FISMA (NIST800-53 rev. 4) compliance checklist for ApexSQL Audit

The Federal Information Security Management Act (FISMA) of 2002, enacted as Title III of the E-Government Act, was passed by the U.S. Congress and signed by the U.S. President. It addresses the significance of information security to the economic and national security interests of the United States. It requires each federal agency, and every subcontractor, service provider or other organization that operates IT systems on behalf of a federal agency, to develop, document and implement a program that ensures the security of the information and information systems that support the operations and assets of the agency.

The Recommended Security Controls for Federal Information Systems publication, issued by the National Institute of Standards and Technology (NIST) as NIST Special Publication 800-53, is the major component of FISMA implementation.

NIST Special Publication 800-53 lists 17 general security categories that are used to evaluate an information security control program and measure its level of compliance with obligations under FISMA. Each category in turn contains multiple subcategories (e.g. AC-1 Access Control Policy and Procedures, AC-2 Account Management, AC-3 Access Enforcement, etc.) that provide more detail on the related area of information security and assurance. Consult Appendix F of NIST 800-53 for additional information.

ApexSQL Audit can partially or fully assist in implementing some or all aspects of the following NIST categories in the context of a SQL Server audit:

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Certification, Accreditation and Assessments (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

 

| FISMA (NIST 800-53 rev. 4) | Level of Support | Supporting Features ApexSQL Audit Provides |
|---|---|---|
| Access Control (AC) | | |
| AC-1 Access Control Policy and Procedures | Supports | ApexSQL Audit can assist with the user profile compliance policy, including documenting the access control policy and the associated access control procedures. |
| AC-2 Account Management | Supports | ApexSQL Audit audits SQL Server related accounts to fulfil the user profile compliance policy. Any operation on any SQL Server account can be tracked and documented, including real-time alerting on any user account creation, enabling, modification, disabling and deletion. |
| AC-3 Access Enforcement | Supports | ApexSQL Audit can audit permissions and access to SQL Server at the user and application level, allowing the user to track all inconsistencies via generated reports and thus enforce the user profile compliance policy and user control. |
| AC-4 Information Flow Enforcement | Supports with Exception | ApexSQL Audit can audit and collect information on every application and client host that accesses SQL Server, including the information that is stored to or withdrawn from SQL Server. |
| AC-5 Separation of Duties | Supports | Audits all user activities, including access by role, with real-time alerting on any unauthorized user access. Allows reviewing all user activities to verify that only authorized users have accessed SQL Server or specified parts of it. |
| AC-6 Least Privilege | Supports | ApexSQL Audit can audit SQL Server for any new user creation or any change to existing users, including real-time alerting, to ensure that only approved users with approved user rights are present in the system, with properly defined access rights to defined parts of SQL Server. |
| AC-7 Unsuccessful Logon Attempts | Supports | ApexSQL Audit can audit, alert and report on any failed logon activity. |
| AC-9 Previous Logon Notification | Supports | ApexSQL Audit can audit any SQL Server logon/logoff activity and report on any logon activity, including the precise date/time of logon/logoff events. |
| AC-11 Session Lock | Supports with Exception | Audits individual user SQL Server activities, including the date/time of each activity, allowing verification that user sessions are locked in a timely manner and according to the established policy. |
| AC-12 Session Termination | Supports with Exception | Audits individual user SQL Server activities, including the date/time of each activity, allowing verification that user sessions are terminated in a timely manner and according to the established policy. |
| AC-13 Supervision and Review (Access Control) | Supports | Reports on SQL Server related activities, including the ability to consolidate reports with audit data from different SQL Servers. Instant alerts on any unauthorized access event. |
| AC-14 Permitted Actions Without Identification or Authentication | Supports | Comprehensive reporting, including precisely specified events, allows validating that any user actions executed without appropriate authorization and/or authentication are in line with the established company and business tasks. |
| AC-17 Remote Access | Supports | ApexSQL Audit can audit, alert and report on any remote access session, including identification of the remote client host. |
| AC-21 Information Sharing | Supports | ApexSQL Audit can audit access to any SQL Server object, alert on any unauthorized access and report on any object access activity, ensuring that only allowed users have accessed particular information according to the information access restrictions. |
| AC-22 Publicly Accessible Content | Supports | Audits access to any non-public SQL Server objects/data to make evident that only public SQL Server content can be accessed by users without appropriate permissions. |
| AC-23 Data Mining Protection | Supports | Audits, alerts in real time and reports on any data access by SQL Server users to make evident whether any data mining activity is occurring. |
| Audit and Accountability (AU) | | |
| AU-1 Audit and Accountability Policy and Procedures | Supports | ApexSQL Audit can assist in implementing the required auditing procedures and is suited to support accountability procedures. Ability to specify the events to be audited at the system, user, object and data level. Ability to specify the data records that will be audited for reading. Ensures the system values compliance policy. |
| AU-2 Auditable Events | Supports | ApexSQL Audit can be used for continuous auditing of all SQL Server events with zero data loss, including auditing of SQL Server system events. Real-time alerting on any unauthorized access event. Comprehensive and precise reporting, including the ability to consolidate audited data from multiple SQL Servers in a single report. Validates that the defined auditing fulfils the defined regulation requirements. |
| AU-3 Content of Audit Records | Supports | ApexSQL Audit collects, stores and reports on audited events with fully detailed information for each audited SQL Server event. |
| AU-4 Audit Storage Capacity | Supports | ApexSQL Audit allows managing the repository database data files. Ability to archive, move archives to any network location and read archived data directly. Audit data can be stored on a dedicated machine. Alerting on free storage capacity where the repository database data files are located, including a user-defined free storage alert threshold. Alerting on central repository database size, including a user-defined central repository database size alert threshold. Built-in mechanisms prevent loss of audited data when the storage capacity for the repository database is exhausted. |
| AU-5 Response to Audit Processing Failures | Supports | Built-in system alerts notify in real time when auditing failures occur. |
| AU-6 Audit Review, Analysis and Reporting | Supports | ApexSQL Audit simplifies the defined procedures for reviewing audit records and the requirements for additional analysis. |
| AU-7 Audit Reduction and Report Generation | Supports | ApexSQL Audit allows archiving and reporting on audited data, including the ability to generate precise reports according to user-defined criteria. Reporting on any auditing configuration changes and internal events is ensured via predefined reports. |
| AU-8 Time Stamps | Supports | ApexSQL Audit includes a time stamp in all logged events and raised alerts. |
| AU-9 Protection of Audit Information | Supports | ApexSQL Audit features a tamper-evident central repository database design with 256-bit hash protection. Ability to alert on any tampering with the repository database. Automatic checking of repository database integrity, with the integrity checking interval defined by the user. Reporting on any repository database integrity breach. |
| AU-10 Non-Repudiation | Supports | ApexSQL Audit includes the user ID in all logged events and raised alerts. |
| AU-11 Audit Record Retention | Supports with Exception | ApexSQL Audit allows manual archiving with no retention policy, but archives can be read directly. Selective retention of audited data for unlimited terms with a flexible policy is already in development and will be released in the 2015 R5 version (Q4 2015). |
| AU-12 Audit Generation | Supports | ApexSQL Audit supports configurable generation of the audit log. |
| Certification, Accreditation and Assessments (CA) | | |
| CA-2 Audit and Accountability Policy and Procedures | Supports | ApexSQL Audit can assist in implementing the required auditing procedures and is suited to support accountability procedures. Ability to specify the events to be audited at the system, user, object and data level. Ability to specify the data records that will be audited for reading. Ensures the system values compliance policy. |
| CA-3 System Interconnections | Supports with Exception | ApexSQL Audit includes client host information in all logged events and raised alerts, making it possible to track whether any unauthorized interconnection between two information systems is established without the use of Interconnection Security Agreements. |
| CA-7 Continuous Monitoring | Supports | ApexSQL Audit is capable of continuously auditing SQL Server activities with a zero data loss policy. |
| CA-8 Continuous Monitoring | Supports | The alerting system and the audited information stored in the central repository database allow analysis for any unauthorized SQL Server access or activities. |
| Configuration Management (CM) | | |
| CM-3 Configuration Change Control | Supports | ApexSQL Audit allows reviewing all configuration changes. It can track and store all configuration changes, including reporting on them. |
| CM-4 Security Impact Analysis | Supports | Detailed reporting on audited events related to SQL Server security can be used to verify that the security related functions of SQL Server are not affected. |
| CM-5 Access Restrictions for Change | Supports | Audit all SQL Server user permissions, alert on any permission change and generate regular reports to verify that security restrictions are established and maintained according to the rules, in order to prevent any unauthorized access to and use of SQL Server. |
| CM-6 Configuration Settings | Supports | ApexSQL Audit can generate precise and detailed reports on audited events that can be compared with the specified configuration to detect any deviation from the predefined SQL Server configuration. |
| CM-7 Least Functionality | Supports | Regularly generate and review reports to identify any restricted or malicious events, making sure that regulation controls are properly implemented and current. |
| CM-9 Configuration Management Plan | Supports | Regularly review the reports to validate the configuration management plan and to identify potential unauthorized disclosure and modification throughout the system development life cycle. |
| Contingency Planning (CP) | | |
| CP-4 Contingency Plan Testing | Supports | Auditing the tests and reviewing the resulting audit trail allows easy determination of the test plan's effectiveness and makes corrective actions easier. |
| CP-6 Alternate Storage Site | Supports | On establishing an alternate storage site, audit all activity and review reports to ensure that the alternate storage site utilizes information security safeguards equal to those of the primary site, so that compliance is established within the defined parameters. |
| CP-7 Alternate Processing Site | Supports | Audit the alternate processing site activity and review reports to ensure that the alternate processing site has the same information security safeguards as the primary site, which ensures that compliance requirements are fulfilled. |
| CP-9 Information System Backup | Supports | ApexSQL Audit can audit all SQL Server backup activities, including real-time alerting. The reporting system can generate precise reports on all backup activities via predefined or custom reports. Reviewing the reports helps determine whether the established backup procedures are followed properly and in a timely manner. |
| CP-10 Information System Recovery and Reconstitution | Supports | ApexSQL Audit is capable of tracking and logging all SQL Server restore activities. Via ApexSQL Log or ApexSQL Recover it is possible to recover/reconstruct even maliciously or accidentally updated or deleted data, fully or selectively, to a specified point in time. |
| CP-12 Safe Mode | Supports | Define appropriate real-time alerts to be notified about any activity that does not follow the imposed safe mode restrictions and limitations. Review reports regularly to certify that there were no breaches of the safe mode restrictions. |
| Identification and Authentication (IA) | | |
| IA-2 Identification and Authentication (Organizational Users) | Supports | ApexSQL Audit can audit all user activities and access to SQL Server objects. Establish auditing alerts for access to objects by unauthorized users. |
| Incident Response (IR) | | |
| IR-4 Incident Handling | Supports | Auditing and reviewing the resulting audit trail allows easy determination and analysis of the root cause of an incident. |
| IR-5 Incident Monitoring | Supports | Review all audited activity and alerts for the SQL Server involved in the incident. |
| IR-6 Incident Reporting | Supports | Review every real-time alert raised and generate/review reports on a regular basis. |
| IR-9 Information Spillage Response | Supports | ApexSQL Audit can audit all data related activities, including the auditing of data reads. Precise alerting on any data related activity can be established to identify violations in real time. |
| Maintenance (MA) | | |
| MA-2 Controlled Maintenance | Supports | Audit all SQL Server activity during maintenance and check the activity of SQL Server in the post-maintenance period. |
| Personnel Security (PS) | | |
| PS-4 Personnel Termination | Supports | Review audit trail reports to make sure that appropriate revocation of authenticators and credentials associated with the individual is performed and, if performed, check the time stamp to validate that it was performed in a timely manner. |
| PS-5 Personnel Transfer | Supports | ApexSQL Audit can audit all security and user modifications that can change the personnel's SQL Server access right limitations. |
| PS-8 Personnel Sanctions | Supports | Detailed review of audit reports to identify inappropriate individual actions, their severity and the reason for imposing sanctions. |
| Risk Assessment (RA) | | |
| RA-3 Risk Assessment; RA-5 Vulnerability Scanning | Supports | Review alerts and reports for any unauthorized access to SQL Server or SQL Server objects/data, for any object or data modification and for the consequences of such actions. |
| System and Communications Protection (SC) | | |
| SC-2 Application Partitioning; SC-3 Security Function Isolation | Supports | ApexSQL Audit can establish auditing of specified privileged users for their system access control and track any management activities. Alerting can be established explicitly for privileged users and for specific privileged user activities. |
| SC-4 Information in Shared Resources | Supports | ApexSQL Audit can track all access and data modifications on databases/tables without access limitations, including Before-After auditing and any data read activity. |
| System and Information Integrity (SI) | | |
| SI-4 Information System Monitoring | Supports | ApexSQL Audit can establish auditing of privileged users, auditing of all applications accessing SQL Server, all data activity including data reads, any security related activity and unauthorized access attempts. |
| SI-5 Security Alerts, Advisories and Directives | Supports | For each audited activity, an appropriate auditing alert can be created. Alerts can be defined for a single specific activity or for a group of activities. Review alerts and reports to ensure that SQL Server complies with security directives. |
| SI-6 Security Function Verification | Supports | Use alerts and reports to verify the correct operation of the defined security functions. Review reports for failed security verification tests. |
| SI-12 Information Handling and Retention | Supports | ApexSQL Audit can audit all SQL Server Before-After data activity, covering the full data life cycle and extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. |
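The AU-8, AU-9 and AU-10 rows above describe an audit repository in which every event carries a time stamp and a user ID and is protected by a 256-bit hash so that tampering becomes evident, and the AC-2 and AC-7 rows describe real-time alerting on account changes and failed logons. The Python below is an added illustration of how such a design works in principle; it is not ApexSQL Audit's code or repository format. The event names, the alert threshold and window, the `AuditRepository` class and the sample events are all constructed for this example.

```python
import hashlib
import json
from collections import deque
from datetime import datetime, timedelta

GENESIS_HASH = "0" * 64  # chain anchor for an empty repository

# Alert rules for the AC-2 / AC-7 rows. Event names are constructed for this
# example and are not ApexSQL Audit's event vocabulary.
ACCOUNT_EVENTS = {"CREATE_LOGIN", "ALTER_LOGIN", "ENABLE_LOGIN", "DISABLE_LOGIN", "DROP_LOGIN"}
FAILED_LOGON_THRESHOLD = 3                # failures per login that raise an alert
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def record_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over (previous record hash || canonical JSON of this record's body).

    Chaining the previous hash in means changing, inserting or removing any
    earlier record changes every hash that follows it.
    """
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + canonical).hexdigest()


class AuditRepository:
    """Hypothetical append-only audit store with a hash chain and alert rules."""

    def __init__(self):
        self.records = []        # each: {"body": {...}, "prev": str, "hash": str}
        self._failures = {}      # user_id -> deque of failed-logon timestamps

    def append(self, timestamp: str, user_id: str, client_host: str, event: str, detail: str) -> list:
        """Store one audited event; return the alerts it raises (possibly none)."""
        body = {"seq": len(self.records), "timestamp": timestamp,   # AU-8
                "user_id": user_id,                                  # AU-10
                "client_host": client_host, "event": event, "detail": detail}
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        self.records.append({"body": body, "prev": prev, "hash": record_hash(prev, body)})
        return self._evaluate_alerts(body)

    def _evaluate_alerts(self, body: dict) -> list:
        alerts = []
        if body["event"] in ACCOUNT_EVENTS:                          # AC-2
            alerts.append(f"AC-2 account change: {body['event']} by {body['user_id']} ({body['detail']})")
        if body["event"] == "LOGIN_FAILED":                          # AC-7
            ts = datetime.fromisoformat(body["timestamp"])
            window = self._failures.setdefault(body["user_id"], deque())
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGON_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alerts.append(f"AC-7 {len(window)} failed logons for {body['user_id']} "
                              f"from {body['client_host']} within {FAILED_LOGON_WINDOW}")
        return alerts

    def head(self) -> str:
        """Hash of the newest record; store this outside the repository database."""
        return self.records[-1]["hash"] if self.records else GENESIS_HASH

    def verify(self, trusted_head: str = None):
        """Recompute the whole chain (the periodic integrity check of AU-9).

        Returns (True, None) if intact, else (False, seq of the first bad record).
        Without trusted_head, truncation of the newest records is undetectable,
        because a shortened chain is still internally consistent.
        """
        prev = GENESIS_HASH
        for r in self.records:
            if r["prev"] != prev or record_hash(prev, r["body"]) != r["hash"]:
                return False, r["body"]["seq"]
            prev = r["hash"]
        if trusted_head is not None and prev != trusted_head:
            return False, len(self.records)      # records removed or whole chain rewritten
        return True, None


def demo():
    """Feed constructed events through the rules, then show that editing a stored record is detected."""
    repo = AuditRepository()
    sample_events = [  # constructed sample audit events, not real log data
        ("2015-09-01T09:00:00", "sa", "app01", "CREATE_LOGIN", "login svc_reports"),
        ("2015-09-01T09:01:00", "svc_reports", "ws17", "LOGIN_FAILED", "bad password"),
        ("2015-09-01T09:01:10", "svc_reports", "ws17", "LOGIN_FAILED", "bad password"),
        ("2015-09-01T09:01:20", "svc_reports", "ws17", "LOGIN_FAILED", "bad password"),
        ("2015-09-01T09:02:00", "svc_reports", "app01", "SELECT", "dbo.Payroll"),
    ]
    alerts = [a for e in sample_events for a in repo.append(*e)]
    trusted_head = repo.head()
    before = repo.verify(trusted_head)
    repo.records[4]["body"]["detail"] = "dbo.Nothing"   # an edit made behind the auditor's back
    after = repo.verify(trusted_head)
    return alerts, before, after


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print("integrity before/after edit:", demo()[1], demo()[2])
```

The point of the `trusted_head` argument is the caveat a reviewer would raise against any hash-protected log: a chain proves that no record in the middle was altered, but whoever can rewrite the whole table can recompute every hash, so the newest hash (or a keyed MAC computed with a key the database host does not hold) has to be anchored somewhere the repository's own administrators cannot silently change, and the periodic integrity check has to compare against that anchor.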

For an appendix explaining the meaning of the support levels (e.g. Supports, Supports with Exception), click here