Title: The DBMS must support the enforcement of a two-person rule for changes to organization defined application components and system-level information.
Vulnerability ID: V-32409
IA Controls: None
Description: Regarding access restrictions for changes made to organization defined information system components and system level information, any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.
Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
A two-person rule requires two separate individuals acknowledge and approve those changes. Two-person rule for changes to critical application components helps to reduce risks pertaining to availability and integrity.
Check Text: If the organization has not defined components and system level information that requires dual authorization, this is NA.
Review DBMS vendor documentation to determine whether the DBMS software can provide dual authorization capabilities. If the DBMS does not support dual authorization, this is a finding.
Review DBMS settings to verify dual authorization is enabled for organization defined application components and system-level information. If dual authorization is not enabled, this is a finding.
Fix Text: Configure DBMS software to enable dual authorization for organization defined application components and system-level information.
If DBMS does not support dual authorization, utilize a DBMS or third-party product that provides dual authorization.[divider]