 11
4. Introduction
4.1. This document defines the Authority’s security requirements for the
configuration of Database Management Systems (DBMS’s).
4.2. This document is an agnostic DBMS security standard and will provide
overarching controls for any DBMS new to the Authority’s estate in lieu of a security
standard or pattern e.g. the Oracle Database Security Pattern.
4.3. General controls detailed in this document are driven from the need to align to
Authority Security Policy. System hardening configuration guidelines laid out in this
document provides advice and guidance on the secure DBMS deployments in lieu of
a DMBS specific security standard or security pattern.
5. Purpose
5.1. The standard lists technical security requirements on how to secure DBMS’s
securely for Authority use with the aim of protecting Authority data. This Standard
covers systems or data at the OFFICIAL tier of the Government Security
Classification Policy (including the handling caveat (OFFICIAL-SENSITIVE).
6. Exceptions
6.1. Any exceptions to the application of this standard or where controls cannot be
adhered to MUST be presented to the Authority where appropriate. This MUST be
carried out prior to deployment and managed through the design caveats or
exception process*.
6.2. Such exception requests may invoke the Risk Management process in order
to clarify the potential impact of any deviation to the configuration detailed in this
standard.
7. Audience
8. Scope
8.1. All new DBMS builds MUST meet all the requirements in this standard, attest
to meet the standard or be otherwise authorised for exception via an Authority risk
review.
8.3. In the event of uncertainty on the controls laid out in this standard please
contact the Authority for guidance and support on items which require clarification.
9.1. Controls presented in this standard or referred to via this standard may be
subjected to a formalised IT Health Check penetration test to provide
evidence of adequacy and effectiveness.
10.1. The following sections provide the security requirements that MUST be
applied to DBMS’s prior to deployment.
10.2. The following sections provide the security requirements that MUST be
applied to DBMS’s prior to the storing or processing production data of any type or
classification level.
10.3. Each configuration setting is listed with three sections, the first being a control
reference number, secondly the security control requirement that is required to be
configured to the operating system’s default configuration and the third section
provides information on change itself.
11.1.7. Dual input or other input checks such as boundary checking (content
inspection/URL Filtering) or limiting fields to specific ranges of input data MUST be
used.
12.1.2. All databases MUST be hosted on servers which do not perform any other
functionality such as “web or application tier” or “Domain Services” functionality.
12.1.4. The default passwords for accounts and services that are mandatory, for example
SA and Listener, MUST be changed prior to being deployed.
12.1.5. Test databases must not be installed upon production systems.
12.1.7. All administrator, user or application traffic to and from the DBMS MUST
encrypted.
12.1.8. The database must not use unencrypted protocols or non-secure services
(example, HTTP, FTP etc. must not be used).
12.1.9. Unnecessary services or ports MUST be disabled or removed and where possible.
12.1.11. The database servers must restrict network access using IP filtering.
12.1.12. The DBMS MUST avoid the need to run services with privileged accounts on the
underlying host Operating System.
12.1.13. All installations of a DBMS MUST be up to date with all appropriate security
patches prior to deployment into service. **
12.1.14. Only licensed software which has been verified as being authentic with the
supplier can be used for a DBMS.
12.1.15. All DMBS software authenticity checks MUST be completed via a cryptographic
verification or secure receipt of tamper proof / tamper evident packaging.
12.1.16. Default accounts, examples, code, files, objects etc. that are no longer required
after installation MUST be deleted from the DBMS and also the host operating
system.
12.1.17. The DBMS configuration MUST not permit default accounts (e.g. PUBLIC) to
remain active.
13.1.2. DBMSs MUST authenticate the user (or application requesting access), or if that
is not possible, then it MUST record and log the user which requested that
function.
13.1.3. User privileges MUST be granted on the basis of inclusion into roles. Privileges
MUST not be granted directly to application / user accounts on the DBMS.
13.1.4. All databases must ensure that the HTTP interface is disabled.
13.1.5. Role-based access control must be enabled and configured appropriately pre a
fully defined Role Based Access Control (RBAC) model.
13.1.6. Each role for each database must only grant the necessary privileges as per the
principle of least privilege.
13.1.7. Each database deployment must ensure that access to data/files reflects the
defined RBAC model and assigned permissions.
13.1.8. Replication slave backups must be made for all database systems.
13.1.11. Any anonymous, default accounts and sample data must be removed from the
database.
14.1.2. The clocks of all Applications MUST be MUST be synchronized with the
underlying Operating System clock.
14.1.3. Logs may be appended to the Operating System Logs or be self-contained within
the application.
15.1.3. Replication slave backups must be made for all database systems.
16.1.4. All encrypted channels and stored data must not use a default or example
certificate.
16.1.5. All encryption keys must be generated for a specific use case.
16.1.7. All encryption certificates must be verified from both the provider and the
Certificate Authority (CA).
18. Compliance
18.1. Compliance with this standard MUST occur as follows:
19. Accessibility
19.1. No user interfaces are included in this standard and accessibility is not
applicable as part of this standard. However, it is deemed that Suppliers
implementing this standard are obliged to incorporate accessibility functions.