Check: WEBPL170
Web Policy STIG:
WEBPL170
(in version v1 r1)
Title
Incident Response procedures must exist for web servers and sites. (Cat II impact)
Discussion
It is a requirement that all DoD information sites have developed and implemented Incident Response (IR) policies and procedures. In the event that an unexpected occurrence disrupts the web server’s function, a mechanism will be in place to guide the SA or the web administrator through the process of determining the cause and effect of such an event. This may involve, among other things, the use of forensic techniques (such as log file research as well as file and directory modification analysis), and may include specific reporting and coordination requirements as well as specific steps necessary to begin recovery of an affected server. The IAO, SAs, and web administrators should have a copy of these procedures and be knowledgeable about their roles and responsibilities.
Check Content
Even if IR for the production web server is governed by an MOU or SLA, the majority of the elements listed in this check must still be addressed within those documents. Assurances will be provided by the application owners to the hosting administration. Assurance and any supporting documentation will be made available to an authorized reviewer.

Ask the IAO, the SA, or the web administrator if an IR plan exists for the production web server being reviewed. If a plan exists, then determine if the plan contains the following elements:

1. The IR plan addresses specific requirements with respect to the data types on the server, such as reporting requirements for the loss or compromise of public, private, or classified data.
2. The IR plan addresses policy and procedures that may be documented in the COOP, which will contain specific procedures necessary to recover the server, the hosted sites, and any data that may have been lost.
3. The IR plan should name specific individuals with incident and response responsibilities. Assurance should be documented that these individuals have received IR training.
4. The IR plan addresses notification and coordination of incidents with regard to reporting chains, such as security officers and management personnel.

Other items to consider are as follows: Have any of the listed procedures actually been tested with regard to mock incidents, data recovery, and server/site recovery? If they were tested, are they then performed on a periodic basis?

If an IR plan cannot be produced, or if the web administrative staff is not aware of the IR policies and procedures, this is a finding.
Fix Text
Establish and maintain a documented IR plan that addresses the IR procedures for the production web server.
Additional Identifiers
Rule ID: SV-28757r1_rule
Vulnerability ID: V-23822
Group Title: Incident Response procedures
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |