The Federal Information Security Management Act (FISMA) of 2002, enacted as Title III of the E-Government Act, was passed by the U.S. Congress and signed by the U.S. President. It addresses the significance of information security to the economic and national security interests of the United States. It requires each federal agency, its subcontractors and service providers, including any organization that operates IT systems on behalf of a federal agency, to develop, document and implement a program that ensures the security of the information and information systems related in any way to the operations and assets of the agency.
The Recommended Security Controls for Federal Information Systems publication issued by the National Institute of Standards and Technology (NIST) is the major component of FISMA implementation; it is published as NIST Special Publication 800-53.
NIST Special Publication 800-53 lists 17 general security categories which are used to evaluate an information security control program and measure its level of compliance with obligations under FISMA. Each category in turn contains multiple subcategories (e.g. AC-1 Access Control Policy and Procedures, AC-2 Account Management, AC-3 Access Enforcement, etc.) that provide more detail for the related category of information security and assurance. Consult Appendix F of NIST SP 800-53 for additional information.
ApexSQL Audit can partially or fully assist in implementing some or all aspects of the following NIST categories in the context of a SQL Server audit:
- Access Control (AC)
- Audit and Accountability (AU)
- Certification, Accreditation and Assessments (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
| FISMA (NIST 800-53 rev. 4) | Level of Support | Supporting Features ApexSQL Audit Provides |
| --- | --- | --- |
| Access Control (AC) | | |
| AC-1 Access Control Policy and Procedures | Supports | ApexSQL Audit can assist with the user profile compliance policy, including documenting the access control policy and the associated access control procedures |
| AC-2 Account Management | Supports | ApexSQL Audit audits SQL Server related accounts to fulfill the user profile compliance policy. Any operation on any SQL Server account can be tracked and documented, with real-time alerting on the creation, enabling, modification, disabling and deletion of any user account |
| AC-3 Access Enforcement | Supports | ApexSQL Audit can audit permissions and access to SQL Server at the user and application level, allowing the user to track all inconsistencies via generated reports and thus enforce the user profile compliance policy and user control |
| AC-4 Information Flow Enforcement | Supports with Exception | ApexSQL Audit can audit and collect information on every application and client host that accesses SQL Server, including the information that is stored to or retrieved from SQL Server |
| AC-5 Separation Of Duties | Supports | Audits all user activities, including access by role, with real-time alerting on any unauthorized user access. Allows the review of all user activities to verify that only authorized users have accessed SQL Server or specified parts of it |
| AC-6 Least Privilege | Supports | ApexSQL Audit can audit SQL Server for any new user creation or any change to existing users, including real-time alerting, to ensure that only approved users with approved user rights are present in the system and that their access rights to defined parts of SQL Server are properly defined |
| AC-7 Unsuccessful Logon Attempts | Supports | ApexSQL Audit can audit, alert and report on any failed logon activity |
| AC-9 Previous Logon Notification | Supports | ApexSQL Audit can audit any SQL Server logon/logoff activity and report on logon activity with the precise date/time of logon/logoff events |
| AC-11 Session Lock | Supports with Exception | Audits individual user SQL Server activities, including the date/time of each activity, allowing verification that user sessions are locked in a timely manner and according to the established policy |
| AC-12 Session Termination | Supports with Exception | Audits individual user SQL Server activities, including the date/time of each activity, allowing verification that user sessions are terminated in a timely manner and according to the established policy |
| AC-13 Supervision and Review (Access Control) | Supports | Reports on SQL Server related activities, including the ability to consolidate audit data from different SQL Servers into one report. Instant alerts on any unauthorized access event |
| AC-14 Permitted Actions Without Identification Or Authentication | Supports | Comprehensive reporting, including precisely specified events, allows validating that any user actions executed without appropriate authorization and/or authentication are in line with established company and business tasks |
| AC-17 Remote Access | Supports | ApexSQL Audit can audit, alert and report on any remote access session, including identification of the remote client host |
| AC-21 Information Sharing | Supports | ApexSQL Audit can audit access to any SQL Server object, alert on any unauthorized access and report on any object access activity, ensuring that only allowed users have accessed particular information, according to the information access restrictions |
| AC-22 Publicly Accessible Content | Supports | Audits access to any non-public SQL Server objects/data to make evident that users without appropriate permissions can access only public SQL Server content |
| AC-23 Data Mining Protection | Supports | Audits, alerts in real time and reports on any data access by SQL Server users to make evident whether any data mining activity is occurring |
| Audit and Accountability (AU) | | |
| AU-1 Audit And Accountability Policy And Procedures | Supports | ApexSQL Audit can assist in implementing the required auditing procedures and is suited to supporting accountability procedures. Events to be audited can be specified at the system, user, object and data level, and the data records to be audited for reading can be specified. Ensures the system values compliance policy |
| AU-2 Auditable Events | Supports | ApexSQL Audit can be used for continuous auditing of all SQL Server events with zero data loss, including SQL Server system events. Real-time alerting on any unauthorized access event. Comprehensive and precise reporting, including the ability to consolidate audited data from multiple SQL Servers in a single report. Validates that the defined auditing fulfills the defined regulatory requirements |
| AU-3 Content Of Audit Records | Supports | ApexSQL Audit collects, stores and reports on audited events with fully detailed information for each audited SQL Server event |
| AU-4 Audit Storage Capacity | Supports | ApexSQL Audit allows managing the repository database data files: archiving, moving archives to any network location and reading archived data directly. Audit data can be stored on a dedicated machine. Alerts on free storage capacity where the repository database data files are located, with a user-defined free storage alert threshold, and on central repository database size, with a user-defined size alert threshold. Built-in mechanisms prevent loss of audited data when storage capacity for the repository database is exhausted |
| AU-5 Response To Audit Processing Failures | Supports | Built-in system alerts fire in real time when auditing failures occur |
| AU-6 Audit Review, Analysis, And Reporting | Supports | ApexSQL Audit simplifies the defined procedures for reviewing audit records and the requirements for additional analysis |
| AU-7 Audit Reduction And Report Generation | Supports | ApexSQL Audit allows archiving and reporting on audited data, including the ability to generate precise reports according to user-defined criteria. Reporting on any auditing configuration changes and internal events is provided via predefined reports |
| AU-8 Time Stamps | Supports | ApexSQL Audit includes a time stamp in all logged events and raised alerts |
| AU-9 Protection Of Audit Information | Supports | ApexSQL Audit features a tamper-evident central repository database design with 256-bit hash protection. Alerts on any tampering with the repository database. Automatic checking of repository database integrity, with a user-defined integrity checking interval. Reports on any repository database integrity breach |
| AU-10 Non-Repudiation | Supports | ApexSQL Audit includes the user ID in all logged events and raised alerts |
| AU-11 Audit Record Retention | Supports with Exception | ApexSQL Audit provides selective retention of audited data via manual and scheduled archiving, with the ability to read and manage the audited data records for unlimited terms under a flexible policy |
| AU-12 Audit Generation | Supports | ApexSQL Audit supports configurable generation of the audit log |
| Certification, Accreditation and Assessments (CA) | | |
| CA-2 Audit And Accountability Policy And Procedures | Supports | ApexSQL Audit can assist in implementing the required auditing procedures and is suited to supporting accountability procedures. Events to be audited can be specified at the system, user, object and data level, and the data records to be audited for reading can be specified. Ensures the system values compliance policy |
| CA-3 System Interconnections | Supports with Exception | ApexSQL Audit includes client host information in all logged events and raised alerts, making it possible to track whether any unauthorized interconnection between two information systems is established without the use of Interconnection Security Agreements |
| CA-7 Continuous Monitoring | Supports | ApexSQL Audit is capable of continuously auditing SQL Server activities with a zero data loss policy |
| CA-8 Continuous Monitoring | Supports | The alerting system and the audited information stored in the central repository database allow analysis for any unauthorized SQL Server access or activities |
| Configuration Management (CM) | | |
| CM-3 Configuration Change Control | Supports | ApexSQL Audit allows reviewing all configuration changes. It can track and store all configuration changes, including reporting on these changes |
| CM-4 Security Impact Analysis | Supports | Detailed reporting on audited events related to SQL Server security can be used to verify that the security related functions of SQL Server are not affected |
| CM-5 Access Restrictions For Change | Supports | Audits all SQL Server user permissions, alerts on any permission change and generates regular reports to verify that security restrictions are established and maintained according to the rules, in order to prevent any unauthorized access to and use of SQL Server |
| CM-6 Configuration Settings | Supports | ApexSQL Audit can generate precise and detailed reports on audited events that can be compared with the specified configuration to detect any deviation from the predefined SQL Server configuration |
| CM-7 Least Functionality | Supports | Regularly generate and review reports to identify any restricted or malicious events and make sure that the regulation controls are properly implemented and current |
| CM-9 Configuration Management Plan | Supports | Regularly review the reports to validate the configuration management plan and identify potential unauthorized disclosure and modification throughout the system development life cycle |
| Contingency Planning (CP) | | |
| CP-4 Contingency Plan Testing | Supports | Auditing tests and reviewing the resulting audit trail allows easy determination of the test plan's effectiveness and makes corrective actions easier |
| CP-6 Alternate Storage Site | Supports | On establishing an alternate storage site, audit all activity and review reports to ensure that the alternate storage site utilizes information security safeguards equal to those of the primary site, so that compliance is established within the defined parameters |
| CP-7 Alternate Processing Site | Supports | Audit the alternate processing site activity and review reports to ensure that the alternate processing site has the same information security safeguards as the primary site, which ensures that compliance requirements are fulfilled |
| CP-9 Information System Backup | Supports | ApexSQL Audit can audit all SQL Server backup activities, including real-time alerting. The reporting system can generate precise reports on all backup activities via predefined or custom reports. Reviewing the reports helps determine whether the established backup procedures are followed properly and in a timely manner |
| CP-10 Information System Recovery And Reconstitution | Supports | ApexSQL Audit is capable of tracking and logging all SQL Server restore activities. Via ApexSQL Log or ApexSQL Recover it is possible to recover/reconstruct even maliciously or accidentally updated or deleted data, fully or selectively, to a specified point in time |
| CP-12 Safe Mode | Supports | Define appropriate real-time alerts to be notified of any activity that does not follow the imposed safe mode restrictions and limitations. Review reports regularly to certify that there were no breaches of safe mode restrictions |
| Identification And Authentication (IA) | | |
| IA-2 Identification And Authentication (Organizational Users) | Supports | ApexSQL Audit can audit all user activities and access to SQL Server objects. Auditing alerts can be established for access to objects by unauthorized users |
| Incident Response (IR) | | |
| IR-4 Incident Handling | Supports | Auditing and reviewing the resulting audit trail allows easy determination and analysis of the root cause of an incident |
| IR-5 Incident Monitoring | Supports | Review all audited activity and alerts for the SQL Server involved in the incident |
| IR-6 Incident Reporting | Supports | Review every real-time alert raised and generate/review reports on a regular basis |
| IR-9 Information Spillage Response | Supports | ApexSQL Audit can audit all data related activities, including data reads. Precise alerting on any data related activity can be established to identify violations in real time |
| Maintenance (MA) | | |
| MA-2 Controlled Maintenance | Supports | Audit all SQL Server activity during maintenance and check SQL Server activity in the post-maintenance period |
| Personnel Security (PS) | | |
| PS-4 Personnel Termination | Supports | Review audit trail reports to make sure that the appropriate revocation of authenticators and credentials associated with the individual is performed and, if performed, check the time stamp to validate that it was performed in a timely manner |
| PS-5 Personnel Transfer | Supports | ApexSQL Audit can audit all security and user modifications that can change the personnel's SQL Server access right limitations |
| PS-8 Personnel Sanctions | Supports | Detailed review of audit reports to identify inappropriate individual actions, their severity and the reason for imposing sanctions |
| Risk Assessment (RA) | | |
| RA-3 Risk Assessment / RA-5 Vulnerability Scanning | Supports | Review alerts and reports for any unauthorized access to SQL Server or SQL Server objects/data, for any object or data modification and for the consequences of such actions |
| System And Communications Protection (SC) | | |
| SC-2 Application Partitioning / SC-3 Security Function Isolation | Supports | ApexSQL Audit can establish auditing of specified privileged users for their system access control and track any management activities. Alerting can be established explicitly for privileged users and for specific privileged user activities |
| SC-4 Information In Shared Resources | Supports | ApexSQL Audit can track all access and data modifications on databases/tables without access limitations, including Before-After auditing and any data read activity |
| System And Information Integrity (SI) | | |
| SI-4 Information System Monitoring | Supports | ApexSQL Audit can establish auditing of privileged users, of all applications accessing SQL Server, of all data activity including data reads, of any security related activity and of unauthorized access attempts |
| SI-5 Security Alerts, Advisories, And Directives | Supports | For each audited activity an appropriate auditing alert can be created. Alerts can be defined for a single specific activity or for a group of activities. Review alerts and reports to ensure that SQL Server complies with security directives |
| SI-6 Security Function Verification | Supports | Use alerts and reports to verify the correct operation of the defined security functions. Review reports for failed security verification tests |
| SI-12 Information Handling And Retention | Supports | ApexSQL Audit can audit all SQL Server Before-After data activity, covering the full data life cycle and extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention |
See the Appendix for the meaning of the category assessments (e.g. Supports, Supports with Exception).
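As an added illustration of the tamper-evident repository design claimed under AU-9 (256-bit hash protection with automatic integrity checks), here is a hash-chained audit store written for this page. It is example code, not ApexSQL Audit's own implementation; the record fields, the in-memory list used as the repository and the genesis value are assumptions.

```python
"""Hash-chained audit repository (illustrative, not ApexSQL Audit's code).

Each stored record carries a SHA-256 (256-bit) hash over its own body and the
hash of the previous record, so modifying, deleting or reordering stored
records is detectable by recomputing the chain on a schedule."""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # value chained into the first record (assumption)


def record_hash(prev_hash: str, record: Dict[str, str]) -> str:
    """SHA-256 over the previous record's hash and the canonical record body."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(repo: List[Dict[str, str]], event: Dict[str, str]) -> Dict[str, str]:
    """Store an audited event together with the hash linking it to its predecessor."""
    prev_hash = repo[-1]["hash"] if repo else GENESIS
    entry = dict(event)
    entry["hash"] = record_hash(prev_hash, event)
    repo.append(entry)
    return entry


def verify_repository(repo: List[Dict[str, str]]) -> List[int]:
    """Integrity check: return indexes of records whose stored hash does not match.

    A modified record fails its own check; a removed or reordered record makes
    the record that now follows the gap fail, because its stored hash was
    computed over a different predecessor."""
    breaches = []
    prev_hash = GENESIS
    for i, entry in enumerate(repo):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if record_hash(prev_hash, body) != entry["hash"]:
            breaches.append(i)
        prev_hash = entry["hash"]
    return breaches


def demo() -> Tuple[List[int], List[int]]:
    """Constructed sample events (assumed field names): a failed logon,
    a login change and a read. Returns (breaches before, breaches after)
    one stored record is edited in place."""
    events = [
        {"ts": "2024-01-10T08:00:01Z", "login": "sa", "host": "app01", "op": "LOGIN_FAILED"},
        {"ts": "2024-01-10T08:02:15Z", "login": "dba1", "host": "ws07", "op": "ALTER_LOGIN"},
        {"ts": "2024-01-10T08:05:40Z", "login": "svc_report", "host": "app01", "op": "SELECT"},
    ]
    repo: List[Dict[str, str]] = []
    for e in events:
        append_event(repo, e)
    clean = verify_repository(repo)
    repo[1]["login"] = "nobody"  # simulate tampering with a stored record
    return clean, verify_repository(repo)
```

Because anyone with write access to the repository could recompute the whole chain, the latest hash should also be recorded outside the repository (or signed with a key the database server cannot reach) and compared at each scheduled check.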