STANDARD Database Security Template

The document is a Database Security Standard Template developed by the National Cybersecurity Authority (NCA) to guide organizations in customizing their database security requirements. It outlines various standards, roles, responsibilities, and compliance measures necessary for minimizing cybersecurity risks associated with database management systems. The template must be tailored to the organization's specific needs and approved by relevant authorities before use.


This is a guidance box. Remove all guidance boxes after filling out the template. Items highlighted in turquoise should be edited appropriately. Items highlighted in green are examples and should be removed. After all edits have been made, all highlights should be cleared.

Insert organization logo by clicking on the placeholder to the left.

Database Security Standard Template

Replace <organization name> with the name of the organization for the entire document. To do so, perform the following:
● Press “Ctrl” + “H” keys simultaneously.
● Enter “<organization name>” in the Find text box.
● Enter your organization’s full name in the “Replace” text box.
● Click “More”, and make sure “Match case” is ticked.
● Click “Replace All”.
● Close the dialog box.

Choose Classification
DATE Click here to add date
VERSION Click here to add text
REF Click here to add text
Database Security Standard Template

Disclaimer
This template has been developed by the National Cybersecurity
Authority (NCA) as an illustrative example that can be used by organizations as
a reference and guide. This template must be customized and aligned with the
<organization name>’s business and relevant legislative and regulatory
requirements. This template must be approved by the head of the organization
(Authorizing official) or his/her delegate. The NCA is not responsible for any use
of this template as is, and it affirms that this template is solely an illustrative
example.

Choose Classification

VERSION <1.0>

1

Document Approval
Role: Choose Role
Job Title: <Insert job title>
Name: <Insert individual’s full personnel name>
Date: Click here to add date
Signature: <Insert signature>

Version Control
Version: <Insert version number>
Date: Click here to add date
Updated By: <Insert individual’s full personnel name>
Version Details: <Insert description of the version>

Review Table
Periodical Review Rate: <Once a year>
Last Review Date: Click here to add date
Upcoming Review Date: Click here to add date


Table of Contents
Purpose
Scope
Standards
Roles and Responsibilities
Update and Review
Compliance


Purpose
This standard aims to define the detailed cybersecurity requirements related to <organization name>’s Database Management System (DBMS) in order to minimize cybersecurity risks resulting from internal and external threats at <organization name>.
The requirements in this standard are aligned with the Database Security Policy and the cybersecurity requirements issued by the National Cybersecurity Authority (NCA), in addition to other related cybersecurity legal and regulatory requirements.

Scope
This standard covers all <organization name>’s information technology
assets (including DBMS) and applies to all personnel (employees and
contractors) in <organization name>.

Standards
1 Secure Hardening Configuration

Objective: To define basic DBMS security requirements to ensure that the DBMS is securely designed, configured, and operated.

Risk Implication: Faults in DBMS configuration and weak designs are among the top reasons leading to security vulnerabilities that can be exploited to jeopardize the confidentiality, integrity, and availability of <organization name>’s data.

Requirements

1-1 Naming conventions must be different to distinguish between production and non-production servers.

1-2 DBMS servers must be dedicated and must not host any other functionality such as “Web or Application Tier” or “Domain Services.”

1-3 Default database table names must be changed; this must not be limited to the tables only and must address all default configurations.

1-4 Only stored procedures made available to the application must be used to make transactions or queries from the database.

1-5 DBMS server links (such as creating connections or interfaces) must be isolated between production and non-production DBMS(s).

1-6 Data validation must be used to ensure the integrity of stored data.

1-7 Database fields must be limited to specific ranges of input and queries. In addition, dual input or other input checks (such as Boundary Checking and Content Inspection/URL Filtering) must be used to limit transactions such as:
• Missing and/or incomplete data
• Out of range values
• Unauthorized or inconsistent data
• Invalid characters in data fields
• Exceeding upper or lower date volume limits
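As an added illustration (not part of the NCA template), the following Python script uses SQLite to show how the input checks listed in 1-7 can be enforced by the DBMS itself as column constraints. The table, column names and sample rows are constructed for this example.

```python
import sqlite3

# Constructed example schema (not from the NCA template): each constraint
# implements one of the 1-7 input checks. Table and column names are assumed.
SCHEMA = """
CREATE TABLE employee_record (
    emp_id    INTEGER PRIMARY KEY,
    full_name TEXT NOT NULL                          -- missing/incomplete data
        CHECK (length(full_name) BETWEEN 2 AND 100)  -- boundary check
        CHECK (full_name NOT GLOB '*[^A-Za-z ]*'),   -- invalid characters
    salary    INTEGER NOT NULL
        CHECK (salary BETWEEN 0 AND 1000000),        -- out-of-range values
    hire_date TEXT NOT NULL                          -- ISO date, compared as text
        CHECK (hire_date BETWEEN '1950-01-01' AND '2100-12-31'),  -- date limits
    dept_code TEXT NOT NULL
        CHECK (dept_code IN ('HR', 'IT', 'FIN'))     -- unauthorized values
);
"""

# Constructed sample rows: one valid row and one row per 1-7 failure class.
SAMPLE_ROWS = {
    "valid":          (1, "Amal Hassan",  52000, "2019-03-04", "IT"),
    "missing_name":   (2, None,           52000, "2019-03-04", "IT"),
    "salary_range":   (3, "Sara Ali",     -5,    "2019-03-04", "IT"),
    "bad_characters": (4, "Sara<script>", 52000, "2019-03-04", "IT"),
    "date_limit":     (5, "Sara Ali",     52000, "1900-01-01", "IT"),
    "unknown_dept":   (6, "Sara Ali",     52000, "2019-03-04", "XX"),
}

def try_insert(conn, row):
    """Return None if the DBMS accepts the row, else the constraint error text."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO employee_record VALUES (?, ?, ?, ?, ?)", row)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)

def validate_sample_rows():
    """Map each sample label to None (accepted) or the DBMS rejection reason."""
    conn = sqlite3.connect(":memory:")  # fresh in-memory database per run
    conn.executescript(SCHEMA)
    return {label: try_insert(conn, row) for label, row in SAMPLE_ROWS.items()}

if __name__ == "__main__":
    for label, err in validate_sample_rows().items():
        print(f"{label:15} -> {'accepted' if err is None else err}")
```

Only the valid row is stored; every other row is rejected by the constraint that corresponds to its 1-7 failure class, so the check does not depend on application code remembering to validate.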

1-8 Access to all DBMS configuration files, as well as to the source code of applications/scripts stored in the database, must be controlled and monitored.

1-9 An accurate inventory of all databases and their contents must be maintained and regularly updated and reviewed.

1-10 Data stored in databases must be labeled using predefined types of security labels as per <organization name>’s relevant policies and procedures, and related controls must be applied.

2 Audit Logs

Objective: To generate DBMS logs for critical security events, and record and secure them on the DBMS to help with future investigations, tracking, and verifications.

Risk Implication: Insufficient audit logs limit <organization name>’s ability to detect security compromises, incidents, and issues and track them on the DBMS, and undermine its ability to determine the causes of such security compromises. Failing to properly secure audit logs on the DBMS can lead to tampering with logs, thereby impacting their integrity.

Requirements

2-1 All DBMS clocks must be synchronized with a centrally trusted Network Time Protocol (NTP) source.

2-2 Logs must be appended to the operating system logs or be self-contained within the DBMS.

2-3 Audit records containing detailed information must be generated to establish the identity of any user/subject or process associated with the event.

2-4 The following DBMS activities must be recorded and logged, at minimum recording changes at the DB record level and the timestamp of the event:
• All raised system alarms or errors
• Start up
• Shutdown
• The creation, alteration, or deletion (drop) of databases, and any database storage structures, tables, indexes, accounts and objects
• Enabling and disabling of audit functionality
• Granting and revoking of DBMS system level privileges
• Any action that returns an error message because the object referenced does not exist
• Any action that renames a DBMS object
• Any action that grants or revokes object privileges from a DBMS role or account
• All modifications to the data dictionary or DBMS system configuration
• Audits of all DBMS connection failures where possible. The DBA must ensure that both successful and unsuccessful connection attempts are audited
• Stating a threshold and triggering an alert on failed logon attempts and password locks
• Attempts to add, modify or delete privileges/permissions
• Deletion of categories of information (such as classification levels/security levels)
• Abnormal commands (a command calling another command, etc.)
• Disabling or modifying DBMS logs
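As an added example (not part of the NCA template), the following Python script runs two of the 2-4 checks over constructed audit records: the failed-logon threshold alert, and the extraction of object, privilege and audit-configuration changes for review. The record format, the action names and the threshold value are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample audit records (not real DBMS output). The line format
# "timestamp|user|action|object|outcome" and the action names are assumptions.
SAMPLE_LOG = """\
2024-05-01T08:00:01|svc_app|LOGIN|-|SUCCESS
2024-05-01T08:00:05|alice|LOGIN|-|FAILURE
2024-05-01T08:00:09|alice|LOGIN|-|FAILURE
2024-05-01T08:00:14|alice|LOGIN|-|FAILURE
2024-05-01T08:03:00|dba1|GRANT|ROLE:sysadmin|SUCCESS
2024-05-01T08:04:10|dba1|DROP|TABLE:payments|SUCCESS
2024-05-01T08:05:00|dba1|AUDIT_DISABLE|-|SUCCESS
2024-05-01T09:00:00|bob|SELECT|TABLE:orders|SUCCESS
"""

# Actions 2-4 requires to be recorded: object lifecycle, privileges, audit on/off.
SENSITIVE_ACTIONS = {"CREATE", "ALTER", "DROP", "RENAME", "GRANT", "REVOKE",
                     "AUDIT_ENABLE", "AUDIT_DISABLE", "STARTUP", "SHUTDOWN"}

def parse_log(text):
    """Split each record into (timestamp, user, action, object, outcome)."""
    rows = []
    for line in text.splitlines():
        ts, user, action, obj, outcome = line.split("|")
        rows.append((datetime.fromisoformat(ts), user, action, obj, outcome))
    return rows

def failed_logon_alerts(rows, threshold=3, window=timedelta(minutes=1)):
    """Return (user, ts) when a user reaches `threshold` failed logons in `window`."""
    recent, alerts = defaultdict(deque), []
    for ts, user, action, _obj, outcome in rows:
        if action != "LOGIN" or outcome != "FAILURE":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()              # one alert per burst, then start counting again
    return alerts

def sensitive_events(rows):
    """Return (timestamp, user, action, object) for the 2-4 listed actions."""
    return [(ts.isoformat(), u, a, o) for ts, u, a, o, _ in rows
            if a in SENSITIVE_ACTIONS]

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("failed-logon alerts:", failed_logon_alerts(records))
    print("sensitive events:", sensitive_events(records))
```

In a real deployment the records would arrive from the DBMS audit trail or the SIEM feed required by 2-7 rather than from an embedded string, and the threshold and window would be the values the organization states under 2-4.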

2-5 An immediate real-time alert must be raised to the appropriate support individuals for all audit failure events requiring real-time action(s).

2-6 Audit features in the DBMS must be protected against unauthorized removal.

2-7 The DBMS must be configured to send the event logs to the SIEM in accordance with <organization name>’s approved cybersecurity event and logging standard.

3 Other Standards

Objective: To implement all database security standards and requirements to ensure the highest protection levels.

Risk Implication: Failure to implement all security standards and requirements exposes <organization name> to increasing database security risks.

Requirements

3-1 The following standards must be implemented:
1- Identity and access management standard
2- Disaster recovery and backup standard
3- Cryptography standard
4- Server security standard
5- Physical security standard

Roles and Responsibilities

1- Standard Owner: <head of the cybersecurity function>
2- Standard Review and Update: <cybersecurity function>
3- Standard Implementation and Execution: <information technology
organization>
4- Standard Compliance Measurement: <cybersecurity function>

Update and Review

<cybersecurity function> must review the standard at least once a year, or whenever changes occur to the policy, to the regulatory procedures in <organization name>, or to the relevant regulatory requirements.

Compliance
1- The <head of the cybersecurity function> will ensure compliance of
<organization name> with this standard on a regular basis.
2- All employees at <organization name> must comply with this standard.
3- Any violation of this standard may be subject to disciplinary action
according to <organization name>’s procedures.
