18.11: Use Standard Hardening Configuration Templates for Databases
For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Asset Type | Security Function | Implementation Groups |
---|---|---|
N/A | N/A | 2, 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Sub-control 2.1: Maintain Inventory of Authorized Software
Sub-control 2.5: Integrate Software and Hardware Asset Inventories
Sub-control 5.1: Establish Secure Configurations
Inputs
1. The list of database management software being used in the organization
2. The list of systems on which database instances reside
3. The list of enterprise security configuration standards
Operations
1. Determine, from the list of enterprise security configuration standards, which are applicable to database management software (M1)
2. From the list of enterprise security configuration standards, calculate the number of database management software that are covered by the standards (perform the intersection of the results of Operation 1 with Input 1; the result is M2)
Measures
M1 = List of enterprise security configuration standards specific to database management systems
M2 = Count of M1
M3 = List of database management software covered by applicable enterprise security configuration standards
M4 = Count of M3
M5 = List of database management software not covered by applicable enterprise security configuration standards
M6 = Count of M5
M7 = Count of database management software being used in the organization (from Input 1)
Metrics
Coverage
Metric | The ratio of database management software covered by applicable enterprise security configuration standards to the total number of database management software |
Calculation | |
NOTE: The second ask of this sub-control speaks to assessment of Input 2 against security configuration standards determined by Operation 1.
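
The measures above computed over a constructed inventory, as an added example that is not part of the original specification. The record layout (`name`, `category`, `products`), the function names and the sample data are assumptions, and the coverage ratio is taken as M4 / M7 from the wording of the metric.

```python
"""Compute measures M1-M7 and the coverage ratio for sub-control 18.11."""

# Constructed sample data (assumed layout, not from the specification).
DBMS_INVENTORY = ["PostgreSQL", "MySQL", "mongodb", "Redis", "postgresql "]  # Input 1
STANDARDS = [  # Input 3
    {"name": "Org PostgreSQL Baseline", "category": "dbms", "products": ["PostgreSQL"]},
    {"name": "Org MySQL Baseline", "category": "dbms", "products": ["mysql"]},
    {"name": "Org Linux Server Baseline", "category": "os", "products": ["Ubuntu"]},
]


def normalize(product):
    """Case- and whitespace-insensitive key, so 'postgresql ' matches 'PostgreSQL'."""
    return " ".join(product.lower().split())


def assess_18_11(dbms_inventory, standards):
    # Deduplicate Input 1; keep the first spelling seen for reporting.
    inventory = {}
    for product in dbms_inventory:
        inventory.setdefault(normalize(product), product.strip())

    # Operation 1: standards applicable to database management software.
    dbms_standards = [s for s in standards if s["category"] == "dbms"]
    covered_keys = {normalize(p) for s in dbms_standards for p in s["products"]}

    # Operation 2: intersect the covered products with the inventory.
    m3 = sorted(name for key, name in inventory.items() if key in covered_keys)
    m5 = sorted(name for key, name in inventory.items() if key not in covered_keys)
    m7 = len(inventory)
    return {
        "M1": [s["name"] for s in dbms_standards], "M2": len(dbms_standards),
        "M3": m3, "M4": len(m3),
        "M5": m5, "M6": len(m5),
        "M7": m7,
        # Assumed ratio M4 / M7; undefined (None) when no DBMS is inventoried.
        "coverage": len(m3) / m7 if m7 else None,
    }


if __name__ == "__main__":
    for measure, value in assess_18_11(DBMS_INVENTORY, STANDARDS).items():
        print(f"{measure}: {value}")
```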