
Release · v2026.06-rc3

FINOS-CCC/CCC.RDMS.CN Control Catalog


Controls for Relational Database Management System technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$ grcli unpack --repository finos-ccc/ccc.rdms.cn --tag v2026.06-rc3
Coordinate
oci.grc.store/finos-ccc/ccc.rdms.cn:v2026.06-rc3
Manifest digest
sha256:8761a54e12b66568e7adbbe913b18eecf3845df02c157c3f21a5d12f7dd973a1

Provenance

1 layer
Digest
7ad2b16072d2…
Media type
application/vnd.gemara.artifact.v1+yaml
Size
7.7 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.RDMS.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.rdms.cn",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/database/relational/controls.yaml",
            "uri": "file://artifacts/database/relational/controls.yaml",
            "digest": {
              "sha256": "7ad2b16072d266f75f9942aa98343f7953695220a7c52ac9323e9649148d5ccd"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:44:09.845475235Z",
          "finishedOn": "2026-06-01T16:44:09.958896387Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "7ad2b16072d266f75f9942aa98343f7953695220a7c52ac9323e9649148d5ccd"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.RDMS.CN",
      "role": "artifact"
    }
  ]
}

CCC Relational Database Management System Controls

Controls for Relational Database Management System technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.RDMS.CN
Version
v2026.06-rc3
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.RDMS.CN01 Password Management

    Objective

    Ensure default vendor-supplied DB administrator credentials are replaced with strong, unique passwords and that these credentials are properly managed using a secure password or secrets management solution.

    Assessment requirements
    1. When an attempt is made to authenticate to the database using known default credentials, the authentication attempt must fail and no access should be granted.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.AA-01
    • NIST_800_53
      • AC-2
    Threats
    • CCC.RDMS.Threats
      • CCC.RDMS.TH01
  2. CCC.RDMS.CN02 Account Lockout and Rate-Limiting

    Objective

    Ensure the database enforces account lockout or rate-limiting after a specified number of failed authentication attempts, so that online brute-force and password-guessing attacks are stopped before they can succeed.

    Assessment requirements
    1. When repeated failed login attempts are made in a short timeframe, the account must be locked out or rate-limited to prevent further login attempts.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.AC-1
    • NIST_800_53
      • AC-7
    Threats
    • CCC.RDMS.Threats
      • CCC.RDMS.TH02
  3. CCC.RDMS.CN04 Access Control for Backup and Restore Operations

    Objective

    Restrict who can initiate, manage, and validate database backup or restore operations through strict role-based or least-privilege access. This prevents accidental or malicious restores, protecting data integrity and availability.

    Assessment requirements
    1. When an attempt is made to perform a backup or restore using credentials or roles that are not explicitly authorized for backup/restore functions, the attempt must fail with an access denied message.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.AC-4
    • NIST_800_53
      • AC-6
    Threats
    • CCC.RDMS.Threats
      • CCC.RDMS.TH04
  4. CCC.RDMS.CN05 Restrict Snapshot Sharing to Authorized Accounts

    Objective

    Ensure database snapshots can only be shared with explicitly authorized accounts, thereby minimizing the risk of data exposure or exfiltration.

    Assessment requirements
    1. When an attempt is made to share a snapshot with an unauthorized account, the sharing request must be denied.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.DS-10
    • NIST_800_53
      • AC-4
    Threats
    • CCC.RDMS.Threats
      • CCC.RDMS.TH05
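
The two authentication requirements in this group (CN01, no default credentials accepted; CN02, lockout or rate-limiting after repeated failures) can be exercised with a small assessment harness. What follows is an added example written for this page, not code from the FINOS CCC project. The `Authenticator` callable, `LockoutPolicy`, `SimulatedDatabase` and the `KNOWN_DEFAULTS` list are assumptions made here; against a real instance, `authenticate` would wrap a client connect attempt (True on success, False on an authentication error) and the simulated database, which exists only so the harness runs offline, would not be used.

```python
"""Assessment harness for CCC.RDMS.CN01 (no default credentials accepted)
and CCC.RDMS.CN02 (lockout or rate-limiting after repeated failures).

Added example, not code from the FINOS CCC project. The `Authenticator`
callable, `LockoutPolicy` and `SimulatedDatabase` are assumptions made
for this page; in a real assessment, `authenticate` wraps a client
connect attempt (returning True on success, False on an authentication
error) and `SimulatedDatabase` is not needed at all.
"""
from __future__ import annotations

import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed sample of vendor-default pairs; a real check uses the
# documented defaults of the product under test.
KNOWN_DEFAULTS: List[Tuple[str, str]] = [
    ("postgres", "postgres"), ("root", ""), ("sa", "sa"), ("admin", "admin"),
]

Authenticator = Callable[[str, str], bool]  # (user, password) -> logged in?


@dataclass
class LockoutPolicy:
    """Sliding-window lockout: max_failures failures inside window_s
    seconds lock the account for lock_s seconds."""
    max_failures: int = 5
    window_s: float = 60.0
    lock_s: float = 300.0


@dataclass
class SimulatedDatabase:
    """Constructed stand-in for a server's authentication path, used only
    so the harness runs offline. policy=None models a server with no
    lockout at all (the CN02 failure case)."""
    users: Dict[str, str]                        # username -> password
    policy: Optional[LockoutPolicy] = None
    clock: Callable[[], float] = time.monotonic  # injectable for tests
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> bool:
        now = self.clock()
        if self.policy and self._locked_until.get(user, 0.0) > now:
            return False                         # locked: reject even a correct password
        ok = self.users.get(user) == password
        if self.policy and not ok:
            q = self._failures.setdefault(user, deque())
            q.append(now)
            while q and now - q[0] > self.policy.window_s:
                q.popleft()                      # forget failures outside the window
            if len(q) >= self.policy.max_failures:
                self._locked_until[user] = now + self.policy.lock_s
                q.clear()
        return ok


def check_default_credentials(auth: Authenticator) -> List[Tuple[str, str]]:
    """CN01: return every known default pair that still authenticates.
    An empty list means the requirement is met."""
    return [(u, p) for u, p in KNOWN_DEFAULTS if auth(u, p)]


def check_lockout(auth: Authenticator, user: str, real_password: str,
                  attempts: int = 10) -> bool:
    """CN02: submit `attempts` wrong passwords for `user`, then the right one.
    The requirement is met only if the right password is now rejected
    (the account was locked). A server that only throttles rather than
    locks would need a timing-based check instead."""
    for i in range(attempts):
        auth(user, f"wrong-password-{i}")
    return not auth(user, real_password)


if __name__ == "__main__":
    weak = SimulatedDatabase(users={"postgres": "postgres"})
    hard = SimulatedDatabase(users={"postgres": "k9!Vx-long-random"},
                             policy=LockoutPolicy())
    for name, db, pw in (("weak", weak, "postgres"), ("hard", hard, "k9!Vx-long-random")):
        print(name, "CN01 defaults accepted:", check_default_credentials(db.authenticate))
        print(name, "CN02 lockout enforced:", check_lockout(db.authenticate, "postgres", pw))
```

Two caveats when running this against a live instance: the lockout check deliberately locks the account it targets, so point it at a dedicated test account rather than the administrator login, and run it with the operators' agreement; and a server that implements CN02 as a throttle (growing delays) rather than a hard lock will pass the real requirement while failing `check_lockout`, so measure response latency across the attempts in that case instead of the final outcome.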

Data Resilience

The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.

  1. CCC.RDMS.CN03 Enforce and Monitor Automated Backups

    Objective

    Ensure database backups are automatically scheduled, actively monitored, and promptly reported if any disruptions occur. This helps maintain data integrity, facilitates disaster recovery, and supports business continuity when a system failure or breach occurs.

    Assessment requirements
    1. When backups are disabled, paused, or fail to run as scheduled, an alert must be triggered and logged.

      Applicability: tlp-red, tlp-amber

    Guidelines
    • NIST-CSF
      • PR.IP-4
    • NIST_800_53
      • CP-9
    Threats
    • CCC.RDMS.Threats
      • CCC.RDMS.TH03
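
The CN03 requirement (alert and log when backups are disabled, paused, or fail to run on schedule) is a monitoring rule, and the following shows one way to evaluate it over a backup configuration and job history. It is an added example written for this page, not code from the FINOS CCC project. `BackupConfig`, `BackupJob` and `Alert` are assumptions standing in for whatever a provider API or the server's own job history returns, and the `SAMPLE_*` data is constructed so the check runs offline.

```python
"""Monitoring check for CCC.RDMS.CN03: raise an alert when automated
backups are disabled, paused, failed, or overdue against their schedule.

Added example, not code from the FINOS CCC project. BackupConfig and
BackupJob are assumptions standing in for whatever a provider's API or
the server's own job history returns; the SAMPLE_* data below is
constructed so the check runs offline.
"""
from __future__ import annotations

import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class BackupConfig:
    instance: str
    enabled: bool         # automated backups switched on
    paused: bool          # schedule suspended (or retention forced to 0)
    interval: timedelta   # expected cadence
    grace: timedelta      # tolerated lateness before an overdue alert


@dataclass(frozen=True)
class BackupJob:
    instance: str
    started: datetime
    status: str           # "succeeded" | "failed" | "running"


@dataclass(frozen=True)
class Alert:
    instance: str
    severity: str
    reason: str


def evaluate(cfg: BackupConfig, jobs: Iterable[BackupJob], now: datetime) -> List[Alert]:
    """Return the alerts CN03 requires for one instance as of `now`."""
    alerts: List[Alert] = []
    if not cfg.enabled:
        alerts.append(Alert(cfg.instance, "high", "automated backups are disabled"))
    if cfg.paused:
        alerts.append(Alert(cfg.instance, "high", "backup schedule is paused"))

    history = sorted((j for j in jobs if j.instance == cfg.instance), key=lambda j: j.started)
    if history and history[-1].status == "failed":
        alerts.append(Alert(cfg.instance, "high",
                            f"latest backup run at {history[-1].started.isoformat()} failed"))

    # Overdue is judged on the last *successful* run, not the last attempt.
    last_ok: Optional[BackupJob] = next((j for j in reversed(history) if j.status == "succeeded"), None)
    if last_ok is None:
        alerts.append(Alert(cfg.instance, "high", "no successful backup on record"))
    elif now - last_ok.started > cfg.interval + cfg.grace:
        alerts.append(Alert(cfg.instance, "medium",
                            f"last successful backup is {now - last_ok.started} old; "
                            f"expected every {cfg.interval}"))
    return alerts


def log_alerts(alerts: Iterable[Alert], logger: logging.Logger) -> int:
    """Log each alert (the 'triggered and logged' half of the requirement);
    returns how many were emitted so a caller can fail a check on > 0."""
    n = 0
    for a in alerts:
        logger.warning("backup-alert instance=%s severity=%s reason=%s",
                       a.instance, a.severity, a.reason)
        n += 1
    return n


# Constructed sample data for the offline run.
NOW = datetime(2026, 6, 1, 16, 44, tzinfo=timezone.utc)
SAMPLE_CONFIGS = [
    BackupConfig("prod-db", True, False, timedelta(days=1), timedelta(hours=2)),
    BackupConfig("report-db", True, False, timedelta(days=1), timedelta(hours=2)),
    BackupConfig("dev-db", False, False, timedelta(days=1), timedelta(hours=2)),
]
SAMPLE_JOBS = [
    BackupJob("prod-db", NOW - timedelta(hours=20), "succeeded"),   # healthy
    BackupJob("report-db", NOW - timedelta(hours=30), "succeeded"), # stale ...
    BackupJob("report-db", NOW - timedelta(hours=2), "failed"),     # ... and last run failed
]


def run_sample() -> Dict[str, List[Alert]]:
    """Evaluate every sample instance; returns {instance: [alerts]}."""
    return {c.instance: evaluate(c, SAMPLE_JOBS, NOW) for c in SAMPLE_CONFIGS}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    for inst, alerts in run_sample().items():
        print(inst, "alerts:", log_alerts(alerts, logging.getLogger("backup-monitor")))
```

The grace period is what keeps this from paging on every slightly late run; size it to the longest backup window you actually observe, and treat a "disabled" or "paused" alert as a configuration-drift signal that should also be correlated with who changed the setting.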