This checklist was developed by the Medaille College IT Department to provide guidance for securing databases storing sensitive data. Implementing these security controls will help to prevent data loss, leakage, or unauthorized access to Medaille College databases.
Physical Database Server Security
- The physical machine hosting a database is housed in a secured, locked and monitored environment to prevent unauthorized entry, access or theft.
- Application and web servers are not hosted on the same machine as the database server.
Firewalls for Database Servers
- The database server is located behind a firewall with default rules to deny all traffic.
- The database server firewall is opened only to specific application or web servers, and firewall rules do not allow direct client access.
- Firewall rules for database servers are maintained and reviewed on a regular basis.
- Regularly test machine hardening and firewall rules via network scans.
- The database software version is currently supported by the vendor, and core updates are regularly tested and applied so that the installation remains within vendor support.
- All unused or unnecessary services or functions of the database are removed or turned off.
- Unneeded default accounts are removed, or else their default passwords are changed.
- Null passwords are not used, and temporary files from the install process that may contain passwords are removed.
- Database software is patched to include all current security patches. Provisions are made to maintain security patch levels in a timely fashion.
- If users are allowed sensitive data on their workstations, then client workstations meet the minimum security standards.
- If users are allowed sensitive data on their workstations, then the workstation is protected against unauthorized access to a session by deploying screen savers. Users understand the requirement to lock their workstations when leaving the station.
- If users are allowed sensitive data on their workstations, then the workstation should require an individual login and password.
- If users are allowed sensitive data on their workstations, then sensitive data on the client workstation is encrypted by the workstation’s operating system. (Fall 2014)
- Sensitive data is not stored on transportable devices.
- Sensitive data is never sent via email, either in the body or as an attachment, by either users or as an automated part of the system.
- Sensitive data that is no longer needed is routinely deleted.
- If users are allowed sensitive data on their workstations, then no "Spyware" is allowed on the client workstations.
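The firewall items at the top of this list (default deny, the database port opened only to named application or web servers, no direct client access) can be checked mechanically each time the rules are reviewed. The following Python is an added example, not Medaille's own tooling; the `Rule` shape, the PostgreSQL port 5432 and the server addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DB_PORT = 5432  # assumed (PostgreSQL default); use the port of the DBMS in use

# Constructed sample: the only application/web servers permitted to reach the database.
APP_SERVERS = [ipaddress.ip_network(n) for n in ("10.10.1.5/32", "10.10.1.6/32")]

@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # source address or CIDR
    dport: Optional[int]   # destination port, None = any port

def review_rules(rules: List[Rule], default_policy: str,
                 app_servers=APP_SERVERS, db_port=DB_PORT) -> List[str]:
    """Return the checklist violations found in a rule set (empty list = compliant)."""
    findings = []
    if default_policy != "drop":
        findings.append("default policy must deny all traffic, found: " + default_policy)
    for r in rules:
        if r.action != "accept":
            continue
        if r.dport is None:
            findings.append(f"accept from {r.src} is not limited to a port")
            continue
        if r.dport != db_port:
            continue        # other services are out of scope for this check
        src = ipaddress.ip_network(r.src, strict=False)
        # The source must lie entirely inside an approved application server address.
        approved = any(a.version == src.version and src.subnet_of(a) for a in app_servers)
        if not approved:
            findings.append(f"database port opened to {r.src}, not an approved application server")
    return findings

# Constructed rule sets: one that follows the checklist and one that allows direct client access.
COMPLIANT = [Rule("accept", "10.10.1.5/32", DB_PORT), Rule("accept", "10.10.1.6/32", DB_PORT),
             Rule("accept", "10.20.0.0/24", 22)]
DIRECT_CLIENT_ACCESS = [Rule("accept", "10.0.0.0/8", DB_PORT), Rule("accept", "0.0.0.0/0", None)]
```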
Administrator Accounts / Permissions / Passwords
- DBAs understand their responsibility for reviewing all requested script and database changes to ensure the security of the system is not compromised.
- Accounts with system administration capabilities are provided to as few individuals as is practical, and only as needed to support the application.
- Operating system accounts used by Medaille IT staff to log in to database server machines for administrative duties are individual accounts, and not a shared group account.
- Database accounts used by Medaille IT staff for administrative duties are individual accounts, and not a shared group account.
- A group account is permitted for running automated DBA maintenance and monitoring jobs, such as backups.
- This group account is not used for daily interactive tasks by the DBA group, except when required to troubleshoot maintenance and monitoring jobs.
- Passwords for all DBA operating system accounts and database accounts are strong passwords, and are changed when administrators leave positions.
User Database Roles / Permissions / Passwords / Management & Reporting
- Secure authentication to the database is used.
- Only authorized users have access to the database.
- Users are granted the minimal permissions necessary for their job function in the database.
- Strong passwords in the database are enforced when technically possible, and database passwords are encrypted when stored in the database or transmitted over the network.
- Non-DBA accounts do not allow the granting of roles or permissions in any environment with sensitive data (Production, Dev).
- Database accounts are locked after at most six failed logins.
- Only the sensitive data required for the business function is kept within the database. When possible, historical information is purged when no longer required.
- Redundancy of sensitive data is eliminated throughout the system, and shadowing of sensitive data outside the system of record is avoided wherever possible.
- Sensitive data in non-production environments is held to the same security standards as production systems. In cases where non-production environments are not held to the same security standard as required in production, data in these non-production environments must either be encrypted using industry-standard algorithms, or else test data must be made up for these systems.
- All logins to operating system and database servers, successful or unsuccessful, are logged. These logs are retained for at least one year. (Fall 2014)
- Database objects with sensitive data have auditing turned on where technically possible. (Fall 2014)
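The lockout and logging items above (lock after at most six failed logins; log every successful and unsuccessful login) can be verified from the retained logs. The following Python is an added example, not Medaille's own tooling: it scans constructed audit lines, reports accounts that reached six failures, and, more usefully for a reviewer, accounts that still logged in afterwards, which shows the lockout control is not actually enforced. The line format and the 15-minute counting window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6           # checklist: lock after at most six failed logins
WINDOW = timedelta(minutes=15)  # assumed counting window; the checklist does not fix one

# Constructed sample audit lines (format assumed; adapt LINE_RE to the real DBMS log).
SAMPLE_LOG = """\
2024-03-04T08:00:01Z db-prod LOGIN user=jsmith src=10.10.1.5 result=FAILED
2024-03-04T08:00:02Z db-prod LOGIN user=jsmith src=10.10.1.5 result=FAILED
2024-03-04T08:00:03Z db-prod LOGIN user=jsmith src=10.10.1.5 result=FAILED
2024-03-04T08:00:04Z db-prod LOGIN user=jsmith src=10.10.1.5 result=FAILED
2024-03-04T08:00:05Z db-prod LOGIN user=jsmith src=10.10.1.5 result=FAILED
2024-03-04T08:00:06Z db-prod LOGIN user=jsmith src=10.10.1.5 result=FAILED
2024-03-04T08:00:10Z db-prod LOGIN user=jsmith src=10.10.1.5 result=SUCCESS
2024-03-04T08:05:00Z db-prod LOGIN user=mjones src=10.10.1.6 result=FAILED
2024-03-04T08:05:01Z db-prod LOGIN user=mjones src=10.10.1.6 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ LOGIN user=(?P<user>\S+) src=\S+ "
                     r"result=(?P<result>SUCCESS|FAILED)$")

def parse(line):
    """Return (timestamp, user, result), or None for lines that are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["result"]

def analyse(log_text, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return accounts that hit the threshold ('lock') and those that still logged in ('not_enforced')."""
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    lock, not_enforced = set(), set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result = rec
        q = recent[user]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold:
                lock.add(user)
        elif len(q) >= threshold:         # success while still over the threshold
            not_enforced.add(user)
    return {"lock": lock, "not_enforced": not_enforced}
```

Accounts in `not_enforced` are the ones to raise with the DBA: the log shows the threshold was crossed yet the database still accepted a login.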
Database Backup & Recovery
- All databases and transaction logs are backed up 2 times per day.
- Backup and recovery procedures are periodically tested.
- Backup retention intervals are 30 days for both the core databases and the transaction logs.
- The database backups are stored on our backup server and not on the same machine as the production databases.
- The database backups are encrypted.
- The backup server is held to the same security principles as the database server.
- Backups are disk-to-disk.