Check: WEBPL050
Web Policy STIG:
WEBPL050
(in version v1 r1)
Title
Trained staff are not available to respond to web server or web content problems. (Cat III impact)
Discussion
Many web sites are available 24 hours per day, 7 days a week, and the potential for problems relating to the web server operations are significant. Operating staff may discover a problem with the organization’s web server operation or web content. Points-of-contact (staff) with the appropriate access and training must be available to respond to immediate operational needs to correct the problem.
Check Content
The reviewer will verify that an appropriate training program is in place and that web server personnel are either certified or in the process of certification. The following elements will be reviewed:

1. A training program is in place that addresses DoD publication 8570.01M with respect to either the IAT or the IAM certification of the web server staff at the appropriate certification level, according to job roles and responsibilities.
2. Web server staff will either be DoD IAT- or IAM-certified according to their roles, or be in the process of achieving DoD IA certification.
3. Training records are maintained.
4. DoD IA certification must remain active.
5. Web server staff will be CE certified. CE certification should be specific to operating systems, server hosts, etc. If web server staff administer multiple technologies, current guidance suggests that CE certification should be achieved for all supported technologies. At a minimum, certification should be achieved for the technology he or she spends the most time supporting.
6. The certification program may be instructor-led, given through a CBT, or blended. It may be vendor-specific or a component-developed equivalent certification. Testing or proof of knowledge and skill is required. It is highly suggested that, with respect to web server administration, emphasis be given to the expected functional duties of the web server staff. This emphasis should concentrate on areas that may include, but are not limited to:
   • Security threat and mitigation techniques.
   • Securing critical files and processes.
   • Backup and recovery techniques.
   • OS and web server software administration.
   • OS and web server hardening techniques.
   • The application of access controls.
   • Disaster recovery.
   • Incident response and analysis.

If the elements listed above are not in place, or the web server staff is neither certified nor in the process of certification, this is a finding.
Fix Text
Assign certified staff to respond to operational and content issues.
Additional Identifiers
Rule ID: SV-28769r1_rule
Vulnerability ID: V-23833
Group Title: Certified Web Administrators
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |