1Security Policies for the Database SystemSecurity Policies for the Database System1.What Policies need to be put in Place to Meet the Security Goals?ScopeThe purpose of this document is to define the security policies as well as the proceduresfor the database system in Miami Civil Engineering Unit (CEU) that manages Real Property.The scope of these security policies covers the CEU’s databases (including Oracle, Sysbase, andInformix), mainframe databases (i.e., DB2, IMS, and Supra), Datafeeds (FTP, Feeds,Informatica, and NDM), IS Website, Dataloads, and BRIO access.The CEU databaseadministration group will offer secure environments for the systems within their areas ofjurisdiction.The Database Security Features (for all Databases)All the database administrator accounts (examples provided below) are restricted to thedatabase administrator use only, unless there is an exception specified here. The OS and the DBAaccount passwords are assumed to be exclusively known and being implemented by the DBAteam.Database accounts: sa, sys, systemLinux accounts: Oracle, sysbase, inftest, inftest2, InformixDATABASE USER ACCOUNT MANAGEMENT POLICYPurposeThis policy covers such activities as the creation, modification, granting, and revocationuser privileges and the way the request should be made and to whom. Its purpose is to ensurethat it is only the authorized administrators can grant or revoke the user accounts.
2Security Policies for the Database SystemScopeThe policy covers all the accounts being created by CEU employees, business partners,interns in the company and any other parties that may want to have accounts so as to transactbusiness on behalf of the company.ProcedureRequests:the creation of user accounts, changes to the same, granting and revocation ofprivileges; and their deletion must be requested via the IS request process, Heat, Emails, ISApplication Access Request, Migration Systems, and Data Warehouse Request.Processing: The processing of user account requests will be done by the databaseadministration team. The request completion notification will take place through the closing ofthe request and then communicating back o the requesting user.DBA OS/DATABASE ACCOUNT PASSWORD MODIFICATION POLICYPurposeThe purpose of this policy is to make sure that any database administrators who leave thedatabase management team are removed from the system immediately. It defines the way theseadministrators are supposed to be removed from the system so that they will not continue to havethe privileges that they used to have while in the company.ScopeThe policy covers only the administrators that have been in the database administrationmanagement team and have now left of their accounts have been compromised. It does not coverthe other users of the database. It only defines how the password change should be carried outbased on CEU compliance requirements and the other policies defined in this document.