Check: WEBPL030
Web Policy STIG: WEBPL030 (in version v1 r1)
Title
Information on public web servers is reviewed before publication and periodically reviewed after publication. (Cat II impact)
Discussion
The publishing of unreviewed and unapproved content on a public web server may pose a serious threat to the safety of the warfighter and national security. Security is everyone’s responsibility and, although the originating organization posting the information must ensure that the information has been approved prior to publication, all individuals have a responsibility to raise concern if they suspect that inappropriate content has been published. There are a number of events that may require the removal of publicly posted information from a public web site, such as a change in security postures and guidance directives, the discovery of inadvertently released sensitive information, the discovery of the use of copyrighted material without proper permissions, and the removal of outdated or superseded information.
Check Content
The organization or activity that sponsors the web site will have web content responsibility. These persons will ensure that all information is kept current and that information placed on the web server is reviewed and approved by the Public Affairs Officer (PAO). This organization will provide assurance to the hosting agency that this requirement has been satisfied.

The organization or activity that owns the web site will develop local policies in accordance with the DoD Web Site Administration Policies & Procedures, dated 25 November 1998 (updated 11 January 2002), available at: http://www.defenselink.mil/webmasters/policy/dod_web_policy_12071998_with_amendments_and_corrections.html.

The following elements will be included in that policy:

1. All organizational personnel should receive training appropriate to distinguish between public and non-public information, but specific training is given to content approving authority.
2. Periodic re-review of posted information.
3. Procedures and contact information that address the discovery and subsequent removal of published information that is considered to be in violation of current law, policy, directive, or is outdated.

A copy of this policy will be provided to the hosting agency for the purpose of the site review associated with this check. It is not the responsibility of the hosting agency to review or re-review posted information. If, however, the hosting agency ever notices policy violations or the posting of questionable content, they will take appropriate action.

If review assurance for publicly posted information is not available, or if a policy containing the listed elements is not available, this is a finding.
Fix Text
Acquire review assurance and local posting policies for publicly published information.
Additional Identifiers
Rule ID: SV-28795r1_rule
Vulnerability ID: V-23846
Group Title: Information on public web servers is reviewed.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |