FISMA (NIST800-53 rev. 4) compliance checklist for ApexSQL Audit

The Federal Information Security Management Act (FISMA) of 2002, enacted as Title III of the E-Government Act of 2002, was passed by the U.S. Congress and signed by the President. It addresses the importance of information security to the economic and national security interests of the United States. It requires each federal agency, its contractors and service providers, and any other organization that operates IT systems on behalf of a federal agency, to develop, document and implement a program that secures the information and information systems supporting the operations and assets of the agency.

The major component of FISMA implementation is NIST Special Publication 800-53, issued by the National Institute of Standards and Technology (NIST). Earlier revisions were titled Recommended Security Controls for Federal Information Systems; revision 4 is titled Security and Privacy Controls for Federal Information Systems and Organizations.

NIST Special Publication 800-53 rev. 4 organizes its controls into 18 families (the 17 security control families plus Program Management, PM), which are used to evaluate an information security control program and measure its compliance with FISMA obligations. Each family contains individual controls (e.g. AC-1 Access Control Policy and Procedures, AC-2 Account Management, AC-3 Access Enforcement, etc.) that state the detailed requirements for that area of information security and assurance. Consult Appendix F of NIST SP 800-53 rev. 4 for the full control catalog.

ApexSQL Audit can partially or fully assist in implementing some or all aspects of the following NIST categories in the context of a SQL Server audit:

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Security Assessment and Authorization (CA), formerly Certification, Accreditation and Security Assessments
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)


| NIST SP 800-53 rev. 4 control | Level of support | Supporting features ApexSQL Audit provides |
|---|---|---|
| Access Control (AC) | | |
| AC-1 Access Control Policy and Procedures | Supports | ApexSQL Audit can assist with a user profile compliance policy, including documenting the access control policy and the associated access control procedures |
| AC-2 Account Management | Supports | Audits all SQL Server related accounts to support the user profile compliance policy. Any operation on any SQL Server account can be tracked and documented, with real-time alerting on account creation, enabling, modification, disabling and deletion |
| AC-3 Access Enforcement | Supports | Audits permissions and access to SQL Server at the user and application level, so that inconsistencies can be tracked through generated reports and the user profile compliance policy and user control enforced |
| AC-4 Information Flow Enforcement | Supports with Exception | Audits and collects information about every application and client host that accesses SQL Server, including the data written to or read from SQL Server |
| AC-5 Separation of Duties | Supports | Audits all user activity, including access by role, with real-time alerting on unauthorized access. All user activity can be reviewed to verify that only authorized users have accessed SQL Server or specified parts of it |
| AC-6 Least Privilege | Supports | Audits creation of new users and changes to existing users, with real-time alerting, to verify that only approved users with approved rights are present and that their access is limited to the defined parts of SQL Server |
| AC-7 Unsuccessful Logon Attempts | Supports | Audits, alerts and reports on any failed logon activity |
| AC-9 Previous Logon (Access) Notification | Supports | Audits all SQL Server logon/logoff activity and reports on it with the exact date/time of each logon and logoff event |
| AC-11 Session Lock | Supports with Exception | Audits individual user activity with the date/time of each action, so that sessions can be verified as locked on time and according to the established policy |
| AC-12 Session Termination | Supports with Exception | The same per-user audit trail, with the date/time of each action, allows verification that sessions are terminated on time and according to the established policy |
| AC-13 Supervision and Review (Access Control); withdrawn in rev. 4 and incorporated into AC-2 and AU-6 | Supports | Reports on SQL Server activity, including consolidated reports that combine audit data from several SQL Server instances. Instant alerts on any unauthorized access event |
| AC-14 Permitted Actions Without Identification or Authentication | Supports | Comprehensive reporting on precisely specified events allows validating that any user action executed without identification or authentication is in line with established company and business tasks |
| AC-17 Remote Access | Supports | Audits, alerts and reports on remote access sessions, including identification of the remote client host |
| AC-21 Information Sharing | Supports | Audits access to any SQL Server object, alerts on unauthorized access and reports on object access activity, to verify that only permitted users have accessed particular information according to its access restrictions |
| AC-22 Publicly Accessible Content | Supports | Audits access to non-public SQL Server objects/data to show that users without appropriate permissions can reach only public SQL Server content |
| AC-23 Data Mining Protection | Supports | Real-time alerting and reporting on all data access by SQL Server users makes any data mining activity evident |
| Audit and Accountability (AU) | | |
| AU-1 Audit and Accountability Policy and Procedures | Supports | Assists in implementing the required auditing procedures and supports accountability procedures. Events to be audited can be specified at the system, user, object and data level, including which data records are audited for reads. Supports the system values compliance policy |
| AU-2 Audit Events | Supports | Continuous auditing of all SQL Server events, including system events, with zero audited data lost. Real-time alerting on unauthorized access events. Comprehensive and precise reporting, including consolidation of audit data from multiple SQL Server instances into a single report. Validates that the configured auditing satisfies the regulation requirements |
| AU-3 Content of Audit Records | Supports | Collects, stores and reports on audited events with full detail for each SQL Server event |
| AU-4 Audit Storage Capacity | Supports | Manages repository database data files. Archives can be created, moved to any network location and read directly. Audit data can be stored on a dedicated machine. Alerts on free storage capacity where the repository data files reside, with a user-defined threshold, and on central repository database size, also with a user-defined threshold. Built-in mechanisms prevent loss of audited data when repository storage is exhausted |
| AU-5 Response to Audit Processing Failures | Supports | Built-in system alerts are raised in real time when auditing failures occur |
| AU-6 Audit Review, Analysis, and Reporting | Supports | Simplifies the defined procedures for reviewing audit records and any additional analysis they require |
| AU-7 Audit Reduction and Report Generation | Supports | Archiving and reporting on audited data, including precise reports built on user-defined criteria. Predefined reports cover auditing configuration changes and internal events |
| AU-8 Time Stamps | Supports | A time stamp is included in every logged event and raised alert |
| AU-9 Protection of Audit Information | Supports | Tamper-evident central repository database design with 256-bit hash protection. Alerts on any tampering with the repository database. Automatic repository integrity checks run at a user-defined interval, and any integrity breach is reported |
| AU-10 Non-repudiation | Supports | The user ID is included in every logged event and raised alert |
| AU-11 Audit Record Retention | Supports with Exception | Archiving is manual and there is no retention policy, but archives can be read directly. Selective retention of audited data for unlimited terms with a flexible policy is in development and is planned for the 2015 R5 release (Q4 2015) |
| AU-12 Audit Generation | Supports | Configurable generation of the audit log |
| Security Assessment and Authorization (CA) | | |
| CA-2 Security Assessments | Supports | Assists in implementing the required auditing procedures and supplies the audit trail that assessments rely on. Events to be audited can be specified at the system, user, object and data level, including which data records are audited for reads |
| CA-3 System Interconnections | Supports with Exception | Client host information is included in every logged event and raised alert, making it possible to track whether an interconnection between two information systems has been established without an Interconnection Security Agreement |
| CA-7 Continuous Monitoring | Supports | Continuous auditing of SQL Server activity with a zero-data-loss policy |
| CA-8 Penetration Testing | Supports | The alerting system and the audited information stored in the central repository database support analysis of any unauthorized SQL Server access or activity |
| Configuration Management (CM) | | |
| CM-3 Configuration Change Control | Supports | All configuration changes can be tracked, stored, reviewed and reported on |
| CM-4 Security Impact Analysis | Supports | Detailed reporting on security-related SQL Server events can be used to verify that the security functions of SQL Server are not adversely affected by a change |
| CM-5 Access Restrictions for Change | Supports | Audits all SQL Server user permissions, alerts on any permission change and generates regular reports to verify that security restrictions are established and maintained and that unauthorized access to and use of SQL Server is prevented |
| CM-6 Configuration Settings | Supports | Precise, detailed reports on audited events can be compared with the specified configuration to detect any deviation from the predefined SQL Server configuration |
| CM-7 Least Functionality | Supports | Regular generation and review of reports identifies restricted or malicious events and confirms that the required controls are implemented and current |
| CM-9 Configuration Management Plan | Supports | Regular report review validates the configuration management plan and identifies potential unauthorized disclosure or modification throughout the system development life cycle |
| Contingency Planning (CP) | | |
| CP-4 Contingency Plan Testing | Supports | Auditing the tests and reviewing the resulting audit trail makes it easy to determine the effectiveness of the test plan and to take corrective action |
| CP-6 Alternate Storage Site | Supports | When an alternate storage site is established, audit all activity there and review reports to confirm that the site uses information security safeguards equivalent to the primary site's and that compliance is maintained within the defined parameters |
| CP-7 Alternate Processing Site | Supports | Audit the alternate processing site's activity and review reports to confirm that it has the same information security safeguards as the primary site, so that compliance requirements are met |
| CP-9 Information System Backup | Supports | Audits all SQL Server backup activity with real-time alerting. Predefined or custom reports give precise reporting on backup activity; reviewing them shows whether the established backup procedures are followed correctly and on time |
| CP-10 Information System Recovery and Reconstitution | Supports | Tracks and logs all SQL Server restore activity. With ApexSQL Log or ApexSQL Recover, data that was maliciously or accidentally updated or deleted can be recovered or reconstructed, fully or selectively, to a specified point in time |
| CP-12 Safe Mode | Supports | Define real-time alerts for any activity that breaks the imposed safe mode restrictions and limitations, and review reports regularly to certify that no safe mode restriction was breached |
| Identification and Authentication (IA) | | |
| IA-2 Identification and Authentication (Organizational Users) | Supports | Audits all user activity and access to SQL Server objects. Alerts can be established for object access by unauthorized users |
| Incident Response (IR) | | |
| IR-4 Incident Handling | Supports | Auditing and reviewing the resulting audit trail makes it easy to determine and analyze the root cause of an incident |
| IR-5 Incident Monitoring | Supports | Review all audited activity and alerts for the SQL Server instance involved in an incident |
| IR-6 Incident Reporting | Supports | Review every raised real-time alert, and generate and review reports on a regular basis |
| IR-9 Information Spillage Response | Supports | Audits all data-related activity, including data reads. Precise alerting on data-related activity can be established to identify violations in real time |
| Maintenance (MA) | | |
| MA-2 Controlled Maintenance | Supports | Audit all SQL Server activity during maintenance and check SQL Server activity in the post-maintenance period |
| Personnel Security (PS) | | |
| PS-4 Personnel Termination | Supports | Review audit trail reports to confirm that the authenticators and credentials associated with the individual were revoked, and check the time stamp to verify that the revocation was done on time |
| PS-5 Personnel Transfer | Supports | Audits all security and user modifications that change an individual's SQL Server access rights |
| PS-8 Personnel Sanctions | Supports | Detailed review of audit reports identifies inappropriate individual actions, their severity and the grounds for imposing sanctions |
| Risk Assessment (RA) | | |
| RA-3 Risk Assessment / RA-5 Vulnerability Scanning | Supports | Review alerts and reports for unauthorized access to SQL Server or its objects/data, for any object or data modification, and for the consequences of such actions |
| System and Communications Protection (SC) | | |
| SC-2 Application Partitioning / SC-3 Security Function Isolation | Supports | Auditing can be established for specified privileged users, covering their system access control and management activity. Alerts can be defined for privileged users in general or for specific privileged user activities |
| SC-4 Information in Shared Resources | Supports | Tracks all access and data modification on databases/tables that have no access limitations, including before-after auditing and any data read activity |
| System and Information Integrity (SI) | | |
| SI-4 Information System Monitoring | Supports | Auditing of privileged users, of all applications accessing SQL Server, of all data activity including reads, of security-related activity and of unauthorized access attempts |
| SI-5 Security Alerts, Advisories, and Directives | Supports | An alert can be created for each audited activity, either for a single specific activity or for a group of activities. Review alerts and reports to ensure that SQL Server complies with security directives |
| SI-6 Security Function Verification | Supports | Use alerts and reports to verify the correct operation of defined security functions, and review reports for failed verification tests |
| SI-12 Information Handling and Retention | Supports | Audits all SQL Server before-after data activity, covering the full data life cycle and extending beyond the disposal of the information system. The National Archives and Records Administration provides guidance on records retention |
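The AU-9 row above describes a tamper-evident repository protected by a 256-bit hash and periodic integrity checks. The Python block below is an added illustration of that technique and is not ApexSQL Audit's own code or repository design: each record carries a SHA-256 digest over its content and its predecessor's digest, so a periodic check detects modified, deleted or reordered records. The record fields, the GENESIS_HASH anchor, the function names and the sample events are all constructed for the example.

```python
"""Tamper-evident audit repository built on a SHA-256 hash chain (added example,
not ApexSQL Audit's repository design)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical anchor used as prev_hash of the very first record.
GENESIS_HASH = "0" * 64


@dataclass
class AuditRecord:
    # Mirrors the content AU-3, AU-8 and AU-10 call for: what happened,
    # when, under which login and from which client host.
    seq: int
    timestamp: str
    login: str
    client_host: str
    event: str
    prev_hash: str
    record_hash: str = ""

    def canonical(self) -> bytes:
        # Everything except record_hash, serialized deterministically so the
        # same content always produces the same digest.
        body = {
            "seq": self.seq,
            "timestamp": self.timestamp,
            "login": self.login,
            "client_host": self.client_host,
            "event": self.event,
            "prev_hash": self.prev_hash,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_digest(rec: AuditRecord) -> str:
    # 256-bit digest over the record and the previous record's digest.
    return hashlib.sha256(rec.canonical()).hexdigest()


class AuditRepository:
    """Append-only store whose records are chained by hash."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def head_hash(self) -> str:
        return self.records[-1].record_hash if self.records else GENESIS_HASH

    def append(self, timestamp: str, login: str, client_host: str, event: str) -> AuditRecord:
        rec = AuditRecord(len(self.records), timestamp, login, client_host, event, self.head_hash())
        rec.record_hash = record_digest(rec)
        self.records.append(rec)
        return rec

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Integrity check. Returns None when the chain is intact, otherwise the
        index of the first record that fails. Changing any field, or deleting or
        reordering a stored record, breaks the chain from that point on. Records
        removed from the end are only detectable against a head hash kept
        outside the repository, passed in as expected_head."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or record_digest(rec) != rec.record_hash:
                return i
            prev = rec.record_hash
        if expected_head is not None and prev != expected_head:
            return len(self.records)
        return None


def demo() -> dict:
    # Constructed sample events, not real audit data.
    repo = AuditRepository()
    repo.append("2015-09-01T08:00:00Z", "CORP\\dba01", "ws-17", "LOGIN_SUCCEEDED")
    repo.append("2015-09-01T08:05:12Z", "CORP\\dba01", "ws-17", "CREATE LOGIN app_svc")
    repo.append("2015-09-01T08:06:40Z", "sa", "10.0.0.9", "LOGIN_FAILED")
    head = repo.head_hash()          # the checker stores this out of band
    intact = repo.verify(head)       # None: chain and head agree
    # Tamper: rewrite who created the login without recomputing its digest.
    repo.records[1].login = "CORP\\contractor"
    tampered = repo.verify(head)     # 1: first record whose digest no longer matches
    repo.records[1].login = "CORP\\dba01"
    # Truncate: silently drop the trailing failed-logon record.
    repo.records.pop()
    truncated = repo.verify(head)    # 2: chain is fine but head differs from the stored one
    return {"intact": intact, "tampered": tampered, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The truncation case is the one practitioners most often miss: a hash chain alone proves nothing about records removed from its end, so the integrity checker has to keep the last verified head digest somewhere the repository writer cannot reach. In the example that is the expected_head argument; in a real deployment it would be an out-of-band store that the periodic integrity check and the tampering alert read from.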

An appendix explaining the meaning of the support levels used above (Supports, Supports with Exception) is available separately.