THE FIJI GOVERNMENT INFORMATION TECHNOLOGY DATABASE CREDENTIALS POLICY. Version 1.00.00



Similar documents
Xerox DocuShare Security Features. Security White Paper

Centralized Oracle Database Authentication and Authorization in a Directory

Data Security and Governance with Enterprise Enabler

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

DB2 - DATABASE SECURITY

The University of Texas at El Paso Information Security Policies

LDAP Authentication Configuration Appendix

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Authentication, Access Control, Auditing and Non-Repudiation

Training module 2 Installing VMware View

SAML-Based SSO Solution

Copyright

Delegated Administration Quick Start

Netop Remote Control Security Server

An Oracle White Paper September Directory Services Integration with Database Enterprise User Security

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

CAPITAL UNIVERSITY PASSWORD POLICY

How To Secure Your Data Center From Hackers

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

User Roles & Adding Domains & Users

CMDBuild Authentication (file auth.conf)

Web Applications Access Control Single Sign On

Hardware and Software Requirements for Installing California.pro

Oracle Identity and Access Management 10g Release running on Red Hat Enterprise Linux AS Release 4 Update 5

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Thick Client Application Security

HP Device Manager 4.6

Configuring and Using the TMM with LDAP / Active Directory

How To Protect Freespeech From Attack From A Hacker Attack

Potential Targets - Field Devices

Quality Center LDAP Guide

Active Directory LDAP

Secure Access Control for Control System Operations. Andrew Wright, CTO

customer care solutions

PineApp Surf-SeCure Quick

CITY OF BOULDER *** POLICIES AND PROCEDURES

Security. TestOut Modules

Enterprise Security Critical Standards Summary

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Integrating LANGuardian with Active Directory

IBM Managed Security Services (Cloud Computing) hosted and Web security - express managed Web security

OpenLDAP Oracle Enterprise Gateway Integration Guide

Introduction to Virtual Datacenter

How To Set Up An Openfire With Libap On A Cdd (Dns) On A Pc Or Mac Or Ipad (Dnt) On An Ipad Or Ipa (Dn) On Your Pc Or Ipo (D

CoSign by ARX for PIV Cards

Oracle Identity Manager (OIM) as Enterprise Security Platform - A Real World Implementation Approach for Success

CREDENTIAL MANAGER IN WINDOWS 7

Security and Control Issues within Relational Databases

Secure network guest access with the Avaya Identity Engines portfolio

ACCESS CONTROL TO A NETWORKED COMPUTER SYSTEM

Parent Single Sign-On Quick Reference Guide

4cast Server Specification and Installation

Remote Authentication and Single Sign-on Support in Tk20

TIBCO Spotfire Platform IT Brief

How To Use Saml 2.0 Single Sign On With Qualysguard

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Replacing Sneaker Net with the Internet. DREXEL UNIVERSITY ischool INFO614 DISTRIBUTED COMPUTING & NETWORKING FINAL PROJECT

Passing PCI Compliance How to Address the Application Security Mandates

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

Utilizing LDAP for User Profile and Corporate Structure Integration

TERMS AND CONDITIONS OF REMOTE DATA TRANSMISSION

McAfee Cloud Single Sign On

THE UNIVERSITY OF THE WEST INDIES Electronic Mail & Messaging Services Policy 1. Introduction

Distributed File Systems Part I. Issues in Centralized File Systems

Cloud Security Best Practices

Kamala D. Harris Attorney General California Department of Justice

Certification Practice Statement

ICT USER ACCOUNT MANAGEMENT POLICY

Directory and File Transfer Services. Chapter 7

Oracle WebCenter Content

Defense In-Depth to Achieve Unbreakable Database Security

Montefiore Portal Quick Reference Guide

Using MailStore to Archive MDaemon

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Chapter 6: Fundamental Cloud Security

HP Device Manager 4.7

RELEASE NOTES. Modification Notes. Introduction. Security. System authentication. Product/version/build: Remote Control 10.

Five Steps to Improve Internal Network Security. Chattanooga ISSA

SAML-Based SSO Solution

Managing Users and Identity Stores

Backing Up and Restoring Data

WASHINGTON STATE EMPLOYEES CREDIT UNION ONLINE BANKING AGREEMENT BUSINESS ACCOUNTS

Identity and Access Management Standard for State Government Agencies

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

Supplier Information Security Addendum for GE Restricted Data

Configuring User Identification via Active Directory

Identity Governance Evolution

WirelessOffice Administrator LDAP/Active Directory Support

Authentication Integration

GET IN NOW Step 2: Add Users

Please return this document to when complete.

Oracle Database Security

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Using Microsoft Active Directory for Checkpoint NG AI SecureClient

Web. Security Options Comparison

Transcription:

THE FIJI GOVERNMENT INFORMATION TECHNOLOGY DATABASE CREDENTIALS POLICY Version 1.00.00

DOCUMENT APPROVAL This document has been reviewed and authorized by the following personnel. Writer Reviewer Position: Quality Assurance Manager Position: Document Versioning Revision Document Version: Document Path T:\Quality Assurance\Documents\Policies, Procedures, Standards\Policies\DB Credentials Policy.doc 2

TABLE OF CONTENTS 1. PURPOSE... 4 2. SCOPE... 4 3. POLICY... 4 3.1 GENERAL... 4 3.2 SPECIFIC REQUIREMENTS... 4 3.2.1 Storage of Data Base User Names and Passwords...4 3.2.2 Retrieval of Database User Names and Passwords...5 3.3 ACCESS TO DATABASE USER NAMES AND PASSWORDS... 5 3.4 CODING TECHNIQUES FOR IMPLEMENTING THIS POLICY... 5 4. ENFORCEMENT... 5 5. DEFINITIONS... 6 6. REVISION HISTORY...Error! Bookmark not defined. 7. SIGN OFF... 7 3

1. PURPOSE This policy states the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of GOVNET's networks. Computer programs running on GOVNET's networks often require the use of one of the many internal database servers. In order to access one of these databases, a program must authenticate to the database by presenting acceptable credentials. The database privileges that the credentials are meant to restrict can be compromised when the credentials are improperly stored. 2. SCOPE This policy applies to all software that will access a GOVNET, multi-user production database. 3. POLICY 3.1 General In order to maintain the security of GOVNET's internal databases, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program's source code in clear text. Database credentials must not be stored in a location that can be accessed through a web server. 3.2 Specific Requirements 3.2.1 Storage of Data Base User Names and Passwords Database user names and passwords may be stored in a file separate from the executing body of the program's code. This file must not be world readable. Database credentials may reside on the database server. In this case, a hash number identifying the credentials may be stored in the executing body of the program's code. Database credentials may be stored as part of an authentication server (i.e., an entitlement directory), such as an LDAP server used for user authentication. Database authentication may occur on behalf of a program as part of the user authentication process at the authentication server. In this case, there is no need for programmatic use of database credentials. Database credentials may not reside in the documents tree of a web server. 4

Pass through authentication (i.e., Oracle OPS$ authentication) must not allow access to the database based solely upon a remote user's authentication on the remote host. Passwords or pass phrases used to access a database must adhere to the Password Policy. 3.2.2 Retrieval of Database User Names and Passwords If stored in a file that is not source code, then database user names and passwords must be read from the file immediately prior to use. Immediately following database authentication, the memory containing the user name and password must be released or cleared. The scope into which you may store database credentials must be physically separated from the other areas of your code, e.g., the credentials must be in a separate source file. The file that contains the credentials must contain no other code but the credentials (i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials. For languages that execute from source code, the credentials' source file must not reside in the same browseable or executable file directory tree in which the executing body of code resides. 3.3 Access to Database User Names and Passwords Every program or every collection of programs implementing a single business function must have unique database credentials. Sharing of credentials between programs is not allowed. Database passwords used by programs are system-level passwords as defined by the Password Policy. Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy. This process must include a method for restricting knowledge of database passwords to a need-to-know basis. 3.4 Coding Techniques for implementing this policy Windows authentication is the preferred authentication. Database security can also be used, but prior approval is needed from ITC management. There are to be no usernames and passwords hard coded into applications. 4. ENFORCEMENT Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 5

5. DEFINITIONS Term Definition Computer language A language used to generate programs. Credentials Something you know (e.g., a password or pass phrase), and/or something that identifies you (e.g., a user name, a fingerprint, voiceprint, retina print). Something you know and something that identifies you are presented for authentication. Entitlement Executing body Hash LDAP Module Name space Production The level of privilege that has been authenticated and authorized. The privileges level at which to access resources. The series of computer instructions that the computer executes to run a program. An algorithmically generated number that identifies a datum or its location. Lightweight Directory Access Protocol, a set of protocols for accessing information directories. A collection of computer language instructions grouped together either logically or physically. A module may also be called a package or a class, depending upon which computer language is used. A logical area of code in which the declared symbolic names are known and outside of which these names are not visible. Software that is being used for a purpose other than when software is being implemented or tested. 6

6. DECLARATION I have read, understand and acknowledge receipt of the DB Credentials Policy. I will comply with the guidelines set out in this policy and understand that failure to do so might result in withdrawal of services and disciplinary or legal action. 7. SIGN OFF Quality Assurance PC/Server Team Database Support Team Development Team 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information